Privacy policy

1. Data controller

• Data controller: Dextra Transaction Services S.L..
• Address: Av. Diagonal 468, 08006 Barcelona, España.
• CIF: B44741924.
• Registration data: Inscrita en el Registro Mercantil de Barcelona, CIF B44741924.
• Contact email: support@lexpartis.com.
• Data Protection Officer (DPO): dpo@lexpartis.com.

The User may contact the Data Protection Officer for any matters relating to the processing of their personal data or the exercise of their rights regarding data protection.

2. Scope of application and role as Data Controller or Processor

This Policy applies to the processing of personal data in which Dextra Transaction Services S.L. acts as Data Controller, namely: (i) data of visitors and Users of the Website; (ii) data of individuals who contact us (forms, email, calls, professional networks); (iii) data of professionals who manage and operate the application on behalf of a client (law firm, court, executor) in relation to their own identity, authentication, and traceability.

When, within the framework of the Lex Partis service, our clients —such as law firms, executors, judicial administrators, or courts— enter personal data of third parties (decedents, heirs, legatees, creditors, experts, counterparts) into the application, Dextra Transaction Services S.L. acts as Data Processor in accordance with Article 28 of the GDPR. In such cases, the conditions of processing are governed by the corresponding Data Processing Agreement signed with each client, who is the Data Controller in relation to the data subjects.

3. Data we process

The categories of personal data that we process as Data Controller include, as applicable:

• Identifying data: name and surname, NIF/NIE, professional registration number, electronic signature.
• Contact data: postal address, email, telephone number.
• Professional data: position, organisation to which they belong, area of activity.
• Economic and billing data: when the User contracts the service (payment method, banking details, billing information).
• Technical and browsing data: IP address, device and browser identifiers, activity logs and security events strictly necessary for the provision of the service and protection against fraud.
• Data derived from the use of the application by authorised Users: audit logs, timestamps, cryptographic hashes of events.

In general, we do not process data belonging to special categories under Article 9 of the GDPR. In the event that a client, acting as Data Controller, enters such data into the application, its processing will be fully subject to the Data Processing Agreement and the enhanced technical and organisational security measures provided therein.

4. Purposes

Your personal data will be processed for the following purposes:

• Management, administration, maintenance, and improvement of the Website and the Lex Partis application, including account creation, User authentication, and the provision of contracted functionalities.
• Attention and response to inquiries, requests for information, quotes, demonstrations, and complaints submitted through the Website or any other enabled channels.
• Compliance with contractual, tax, accounting, commercial, and administrative obligations legally required of Dextra Transaction Services S.L..
• To ensure the security of information, the confidentiality of communications, and the traceability of critical events in the application, including the prevention of fraud and unauthorised access.
• Sending electronic commercial communications regarding products, services, events, and news from Lex Partis, provided that the User has expressly consented or there is a prior commercial relationship that enables commercial prospecting in accordance with Article 21.2 LSSI-CE.
• Aggregated statistical analysis of the use of the Site for product improvement purposes, without such analysis allowing for the individual identification of the User.

5. Legal basis

The legal bases on which the processing of your personal data is based are as follows:

• Execution of the contract (Article 6.1.b GDPR): for the provision of the Lex Partis service to clients who have contracted it and the management of commercial and pre-contractual relationships.
• Compliance with a legal obligation (Article 6.1.c GDPR): to meet obligations arising from tax, commercial, accounting, administrative, or data protection legislation.
• Legitimate interest (Article 6.1.f GDPR): for the security of information and systems, the prevention of fraud, the auditing of critical events, commercial prospecting within the limits of Article 21.2 LSSI-CE, and the performance of aggregated statistical analyses.
• Consent (Article 6.1.a GDPR): for the sending of electronic commercial communications when there is no prior contractual relationship, for the use of non-strictly necessary cookies, and, in general, for any other processing where the User's consent is expressly requested. Consent may be withdrawn at any time without retroactive effects.

6. Recipients and categories of assignees

Personal data may be communicated, depending on the purpose of the processing and always with the legally required guarantees, to the following categories of recipients:

• Public administrations, judges and courts, law enforcement agencies, and other competent authorities, when there is a legal obligation to communicate.
• Financial entities, for the management of collections and payments.
• External advisors (auditors, lawyers, tax consultants) subject to the duty of professional secrecy.
• Service providers acting as Data Processors for Dextra Transaction Services S.L. (cloud hosting, email infrastructure, electronic signature platforms, support and communication tools) duly bound by the corresponding contract under Article 28 GDPR.

Dextra Transaction Services S.L. does not transfer or sell personal data to third parties for commercial or advertising purposes.

7. International transfers

In general, personal data is processed on servers located within the European Economic Area (EEA). In the event that, for the provision of the service or due to the use of infrastructure providers, it is necessary to carry out international transfers outside the EEA, these will only be executed when one of the following guarantee mechanisms provided for in Chapter V of the GDPR applies: (i) adequacy decision of the European Commission regarding the destination country; (ii) standard contractual clauses adopted by the European Commission (SCC 2021); (iii) binding corporate rules; or (iv) any other legally admissible instrument. The User may obtain a copy of the adopted guarantees by contacting the DPO at dpo@lexpartis.com.

8. Retention

Personal data will be retained for the strictly necessary time to fulfil the purposes for which they were collected and, in particular, for the following periods:

• Data linked to the execution of the contract: for the entire duration of the contractual relationship and, once concluded, as long as any responsibilities of any kind may arise.
• Data subject to accounting, tax, and commercial obligations: for a minimum of six (6) years in accordance with Article 30 of the Commercial Code and applicable tax legislation.
• Data related to inquiries and commercial communications: until the User objects or withdraws their consent.
• Security and traceability records: for the period necessary to ensure the legal, technical, and forensic security of the platform.

Once the aforementioned periods have elapsed, the data will be deleted or, where applicable, duly anonymised.

9. Your rights

The User may exercise, at any time and free of charge, the following rights recognised by Articles 15 to 22 of the GDPR and Articles 11 and following of the LOPDGDD:

• Right of access to their personal data and to information regarding the processing.
• Right to rectification of inaccurate or incomplete data.
• Right to erasure (‘right to be forgotten’) when the circumstances of Article 17 GDPR apply.
• Right to restriction of processing in the cases of Article 18 GDPR.
• Right to data portability in the cases of Article 20 GDPR.
• Right to object to processing on grounds relating to their particular situation or, in any case, against the sending of commercial communications.
• Right not to be subject to automated decisions, including profiling, which produce legal effects concerning them or significantly affect them.
• Right to withdraw consent given at any time, without affecting the lawfulness of processing based on the consent prior to its withdrawal.

The exercise of these rights may be carried out by written request addressed to the Data Protection Officer at dpo@lexpartis.com, accompanied by a copy of the national identity document or equivalent document proving the identity of the requester. Dextra Transaction Services S.L. will respond to the request within a maximum period of one month from its receipt, extendable by two additional months in case of complexity or number of requests received.

If you believe that the processing of your personal data infringes applicable regulations, you may lodge a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es.

10. Security measures

Dextra Transaction Services S.L. has adopted appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, in accordance with the provisions of Articles 32 to 34 of the GDPR and the National Security Scheme. Such measures include, without limitation: encryption in transit (TLS) and at rest of sensitive data, role-based access control (RBAC), optional multi-factor authentication, logical multitenant segregation, immutable audit logs with cryptographic seals, periodic backups with integrity verification, continuity and disaster recovery plans, periodic vulnerability assessments, code review programmes, and ongoing staff training in security and privacy.

11. Processing of minors' data

The Lex Partis service is directed exclusively at professionals of legal age. Dextra Transaction Services S.L. does not knowingly collect or process personal data of minors under fourteen (14) years of age, the minimum age for consent in accordance with Article 7 LOPDGDD. If a client, acting as Data Controller, must process data of minors in the context of a succession or partition procedure, the legally established enhanced guarantees will apply.

12. Automated decisions and profiling

Unless in expressly identified cases communicated to the User, Dextra Transaction Services S.L. does not make decisions based solely on the automated processing of data, including profiling, which produce legal effects on Users or significantly affect them in a similar manner. The functionalities of the Lex Partis application that employ algorithms —such as verifiable draws or rotating allocation proposals— are executed under the control and supervision of the client, who retains the final decision.

13. Modifications to the Privacy Policy

Dextra Transaction Services S.L. reserves the right to modify this Privacy Policy to adapt it to legislative, jurisprudential developments or its own internal practices. Any modification will be communicated on the Site with reasonable notice prior to its entry into force.

14. Supervisory authority

The competent supervisory authority for data protection in Spain is the Agencia Española de Protección de Datos (AEPD), located at C/ Jorge Juan 6, 28001 Madrid, with its electronic headquarters at www.aepd.es. Any interested party has the right to lodge a complaint with the AEPD if they believe their rights regarding data protection have not been adequately addressed by the Data Controller.