Privacy Statement

Last updated: 23 December 2025


1. Who We Are

Daurada Prime (“Daurada Prime”, “we”, “our”, or “us”) provides business-to-business (B2B) software-as-a-service solutions for organizations. The Daurada Prime software-as-a-service platform is a product of Prometheus Engineering SL.

We are committed to protecting the privacy, confidentiality, and security of personal and business data entrusted to us.

This Privacy Statement explains how we process personal data when acting as a data controller, and how we protect data when acting as a data processor on behalf of our customers.

2. Scope of This Statement

This Privacy Statement applies to:

  • Visitors to our websites

  • Prospective customers and business contacts

  • Authorized users of our services

  • Customer administrators and billing contacts

It does not replace or override any Data Processing Agreement (DPA) entered into with customers for use of our services.

3. Our Core Privacy Principles

We design and operate our services according to the following principles:

  • We do not sell personal data or business data

  • We do not trade, broker, or monetize data

  • We collect only what is necessary

  • We process data only for legitimate, explicit purposes

  • We apply privacy-by-design and security-by-default

4. Roles Under the GDPR

4.1 When We Act as a Data Controller

Daurada Prime acts as a data controller for personal data related to:

  • Account registration and administration

  • Billing and invoicing

  • Sales, marketing, and customer communications

  • Website usage and security monitoring

In these cases, we determine the purposes and means of processing.

4.2 When We Act as a Data Processor

For customer-uploaded or customer-generated data processed within our services, Daurada Prime acts as a data processor, processing such data solely on documented instructions from the customer, who is the data controller.

5. Categories of Data We Process

Depending on context, we may process:

  • Contact information (name, business email, phone number)

  • Account credentials and access metadata

  • Billing and payment information

  • Service usage and audit logs

  • Technical and security data (IP addresses, device/browser data)

  • Customer-provided business data processed within the platform

We do not intentionally collect special categories of personal data as defined under Article 9 GDPR.

6. Lawful Bases for Processing

We process personal data under one or more of the following lawful bases:

  • Performance of a contract (Article 6(1)(b))

  • Legal obligation (Article 6(1)(c))

  • Legitimate interests (Article 6(1)(f))

  • Consent, where required (Article 6(1)(a))

7. Data Sharing and Disclosure

7.1 No Sale of Data

Daurada Prime does not sell customer personal data or business data.

We do not engage in data brokerage, advertising networks, or secondary monetization of data.

7.2 Limited Sharing

We may share data only with:

  • Infrastructure and hosting providers

  • Payment processors

  • Security and monitoring providers

  • Professional advisors (legal, accounting)

All such providers are bound by contractual confidentiality and data-protection obligations.

8. International Data Transfers

Where data is transferred outside the European Economic Area (EEA), we rely on:

  • EU adequacy decisions, or

  • Standard Contractual Clauses (SCCs), and

  • Appropriate technical and organizational safeguards

9. Data Retention

We retain personal data only for as long as necessary to:

  • Fulfill contractual obligations

  • Comply with legal requirements

  • Resolve disputes

  • Enforce agreements

Customer data processed under a DPA is retained and deleted according to customer instructions and contractual terms.

10. Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption in transit and at rest

  • Role-based access controls

  • Audit logging

  • Secure development and deployment practices

  • Regular security reviews

11. Data Subject Rights

Where applicable, individuals have the right to:

  • Access their personal data

  • Rectify inaccurate data

  • Request erasure

  • Restrict or object to processing

  • Request data portability

  • Lodge a complaint with a supervisory authority

Requests may be submitted via the contact details below.

Where we act as a processor, requests should be directed to the relevant customer (data controller).

12. AI and Machine Learning Privacy Statement

Daurada Prime uses AI-assisted features to provide insights, automation, and product improvements.

We are committed to responsible and privacy-preserving use of AI.

12.1 No Training on Identifiable Customer Data

  • We do not use identifiable customer personal data or business data to train our AI models.

  • We do not permit third-party AI providers to use our customer data for model training.

12.2 Use of Aggregated and Anonymized Data Only

Where AI is used to improve our services:

  • Data is aggregated, anonymized, or pseudonymized

  • No data is traceable back to a specific customer, tenant, or individual

  • Outputs are used only for internal product improvement and analytics

12.3 Customer Control

AI features operate within the contractual and technical controls of our platform.

Customer data remains customer data at all times.

13. Cookies and Tracking

We use cookies and similar technologies only where necessary for:

  • Website functionality

  • Security

  • Performance and analytics

Where required, consent is obtained in accordance with applicable law.

14. Changes to This Statement

We may update this Privacy Statement from time to time.

Material changes will be communicated via our website or customer communications.

15. EU Artificial Intelligence Act (AI Act) – Forward-Compatibility Statement

Daurada Prime is committed to aligning its AI-enabled features with the requirements of Regulation (EU) 2024/… on Artificial Intelligence (the “EU AI Act”), and to evolving our governance, documentation, and controls as the regulation becomes fully applicable.

15.1 AI System Risk Classification

Based on our current and planned use of AI:

  • AI features provided by Daurada Prime are designed to fall within:

    • Minimal-risk or limited-risk AI system categories under the EU AI Act

  • We do not deploy AI systems intended for:

    • Social scoring

    • Biometric identification or categorization

    • Predictive policing

    • Automated decisions producing legal or similarly significant effects on individuals

Should any AI functionality approach high-risk classification, we will:

  • Conduct formal risk assessments

  • Implement mandatory conformity measures

  • Provide customers with appropriate disclosures and documentation

15.2 Purpose Limitation and Human-Centric Design

AI features within Daurada Prime are intended to:

  • Provide decision support, insights, recommendations, or automation assistance

  • Improve usability, efficiency, and operational understanding

AI systems are not designed to replace human judgment in legally, financially, or ethically significant decisions.

15.3 Human Oversight and Control

In alignment with Articles 14 and 26 of the EU AI Act:

  • AI-assisted outputs are subject to human review and discretion

  • Customers retain full control over:

    • Whether AI features are enabled

    • How AI-generated insights are acted upon

  • Where applicable, AI outputs are:

    • Clearly identifiable as AI-assisted

    • Explainable at an appropriate level for the use case

We design AI features so that:

  • Humans can override, disregard, or intervene in AI-supported outcomes

  • No irreversible action is taken solely on the basis of AI output

15.4 Transparency and Information Obligations

Daurada Prime commits to transparency by:

  • Informing customers when AI functionality is in use

  • Describing the intended purpose, limitations, and expected performance characteristics of AI features

  • Avoiding deceptive, manipulative, or opaque AI behaviors

Where required by law, we will provide:

  • AI system descriptions

  • Risk mitigation summaries

  • User guidance documentation

15.5 Data Governance and Training Controls

Consistent with both the EU AI Act and GDPR:

  • Customer personal data and business data are not used to train AI models

  • AI systems rely only on:

    • Aggregated data

    • Anonymized or pseudonymized datasets

    • Synthetic or non-customer datasets

  • Third-party AI providers are contractually prohibited from using our data for training purposes

15.6 Accuracy, Robustness, and Cybersecurity

We design AI features to meet the AI Act’s expectations for:

  • Technical robustness and reliability

  • Protection against data poisoning and misuse

  • Secure model deployment and access control

  • Continuous monitoring for unintended behavior

AI systems are evaluated and improved using controlled, privacy-preserving methods.

15.7 Accountability and Governance

Daurada Prime maintains internal accountability structures for AI use, including:

  • Clear ownership of AI-related features

  • Documentation of design assumptions and limitations

  • Ongoing review of regulatory developments

  • Alignment with emerging EU guidance and harmonized standards

15.8 Regulatory Evolution

This statement reflects our current understanding of the EU AI Act and may evolve as:

  • Implementing acts are finalized

  • Harmonized standards are published

  • Regulatory guidance is clarified

Material changes affecting customers will be communicated transparently.

16. Sovereign Cloud and Data Residency

Daurada Prime is designed to support regional and sovereign cloud deployment models in response to customer regulatory, contractual, and data-residency requirements.

16.1 Regional Data Residency

Subject to contractual agreement and service availability, customer data may be hosted within designated geographic regions, including:

  • European Union (EU)

  • United States (US)

Customer data is processed and stored within the selected region in accordance with applicable data-protection laws. When service is first set up, we host your data in the region that matches the mailing address used or the selection made when you create your first Organization. Contact us if you need different arrangements for your Organization or Organizational Units.

16.2 Logical and Operational Segregation

For sovereign or region-bound deployments:

  • Customer data is logically segregated by region

  • Cross-region replication is disabled unless explicitly requested

  • Access by personnel is restricted based on role, authorization, and operational necessity

  • Administrative access is logged and auditable

16.3 Cross-Border Access Controls

Where operational access is required:

  • Access is granted on a least-privilege basis

  • Support and operations personnel and all sub-contractors are subject to contractual confidentiality obligations

  • Remote access is secured and monitored

Daurada Prime does not provide unrestricted global access to customer data.

16.4 Law Enforcement and Government Requests

Requests for access to customer data by government or law-enforcement authorities are:

  • Assessed for legal validity

  • Limited to the minimum legally required scope

  • Handled in accordance with applicable law

  • Disclosed to customers where legally permitted

16.5 Future Sovereign Offerings

Daurada Prime may expand sovereign cloud capabilities over time, including additional jurisdictions or enhanced sovereignty controls, in response to customer demand and regulatory developments.

17. Contact Information

For privacy-related questions or requests, contact:

Daurada Prime

Email: privacy@dauradaprime.com

Daurada Prime is a product of Prometheus Engineering SL, Spain with CIF: B65670945 and VAT ID: ESB65670945


Appendix A — United Kingdom (UK GDPR & Data Protection Act 2018)

Applicable to users located in the United Kingdom

Following the UK’s withdrawal from the European Union, the UK GDPR and the Data Protection Act 2018 apply.

A.1 Regulatory Alignment

Daurada Prime processes personal data in compliance with:

  • UK GDPR (as incorporated into UK law)

  • Data Protection Act 2018

Our GDPR-based controls meet or exceed UK GDPR requirements.

A.2 International Data Transfers

Where personal data is transferred from the UK to the EEA or other countries, we rely on:

  • UK adequacy regulations, or

  • UK International Data Transfer Agreements (IDTAs), or

  • UK Addendum to EU Standard Contractual Clauses

A.3 Supervisory Authority

UK residents may lodge complaints with the Information Commissioner’s Office (ICO).

Appendix B — Switzerland (FADP / revFADP)

Applicable to users located in Switzerland

Switzerland’s revised Federal Act on Data Protection (revFADP) entered into force in 2023 and imposes GDPR-like—but in some areas stricter—requirements.


B.1 Legal Basis and Transparency

Daurada Prime:

  • Applies purpose limitation and proportionality principles

  • Provides transparency equivalent to GDPR Articles 13 and 14


B.2 Data Subject Rights

Swiss data subjects may:

  • Request access and correction

  • Object to processing

  • Request deletion where legally permissible


B.3 Cross-Border Transfers

Transfers outside Switzerland are protected using:

  • Adequacy determinations, or

  • Contractual safeguards aligned with Swiss FDPIC guidance

Appendix C — Germany (Enhanced Employee & Workplace Privacy)

Applicable to German customers and users

Germany applies GDPR alongside national rules that impose stricter requirements for employee and workplace data.

C.1 Employee Data

Where customer use of Daurada Prime involves employee data:

  • Processing is limited to what is necessary for employment-related purposes

  • Customers remain responsible for establishing legal bases under German labor law

C.2 Works Councils (Betriebsrat)

Daurada Prime provides technical and contractual support to customers where:

  • Works council consultation or approval is required

  • Audit logs and access controls are needed for compliance

Appendix D — France (CNIL & Cookie/Tracking Rules)

Applicable to users located in France

France enforces GDPR through the CNIL, with particularly strict interpretations regarding cookies and tracking technologies.

D.1 Cookies and Analytics

Daurada Prime:

  • Uses cookies only where necessary for functionality, security, or analytics

  • Obtains consent where required

  • Honors opt-out and preference mechanisms

D.2 Enforcement Authority

French residents may lodge complaints with the Commission Nationale de l’Informatique et des Libertés (CNIL).

Appendix E — California, United States (CCPA / CPRA)

Applicable to California residents acting in a business capacity

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), imposes obligations that are partially stricter than GDPR in disclosure and categorization.

E.1 No Sale or Sharing of Personal Information

Under CCPA/CPRA definitions:

  • Daurada Prime does not sell personal information

  • Daurada Prime does not share personal information for cross-context behavioral advertising

E.2 Consumer Rights

California residents have the right to:

  • Know what personal information is collected

  • Request deletion (subject to legal exceptions)

  • Correct inaccurate information

  • Limit use of sensitive personal information

Requests may be submitted using the contact details in the main Privacy Statement.

E.3 Business-to-Business Context

Where permitted by law:

  • Certain rights may be limited for B2B communications

  • Daurada Prime applies GDPR-equivalent protections regardless

Appendix F — Canada (PIPEDA)

Applicable to users located in Canada

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to commercial activities.

F.1 Accountability and Purpose Limitation

Daurada Prime:

  • Identifies purposes for collection

  • Limits use and disclosure

  • Retains data only as long as necessary

F.2 Access and Correction

Individuals may request access to and correction of their personal information.

Appendix G — Brazil (LGPD)

Applicable to users located in Brazil

Brazil’s Lei Geral de Proteção de Dados (LGPD) closely mirrors GDPR and includes strict enforcement.

G.1 Legal Bases

Processing is conducted under LGPD lawful bases including:

  • Contract performance

  • Legal obligation

  • Legitimate interest

G.2 Data Subject Rights

Brazilian data subjects may:

  • Confirm processing

  • Access and correct data

  • Request anonymization or deletion

  • Object to processing

Appendix H — All other Jurisdictions

For countries with privacy regimes that are less stringent than GDPR, no separate appendix is required.

In those jurisdictions, Daurada Prime continues to apply GDPR-level protections as a global baseline.