Macadam Logo
Download the App

MACADAM PLATFORM PRIVACY POLICY

(Last update: January 2025)

For the purposes of interpretation of the terminology used in this policy and its annexed documents (hereinafter all of them referred to as the "Privacy Policy"), as an integral part of the Terms and Conditions of Use of the Macadam Platform, except in the case of a specific nomenclature of this Privacy Policy is provided herein, the words with initial capital letter shall have the meaning given in Clause 3 “Definitions” of the aforementioned terms and conditions.

The User should also be aware that specific privacy policies may apply to certain processing activities, such as those related to the Automatic Cashback service. These policies can be accessed here.

In compliance with Applicable Legislation, MACADAM TECHNOLOGIES, S.L. undertakes to adopt the necessary technical and organizational measures for the protection of data collected from Users through the Macadam Platform, according to the level of security appropriate to the risk.

We inform you that both the Macadam Website and the Macadam Application use cookies and/or similar technologies such as the so-called Software Development Kits that collect and store information while you browse the Macadam Website or use the Macadam Application. For more information please, read Macadam Cookie Policy.

1.​ Laws incorporated into this Privacy Policy

This Privacy Policy is compliant with current Spanish and European legislation on the protection of Personal Data. Specifically, it is in compliance with the following regulations:

  • The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
  • April 2016 on the Protection of Natural Persons with regard to the Processing of
  • Personal Data and on the Free Movement of such data (GDPR).
  • The Organic Law 3/2018, of December 5, on the Protection of Personal Data and
  • Guarantee of Digital Rights (LOPD-GDD).

The Royal Decree 1720/2007, of December 21, which approves the Regulation for the ●​

Development of the Organic Law 15/1999, of December 13, on the Protection of Personal Data (RDLOPD).

  • The Law 34/2002, of July 11, on Services of the Information Society and Electronic
  • Commerce (LSSI-CE).

2.​ Identity of the Data Controller for the processing of Personal Data

The Data Controller of the Personal Data collected is the Spanish company MACADAM TECHNOLOGIES, S.L., with N.I.F. B44845337 and share capital of 3,000 euros. It is registered in the Mercantile Registry of Barcelona under Volume 48762, Folio 113, Page B 595293 (hereinafter, the “DataController”, the “Company”, “Macadam” or “We”, indistinctly). Its contact details are as follows:

  • Address: 401 Avenida Diagonal, 08008 - Barcelona, 1st Floor
  • Contact email: contact@macadam.app

Please note that our Partners offer advertising and services on the Macadam Platform that are independent of Macadam. In this case, once you are redirected to the Partner's website or service, we cannot be held responsible for the data they collect. The respective Partner will be responsible for processing your data as the Data Controller, in accordance with their own Privacy Policy and practices. However, in accordance with this Privacy Policy, we may occasionally share certain Personal Data with them to enable the specific functionality of the Partner or to improve the experience and personalization of the Service.

For your convenience and information, you can find references to our Partners' Privacy and Cookie Policies in our Cookie Policy. These references will be updated by Macadam to the extent possible. However, the policies binding on the User will be those in effect at any given time and provided by the respective Partner.

3.​ Register of Personal Data

In compliance with the provisions of the GDPR and the LOPD-GDD, we inform you that the Personal Data collected by the Company will be incorporated and will be subject to the processing activities described in Section 5.

Likewise, in accordance with the provisions of the GDPR and the LOPD-GDD, unless the exception provided for in Article 30.5 of the GDPR applies, a Record of Processing Activities is kept which specifies, according to its purposes, the processing activities carried out and the other details established in the GDPR.

4.​ Principles applicable to the processing of Personal Data

The processing of the User's Personal Data shall be subject to the following principles contained in Article 5 of the GDPR and in Article 4 and following of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights:

  • Principle of lawfulness, fairness, and transparency:
  • User consent will be required at all times, with completely transparent information about the purposes for which Personal Data is collected.
  • Principle of purpose limitation:
  • Personal data will be collected for specific, explicit, and legitimate purposes.
  • Principle of data minimization:
  • Only the Personal Data that is strictly necessary in relation to the purposes for which it is processed will be collected.
  • Principle of accuracy:
  • Personal data must be accurate and always kept up to date.
  • Principle of storage limitation:
  • Personal data will only be kept in a form that permits the identification of the User for as long as necessary for the purposes of its processing.
  • Principle of integrity and confidentiality:
  • Personal data will be processed in a way that ensures its security and confidentiality.
  • Principle of proactive accountability:
  • The Data Controller will be responsible for ensuring that the above principles are complied with.

5.​ Categories of Personal Data, purposes and legitimizing basis

Depending on the purpose for which the Company collects the different types of Personal Data, the following processing activities are distinguished (click here to access the Record of Processing Activities (ROPA) with the different processing activities).

6.​ Consent as a legal basis

When the legal basis for processing is consent (e.g., offering you personalized advertising, see ROPA), the Company commits to obtaining the User's express and verifiable consent for the processing of their Personal Data for one or more specific purposes.

The User will have the right to withdraw their consent at any time. Withdrawing consent will be as easy as giving it. As a general rule, withdrawing consent will not condition the use of the Macadam Platform.

On occasions where the User must or can provide their data through forms to make inquiries, request information, or for reasons related to the content and/or functionalities of the Platform, he/she will be informed if the completion of any of them is mandatory because they are essential for managing the inquiry.

7.​ Retention periods of Personal Data

The Personal Data provided will be kept for the time necessary to fulfill the purpose for which they are collected and to determine the possible responsibilities that may arise from the purpose, in addition to the periods established in the regulations.

In this regard, Personal Data will be kept while the contract between the Parties is still in force, that is, while the User Account is still active. If the User Account has been deleted for any reason or if the User Account has been inactive for a period of at least 24 months, the

Company will proceed to erase all Personal Data except such needed to fulfil legal obligations. Personal Data that must be retained to meet legal obligations will be blocked in accordance with the provisions of this Section 7.

Data blocking will be carried out in such a way that:

  • Access to Personal Data is not allowed for personnel who would normally have access to it;
  • Access is limited only to those with the highest level of responsibility, with restricted access solely for compliance with legal obligations;
  • Data processing will be for archival purposes only, and cannot be used for the purpose that justified its collection.

Some data blocking periods based on Macadam's legal obligations may be as follows:

If applicable, after the expiration of the blocking period, data will be physically deleted, or, where appropriate, anonymized securely by Macadam (anonymized/non-Personal Data).

Please note that geolocation and health data are pseudonymized after 24 months, and only the data strictly necessary to provide the service and related to completed transactions will be retained in the active database. By default, geolocation and health data not related to transactions will be physically deleted or anonymized after 24 months.

Regarding your identity document, we will retain the copy provided by the User for a period of 1 month. After this period, we will retain the necessary data contained within the identity document but not the copy itself, proceeding with physical deletion.

Regarding the IP addresses used, Macadam will only retain the last IP used. However, physical deletion will occur after 3 months of inactivity or after the User Account is deleted.

For the User's information, deletion processes, or, if applicable, the transfer from the active database to the blocked database, will generally occur within a maximum period of 7 days. If the User is within this period and wishes to access their data, we request that they contact Macadam as soon as possible, although Macadam cannot guarantee access to the data during this period.

8.​ Recipients of Personal Data

The Company will not transfer Personal Data to third parties or make international transfers without the appropriate measures, as indicated below.

However, if your Personal Data is transferred outside the EEA (European Economic Area), to our Partners or service providers, we will take steps to ensure that your Personal Data receives the same level of protection as if it had remained within the EEA, by entering into the confidentiality and data processing agreements required by the regulations for providers located in third countries, applying the necessary safeguards and guarantees to preserve your privacy.

Macadam will base international transfers on the Standard Contractual Clauses approved by the EU Commission which may be updated or revised and may also base them on other transfer mechanisms such as adequacy decisions, where applicable, Binding Corporate Rules or Agreements approved by the European Data Protection Authorities. For transfers to other Macadam group entities located outside the EEA, we have established an Intragroup Data Transfer Agreement based on the European Commission's Standard Contractual Clauses that may be updated or revised, which protects Personal Data transferred between Macadam entities.

Also, in accordance with the ROPA, we may share some data with our Partners and communicate specific data to our contractual providers with whom we guarantee that we have signed binding contractual commitments to comply with data protection regulations for the communication of Personal Data between data controller and data processor.

  • Partners
  • : Macadam integrates in its platform the services of different providers that are part of the service that can be provided through the Macadam Platform (surveys, video games, analysis...). Many of these services provided by our Partners will be necessary in order to be able to provide you with the Service. With these Partners, we share certain information, the details of which you can see in the table below. We will ensure the transparency of the Partners with whom we collaborate and will only share data to provide you with the service and/or functionality requested, for example, to provide you with rewards.
  • Providers of services
  • . Macadam may subcontract the rendering of certain services and therefore there may be entities with access to certain data for the exclusive performance of the service subcontracted by Macadam.
  • Customer service and incident management
  • . Macadam will be able to communicate your data to companies that provide the customer service, as well as to those that direct actions tending to the measurement of the degree of satisfaction of the Users with respect to the benefit of the Service, and accomplishment of surveys, previous agreement in writing with them.
  • Companies of the Macadam Group
  • . Macadam may communicate your data to other companies of the Macadam Group, including subsidiaries, for the fulfillment of contractual obligations arising from the use of the Macadam Platform and the provision of services.
  • Computer systems services
  • . Macadam may contract computer services for the management and maintenance of Macadam's own systems, so that these entities may have accessory access to data owned by Macadam.

In particular, we inform you that we may share your Personal Data (with or without your consent depending on the processing in question):

If you wish, you can contact us and request a more exhaustive list of recipients, so that you have full control over your Personal Data.

We will not transfer your data to third parties unless (i) it is necessary for the provision of the contracted Services, (ii) as a User you have given us your explicit consent, (iii) when we are requested to do so by a competent authority in the exercise of its functions conferred by law or (iv) if we are required by law.

In the event that the Controller intends to transfer Personal Data to a third country or international organization, at the time the Personal Data is obtained, the User will be informed about the third country or international organization to which the data is intended to be transferred, as well as the existence or absence of an adequacy decision of the Commission.

9.​ Secrecy and security of Personal Data

The Company undertakes to adopt the necessary technical and organizational measures, according to the level of security appropriate to the risk of the data collected, so as to ensure the security of Personal Data and prevent the accidental or unlawful destruction, loss or alteration of Personal Data transmitted, stored or otherwise processed, or unauthorized communication or access to such data.

Macadam will store your Personal Data on servers located in Brussels (Belgium) and managed by Google Cloud Platform which is part of the association CISPE (Cloud Infrastructure Service Provider in Europe) that promotes the correct application of the applicable regulations on Data Protection.

Macadam’s Web Site has an SSL (Secure Socket Layer) certificate, which ensures that Personal Data is transmitted securely and confidentially, as the transmission of data between the server and the User, and in feedback, is fully encrypted or encrypted.

However, because it cannot guarantee the impregnability of the Internet or the total absence of hackers or others who fraudulently access Personal Data, the Data Controller undertakes to notify the User without undue delay when a breach of security of Personal Data occurs that is likely to involve a high risk to the rights and freedoms of natural persons. Following the

provisions of Article 4 of the GDPR, a breach of security of Personal Data means any breach of security resulting in accidental or unlawful destruction, loss or alteration of Personal Data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data.

Personal data will be treated as confidential by the Data Controller, who undertakes to inform and ensure by means of a legal or contractual obligation that such confidentiality is respected by its employees, associates, and any person to whom it makes the information accessible.

10.​Rights deriving from the processing of Personal Data

The User may exercise against the Data Controller the following rights recognized in the GDPR and the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights:

  • Right of access
  • : It’s the User's right to obtain confirmation as to whether or not your Personal Data is being processed and, if so, to obtain information about your specific Personal Data and the processing that has been or is being carried out, as well as, among other things, the information available on the origin of such data and the recipients of the communications made or planned for such data.
  • Right of rectification
  • : It is the User's right to have their Personal Data modified if it turns out to be inaccurate or, taking into account the purposes of the processing, incomplete.
  • Right to erasure ("right to be forgotten"):
  • It is the User's right, provided that current legislation does not establish otherwise, to obtain the erasure of their Personal Data when it is no longer necessary for the purposes for which it was collected or processed; the User has withdrawn their consent to the processing and there is no other legal basis for it; the User objects to the processing and there are no legitimate grounds for it to continue; the Personal Data has been unlawfully processed; the Personal Data must be erased to comply with a legal obligation; or the Personal Data has been obtained as a result of a direct offer of information society services to a child under 14 years of age. In addition to deleting the data, the Data Controller, taking into account the available technology and the cost of implementation, must take reasonable measures to inform other data controllers processing the Personal Data of the data subject's request for erasure of any links to that Personal Data.
  • Right to restriction of processing
  • : It is the User's right to restrict the processing of their Personal Data. The User has the right to obtain restriction of processing where they contest the accuracy of their Personal Data; the processing is unlawful; the data controller no longer needs the Personal Data, but the User needs it for legal claims; and when the User has objected to the processing.
  • Right to data portability
  • : Where processing is carried out by automated means, the User has the right to receive their Personal Data from the data controller in a structured, commonly used and machine-readable format, and to transmit it to another data controller. Where technically feasible, the data controller will transmit the data directly to the other controller.
  • Right to object
  • : It is the User's right not to have their Personal Data processed by the Company or for the processing to be stopped.
  • Right not to be subject to a decision based solely on automated processing, including
  • profiling:
  • This is the User's right not to be subject to an individualized decision based solely on automated processing of his or her Personal Data, including profiling, unless otherwise provided for by applicable law.

Thus, the User may exercise his/her rights by means of a written communication addressed to the Data Controller with the reference “GDPR-Macadam”, specifying:

  • Name, surname of the User and copy of the ID card. In cases where representation is admitted, it will also be necessary the identification by the same means of the person representing the User, as well as the document proving the representation. The photocopy of the ID may be replaced by any other means valid in law that proves the identity.
  • Request with the specific reasons for the request or information to be accessed. â—Ź Address for notification purposes.
  • Date and signature of the applicant.
  • Any document that proves the request you are making.

This application and any attachments may be sent to the following address and/or e-mail address:

  • Address: Avenida Diagonal, nÂş 401, 08008 - Barcelona, Planta 1
  • Contact email: contact@macadam.app

11.​Links to third party websites

The Platform may include hyperlinks or links that allow access to websites of our Partners or other third parties other than the Company, and therefore are not operated by the Company. The owners of such websites will have their own data protection policies, being themselves, in each case, responsible for their own files and their own privacy practices.

12.​Complaints to the supervisory authority

In the event that the User considers that there is a problem or infringement of the regulations in force in the way in which his/her Personal Data is being processed, he/she shall have the right to effective judicial protection and to file a complaint before a supervisory authority, in particular, in the State in which he/she has his/her habitual residence, place of work or place of the alleged infringement. In the case of Spain, the supervisory authority is the Spanish Data Protection Agency ().

13.​Acceptance and changes to this Privacy Policy

It is necessary that the User has read and agrees with the conditions on the protection of Personal Data contained in this Privacy Policy, as well as to accept the processing of their Personal Data so that the Data Controller can proceed in the manner, during the periods and for the purposes indicated. The use of the Macadam Platform shall imply the acceptance of its Privacy Policy.

The Company reserves the right to modify its Privacy Policy, according to its own criteria, or motivated by a legislative, jurisprudential or doctrinal change of the Spanish Data Protection Agency. Changes or updates to this Privacy Policy shall be in accordance with the procedure established for the modification of the Terms and Conditions of Use of the Macadam Platform.