Privacy Policy

The privacy of customers’ personal data is important to Xolo. This Policy describes the rules according to which Xolo processes the personal data of any person using Xolo’s website https://www.xolo.io/es-en, mobile apps and any services offered by Xolo.

The use of this website implies acceptance of this Privacy Policy.

Xolo adopts the necessary measures to guarantee the security, integrity and confidentiality of the data in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of individuals with regard to the processing of personal data and the free circulation thereof, and in matters not provided for by it by Organic Law 3/2018 of December 5, Protection of Personal Data and guarantee of digital rights, the Royal Decree 1720/2007, of December 21, which approves the Regulations for the development of the Organic Law on Data Protection, and Law 34/2002, of July 11, on Information Society Services and Electronic Commerce. Through the registration forms on this website or by sending an email, personal data of each client are collected and processed, which are necessary for the management and maintenance of some of the services provided and whose treatment is governed by this Privacy Policy.

  1. General Definitions

    Xolo
    Service provider who needs to process customer’s personal data for the provision of service:

    • XOLO BUSINESS SPAIN, S.L.U, Muntaner 239, atic 08021 Barcelona, with CIF: B-67817262
    • Xolo OÜ, registry code 12844111, address Paju 1a, Tartu, 50603, Estonia, who provides platform services
    • Affiliate of the service provider whose company information is provided in the respective service agreement
    Customer
    Natural person who is using Xolo’s website, app or any services provided by Xolo
    GDPR
    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
    Policy
    This privacy policy
    Personal Data
    Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data processed by Xolo is described under Section 3
    Processing
    Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
    Controller
    A person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Depending on the service the Controller of the Customer’s Personal Data is: XOLO BUSINESS SPAIN, S.L.U, Muntaner 239, atic 08021 Barcelona, with CIF: B-67817262
    Processor
    A person who Processes Personal Data on behalf of the Controller. In the course of provision of Service, Xolo may act as Processor by Processing Personal Data on behalf of its Customer or Customer’s legal entity. However, this Policy shall not regulate Xolo’s actions as Processor
    Service
    Any services provided by Xolo via website https://www.xolo.io/es-es and Xolo mobile apps. Xolo currently provides management services such as registration with the Spanish Tax Agency (AEAT), Canary Islands Tax Agency (ATC) and with Social Security (Special Regime for Self-Employed Workers (RETA)); accounting services for the Client’s professional activities in Spain; completion and presentation of taxes in relation to professional activities; as well as other services that Xolo and the Client may additionally agree on.
  2. Policy Applicability

    This Policy applies to Personal Data Processing where Xolo acts as a Controller. Any personal data Processing conducted on behalf of the Customer or his legal entity is subject to an additional data processing agreement signed between Xolo and the legal person controlled by the Customer.

  3. Personal Data being collected

    Xolo Processes the following Personal Data about the Customer:

    1. Personal Details – full name (surname and given name), gender, personal identification code, date of birth, nationality, contact postal address, e-mail address, mobile phone number, bank where the personal bank account exists;
    2. Identification Data – data retrieved from the copy of a passport, such as document number, issue date, expiry date and issuing entity, photo, URL of a Portfolio or LinkedIn profile;
    3. Verification Data – data which Xolo collects for the purpose of conducting Customer due diligence under applicable anti-money laundering laws and the financing of terrorism, in particular Law 10/2010 of April 18 on the prevention of money laundering and financing of terrorism;
    4. Background and Profile Data – Customer’s Google profile data, such as name, e-mail address, language preference and profile picture and also data Xolo collects and Processes for the purpose of conducting Customer adverse media checks via open sources;
    5. Payment Data – data concerning payments for Xolo’s Service and state fees, such as account number (IBAN), account holder name, bank name, transaction details.
    6. Business related Data – in the course of providing certain Services Xolo collects and Processes the business description provided by the Client;
    7. Device Data – information regarding the device on which the Customer is using Xolo’s website/app, including the device’s model, name or any other identifier and the IP address;
    8. Preference Data – Customer’s preferences in Xolo’s website/app;
    9. Customer Support Data – communication between Xolo and the Customer (inquiries submitted via the website, email, social media or chat);
    10. Usage Data – data about Customer’s interaction in Xolo’s website/app.
    11. Sensitive Data – data which includes special categories of personal data (as defined in GDPR) and other sensitive data such as, but not limited to, marital status, possible religious affections, health data and data concerning Customer’s spouse and children.
  4. Sources of Personal Data collection

    The majority of Customer’s Personal Data Processed by Xolo is collected directly from the Customer. However, Xolo may also collect Customer’s Personal Data from third party sources, such as databases of financial sanctions and people subject to international financial sanctions and databases of politically exposed people. Some of these databases are publicly available and some of them are not.

  5. Purposes for collecting and Processing Customer’s Personal Data

    Personal Data collected by Xolo is Processed for the purposes established in the law or as described herein, including but not limited to the following purposes:

    1. Contractual Purpose – Xolo needs to Process Customer’s Personal and Sensitive Data in order to enter into a service agreement with the Customer and to provide Service to the Customer;
    2. Compliance Purpose – Xolo needs to Process Customer’s Personal Data in order to perform obligations under applicable laws, such as to comply with anti-money laundering requirements, and combat fraud, ensure the fulfilment of international financial sanctions, comply with the lawful inquiries and orders of public authorities with whom Xolo is obligated to cooperate;
    3. Analytical Purpose – Xolo needs to Process Customer’s Personal Data in order to manage, analyse and improve the Service, website and app, including for machine learning, automation (using LLMs and other tools), data annotation (as specified in section 7 below), testing and training and anonymized research purposes;
    4. Marketing Purpose – Xolo needs to Process Customer’s Personal Data in order to send relevant promotional information to the Customer about Xolo Services and the related offerings by third parties we work with, if the Customer has granted an explicit consent to use his/her Personal Data for this purpose;
    5. Customer Engagement Purpose – Xolo may process Personal and Sensitive Data in order to send personalised congratulatory messages, small gifts and other gestures celebrating Customer’s personal milestones for the purpose of enhancing customer relationship, if the Customer has granted an explicit consent to use his/her Personal Data for this purpose;
    6. Personalization Purpose – Xolo needs to Process Customer’s Personal Data in order to personalize the Service and the content provided to the Customer;
    7. Communication Purpose – to contact the Customer for administrative purposes such as customer service, address technical or legal issues related to the Service provided, or share updates and notifications about the Service;
    8. Business Continuity Purpose – Xolo needs to process personal details during any means of financing process to ensure business continuity.
  6. Automated decision making

    Xolo provides certain Services for Customers active in certain fields of activity. Not all fields of activity are supported by Xolo’s Services. Xolo uses automated decision making in the pre-contractual Processing in order to establish sufficiently whether the Customer is eligible to use Xolo’s Services.

    Automated decision making refers to a decision which is taken solely on the basis of automated Processing of Customer’s Personal Data. This means Processing using, for example, software code or an algorithm, which does not require human intervention. During the onboarding process, the Customer is asked for the field of activity of the service provided in the course of using Xolo’s Services. The automated decision making is necessary for entering into an agreement with Xolo. The automated decision making is used in order to accept or reject the Customer’s application to enter into a service agreement with Xolo. In case the field of activity in which the Customer wishes to act is not supported by Xolo’s Services, the Customer’s application will be rejected. Upon rejection, Xolo will inform the Customer by e-mail about the reasoning for rejection. The Customer is entitled to request human intervention or object to the decision by contacting Xolo.

  7. Technological aspects of our Service provision and development

    To improve on how the Controller provides the Services, Xolo may use automatic algorithms, machine learning, large language models (LLMs) and similar solutions. These tools help us recognize patterns in data, make informed predictions, and generate contextually accurate outputs.

    Machine learning involves the use of algorithms and statistical models that allow computer systems to learn from data and improve over time without being explicitly programmed. It helps us automate decisions, reduce human error, and enhance the precision of our Services.

    Large language models (LLMs) are a specific type of machine learning system designed to understand and generate human language. They are trained on large amounts of text data to identify linguistic patterns and relationships, allowing them to produce coherent and relevant responses based on user input. Both machine learning models and LLMs are continuously monitored and adjusted both automatically and by real people to ensure they remain accurate, fair, and effective.

    All models are trained and tested on real or anonymized datasets and their performance depends heavily on the quality of this input data. These processes are conducted solely for internal development purposes and always under a valid legal basis and contractual agreement with our Customers. Xolo is committed to using machine learning and LLM technologies in an ethical, secure, and transparent manner. We ensure that the outcomes support fair and responsible service delivery.

    Xolo may use machine learning and LLM technologies to understand and classify Customer communication and suggest appropriate responses for the appropriate Xolo employee, to train models to recognise patterns in Customer’s platform usage in order to develop and enhance the Service provided to Customers, to automate data extraction, and to screen transaction data, invoice-related data and other documentation to ensure accuracy and limit human errors.

  8. Legal grounds for Processing

    Xolo is relying on the following legal grounds when Processing Customer’s Personal Data:

    1. Processing is necessary for the performance or entry into a contract between Customer and Xolo (GDPR article 6 (1) (b)). Xolo is Processing Personal Data for Contractual Purpose under the contract entered into between Xolo and Customer;
    2. Processing is necessary for compliance with a legal obligation to which Xolo is subject (GDPR article 6 (1) (c)). Xolo is Processing Personal Data for Compliance Purpose under legal obligations to which Xolo is subject;
    3. Processing is necessary for the purposes of the legitimate interests pursued by Xolo (GDPR article 6 (1) (f)). Xolo is Processing Personal Data for Analytical, Personalization or Business Continuity Purpose under legitimate interest;
    4. Customer has granted consent to the Processing of his Personal Data (GDPR article 6 (1) (a)). Xolo is Processing Personal Data for Marketing Purpose under Customer’s consent.
  9. Transfer of the Personal Data

    Xolo may transfer Customer’s Personal Data to third parties, such as:

    1. legal and regulatory authorities (e.g. commercial register) to whom Xolo is obligated to disclose Customer’s Personal Data under the law;
    2. server hosts who host Xolo’s servers;
    3. identification service providers who help Xolo verify Customer’s identity and acquire Verification Data;
    4. communication service providers who facilitate e-mails, calls, SMS messages and other communication between Xolo and the Customer;
    5. customer support and customer management service providers;
    6. marketing service provider;
    7. Xolo’s partner bank who provides banking services to the Customer or to the legal entity controlled by the Customer or any other financial service provider;
    8. Xolo’s affiliate, i.e. any company that directly or indirectly controls Xolo; any company that is directly or indirectly controlled by Xolo; or any company that is controlled, directly or indirectly, by the ultimate parent company of Xolo. Control shall mean owning more than fifty percent of the voting rights in a company or otherwise having the power to govern the financial and the operating policies or to appoint the management of a company;
    9. Other parties involved with the provision of Xolo’s Service (accountants, auditors, lawyers, IT systems suppliers and support, or any other outsourcing providers).
    10. Third Parties in dealings related to Business Continuity Purpose - Xolo needs to process personal details during any means of financing process to ensure business continuity in accordance with article 21 of Organic Law 3/2018 of December 5, Protection of Personal Data and guarantee of digital rights.

      Xolo has taken steps to ensure that these data recipients protect the confidentiality and security of Personal Data, and to ensure that Personal Data is Processed only for the provision of Service and in compliance with applicable law.

      Such third parties may be located in countries outside of the European Economic Area ("EEA") whose privacy regulations may differ and which are not subject to adequacy decisions of the European Commission. In those countries the security of the Personal Data (inc. protection against misuse, unauthorized access, disclosure, alteration or destruction) may not be ensured as it is secured in the European Union, due to the lack of adequate data protection level.

      For example, Xolo may transfer Customer’s Personal Data to the US, in which case Xolo shall ensure that the recipient of the Personal Data has adopted standard data protection clauses adopted by a control authority and approved by the Commission, or has adopted codes of conduct, together with binding and enforceable commitments from the controller or processor in the third country to apply adequate guarantees, including those relating to the rights of the interested persons, or certification mechanisms, together with binding and enforceable commitments from the controller or processor in the third country to apply adequate guarantees, including those relating to the rights of the interested persons.

      When transferring collected Personal Data outside of the EEA, Xolo shall ensure the application of the appropriate safeguards. If the Customer wishes to receive a copy, please contact us as instructed below.
  10. Security

    Xolo will take appropriate legal, organisational, and technical measures to protect Personal Data consistent with applicable privacy and data security laws. Security measures shall be applied in order to protect Personal Data from involuntary or unauthorized Processing, disclosure or destruction.

    Upon transferring Personal Data to third parties, Xolo will apply the following safeguards:

    1. Xolo enters into a data processing agreement with the relevant third party;
    2. Xolo makes sure that such third party undertakes to implement appropriate technical and organizational measures ensuring the Processing of Customer’s Personal Data in accordance with this Policy and applicable law;
    3. Xolo makes sure that (a) the third party is established in a jurisdiction which the European Commission has recognized as ensuring an adequate level of personal data protection, or (b) the Processing of Customer’s Personal Data is subject to other appropriate safeguards stipulated in the GDPR.
  11. Integrity and retention of the Personal Data

    Xolo will retain Personal Data for the period required or permitted by applicable law, but no longer than is reasonably necessary in order to achieve the purposes for which the Personal Data was collected. Xolo’s general data retention period is 10 years after ending the business relationship with you. This is a statutory data retention period which we have to follow to be compliant with our legal obligations. In some cases we may need to hold your personal data for longer to meet our legal obligations (for example accounting-related data needs to be stored for a statutory time period, typically 7 years) or if we have a legitimate interest (if longer data retention is for example required by our cooperation partners) to do so and in some cases we will hold your data for less time. Data retention details are available in Annex 1 of this Policy.

    Xolo takes reasonable steps to ensure that the Personal Data we Process is reliable for its intended use, accurate, and complete as necessary to carry out the purposes described herein.

  12. Customer’s rights regarding the collection of Personal Data

    Customer has the following rights in relation to the Processing of his Personal Data:

    1. Request information - Xolo has provided all information which the Customer has the right to receive in this Policy. The valid version of the Policy is available on Xolo’s website at any time.
    2. Right to access - Customer has the right to ask Xolo to provide a copy of Customer’s Personal Data which Xolo Processes.
    3. Right to Rectification - Customer has the right to ask Xolo to rectify Personal Data in case the data is incorrect or incomplete.
    4. Right to Erasure - Customer has the right to ask Xolo to erase Personal Data, unless Xolo is obliged to continue Processing Customer’s Personal Data under law or under a contract between the Customer and Xolo, or in case Xolo has other lawful grounds for the continued Processing of Personal Data.
    5. Right to Restriction - Customer has the right to ask Xolo to restrict the Processing of his Personal Data in case the data is incorrect or incomplete or in case his Personal Data is Processed unlawfully.
    6. Right to Data Portability - Customer has the right to ask Xolo to provide the Customer or, in case it is technically feasible, a third party, his Personal Data, which the Customer has provided to Xolo and which is Processed in accordance with Customer’s consent or a contract between the Customer and Xolo.
    7. Right to Object - Customer has the right to object to Processing his Personal Data in case there is a reason to believe that Xolo has no lawful grounds for Processing the Personal Data.
    8. Right to withdraw Consent for the Processing of Personal Data - Customer is entitled to withdraw the consent granted for the Processing of Personal Data at any time. Withdrawal does not affect the lawfulness of the Processing conducted before the withdrawal.
    9. Right to File Complaints - Customer has the right to file complaints regarding Processing of his Personal Data.
    10. In order to exercise any rights referred herein the Customer is required to submit a written application to Xolo (Xolo’s contact details can be found under Section 16). Xolo has the right to decline this application by justifying the reasons for the refusal. According to the article 12(3) of GDPR, Xolo is obligated to respond to the application within 1 month. However, Xolo will make its best efforts to respond to Customer’s request within 1 week.

    When the Customer provides Personal Data of their partner, spouse, children, or other relatives, they do so to ensure the accuracy of their annual tax return filings (RENTA). Xolo processes this third-party personal data solely for the provision of the RENTA service. We respect the privacy of each Customer’s family members – they are entitled to the same data protection rights outlined above and may contact us at any time to exercise the rights as described in Section 13.

  13. Commercial Communication

    If a Customer receives commercial emails from us, he may unsubscribe at any time by following the instructions contained within the email or by sending an email to info@xolo.io.

    The Customer is able to view and modify settings relating to the nature and frequency of promotional communications that they receive from us by accessing the "Personal Settings" section in the self service area of the website.

    The Customer has to be aware that if he opts out of receiving commercial emails from us or otherwise modifies the nature or frequency of promotional communications he receives from us, it may take up to five (5) business days for us to Process the request. Additionally, even after he/she opts out of receiving commercial messages from us, he/she will continue to receive administrative messages from us regarding the Service.

  14. Applicable law and jurisdiction

    This Policy will be governed by and construed in accordance with Spanish law. Without prejudice to any rights the Customer may have to refer a complaint to the authorities, the courts of Spain have exclusive jurisdiction to settle any dispute arising in connection with this Policy and for such purposes Xolo and the Customer will irrevocably submit to the jurisdiction of the Spanish courts.

  15. Right to amend this Policy

    Xolo is entitled to unilaterally amend this Policy from time to time. In case of significant changes, Xolo will notify the Customer about the changes via e-mail. In case the new terms refer to Processing of Customer’s Personal Data for any new purpose, which requires Customer’s consent, then Xolo will not Process Personal Data for such new purpose, before it has received respective consent.

  16. Contact Information

    Should the Customers have any questions regarding this Policy or they want to exercise their rights, they are welcome to contact Xolo with requests, inquiries or any complaints via email: info@xolo.io clearly indicating (i) your identity, indicating, at least, your full name and the email address you used when registering on the website, and (ii) the right or rights you exercise.

    You can also go to the Spanish Data Protection Agency (www.agpd.es) to request the protection of your rights, if you consider it appropriate.

    The exercise of these rights is free, unless manifestly unfounded or excessive requests are made, in which case the interested party may be required to assume the cost of the processing.

  17. Confirmation

    By accepting this Policy, the Customer confirms that he has familiarized himself with this Policy, understood it and agrees to its terms.

Last updated: March 19, 2026

Annex 1.

Personal data processing details.

Personal Details – full name (surname and given name), gender, personal identification code, date of birth, nationality, contact postal address, e-mail address, mobile phone number, bank where the personal bank account exists, date of onboarding
    Purpose: Compliance Purpose; Contractual Purpose; Communication Purpose; Marketing Purpose; Customer Engagement Purpose
    Source: Directly from the Customer; some data points are verified using public databases, which depends on the residence of the data subject
    Legal basis: Legal obligations (GDPR art 6 (1)(c)); Performance of a contract (GDPR art 6 (1)(b)); Consent (GDPR art 6 (1)(a))
    Retention: 10 years after ending the business relationship with you or 10 years after cancellation of the onboarding

Identification Data – data retrieved from the copy of a passport, such as document number, issue date, expiry date and issuing entity, photo, URL of a Portfolio or LinkedIn profile
    Purpose: Compliance Purpose; Contractual Purpose
    Source: Directly from the Customer; some data points are verified using public databases, which depends on the residence of the data subject
    Legal basis: Legal obligations (GDPR art 6 (1)(c)); Performance of a contract (GDPR art 6 (1)(b))
    Retention: 10 years after ending the business relationship with you or 10 years after cancellation of the onboarding

Verification Data – data which Xolo collects for the purpose of conducting Customer due diligence under applicable anti-money laundering laws. Xolo collects data concerning whether the Customer is politically exposed and whether the Customer is subject to any international financial sanctions.
    Purpose: Compliance Purpose
    Source: Directly from the Customer; some data points are verified using public databases, which depends on the residence of the data subject
    Legal basis: Legal obligations (GDPR art 6 (1)(c))
    Retention: 10 years after ending the business relationship with you or 10 years after cancellation of the onboarding

Background and Profile Data – data Xolo collects and Processes for the purpose of conducting Customer adverse media checks via open sources, as well as Customer’s profile data, such as name, e-mail, address, language preference and profile picture
    Purpose: Compliance Purpose; Contractual Purpose
    Source: Directly from the Customer; some data points are verified using public databases, which depends on the residence of the data subject
    Legal basis: Legal obligations (GDPR art 6 (1)(c)); Performance of a contract (GDPR art 6 (1)(b))
    Retention: 10 years after ending the business relationship with you or 10 years after cancellation of the onboarding

Payment Data – data concerning payments for Xolo’s Service and state fees, such as account number (IBAN), account holder name, bank name, transaction details. If the Customer chooses to pay for the Service by credit card or by PayPal, his/her payment details are not stored by Xolo and therefore cannot be accessed by Xolo.
    Purpose: Contractual Purpose; Compliance Purpose
    Source: Directly from the Customer
    Legal basis: Legitimate interest (GDPR art 6 (1)(f)); Performance of a contract (GDPR art 6 (1)(b)); Legal obligations (GDPR art 6 (1)(c))
    Retention: Retained for the longer of the two periods: 10 years after ending the business relationship with you; as long as required by respective accounting, tax or other laws

Business related Data – in the course of providing the Service, Xolo collects and Processes data concerning the field of activity in which the Customer wishes to act
    Purpose: Compliance Purpose; Analytical Purpose
    Source: Directly from the Customer
    Legal basis: Legal obligations (GDPR art 6 (1)(c)); Legitimate interest (GDPR art 6 (1)(f))
    Retention: Retained for the longer of the two periods: 10 years after ending the business relationship with you; as long as required by respective accounting, tax or other laws

Device Data – information regarding the device on which the Customer is using Xolo’s website/app, including the device’s model, name or any other identifier and the IP address
    Purpose: Analytical Purpose; Personalization Purpose; Compliance Purpose
    Source: Directly from the Customer
    Legal basis: Legitimate interest (GDPR art 6 (1)(f)); Performance of a contract (GDPR art 6 (1)(b)); Legal obligations (GDPR art 6 (1)(c))
    Retention: 10 years after ending the business relationship with you or 10 years after cancellation of the onboarding

Preference Data – Customer’s preferences in Xolo’s website/app
    Purpose: Analytical Purpose; Personalization Purpose
    Source: Directly from the Customer
    Legal basis: Legitimate interest (GDPR art 6 (1)(f)); Performance of a contract (GDPR art 6 (1)(b))
    Retention: 1 year after termination of the Business relationship

Customer Support Data – communication between Xolo and the Customer (inquiries submitted via the website, email, social media or chat)
    Purpose: Compliance Purpose; Contractual Purpose; Communication Purpose
    Source: Directly from the Customer
    Legal basis: Legal obligations (GDPR art 6 (1)(c)); Performance of a contract (GDPR art 6 (1)(b))
    Retention: 10 years after ending the business relationship with you or 10 years after cancellation of the onboarding

Usage Data – data about Customer’s interaction in Xolo’s website/app
    Purpose: Analytical Purpose; Business Continuity Purpose
    Source: Directly from the Customer
    Legal basis: Legitimate interest (GDPR art 6 (1)(f))
    Retention: 1 year after termination of the Business relationship

Sensitive Data – data which includes special categories of personal data (as defined in GDPR) and other sensitive data such as, but not limited to, marital status, possible religious affections, health data and data concerning Customer’s spouse and children
    Purpose: Contractual Purpose; Customer Engagement Purpose; Marketing Purpose
    Source: Directly from the Customer
    Legal basis: Performance of a contract (GDPR art 6 (1)(b)); Legal obligations (GDPR art 6 (1)(c)); Consent (GDPR art 6 (1)(a)); Legitimate interest (GDPR art 6 (1)(f))
    Retention: 5 years after the submission of the Reports or until the termination of the business relationship