Privacy Policy
Last updated: June 2026 · Next review: June 2027
1. Data Controller
Rubén Bordonada Arroyo ([Tax ID — pending model 037]), owner of IAGovernance.com, based in Zaragoza, Spain. Contact: privacidad@iagovernance.com
2. Data We Collect and Purposes
We collect personal data in the following contexts:
2.1 Free Assessment (email gate)
When you complete the AI Governance or Data Governance assessment and choose to receive the report, we collect: email, name, company, industry, company size, and professional role.
- Primary purpose: sending you the results report and personalized roadmap.
- Legal basis: performance of the requested service — Art. 6.1.b GDPR.
- Secondary purpose (only if you check the box): sending you updates on the AI Act, Data Governance, and regulatory compliance, at a maximum frequency of 2 emails per month.
- Legal basis for communications: explicit consent — Art. 6.1.a GDPR. You can withdraw consent at any time by replying to the email or contacting us.
We also automatically collect: country and city of origin (via IP geolocation through ipapi.co), browser language, and consent timestamp. This data is used solely to segment assessment analysis and is not shared with third parties for commercial purposes.
2.2 Data We Do Not Collect
We do not collect special category data (health, ideology, ethnic origin, etc.), data from minors, or payment information (payments are handled entirely by Lemon Squeezy as Merchant of Record).
3. Data Processors and International Transfers
We use the following services as data processors:
- Google LLC (Google Sheets / Google Workspace): storage of assessment leads. The transfer of data to the USA is covered by the EU-U.S. Data Privacy Framework (European Commission Adequacy Decision, July 2023). Google LLC is DPF-certified. More info: Google's privacy policy.
- Lemon Squeezy (Merchant of Record): payment and invoicing management for digital products. Lemon Squeezy acts as the direct seller and data controller for payment data. Its privacy policy is available on its website.
- Netlify Inc.: website hosting. Servers are located in the EU. More info in Netlify's privacy policy.
- Plausible Analytics: cookie-free web analytics, with no identifiable personal data, fully GDPR-compliant. Data is stored in the EU.
- ipapi.co: IP geolocation service to detect the user's country. Only accessed when the user completes the assessment form. The IP address is not stored.
4. Data Retention
Assessment data is retained for 24 months from the date of capture, or until the user requests its deletion. Data with newsletter consent is retained while that consent remains active. After this period, data is irreversibly deleted or anonymized.
5. User Rights
Under GDPR (Arts. 15-22), you have the right to:
- Access: know what data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten").
- Objection: object to processing based on legitimate interest.
- Portability: receive your data in a structured format.
- Withdrawal of consent: at any time for newsletter communications, without affecting the lawfulness of prior processing.
- Complaint to the AEPD: if you believe processing violates your rights, you can file a complaint with the Spanish Data Protection Agency (www.aepd.es).
To exercise any right, email us at privacidad@iagovernance.com stating your name, email, and the right you wish to exercise. We will respond within a maximum of 30 days.
6. Cookies and Tracking Technologies
IAGovernance.com uses Plausible Analytics, a web analytics tool that does not use cookies or track users across sites. It does not collect identifiable personal data. For more information, see our Cookie Policy.
We also use the browser's localStorage to remember whether the user has already completed the assessment's email gate, avoiding showing it repeatedly. This data stays exclusively in the user's browser and is never sent to our servers.
7. Security
We apply appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or alteration, including HTTPS across all communications and access controls on the spreadsheets where leads are stored.
8. Changes
We may update this policy to reflect changes to our services or applicable law. In the event of substantial changes, we will communicate this through the website. The last update date always appears at the top of this document.