Privacy Policy
PRIOR NOTICE FOR USERS OF MAPAL APPLICATIONS
This Website Privacy Notice also applies to users of the MAPAL OS and MAPAL ONE applications, as well as to users of other MAPAL applications, to the extent that these applications are integrated into MAPAL's digital ecosystem and share technological infrastructures and services managed through this website.
Therefore, all users are informed that access to and use of the applications entails the processing of personal data under the terms established in this Privacy Policy, without prejudice to any additional notices or information clauses that may be displayed within each application according to its specific functionality or user profile.
Confidentiality and security are core values of the MAPAL Group, and consequently, we are committed to ensuring User privacy at all times and not collecting unnecessary information.
We provide below all the necessary information about our Privacy Policies in relation to the personal data we collect on this website (https://mapal-os.com/) and on our back-office management platform for the hospitality and catering industry, MAPAL OS (https://mapal-os.com/en/login).
Data processing is different in both cases, based on the following terms:
• Who are the data controller and the data processor that processes your data
• For what purposes do we collect the data we request from you?
• What is the legitimacy for processing it
• Categories of personal data we process
• How long we retain personal data
• Recipients of your data
• Rights related to your personal data
• External links
• Security of your personal data
• International data transfers
Glossary
Administrator: This is the person in charge of controlling user access to the platform, managing their permissions, roles, and profiles.
Customer: For the purposes of this policy, this is the data controller who signs the Software License and Service Provision Agreement with MAPAL.
Data Processor: This refers to the company or person that provides a service to the data controller and, therefore, processes the data under the controller's instructions and for the controller's benefit. The controller makes decisions regarding the purposes and means of processing.
Data Controller: This refers to the company or person who determines the purposes and means of processing personal data. In other words, they decide why and how the data is processed, even if the processing activity is not carried out directly by them.
User: This refers to the person who accesses the platform and uses its features through a user permit and access passwords managed by the administrator.
INFORMATION FOR USERS OF THIS WEBSITE:
1. Data Controller
Mapal SOFTWARE, S.L. (B85594752) (“MAPAL”)
C/ del Arte, 21, planta 6º
28033 Madrid, España
Email: hello@mapal-os.com
Data Protection Officer: Lant Abogados (Lant Advisors, S.L.P.); email: dpo@mapal-os.com or mapal@delegado-datos.com.
2. Purposes and legitimacy of the processing of data sent through:
- CONTACT FORM:
Purposes:
Provide you with a means to contact us,
Respond to your requests for information,
Address the inquiries you receive,
Conduct analysis on Website usage to identify user preferences and behaviors,
If you provide your consent and check the relevant box, send you communications about our products, services, and activities, including by electronic means (email, SMS, WhatsApp), and also provide your data to other Mapal companies (Flow Hospitality LTD, Ideolys SAS & GetCompliant) so that they can also contact you and offer you personalised information.
Legitimation: The user's consent when requesting information from us through our contact form and by checking the box accepting the sending of their own and third-party information.
SENDING EMAILS:
Purposes:
Respond to your requests for information,
Address your requests, and
Respond to your questions or concerns.
Legitimacy: The user's consent when requesting information from us via email.
- SUSCRIPTION TO OUR NEWSLETTER:
Purposes: Sending our commercial newsletter and informative and advertising communications about our products or services that may be of interest to you, including by electronic means such as email.
Legitimacy: User consent when subscribing to our commercial mailings and/or newsletters.
- REQUEST A DEMO (https://mapal-os.com/en/request-a-demo):
Purposes: Learn how MAPAL OS tools work.
Legitimacy: User consent when requesting the demo.
3. Categories of personal data we process
Various categories of personal data are collected and processed on the MAPAL website (https://mapal-os.com/en/), depending on the interactions they have with our website. The main categories of personal data that may be processed are detailed below:
1. Identification and contact information: These data are collected when users complete contact forms, subscribe to newsletters, or send emails. It includes:
- First and last name,
- Professional email address,
- Details of the company requested,
- Any other information provided in the form.
2. Website navigation and usage data: Through cookies and other similar technologies, data related to user interaction on the website is collected, such as:
- IP address,
- Type of device and browser used,
- Pages visited and time spent,
- Browsing habits and preferences.
3. Communication data: Information provided by users when communicating with MAPAL, whether through forms, emails, or other means, including:
Inquiries,
Information requests,
Demo requests,
Comments or suggestions.
4. How long we retain personal data
The retention periods for personal data vary depending on the purpose for which it was collected:
1. Contact form:
Once your request has been submitted through our form or answered by email, if you have not generated a new treatment, and if you have agreed to receive commercial mailings, until you request to unsubscribe from them.
2. Sending e-mails:
Once the request is answered by email, if it has not generated a new data processing.
3. Suscription to newsletter:
Until the individual revokes consent and requests to unsubscribe from the service.
4. Request a demo:
For the time necessary to process the demo request and maintain related commercial communications, and/or initiate a contractual relationship if the applicant is interested.
5. Recipients of your data
Your data is confidential and will not be shared with third parties unless necessary for the provision of services or under legal obligation.
Regarding the contact forms on this website www.mapal-os.com, provided you have checked the corresponding box, your data will be shared with the following Mapal group companies so they can also contact you and offer you personalised information when necessary for internal administrative purposes or to provide services:
- Flow Hospitality LTD, Apex 3, 2nd floor (rear office), 95 Haymarket Terrace, Edinburgh, EH12 5HD, United Kingdom.
- Ideolys SAS, 52 Rue Jacques-Yves Cousteau 8500 La Roche-sur-Yon France.
- GetCompliant 2013 AB, Hornsbruksgatan, 23b Stockholm 117 34 Sweden.
- Mapal SOFTWARE, S.L., Calle del Arte, 21, floor 6º, 28033 Madrid, Spain.
MAPAL may also transfer your data to third parties when necessary to provide services, such as technology service providers (web hosting, email services, analytics, CRM, etc.) and marketing campaign or form management companies. All these providers act as data processors, under contracts that guarantee confidentiality and compliance with the GDPR.
Under no circumstances will data be transferred to third parties for commercial purposes.
6. Rights related to your personal data
Consent can be withdrawn at any time, once it has been granted for the processing of personal data. Under no circumstances does the withdrawal of this consent affect the execution of the subscription contract or the relationships previously established.
Likewise, you may exercise the following rights:
Request access to your personal data or its rectification when it is inaccurate.
Request its erasure when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
Request restriction of processing in certain circumstances.
Request objection to the processing of data for reasons related to your particular situation.
Request data portability in the cases provided for in the regulations.
Where and how to request the exercise of your rights: By writing to Mapal SOFTWARE, S.L., C/ del Arte, 21 6ºB, C.P. 28033 Madrid, Spain, or by emailing our Data Protection Officer at mapal@delegado-datos.com or dpo@mapal-os.com, indicating the subject line "Personal Data" and specifying the right you wish to exercise and which personal data you wish to exercise.
If you believe that we have not met your rights in accordance with your expectations, you may file a complaint with the Information Commissioner's Office (https://ico.org.uk/).
7. External links
Through this Website, the user may access MAPAL's official profiles on various social media platforms, such as YouTube and LinkedIn, via external links. These links redirect to platforms managed by third parties, whose privacy and cookie policies are independent and beyond the control of MAPAL. Therefore, when accessing these sites, the user is responsible for assessing and accepting, where applicable, the conditions established by each service provider.
By interacting with our official social media profiles (for example, by following, commenting, sharing, or including content), the user consents to the processing of personal data visible on their profile, in accordance with the terms of use of each platform. This data processing may include access to public profile information, sending direct messages, or communicating through channels enabled by the social media platform itself, always within the framework of the relationship established between the user and MAPAL.
The users may manage their privacy, control their connections, restrict who accesses their information, or delete content by accessing the privacy settings of their account on the corresponding social media platform.
Please note that some of these platforms may have servers located outside the European Economic Area, which could involve international data transfers. Therefore, we recommend carefully reviewing their own privacy policies, available at the following links:
Google / YouTube: https://policies.google.com/privacy?hl=en
8. Security of your personal data
With the aim of safeguarding the security of your personal data, we inform you that we have adopted all necessary technical and organisational measures to guarantee the security of the personal data provided against alteration, loss, and unauthorised processing or access.
9. International data transfers
The personal data collected through this website are not transferred outside the European Economic Area (EEA). However, if any international transfer were to take place, MAPAL would ensure that it would be done in compliance with the GDPR and that appropriate safeguards would be in place.
INFORMATION FOR THE CUSTOMER AND ADMINISTRATORS OF THE MAPAL OS PLATFORM:
MAPAL respects your privacy and is committed to protecting the personal data we process through our MAPAL OS platform, which you access as a Customer (through your account as a user with an administrator profile) after entering into the corresponding Software License and Service Agreement.
This information explains what data we collect, how we use it, and the exercise of your rights as a Customer and administrator. The Software License and Service Agreement, hereinafter referred to as the "Agreement," involves the processing of personal data and includes a specific Data Processing Engagement Agreement as an annex. We provide the following additional information to your Agreement. In the event of any conflict between your Agreement and this document, the Agreement shall prevail.
1. Data Processor (“MAPAL”)
By virtue of the MAPAL Group company, also generically referred to as MAPAL, having entered into the Software License and Service Provision Agreement (as a supplier), the position of Data Processor corresponds to one of the following MAPAL Group companies.
- MAPAL Software S.L., C/ del Arte, 21 floor 6 Madrid 28033, Spain.
- Flow Hospitality LTD, Apex 3, 2nd floor (rear office), 95 Haymarket Terrace, Edinburgh, EH12 5HD, United Kingdom.
- Ideolys SAS, 52 Rue Jacques-Yves Cousteau 8500 La Roche-sur-Yon France.
- GetCompliant 2013 AB, Hornsbruksgatan, 23b Stockholm 117 34 Sweden.
Data Protection Officer: Lant Abogados (Lant Advisors, S.L.P.); email dpo@mapal-os.com.
2. Data Controller (“the Customer”)
Customers of MAPAL Group companies (as entities that benefit from the Software Solutions provided by MAPAL Group companies through the MAPAL OS platform, following the execution of the Software License and Service Provision Agreement) are data controllers based on the following functions:
They decide what data is collected (name, schedule, performance, absences, etc.).
They determine the purposes for which it is used (work management, time tracking, etc.).
They establish the means and legal basis for processing.
The MAPAL Group companies act as Data Processors, processing personal data on behalf of the Customer and only processing data in accordance with the Customer's documented instructions.
Therefore, MAPAL is obliged to:
Ensure appropriate technical and organizational security measures.
Not using the data for its own purposes.
Assist the Customer in complying with the GDPR (for example, in exercising employee rights).
These obligations are formalised through the aforementioned Data Processing Agreement, an annex to the "Agreement" which regulates the aspects required by the GDPR and other applicable legislation.
3. Purposes of processing
The personal data provided by the Customer (through users with an administrator profile) in MAPAL OS will be processed for the provision of services for the following purposes:
We process your personal data, as well as that of the users you manage, for the following purposes:
Customers and users with system administrator profile:
Execute the MAPAL OS service provision agreement;
Ensure the operation, maintenance, and security of the platform;
Assist with configuration, support, and training;
Send service-related notifications;
Perform system analysis and improvements (with anonymized or aggregated data);
Comply with legal or regulatory obligations.
Manage access, permissions, and authorized use of the MAPAL OS platform;
Verify the identity of the administrator user and assign appropriate permissions;
Provide technical and functional support related to the use of the platform;
Send operational communications related to the account or technical incidents;
Comply with applicable legal and security obligations.
Users (normally Customer’s employees):
The purposes of MAPAL OS processing for users (i.e., staff who access the system at the Customer's discretion and as part of their work) may vary depending on the modules contracted by the company, but generally include the following:
Work profile management;
Access and update your personal and professional information (e.g., contact information, training, availability, etc.);
Monitor attendance or schedule compliance (clocking in);
Shift and schedule management;
Check your work shifts, schedule changes, assignments, and hours worked;
Request changes, vacations, or absences;
Access training and development;
Complete online training courses or modules (e-learning);
Track your training progress and certifications;
Evaluations and performance;
Receive feedback and participate in performance reviews;
View individual or team goals assigned by managers;
Internal communication and notifications;
Receive important announcements, company documents, or messages from supervisors;
Regulatory compliance and internal policies;
Access mandatory documents, regulations, and workplace policies.
With your consent, we may also send you marketing communications related to improvements, updates, or new MAPAL products.
4. Legitimation of data processing
For the provision of services related to your role as administrator.
Contract execution: User management, users with administrator profiles, and access to the MAPAL OS platform (Art. 6.1.b GDPR).
Compliance with legal obligations (Art. 6.1.c GDPR).
MAPAL's legitimate interest in ensuring the security of the platform and its proper functioning (Art. 6.1.f GDPR).
Where applicable, express consent for the sending of commercial communications (Art. 6.1.a GDPR).
5. Categories of personal data we process
In accordance with the purposes described in this policy, MAPAL will process only the personal data strictly necessary to fulfill said purposes, in compliance with the data minimisation principle set forth in Article 5.1.c) of the General Data Protection Regulation (GDPR).
(i) Within the framework of the contracting of licenses and services (Customer):
Identification data: first and last name.
Contact information: address, email address, telephone number.
Economic and financial data: information regarding payment methods and bank details for administrative and accounting purposes.
Browsing data: related to the user's interaction with the Website and the MAPAL OS platform, in accordance with the cookie policy.
(ii) Using the MAPAL OS platform (with system administrator profile):
Identification data: first name, last name, corporate email address.
Authentication data: username, password (encrypted).
Professional data: job title, managed work center(s).
Activity data: actions performed on the platform (configuration, role assignment, report viewing, etc.).
Technical metadata: date and time of access, IP address, browser type, and operating system. Providing personal data marked as mandatory is essential for the proper management of the contractual relationship or for access to the services offered by MAPAL.
(iii) In relation to registration on the User Portal (users, normally employees):
MAPAL OS may process different categories of user personal data depending on the active modules, the data provided by the Customer on the platform, and how each Customer configures its platform. The most common categories are listed below:
- Identification date
- Date of birth
Contact information
Employment and professional data
Job title
Department or area
Assigned schedule and shifts
Employment history within the group
Assigned supervisor or manager
Training data
Training completion history (e.g., occupational risk prevention)
Attendance and schedule control data
Time recording (clocking in)
Shift attendance
Vacation or absence requests
Performance and evaluation data
Feedback received
Assigned objectives
Performance evaluations
Browsing data: related to use and behavior on the Website and the MAPAL OS platform.
User ID
Date and time of access, IP address, and device used (for traceability and security)
Other optional data (depending on the company's configuration)
Banking information (if managed by the company through MAPAL)
Work permit or visa documentation
Health information related to work-related fitness or occupational risk prevention (only if applicable and with an appropriate legal basis).
Refusal to provide this information may result in the impossibility of providing the requested services.
In cases where the execution of the services contracted by our Customers requires users to download and install an application developed by MAPAL, we inform you that said application will be governed by its own Terms of Use and the Privacy Policy specific to that application, as well as its environment and functionalities.
In this policy, you can find the terms and conditions pertaining to MAPAL ONE, which are also applicable to other applications such as Mapal Manager, among others.
6. How long we retain personal data
Upon termination of the Contract, in accordance with Article 28 of the GDPR and acting as Data Processor, we will delete from our systems the personal data you provided for the provision of the service. If you wish to download all the data you have provided to us to date, you must download your data through the platform before canceling the Contract. Once the cancellation has been processed, the personal data will be finally deleted, in compliance with the aforementioned Article 28 of the GDPR, without the possibility of recovering it.
7. Recipients of your data
Data will not be transferred to third parties unless legally required or with the data subject's consent. The following parties will only have access to the data:
1. Account managers:
- They have control over system configuration.
- They access data for work, organizational, or compliance purposes.
- They can export or integrate data with other internal systems.
2. MAPAL (Data Processor): MAPAL accesses and processes data only under the Customer's instructions, including:
- Technical support.
- Updates and maintenance.
- User account management.
MAPAL does not use this data for its own purposes or share it with third parties without the Customer's authorization, except in cases where there is a legal requirement.
3. Authorised subcontractors (MAPAL's third-party technology providers):
If MAPAL requires the hiring of an external technology provider to provide services, all applicable legal formalities will be adopted, including the signing of the corresponding Data Processing Agreement with the provider.
4. Public authorities (in exceptional cases):
Data may be communicated to administrative or judicial authorities only when there is a legal obligation to do so, such as labor inspections, judicial investigations, and compliance with tax and/or data protection regulations.
5. Other MAPAL group companies, if necessary to provide the service.
Under no circumstances will data be transferred to third parties for commercial purposes.
8. Rights related to your personal data
MAPAL provides the Customer with a Data Protection Officer who will not only be responsible for supervising all data processing carried out by MAPAL but will also be able to address any issues related to data processing. The contact details of the Supplier's Data Protection Officer are: dpo@mapal-os.com or mapal@delegado-datos.com.
Should MAPAL, as data processor, receive a request to exercise rights that the Customer must address as data controller, MAPAL will notify the Customer without delay.
Where and how to request your rights: As a Customer and/or administrator, you have the right to access your personal data, request rectification or deletion, limit or object to processing, and/or request data portability by writing to MAPAL Software, S.L., C/ del Arte, 21, 6th floor, C.P. 28033 Madrid, Spain, or by emailing our Data Protection Officer at dpo@mapal-os.com or mapal@delegado-datos.com, indicating the subject line "Personal Data" and specifying the right you wish to exercise and with respect to which personal data.
With respect to users' personal data, the Customer is responsible for providing the corresponding information and facilitating the exercise of their rights, as the Data Controller. Should users request the exercise of their rights against MAPAL, MAPAL undertakes to inform the Data Controller as soon as possible so that the Data Controller can provide the user with the corresponding information.
If you believe that we have not met your rights in accordance with your expectations, you may file a complaint with the Information Commissioner's Office (https://ico.org.uk/).
9. External links
MAPAL OS software does not typically integrate direct links to social media for registered users, as it is geared toward professional functions (employee management, training, shift work, etc.). Therefore, internal users of the software are not affected by social media from the system interface.
However, when users visit the public website (mapal-os.com), for example, to register, obtain information, or access resources, they may be affected by:
a) Third-party cookies: Some analytical, advertising, or social media cookies (such as LinkedIn or Google) may track user behavior if the user agrees to their use.
This may occur, for example, if they click on integrated social media buttons, embedded YouTube videos, links to MAPAL LinkedIn profiles, or in the case of remarketing or personalized advertising, where MAPAL may use platforms such as LinkedIn Ads or Google Ads to display ads to previous visitors to its website.
b) In the case of integrated external training and content, some modules (such as MAPAL Learning or Flow) may include externally hosted learning resources, such as YouTube videos and links to documents on other platforms.
c) If the content is loaded directly from external servers, these may collect certain technical data (such as IP address, browser, etc.).
We recommend carefully reviewing the privacy policies available at the following links:
-Google / YouTube: https://policies.google.com/privacy?hl=es
- LinkedIn: https://es.linkedin.com/legal/privacy-policy
10. Security of your personal data
In order to safeguard the security of your personal data, we inform you that we have adopted all necessary technical and organisational measures to guarantee the security of the personal data provided against alteration, loss, and unauthorised processing or access, as well as the adoption of appropriate safeguards when hiring sub processors.
MAPAL guarantees the technical and operational security of the software as the data processor.
The Customer is responsible for defining access levels, data usage and retention policies, and training its internal users.
11. International data transfers
Personal data collected through MAPAL OS is not transferred outside the European Economic Area (EEA). However, if any international transfer were to take place, MAPAL would ensure that it would be done in compliance with the GDPR and that appropriate safeguards would be in place.
INFORMATION FOR THE MAPAL ONE APPLICATION USER:
Mapal One (hereinafter "the Application") and MAPAL are registered trademarks of the group of companies formed by the following companies: Mapal Software S.L, with registered office at C/ Arte, 21, floor 6, Madrid, CP 28033, Spain. Flow Hospitality Training LTD, with registered office at Apex 3, 2nd floor (Rear office), 95 Haymarket Terrace, Edinburgh, EH12 5HD, United Kingdom. Ideolys SAS, with registered office at 52 Rue Jacques-Yves Cousteau, 8500 La Roche-sur-Yon, France. GetCompliant 2013 AB, with registered office at Hornsbruksgatan, 23b, Stockholm, Sweden.
The data controller of the data included in this Application is THE CUSTOMER, i.e., the employer, who will require its use in accordance with the employment relationship between THE EMPLOYEE (for these purposes, "the User") and THE EMPLOYER. Therefore, said data has been included in the Application under the instructions of the EMPLOYER, with our group companies acting as data processors. We process the data on behalf of and under the instructions of the employer company pursuant to the Software License and Services Agreement entered into with the EMPLOYER, as well as the Data Processing Contract attached thereto. The group, both the data controller and the data processors are obligated to comply with the provisions of current data protection legislation. Therefore, any queries, requests, or exercise of rights of access, rectification, deletion, restriction, objection, and portability of your data may be directed to your EMPLOYER's Human Resources Department and the data controller. If you wish, you may also contact our data protection officer: mapal@delegado-datos.com or dpo@mapal-os.com.
You may also file a complaint with your local supervisory authority. You can find the terms of use for the MAPAL ONE Application at the following link: https://mapal-os.com/en/legal-notice.
12. Update of the Policies
It is important that you inform us whenever there has been any change in your personal data so that we can keep it up to date. Otherwise, we are not responsible for its accuracy.
We are not responsible for the privacy policy regarding the personal data you may provide to third parties through the links available on our website.
These Privacy Policies may be modified to adapt them to changes on our website, as well as legislative or jurisprudential changes that affect the processing of your personal data, so you must review them periodically.
Last review May 2025