Back to homepage

Privacy Policy

REVERSA — DISRUPTIVE LABS, S.L.

Version: 1 | Effective date: 10/04/2026

1. Data Controller

The data controller is DISRUPTIVE LABS, S.L. (“Reversa”), with Tax ID B21866249 and registered address at Calle Valle de la Fuenfría 10, P1, 6ºC, 28034 Madrid.

Data protection contact: tomas@reversa.ai.

2. Scope

For the purposes of this privacy policy, the following terms shall have the meaning set out below: (i) “Platform”: the regulatory intelligence technology platform developed and operated by Reversa, accessible in SaaS mode through the Reversa website, including any updates, improvements or successive versions; and (ii) “Policy”: this Privacy Policy, together with any amendments or updates made in accordance with section 10.

Reversa undertakes to observe the following principles in the processing of personal data: (i) it will not request personal information unless strictly necessary for the provision of the contracted services; (ii) it will not share users’ personal data with third parties, except in the cases provided for in this Policy, in order to comply with legal obligations or where there is express authorization from the data subject; and (iii) it will not use personal data for purposes other than those expressly set out in this Policy.

This Policy governs the processing of personal data of: (i) representatives and designated users of clients who access the Platform; (ii) contact persons of potential clients; and (iii) visitors to the Reversa website. Accessing and using the Platform or any means that entails processing of personal data through it implies acceptance of this Policy, as well as of the provisions contained in the Legal Notice. References in this Policy to the Platform and the Reversa website shall be interchangeable and shall be understood jointly.

3. Data Processed and Purposes

3.1 Contract management and access to the Platform

Data: identification and contact data of the client’s representative and users (name, surname, position, email, telephone, IP address, access credentials); professional data and employment details; financial data (billing data, bank or credit card details necessary for payment processing); and Platform browsing and usage data (sections visited, session times, IP address, device type and browser).

Purpose: performance of the service provision contract and management of access.

Legal basis: performance of a contract to which the data subject is a party (art. 6.1.b GDPR).

Retention period: for the term of the contract and, once terminated, for the time necessary to address any legal liabilities and, in any case, subject to the blocking regime regulated in art. 32 LOPDGDD.

3.2 Commercial communications and pre-contractual relationship

Data: identification and contact data of representatives of potential clients.

Purpose: management of requests for information and, where there is a prior contractual relationship and for similar services, sending commercial communications about the Platform.

Legal basis: legitimate interest of Reversa (art. 6.1.f GDPR) or, where applicable, consent (art. 6.1.a GDPR). Consent, where obtained, shall be freely given, specific, informed and unambiguous, and provided separately for each purpose.

Retention period: until the consent is withdrawn or the right to object is exercised. The data subject may object at any time in a simple and free-of-charge manner by communication to the address provided.

3.3 Platform technical and usage data — Key distinction

Two categories of data generated during the use of the Platform are distinguished:

(a) Confidential Client interaction data

These are the documents, queries, outputs and any information that the Client or its users upload, enter or generate in the Platform in the exercise of their professional activity and which are directly linked to their specific operational context.

  • This data is the exclusive property of the Client.
  • Reversa will process it solely as data processor, in the name and on behalf of the Client, subject to the data processing agreement (DPA) entered into between the parties.
  • It shall not be used to train, fine-tune or improve Reversa’s models or agents, except with the express written authorization of the Client.

(b) Aggregated and anonymized technical and usage data

These are performance data, system logs, usage metrics (response times, aggregated types of query, technical errors) and interactions that have been subject to an irreversible anonymization process, such that they do not allow the Client or any user to be identified. Reversa may process this aggregated and anonymized technical and usage data to operate, maintain and improve the Service, without identifying the Client or its end users.

3.4 Cookies and similar technologies

For the use of cookies or storage technologies on the user’s terminal that are not strictly necessary for the provision of the service, Reversa will obtain the user’s prior informed consent, providing clear and complete information about their use and purposes. Strictly necessary technical cookies do not require consent. Full details are set out in the Cookie Policy available on the Platform.

3.5 Source of the personal data

The personal data processed by Reversa comes from the following sources: (i) data provided directly by the data subject or by the Client by filling in forms, sending communications or any other means of contact with Reversa; (ii) data generated as a result of the user’s navigation and use of the Platform; (iii) data generated as a result of the development, handling and maintenance of the contractual relationship between the Client and Reversa; and (iv) third-party data provided by the Client or its users in the context of the use of the Platform.

4. Legitimation of Processing for Service Improvement (Learning)

Where Reversa intends to use interactions or content which, despite the anonymization process, may contain traces of personal data for the purpose of improving or training its artificial intelligence models and agents, such processing shall be subject to the following rules:

  • Legal basis: explicit, granular consent, separate from the main processing. Such consent shall be freely given, specific, informed and unambiguous.
  • Provision of the service shall not be conditional upon the Client or its users consenting to processing for improvement/learning purposes, given that such purposes are not necessary for the performance of the services contract.
  • The Client may revoke this consent at any time without this affecting the provision of the main service.

5. Recipients and International Transfers

Reversa will not transfer personal data to third parties except in the following cases: (a) to comply with legal obligations or when applicable law so requires in good faith; (b) through data processors (technology providers, sub-processors) acting under Reversa’s instructions and with appropriate contractual safeguards; (c) where there is express authorization from the data subject; (d) at the request of government authorities in the context of ongoing investigations; (e) to verify or enforce the terms of use or other applicable policies; (f) to detect and protect against fraud or technical or security vulnerabilities; (g) to respond to emergency situations; or (h) to protect the rights, property or safety of Reversa, its clients or the general public.

Where providers located outside the European Economic Area are used, transfers shall be protected by the appropriate safeguards provided for in Chapter V of the GDPR (adequacy decision, standard contractual clauses or other equivalent safeguards).

6. Rights of Data Subjects

Data subjects may exercise the following rights, directly or through a representative, by means of a request addressed to tomas@reversa.ai:

  • Right of access: the data subject may ascertain whether Reversa is processing personal data concerning them and, where applicable, obtain information on the purposes, categories of data, recipients and applicable retention periods.
  • Right of rectification and erasure: the data subject may request the rectification of their data where it is inaccurate or incomplete, as well as its erasure where they consider that it is no longer necessary for the purposes for which it was collected.
  • Right to object: the data subject may object to the processing of their data, unless there are compelling legitimate grounds or it is necessary for the exercise or defense of possible claims, in which case Reversa will keep the data duly blocked for the corresponding periods.
  • Right to restriction of processing: the data subject may request the restriction of processing while the contestation of the accuracy or lawfulness of the data is verified, or during the exercise or defense of possible claims.
  • Right to portability: the data subject may request the transmission of their data to another controller in a structured, commonly used and machine-readable format, in the circumstances provided for by applicable law.
  • Where there is processing for profiling purposes with legal or similarly significant effects, the data subject shall have the right to object to automated individual decisions.

The exercise of the above rights is free of charge.

Data subjects also have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) or other competent authority.

7. Security Measures

Reversa maintains the levels of security required by current regulations to protect personal data against accidental loss and unauthorized access, processing or disclosure, taking into account the state of technology, the nature of the data stored and the risks to which it is exposed. The measures aimed at ensuring a level of security appropriate to the risk shall include, where applicable: (i) the pseudonymization and encryption of personal data; (ii) measures capable of ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) measures capable of restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; (v) the periodic assessment of the risk of accidental or unlawful destruction, loss or alteration of personal data; and (vi) measures to ensure that any person acting under the authority of Reversa and having access to personal data processes it only on Reversa’s instructions.

8. Retention and Deletion

Upon termination of the contractual relationship, Reversa may delete the Client’s data in accordance with its policies, unless there is a legal obligation to retain it.

In particular: (i) where there is a contract or any type of legal relationship that binds the data subject to Reversa, the data will be kept for the time necessary to fulfill the contractual relationship and, in any case, for the limitation periods required by applicable legislation, being subsequently deleted unless it is necessary to keep it to comply with any legal provision or administrative or judicial requirement; (ii) contact data will be processed for the time necessary to attend to and manage the queries made and, in the case of sending information about Reversa’s services, for as long as the data subject does not object to such sending; and (iii) personal data processed as a result of navigation on the Platform will be retained as long as the data subject does not revoke their consent and, in any case, for a maximum period of one (1) year.

Where deletion is appropriate, the data will be blocked in accordance with art. 32 LOPDGDD, remaining reserved exclusively for being made available to judges, the public prosecutor’s office or competent authorities during the limitation period of the corresponding actions, after which they will be destroyed.

9. Amendments

Reversa reserves the right to update this Policy. Amendments will be notified with reasonable advance notice through the Platform or by email. Continued use of the Platform after due notification will imply acceptance of the updated version, except in those cases in which applicable law requires the express consent of the data subject.

10. User Responsibility

The user shall be solely responsible in the event of completing forms with false, inaccurate, incomplete or outdated data.

The user and, where applicable, the Client, warrant to Reversa that the personal data provided through the Platform or by any other means has been obtained lawfully and that they have all the authorizations, consents and legal bases legally required for its communication and processing by Reversa in accordance with the purposes set out in this Policy. In particular, where the user or the Client provides personal data of third parties, they warrant that they have previously informed such third parties of the content of this Policy and have obtained their consent or another valid legitimizing basis for the communication of their data to Reversa. The user and the Client shall hold Reversa harmless against any claim, penalty or liability that may arise from the breach of the obligations set out in this section.

Cookie Usage

We use analytical cookies to improve our website and your experience. For more information, visit our Cookie Policy.