DATA PROTECTION AND PRIVACY POLICY
This legal text informs you about how we collect and process your personal data through the use of our website www.cartesio.com (hereinafter, theWebsite”), including any information you may provide to us through the Website, such as when you submit your contact details via the designated form or when you register as a client.
By providing us with your data, the user warrants that they have sufficient legal capacity to give consent and to access our services.
- Data Controller
For the purposes provided for in the European General Data Protection Regulation EU 2016/679, of April 27, of the Parliament and the Council ("GDPR") and other applicable national regulations, Cartesio Inversiones, SGIIC, S.A., with registered office at Glorieta de Rubén Darío, 28010 – Madrid (hereinafter,"Cartesio"), informs you that it is the Data Controller of the data processed through this Website as well as those subsequently processed as a result of its activity.
Cartesio fully complies with the current legislation on the protection of personal data, and with the confidentiality commitments inherent to its activity.
- Data Protection Officer
Cartesio has a Data Protection Officer responsible for overseeing and ensuring compliance with data protection within the entity. For any inquiries or requests related to data protection, you may contact them at the following email address: dpo@cartesio.com.
- What personal data processing does Cartesio carry out?
Cartesio obtains personal data through the following means:
- Through the contact form on the Website or through its employees or collaborators via any means—email, phone, or in-person meetings—identification and contact data is collected. Specifically, name, surname, email address, and telephone number to respond to your request based on Articles 6.1.a) and 6.1.b) of the GDPR. Cartesio will retain this data for the time necessary to respond. Interested parties may also contact via WhatsApp if they choose to do so based on their will to use this medium (Art. 6.1.a) GDPR). More information on WhatsApp use is available in section eight “Use of WhatsApp”.
If such data is not necessary and a relationship is not established with Cartesio, it will be deleted within six months of reviewing the request.
- Through the Website, technical and analytical cookie data is collected. Cookies are small data files sent to the user’s computer, mobile phone, or other access device when visiting a website. They allow information about the user’s browsing to be obtained or generate a unique identification code. Cartesio uses first party and third-party cookies for necessary technical purposes to navigate the Website, as well as for analytical purposes. The user may consent to the use of non-technical cookies (Art. 6.1.a of the GDPR). Detailed information about Cartesio’s cookie use can be found in our Cookies Policy.
- Client onboarding procedure. Through the designated forms, either via the Website or traditionally by email or at the office, Cartesio collects the personal data necessary to analyze your request and profile and to manage your possible registration as a client (Art. 6.1.b of the GDPR). Detailed information on the use of data from potential and actual clients of Cartesio is further detailed in section five, “Processing of personal data of clients”.
- Private Client Area. Cartesio provides clients who have registered directly with Cartesio (not through third-party distributors) a private web area where they can access updated information on their investments (Art. 6.1.b of the GDPR). Clients may also contact Cartesio through this medium.
- Monthly factsheet.Individuals, either clients or professionals who have shown interest (Art. 6.1.a of the GDPR), will receive monthly communication about Cartesio’s activity or other relevant investment information. They will receive the factsheet until they unsubscribe. Upon unsubscribing, if they are not clients, their data will be deleted.
- Collection and updating of personal data
Cartesio requires certain essential data from users to provide its services. This data will be requested personally or through web forms. At the time of data collection, users will be duly informed of their rights in terms of personal data protection.
To ensure that the information in our processing systems is always up-to-date and error-free, we request that our clients and users inform us as soon as possible of any modifications or corrections to their personal data.
- Processing of clients' personal data
Cartesio obtains personal data through all know-your-client (KYC) forms, meetings, public records, and, if applicable, third-party databases specialized in identification tasks. Likewise, Cartesio may process data of third parties such as legal representatives, authorized persons, beneficial owners, indirect owners of the company, administrators, family members, and minors communicated by the client to Cartesio. Clients commit to informing these third parties about Cartesio’s processing of their data.
All requested data must be provided in order to process the client onboarding, without which the procedure cannot be completed.
- Purpose and legal basis of data processing by Cartesio
- Client registration and service provision (Art. 6.1.b of the GDPR), which includes all related tasks such as managing subscription, redemption, and transfer orders, which involve: (i) data sharing with depositary entities and fund administrators; (ii) sending regular updates about contracted products or positions; and (iii) managing information about investors, payments, and collections. Also, through the “Private Client Area” on the Website, Cartesio will process the relevant information available in that private space and identity verification data that allows clients to access their profile.
- Compliance with legal obligations (Art. 6.1.c of the GDPR):
- Analysis of client profiles as required by investment services regulations. These profiles are created based on information provided in the suitability test for classification purposes.
- In compliance with Anti-Money Laundering and Counter-Terrorist Financing (AML/CTF) obligations, Cartesio may:
- Carry out identification and updating personal data through internal or external sources.
- Communicate data to public administrations and regulatory bodies inside or outside the European Union, where such transfer is mandatory under current legislation and for reasons of public interest.
- Likewise, based on applicable legislation, different regulatory authorities, tax authorities, or courts may require Cartesio to provide information related to clients' personal data.
- Processing of Data Derived from the Exercise of Data Protection Rights.
- Consent (Art. 6.1.a of the GDPR):
- Based on the clients’ request regarding the execution of transfer operations, personal data will be communicated to the destination management companies indicated by the clients.
- Likewise, clients who wish may use WhatsApp as a means of communication. More information about the use of WhatsApp as a communication channel with Cartesio is available in section eight “Use of WhatsApp”.
- Communications about Cartesio, monthly reports or other information about investment opportunities. Unless the client has indicated otherwise, through the opposition procedure provided (either in the registration documentation or through each communication), Cartesio may process personal data to send commercial information, both by electronic and traditional means, about other services or products offered by it. The legal basis for offering Cartesio products is as follows:
- In the case of electronic communications, the Spanish Law 34/2002, on Information Society Services and Electronic Commerce.
- In the case of communications by telephone calls, postal mail or promotional documentation and in accordance with the provisions of Law 11/2022, of June 28, General Telecommunications Law and the GDPR, Cartesio relies on its legitimate interest (Art. 6.1.f) of the GDPR) to maintain and improve the contracting of its products.
No data relating to special categories of personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health information is collected. However, in compliance with AML/CFT obligations, data on infractions and sanctions may be processed that could result in the inability to contract with Cartesio.
- Retention of Clients’ Personal Data
Clients’ personal data will be processed as long as the contractual relationship remains in place. In this regard, Cartesio will keep the personal data of its clients duly blocked, after the termination of the contractual relationship, for the limitation period of any legal actions that could arise from the relationship maintained with the data subject. In any case, AML/CFT regulations require such data to be kept for a period of 10 years from the termination of the business relationship or the execution of the transaction.
- Recipients of Clients’ Personal Data
Recipients of clients’ personal data may include:
- The delegated administrator of the contracted funds.
- Distributors or destination managers to whom Cartesio transfer client data as a result of executing transfer operations initiated at the request of the clients when Cartesio is the original manager of the transferred funds.
- Sub-custodian entities and other depositary entities.
- Regulatory bodies and public institutions of the General State Administration, regional or local administrations, or authorities that may be located within or outside the European Economic Area, to whom the transfer is legally required.
- Judicial bodies.
- Service providers that may access personal data as part of their service provision, such as auditors, external experts, lawyers, delegated administration service providers, consultants, advisors, IT maintenance providers, technological platforms, data hosting and backup services, potential buyers or investors, administrative services, and document destruction services, among others. Cartesio pre-selects these providers based on data protection compliance criteria, has signed data protection contracts with them, and monitors their compliance.
International Transfers and Safeguards
It may be the case that some of the service providers mentioned above are located in countries outside the European Union, whose level of protection is not the same as that of the European Union. In such cases, either the exceptions set out in Article 49 of the GDPR apply, or, in compliance with Article 46 of the same regulation, Cartesio adopts appropriate safeguards by signing a contract that includes the standard contractual clauses approved by the European Commission to ensure the protection of personal data, as well as reinforced measures to ensure that these third parties guarantee a level of protection similar to that of the EU, with concrete measures to preserve the confidentiality, integrity, availability, resilience, and control of the personal data that may be processed.
In this sense, one of the providers used by Cartesio is the Mailchimp platform, operated by Intuit Inc., based in the United States, to manage the sending of electronic communications to our investment clients as well as to subscribers of the newsletter (factsheet recipients). The use of this service involves the international transfer of personal data to a country outside the European Economic Area (USA).
Mailchimp is certified under the EU-U.S. Data Privacy Framework (DPF), approved by the European Commission on July 10, 2023, which ensures that data processing by this provider offers an adequate level of protection under the terms provided for in Article 45 of Regulation (EU) 2016/679 (GDPR).
The personal data processed through Mailchimp is limited to what is strictly necessary (name, email address, and, if applicable, client category and communication preferences) and is used exclusively to send information about our investment services, institutional activities or previously requested or authorized informative content. This data is not shared with third parties for other purposes and will be retained as long as the contractual relationship exists or the consent has not been revoked.
At any time, data subjects may object to the processing of their data for direct marketing purposes, including treatments based on simplified profiling to tailor the content of communications. Likewise, they may revoke their consent or exercise their rights of access, rectification, erasure, restriction, and portability by sending a written request, accompanied by a copy of their identity document, to the following email address: dpo@cartesio.com, or by postal mail to: Cartesio Inversiones, SGIIC, S.A., Glorieta de Rubén Darío, 3, 28010 – Madrid, Spain.
More information about the processing of personal data by Mailchimp can be found in its privacy policy:
- Risk Analysis and Security Measures
Cartesio has adopted the necessary measures to ensure the security of information, as required by Article 32 of the GDPR, according to the nature of the personal data processed and the circumstances of the processing, in order to avoid, as far as possible and always according to the state of the art, its alteration, loss, unauthorized processing or access, thus guaranteeing its confidentiality, integrity and availability.
Likewise, Cartesio has carried out risk analyses in terms of data protection for all the processing activities identified in this document. In the matters analyzed, aspects relating to: processing of special categories of data; volume of data; involvement of third parties in the data flow; evaluation of personal aspects of individuals; categorization/segmentation; carrying out creditworthiness management tasks; use of external reference files; contracting of external providers; data transfers; legal bases for processing and the possibility for data subjects to exercise their data protection rights, among others, have been taken into account.
All staff employed by Cartesio and its third-party collaborators are obliged to comply with the aforementioned regulations, with special attention to their duties and obligations, including the duty of confidentiality, which will be duly determined by Cartesio.
- Confidentiality and Professional Secrecy
The data collected in all private communications between Cartesio and clients or users will be treated with absolute confidentiality. Cartesio undertakes to maintain the secrecy of personal data, to safeguard it, and to adopt all necessary measures to prevent its alteration, loss, and unauthorized processing or access, in accordance with the current regulations.
In addition, the information of any type that the parties exchange between themselves, that which they agree to be of such nature, or that which simply concerns the content of such information, shall also have the status of confidential. The visualization of data through Internet, will not suppose direct access to the same ones, except with the express consent of its owner for each occasion.
We recommend that you do not provide any third party with your identification, password or reference numbers provided by Cartesio. Furthermore, to ensure that the protection of professional secrecy between Cartesio and the customer is preserved in all communications, the customer/user must not disclose confidential information to third parties, neither of their positions at Cartesio nor even of their relationship with Cartesio.
- Use of WhatsApp
Both those interested in contacting Cartesio and customers who so wish may choose to communicate with Cartesio via WhatsApp. Such authorization implies that Cartesio may use this medium as a communication channel, as well as, if authorized, to participate in interest groups.
Those who authorize such use are informed that this use implies that:
- you must be a user of the WhatsApp application and, therefore, of your adherence to the terms and conditions of Meta Platforms, Inc. and.
- that, only if you wish to participate in WhatsApp groups, your phone number and application profile will be shared with the other members of this group.
This tool is a means of communication with Cartesio and, therefore, very useful for its speed and direct contact, but its use should be avoided for sending any message or content that exceeds this professional relationship (e.g. inappropriate content, jokes, memes, political or religious matters or any other non-professional nature). Likewise, this medium should also be avoided to send information containing personal data or confidential information. For the sending of personal information, the other means of sending information made available by Cartesio should be used.
The use of WhatsApp as a communication channel does not, under any circumstances, allow for its use to process redemption, subscription, or transfer orders of funds, which must be submitted through the channels specifically established for this purpose. Cartesio will NOT process any subscription, redemption, or transfer orders received via WhatsApp.
The authorization granted to use this channel may be revoked at any time.
Cartesio will only respond to WhatsApp messages during business hours.
- Exercise of Data Protection Rights
The holders of personal data that Cartesio may process have the following data protection rights:
- Access: They may obtain information related to the processing of personal data and a copy of said personal data.
- Rectification: If they consider that the personal data is inaccurate or incomplete, they may request that such data be modified accordingly.
- Erasure: They may request the deletion of personal data, to the extent permitted by applicable law.
- Restriction: They may request the restriction of the processing of personal data.
- Objection: They may object to the processing of personal data, for reasons related to their particular situation, and specifically, at any time, to the receipt of commercial communications.
- Data Portability: Where legally applicable, they have the right to have their personal data returned to them or, where technically feasible, to a third party.
- Not to be subject to automated individual decision-making: This aims to ensure that they are not subject to a decision based solely on data processing, including profiling, which produces legal effects or similarly significantly affects them.
- To withdraw consent: They have the right to revoke the authorization they may have granted.
To exercise these rights, data subjects can contact Cartesio Inversiones, SGIIC, S.A., Glorieta de Rubén Darío, 3, 28010 – Madrid, Spain, or via email at: dpo@cartesio.com.
In addition, they may obtain detailed information about the data protection risk analysis, the legitimate interests of Cartesio for sending commercial communications, or any other data protection information. They may also file a complaint or claim on the matter with Cartesio’s Data Protection Officer at the addresses indicated above or with the supervisory authority, the Spanish Data Protection Agency (AEPD), whose contact details are available on the websitehttps://www.aepd.es.
- Changes to the Data Protection and Privacy Policy
Cartesio reserves the right to modify its Data Protection and Privacy Policy in order to adapt it to new legislation or case law, as well as to incorporate changes that may derive from existing codes of conduct in the matter, or from strategic corporate decisions, effective as of the date of publication of such modification on Cartesio’s Website.
Last update: May 2025