Privacy Policy — Visualnet

At Visualnet we respect your privacy and protect your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR"), the Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"), and complementary applicable legislation. This Policy explains how we collect, use, retain and protect your information.

This version 2.0 supersedes and replaces version 1.0 (January 2026).

1. Data controller

Legal name: Production Lifecycle Management, S.L.
Tax ID: B65356727
Registered office: Barcelona, Spain
Activity: B2B procurement platform for audiovisual production services and international directory of suppliers
Privacy contact: privacidad@visualnet.com

1.1 Data Protection Officer

Visualnet has assessed the criteria of Article 37 of the GDPR and Article 34 of the LOPDGDD and has concluded that the cases of mandatory designation of a Data Protection Officer do not apply: the processing does not include special categories of data under Article 9 of the GDPR, does not involve regular and systematic large-scale monitoring of natural persons within the meaning of Article 37.1.b, and the core activity of the controller does not consist of processing that would require such a designation. Privacy enquiries are channelled through the email address indicated in the preceding section, attended by personnel with specific responsibility in this area.

1.2 Supervisory authority

The competent Spanish supervisory authority is the Spanish Data Protection Agency (AEPD) — www.aepd.es. Data subjects whose habitual residence is in another Member State of the European Union may, alternatively, lodge a complaint with the supervisory authority of their State of residence, in accordance with Article 77 of the GDPR.

2. Personal data we process

2.1 Registration and account data

First and last name of the registered user.
Email address (account identifier).
Password (stored as a bcrypt hash; never in plain text).
Legal name, tax identifier and contact details of the entity to which the user belongs.
Country and city of professional activity.

2.2 Platform usage data

Projects, Requests for Offer and offers created, issued or received.
Action records in the Audit Trail (actions on Projects and Requests for Offer, with time stamp and SHA-256 cryptographic hash chained to the preceding record).
Wallet transaction history (amounts, dates, references).
IP address and session data (transmitted with TLS 1.2 or higher encryption).

2.3 Billing data

Holder's name and billing details (legal name, tax identifier, address).
Credit card data: Visualnet does not store card data. Payment processing is delegated to Stripe, Inc., a PCI-DSS-certified provider. We only retain the internal identifier (customer token) and the last four digits of the card for reference purposes.

2.4 Data in the context of Framework Agreements

Within the Framework Agreement programme with Studios, Broadcasters and Audit Firms, Visualnet may process personal data of the client's employees, contractors and suppliers that appear in the documentation of Projects and Requests for Offer. In this context, Visualnet acts as Data Processor and the client as Data Controller. The specific conditions are formalised in the corresponding Data Processing Agreement signed between the parties.

2.5 Professional data of Suppliers in the Directory

Visualnet operates an international professional Directory of companies providing audiovisual production services. The Directory constitutes internal infrastructure of the Platform — it is not accessible to the public and does not allow external consultation.

Data processed. Company identifier (legal name, tax identifier, website), professional contact data (name and function of the person designated as company contact, professional email address, professional telephone) and classification by the Platform's own taxonomy of audiovisual production activities.

Purpose of processing. Directory data is used exclusively to: (a) invite the company to participate in Requests for Offer issued by Production Companies using the Platform; (b) send service communications relating to the operation of the Platform itself. Directory data is not used for Visualnet's own commercial purposes, is not transferred to third parties and is not enriched with additional data obtained from external sources.

Legal basis — Article 19 LOPDGDD. The processing is grounded in Article 19 of Spanish Organic Law 3/2018, which establishes the legal presumption of lawfulness, under Article 6.1.f of the GDPR, of the processing of contact data and of the function or position held by natural persons providing services in a legal entity, provided that (a) the processing relates only to the data necessary for their professional localisation, and (b) the purpose is solely to maintain relations with the legal entity in which the data subject provides services. The Directory operation described in this section meets both requirements.

Source of the data. Part of the Directory's records have been obtained directly from the data subject through voluntary registration on the Platform. The remaining part comes from publicly accessible sources, in particular: professional directories maintained by official audiovisual promotion bodies (Film Commissions and equivalents), commercial registries and public databases of economic activity, audiovisual professional associations and published sectoral catalogues. The specific source from which each particular record originates is identified, in accordance with Article 14 of the GDPR, in the first communication that the Platform addresses to its data subject.

Data subject rights. Persons whose data appear in the Directory may exercise the rights of objection and erasure at any time by writing to privacidad@visualnet.com. Every communication issued by the Platform also incorporates a specific one-click link to unsubscribe from the operational Directory.

3. Purposes and legal bases of processing

Provision of the contracted service (basis: contractual performance, Article 6.1.b of the GDPR): account registration and management, management of Projects, Requests for Offer, offers, awards, generation of the Procurement File and billing.
Compliance with legal obligations (basis: Article 6.1.c of the GDPR): accounting, tax and audit retention in accordance with applicable regulations; handling of requests from public authorities under the law.
Legitimate interest (basis: Article 6.1.f of the GDPR, in relation to Article 19 of the LOPDGDD for the professional contact data of the Directory): security of the Platform, integrity of the competitive processes documented on it and fraud prevention; maintenance of the international Directory of suppliers in accordance with section 2.5; service improvement and aggregated usage analysis without individual identification; defence against claims.
Commercial and marketing communications (basis: consent, Article 6.1.a of the GDPR): sending of product news and marketing communications where the user has provided express consent, revocable at any time free of charge and without affecting the lawfulness of prior processing.

4. Recipients and sub-processors

Visualnet does not sell or transfer personal data to third parties for commercial purposes. Data may be communicated to the following categories of recipients:

Sub-processors. Technology providers that render services to Visualnet under a data processing agreement compliant with Article 28 of the GDPR: Amazon Web Services EMEA SARL (cloud infrastructure, eu-west-1 region, Ireland); Stripe Payments Europe Ltd. (payment processing); transactional email delivery providers. The updated list of sub-processors is available at visualnet.com/privacidad/subencargados.
Other Platform users. In the context of a Request for Offer, the professional identification data of the Production Manager is visible to the invited Suppliers; the professional identification data of the Supplier is visible to the inviting Production Company. The integrity rules of the competitive process prevent, in any event, a Supplier from being able to see the content of the offers of other Suppliers invited to the same process.
Auditors designated within Framework Agreements. Auditors expressly designated by a Production Company or Framework Agreement client have read-only access to the Audit Trail of the process, without access to the individualised detail of non-awarded offers — unless the Production Company expressly consents or the scope of the professional engagement agreed between the parties so requires and the Production Company has given its consent.
Public authorities. Where there is a legal obligation, judicial requirement or administrative decision requiring the communication.

5. International data transfers

Data is stored on Amazon Web Services servers located in the eu-west-1 region (Ireland), within the European Economic Area. Any international transfer outside the EEA associated with the provision of the service is carried out with the adequate safeguards provided for in Chapter V of the GDPR, in particular the European Commission's Standard Contractual Clauses (Article 46.2.c of the GDPR) and, in the case of Stripe, Inc., the EU-U.S. Data Privacy Framework and UK Extension adequacy frameworks where applicable.

6. Retention periods

Active account data: for the entire duration of the contractual relationship.
Portability period after account cancellation: ninety (90) days from the date of cancellation, during which the user may export the Procurement File of each of their Projects in signed PDF format and in machine-readable structured format (JSON).
Data after account cancellation: five (5) years for handling any contractual claims, in accordance with Article 1964 of the Spanish Civil Code; ten (10) years for compliance with tax obligations and the prevention of money laundering.
Procurement File and associated Audit Trail: a minimum of seven (7) years from the date of closure of the Project, in line with the general tax limitation periods applicable in the European Union and with the documentary retention periods required for records that serve as the substrate for professional audit engagements on audiovisual procurement.
Billing data: ten (10) years in accordance with applicable Spanish tax regulations.

Once the applicable periods have elapsed, the data is irreversibly deleted or anonymised, without prejudice to its possible retention in the immutable Audit Trail where sectoral regulations require it.

7. Data subject rights

As a data subject, you are entitled to the following rights with regard to the processing of your personal data:

Access

Obtain confirmation as to whether Visualnet processes your data and, where applicable, access it.

Rectification

Request the correction of inaccurate or incomplete data.

Erasure

Request the deletion of data when it is no longer necessary for the purpose for which it was collected.

Objection

Object to processing based on legitimate interest or on direct marketing.

Restriction

Request the suspension of processing in the cases provided for in Article 18 of the GDPR.

Portability

Receive your data in a structured, commonly used and machine-readable format, and transmit it to another controller where technically feasible.

Automated decisions

Not to be subject to automated decisions producing legal effects or significantly similar effects (Article 22 of the GDPR).

Withdrawal of consent

Withdraw consent at any time, where processing is based on it, without affecting the lawfulness of prior processing.

To exercise any of these rights, send a written request to privacidad@visualnet.com indicating the right you wish to exercise and attaching a copy of your identification document. Visualnet will respond within a maximum period of one (1) month from receipt, extendable by two (2) additional months in cases of complexity.

If you consider that the processing of your data infringes applicable regulations, you may lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) or with the supervisory authority of the Member State of the European Union in which you have your habitual residence.

8. Security measures

Visualnet applies appropriate technical and organisational measures to ensure the security of processing in accordance with Article 32 of the GDPR, in particular:

TLS 1.2 or higher encryption for all communications in transit.
AES-256 encryption for data stored at rest.
Role-based access control (RBAC) under the principle of least privilege.
Tenant data segregation in an isolated multi-tenant architecture.
Audit Trail with SHA-256 cryptographic hashes chained to the preceding record, conferring on the set the character of immutability for evidential purposes — any subsequent alteration of a record is mathematically detectable.
Periodic backups with retention on AWS S3.
Continuous monitoring and vulnerability management.
Documented security incident response procedure.

9. Cookies

Visualnet uses exclusively technical cookies strictly necessary for the operation of the Platform. No analytical, advertising or tracking cookies are used. For further information, please consult our Cookie Policy.

10. Artificial intelligence assistant and automated decisions

The Platform incorporates an artificial-intelligence-based assistant aimed at the Production Manager that suggests improvements to the technical drafting of Requests for Offer and provides guidance on the selection of invited Suppliers.

The assistant's suggestions do not constitute automated decisions producing legal effects or significantly similar effects within the meaning of Article 22 of the GDPR: the assistant offers proposals that the human user reviews, modifies, accepts or discards freely before any action with effects on Suppliers. The final decision on the drafting of the Request for Offer and the selection of the universe of invited Suppliers rests, in any event, with the Production Manager of the Production Company.

Visualnet does not carry out profiling activities with legal consequences for data subjects.

11. Security breach notification

In the event of a personal data breach that may pose a risk to the rights and freedoms of data subjects, Visualnet will notify the incident to the Spanish Data Protection Agency within a maximum period of seventy-two (72) hours of becoming effectively aware of it, in accordance with Article 33 of the GDPR.

Where the breach entails a high risk to the rights and freedoms of data subjects, Visualnet will communicate the incident to those affected without undue delay, in accordance with Article 34 of the GDPR, on the terms and with the minimum content provided for in that provision.

12. Modification of the Policy

Visualnet may update this Policy periodically. Substantive modifications will be notified to registered users at least thirty (30) days in advance of their entry into force, by email to the registered address and by notice on the Platform itself. The current version, together with its date of last update, will always be accessible at visualnet.com/privacidad.

13. Contact

For any query concerning the processing of your personal data or the exercise of your rights:

Production Lifecycle Management, S.L.
Email: privacidad@visualnet.com