Last updated: April 1st, 2025
Privacy Policy
INDEX
- Introduction
- How are your data obtained?
- Data collected
- Use and purpose of the data collected
- Retention of your data
- Disclosure of your data
- Data sharing with third parties
- Security
- Changes to the Privacy and Cookie Policy
- Your rights
- Contact information
- Applicable law and jurisdiction
1. Introduction
1.1. CityXerpa is a technology platform accessible through a mobile application (the “Platform”, hereinafter). Through this Privacy Policy, users of the Platform are informed about the collection, processing, and use of their personal data.
1.2. The owner of the Platform and the data controller of the users’ personal data is the company indicated below (the “Company”, hereinafter):
Company name | XERPA, S.L. |
---|---|
Registered office | Av. Nacions Unides, 40, 1, Escaldes-Engordany (AD700) |
Tax Registration Number | L-711201-Y |
Commercial Register Info | Number 16095, Book S-241, Pages 451–460 |
1.3. XERPA, S.L. provides the various services of the Platform, either directly or through its subsidiaries (identified in Annex I of the General Terms and Conditions). Hereinafter, both “XERPA, S.L.” and its subsidiaries will be referred to indistinctly as the “Company” or “CityXerpa”.
1.4. This Privacy Policy is established to disclose what information we collect and how we process and protect it. This information is provided by users of the Platform (hereinafter, the “Users”) through their registration as App users. The Policy is provided so that the User can freely decide whether they wish to allow us to process said information.
1.5. This Privacy Policy does not apply to third-party platforms, even if they are linked to the Platform. We strongly recommend that Users read the Privacy Policies of any third-party platforms they visit.
1.6. By using the Platform, the User expressly accepts this Privacy Policy and the corresponding Terms and Conditions. If the User disagrees with any of the documents mentioned, they are kindly asked to refrain from using the Platform.
2. How is your data obtained?
2.1. The Company obtains information from Users when:
- The User creates an account on the Platform, or whenever they update their account settings;
- The User purchases a product or service, and throughout the service process (including payment and delivery);
- The User contacts the Platform directly via email, telephone, letter, message, or any other communication method; and
- Each time the User browses and/or uses the Platform (both before and after account creation).
3. Data collected
3.1. The personal information collected by the Company about the User includes, but is not limited to, the following:
- Email address
- Encrypted password
- First and last name
- Username
- External authentication system (FaceID, AppleID, etc.)
- Phone number and country code
- Default language on the phone
- Location (we do not share or store it)
- Personalization and service preference information
- Addresses
- Billing information
- Payment methods
- Data on purchased products and services
- Technical information about the device or connection type used to access the Platform
4. Use and purpose of collected data
4.1. The Company uses the collected personal data for legitimate and justified purposes, including:
- To provide the services offered by the Platform;
- To manage browsing within the Platform;
- To inform Users about products and services promoted on the Platform.
4.2. The Company processes Users’ personal data with absolute confidentiality and undertakes to adopt all necessary measures to prevent any alteration, loss, or unauthorized processing, in accordance with the applicable regulations in force at any given time.
5. Data retention
5.1. The Company retains information about the User only for the strictly necessary period.
5.2. The obtained information will be retained for the time required to fulfill the purposes set forth in Clause 4, to defend the legitimate interests of the Platform, or for the period specifically established by applicable laws and regulations.
5.3. To determine appropriate retention periods, the Company considers the following criteria:
- The Company’s contractual obligations and related rights regarding this data;
- Legal obligations established by current legislation requiring data retention for a specific period;
- Statutory limitations set by applicable laws;
- Justified reasons for processing, without prejudice to the Company’s obligation to conduct proportionality assessments;
- Potential disputes involving the Company;
- Guidelines from competent data protection authorities.
6. Disclosure of your data
6.1. The information collected about the User is transferred to and stored on the Company’s servers located in the European Union.
6.2. The Company operates with full responsibility and transparency regarding who it shares this information with.
7. Data sharing with third parties
7.1. In the context of the Platform’s operations, the Company may share User data with third-party providers of products and services, as well as with its “Partners” and other collaborators, including but not limited to:
- Payment service providers;
- IT service providers (including cloud service providers) for data storage and analysis;
- Associated providers or Partners (establishments from which the User purchases products or services, to process orders, solve issues, or improve their services);
- Couriers, if necessary, to deliver products purchased through the Platform;
- Third parties associated with customer service;
- Third parties associated with marketing and advertising.
7.2. In all such cases, relationships with third parties are governed by appropriate contracts to ensure that these parties apply sufficient technical and organizational measures to protect personal data.
7.3. Users are explicitly informed that if the Company enters a joint venture, is acquired, sold, or merges with another company, it is entitled to transfer and/or disclose User information to that company, new business partners or owners, and/or their advisors.
7.4. The Company may also share your information in the following circumstances:
- If the Platform is legally or regulatorily required to disclose or share your information. This includes cases where the Company is legally required to respond to requests for information from the police or any competent authority, or to exchange information with other companies, organizations, or public/private entities for the purpose of preventing and/or protecting against fraudulent behavior;
- To fulfill and enforce contractual obligations with the User and any other agreements;
- To protect the rights of the Platform, its providers, couriers, and other parties, including fraud prevention;
- With other third parties when reasonably necessary to detect or prevent criminal activity.
7.5. In any case, the Platform will take all necessary measures to ensure that data is processed securely and in accordance with this Policy when shared with third parties.
8. Security
8.1. The Company adopts the necessary technical and organizational measures to ensure the security of personal data and prevent its alteration, loss, unauthorized access, or processing, taking into account the state of technology, the nature of the stored data, and the risks to which it is exposed.
8.2. In particular, the Company uses encryption protocols and secure communication channels, and restricts access to data to authorized personnel only.
8.3. However, the User acknowledges that internet data transmission is not completely secure and that, despite the Company’s efforts, absolute protection cannot be guaranteed.
9. Modifications to the Privacy Policy
9.1. The Company reserves the right to modify this Privacy Policy without prior notice to its Users.
9.2. Relevant changes to this policy will be notified to the User upon their next login to the App. The User must read and accept these changes in order to continue using the Platform.
9.3. Notwithstanding the above, non-essential modifications (such as updates, correction of formal errors, or wording changes that do not involve material changes) will be notified to the User via the email address provided during registration, so that the User can review and take note of the changes made.
9.4. In this context, Users are encouraged to periodically review this Privacy Policy.
9.5. If the User disagrees with this policy or any of its modifications and/or updates, they are requested to stop using the Platform and delete the App from their mobile device.
10. Your Rights
10.1. In accordance with data protection legislation, the User has a series of rights regarding the information processed by the Company, which are detailed below:
a) Right of access. The User has the right to know, without undue delay, whether personal data concerning them is being processed, and if so, to access such data and obtain a copy of the files held by the Platform.
b) Right to rectification. The User may request that the Platform correct, complete, or clarify their personal data if it is incorrect, incomplete, or inaccurate. In this context, the User can request that the Platform rectify any error in the information, and the Platform will inform them of the effective modification of the data within the corresponding timeframe.
c) Right to erasure (“right to be forgotten”). The User may request the deletion of personal data concerning them.
d) Right to object to processing. The User has the right to object to certain types of processing, including processing for direct marketing and profiling. To express their objection, the User may change their marketing preferences in their profile or disable the use of cookies.
e) Right to restrict processing. The User has the right to block or suppress the future use of their information under the following circumstances:
i. The data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the data.
ii. The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
iii. The controller no longer needs the personal data for the purposes of the processing, but the data subject requires it for the establishment, exercise, or defense of legal claims.
iv. The data subject has objected to processing, pending the verification of whether the legitimate grounds of the controller override those of the data subject.
In such cases, the Platform may continue to store the data, but must not use it for any other purpose.
f) Right to data portability. The User may request the personal data they have provided, and has the right to receive it in a structured, commonly used, and machine-readable format. They may also transmit such data to another data controller in the following cases:
i. When the processing is based on consent.
ii. When the processing is carried out by automated means.
The exercise of this right implies that the personal data will be transmitted directly from one controller to another, where technically feasible.
g) Right to lodge complaints. The User has the right to file complaints regarding how we manage or process personal data with the Andorran Data Protection Agency (www.apda.ad), as well as with the data protection authority of their EU Member State, or any relevant national authority.
h) Right to withdraw consent. If the User has given consent to the Platform for any processing of their information, they have the right to withdraw such consent at any time by contacting the Company. The withdrawal of consent will not render the Company’s previous use of the data unlawful during the time when the consent was valid.
10.2. All rights may be exercised by contacting the Company via email at: dataprotection@cityxerpa.com, or by written request to: Avinguda de les Nacions Unides, 40, 1st floor, Edifici A Tower (Local Comercial), Escaldes-Engordany (AD700). To exercise these rights, the User must include a copy of their identification document so we can verify their identity. The exercise of any right is free of charge.
10.3. When the User exercises the rights of access, rectification, erasure, restriction, objection, or data portability, the data controller must provide information on the actions taken without undue delay.
10.4. The maximum response time is one (1) month from the day following receipt of the request by the data controller.
10.5. This period may be extended by two (2) more months if necessary, taking into account the complexity and number of requests. The controller must inform the data subject of any such extension within one month of receiving the request, stating the reasons for the delay.
11. Contact Information
11.1. If you wish to contact CityXerpa, you can write to info@cityxerpa.com, use the “Contact” section of the Platform, or send a letter to: Avinguda de les Nacions Unides, 40, 1st floor, Edifici A Tower (Local Comercial), Escaldes-Engordany (AD700).
12. Governing Law and Jurisdiction
12.1. This Privacy and Cookie Policy shall be governed by common Andorran law, as well as by Qualified Law 29/2021, of October 28, on the protection of personal data.
12.2. The courts of Andorra la Vella shall have exclusive jurisdiction over any claim arising from or related to this Privacy and Cookie Policy, with express waiver of any other applicable jurisdiction.