Privacy Policy
Effective and last updated: July 13, 2026
This Privacy Policy explains what personal data BAM SEO collects through bamseo.com, why it is used, the legal basis for each use, who receives it, how long it is retained, and the choices available to you.
1. Controller and scope
BAM SEO, based in Barcelona, Spain, is the controller for the processing described in this policy. Privacy and rights requests may be sent to [email protected].
This policy covers visitors to bamseo.com, people who request an audit or proposal, business contacts, and prospective clients. Client campaign data processed under a signed service agreement may also be subject to a separate data processing agreement.
2. Data we collect
We collect information you submit, including name, work email, website URL, selected business goal, message content, language, and any information you add in later correspondence. The audit form contains a hidden anti-spam field.
Our systems also receive technical and usage data such as IP address, date and time, requested URL, referring page, browser or device information, user agent, language, security events, and server logs. With analytics consent, Google Analytics and Google Tag Manager may receive page views, interactions, campaign attribution data, approximate location derived from IP, and device or browser identifiers.
We store theme and language-related preferences and your cookie choice in browser storage. We do not intentionally request special-category data, government identifiers, payment-card data, or information about children through the website.
3. Sources of data
We obtain data directly from you, automatically from your browser and device, and from the organisation you represent. We may also receive ordinary business-contact information from public company websites, professional networks, referrals, or existing business relationships when permitted by law.
4. Purposes and legal bases
Audit and proposal requests are used to respond, evaluate fit, prepare requested recommendations, and take steps toward a possible contract. The legal basis is Article 6(1)(b) GDPR when you request those steps and Article 6(1)(f) for proportionate B2B follow-up with the organisation you represent.
Client and supplier contacts are processed to administer agreements, deliver services, invoice, keep records, and manage the relationship. The basis is contract, legitimate interests in managing a business relationship, and legal obligations.
Technical logs are used to deliver and secure the site, diagnose faults, prevent abuse, and establish or defend claims. The basis is our legitimate interest in operating a secure and reliable service. Optional analytics and advertising measurement are used only after consent under Article 6(1)(a). We do not use website data to make solely automated decisions with legal or similarly significant effects.
5. Recipients and service providers
We disclose data only as needed to providers supporting the site and communications: Adios for application hosting in Germany; Mailjet, a Sinch service, for delivery of audit notifications and confirmation emails; and Google Analytics and Google Tag Manager for consented measurement.
Data may also be disclosed to professional advisers, auditors, insurers, courts, regulators, law-enforcement bodies, or a purchaser in a genuine corporate transaction where permitted or required by law. We do not sell personal data and do not disclose it to data brokers.
6. International transfers
Hosting is configured in Germany. Mailjet and Google may use infrastructure or support operations in other countries. Where personal data is transferred outside the EEA and no adequacy decision applies, we use an available lawful safeguard, such as the European Commission's Standard Contractual Clauses, and supplementary measures where required. Copies or further information about relevant safeguards may be requested at [email protected].
7. Retention periods
Audit and proposal records are normally retained for up to 24 months after the last substantive contact, unless you object earlier or a longer period is needed for a resulting client relationship or legal claim. Client, contract, invoice, and accounting records are retained for the contract term and the statutory periods applicable to commercial and tax records.
Operational security logs are normally retained for up to 12 months unless an incident requires longer investigation. BAM SEO's policy is to configure analytics event-level retention at no more than 14 months; aggregated reports may remain after direct identifiers are removed. Rights-request records may be retained for up to three years to demonstrate compliance. Browser consent preferences expire after 12 months.
8. Cookies and browser storage
The essential browser-storage items used by this site remember the selected visual theme and the cookie choice. Optional Google measurement technologies are activated only after analytics consent. They may distinguish browsers, measure pages and actions, and attribute traffic or conversions.
The first banner allows you to accept or reject optional measurement. You may change or withdraw that choice at any time through Cookie preferences in the footer. Blocking browser storage may affect preference persistence but should not prevent access to public content.
9. Security
We use access controls, transport encryption, provider security features, input validation, and other organisational and technical measures intended to protect personal data. No online service can guarantee absolute security. If a personal-data breach creates a legal notification duty, we will notify the competent authority and affected people as required.
10. Rights and children
You may request access, rectification, erasure, restriction, portability, or object to processing, and you may withdraw consent at any time. Direct-marketing objections are absolute. Full instructions, response periods, and complaint options appear in the GDPR Rights Notice.
The site and audit form are intended for business users aged 18 or older. We do not knowingly collect personal data from children. Contact [email protected] if you believe a child has supplied data.
11. Changes and contact
We may revise this policy when processing activities, providers, or legal requirements change. Material changes will be identified by a new effective date and, where appropriate, a more prominent notice or renewed consent. Contact [email protected] with privacy questions.