Data processing agreement annex

Last updated: January 2026

DATA PROCESSING AGREEMENT ANNEX

(Art. 28 Regulation (EU) 2016/679 — GDPR)

January 2026

Gathered SL (Tax ID B26744649), hereinafter the Processor, and the client registered on the platform, hereinafter the Controller, agree that the processing of personal data carried out through the Gathered platform is governed by the following conditions:

Purpose: The Processor shall process personal data of the Controller's employees and contacts solely to provide the contracted services.

Duration: For the term of the service contract. Upon termination, data shall be deleted or returned within a maximum of 30 days, unless there is a legal obligation to retain them.

Nature and purpose: Storage, processing and display of business management data, including work time tracking, customer management and internal operations.

Type of data: Identifying data, employment data, photographic images for attendance verification purposes, and any other data entered by the Controller on the platform.

Categories of data subjects: Employees, collaborators and commercial contacts of the Controller.

Processor obligations: Process data only in accordance with the Controller's instructions; ensure confidentiality; apply appropriate technical and organisational security measures; not subcontract without prior authorisation; assist the Controller in exercising data subject rights; delete or return data upon completion of the service; make available to the Controller the information necessary to demonstrate compliance.

Sub-processors: Gathered SL may use infrastructure providers located in the European Union. List available upon request at soporte@gathered.so.

International transfers: No data transfers are made outside the European Economic Area.

By contracting Gathered's services, the Controller expressly accepts the conditions of this Annex.