GDPR & AI Governance Framework: LeadROJO

Document Status: Final (2026 Launch Version)

Parent Entity: LeadROJO (Costa del Sol, Spain)

1. Governance & Corporate Identity

LeadROJO is a trade name of LeadROJO We operate under a "Privacy by Design" mandate, ensuring that all AI-driven automation for the Spanish real estate market complies with:

• EU GDPR (Regulation 2016/679)
• Spanish LOPDGDD (Organic Law 3/2018)
• EU AI Act 2024/2026 (Transparency and Risk requirements)

2. Supervisory Authority

LeadROJO is established in Spain. The competent supervisory authority for our data processing activities is the Spanish Data Protection Agency (AEPD), with registered office in Madrid.

• Lead supervisory authority: AEPD (https://www.aepd.es)
• Primary jurisdiction: Spain

3. The "AI Transparency" Logic (EU AI Act & Art. 13 GDPR)

In compliance with the EU AI Act (2026) and Article 13 of the GDPR, we provide full disclosure regarding the automated systems used:

• Algorithmic Disclosure: We use Large Language Models (LLMs) to qualify leads based on intent, budget, and location.
• No High-Risk Automated Decisions: Our AI does not make decisions that produce legal effects (e.g., credit scoring or rental rejection). It produces a Qualification Score and summary for the Agency’s review.
• The "Human-in-the-Loop" Requirement: Our technical architecture prevents the AI from signing contracts or making binding offers. All final real estate actions must be triggered by a verified human user of the Agency.

4. International Data Transfers & Sovereignty

We apply a tiered sovereignty approach:

1. Data Residency: All Lead Data and conversation history are stored at rest within the AWS eu-central-1 (Frankfurt) region.
2. Transient Processing: For AI qualification, data may transit through non-EEA AI APIs (e.g., OpenAI/Anthropic). These flows are protected by Zero Data Retention (ZDR) agreements and the 2021 Standard Contractual Clauses, ensuring EU citizen data is never used to train foundational AI models.
3. Sub-processor Register: A current list of sub-processors (and their hosting regions) is available on request to all Agency Clients.

5. Spanish Digital Rights (ARCO-POL+)

Beyond standard GDPR rights, we provide specific tools for Spanish "Digital Rights" (LOPDGDD):

• Right to Human Intervention: Leads can trigger a "Bypass AI" command at any time to speak with a human agent.
• Right to Erasure (ARCO): We provide a one-click "Right to be Forgotten" toggle in the Agency dashboard to delete lead records across WhatsApp logs and databases.
• Right to Disconnection: The platform supports business-hour muting to comply with Spanish labor laws regarding digital disconnection.

6. Security & Technical Oversight

• Encryption: TLS 1.3 for data in motion and AES-256 for data at rest.
• Auditability: We maintain a ROPA (Record of Processing Activities) for every client, documenting the data lifecycle from Meta Lead Ad to AI Qualification.
• Breach Protocol: In the event of a data incident, LeadROJO will notify the Controller (the Agency) within 48 hours, facilitating their mandatory 72-hour report to the AEPD.