Privacy & Cookies Policy
Last updated: August 12, 2025
1. Introduction
Equitera (“we,” “our,” “us”) provides a platform for anonymously assessing psychosocial state in the workplace. It is designed to support employers in addressing their obligations under Ley 31/1995 de Prevención de Riesgos Laborales (PRL) and applicable labour and data protection laws. Our platform does not exempt companies from their legal obligations under Ley 31/1995 de Prevención de Riesgos Laborales. Employers remain solely responsible for ensuring full compliance with PRL, including carrying out comprehensive occupational risk assessments and implementing appropriate preventive measures.
We respect your privacy and are committed to protecting your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and related legislation.
This Privacy & Cookies Policy explains how we process data, what we collect, why we do it, and how we keep it safe.
2. Who We Are
Data Controller:
When we provide our platform directly to an employer, that employer acts as the Data Controller. We act as the Data Processor under a Data Processing Agreement (Art. 28 GDPR).
If you are an employee completing a questionnaire, your employer is responsible for determining the purpose and means of data processing. We process data only on their instructions.
Contact for privacy matters: privacy@equitera.es
3. Data We Process
We design our platform to ensure that employees’ survey responses are anonymous. During questionnaire completion, we do not collect names, email addresses, or other direct identifiers.
For platform access and administration, we may process contact details of employer representatives (e.g., HR managers, designated prevention staff, or persons requesting access to the platform via the Equitera website) for the purpose of account management and communication. These data are used solely for administrative and support purposes and are never linked to employee survey responses.
Questionnaires may, however, collect special category data under GDPR, as they relate to your mental and emotional well-being (Art. 9(1) GDPR). Such data is always collected in anonymous form and only processed at the aggregated department level to prevent re-identification.
We collect:
a) Account Credentials
- Name, company name, email address, and telephone number (submitted through our website form and used to provide access credentials and registration for administrative and support purposes).
- Username and password (provided during registration and used exclusively for authentication and secure access).
- Passwords are encrypted and never stored in plain text.
- Credentials are stored separately from survey data and are never linked to questionnaire answers.
b) Survey Data and Indicators
- Our questionnaires are based on validated instruments such as CoPsoQ-ISTAS21 (Tipo A). Employees provide only structured multiple-choice responses; we do not collect burnout, stress, or well-being indices directly. These indices are calculated automatically from the responses. Raw answers are stored anonymously, without any user identifiers, while the derived indicators are retained and shared only in aggregated form at the department level (groups of ≥5 employees) to ensure privacy and prevent re-identification.
- Department name (selected from a predefined list).
- Responses are anonymised, and no individual results are accessible.
c) Technical Data
- Technical data necessary for service operation (session tokens, cookies as detailed below).
We do not collect:
- IP addresses in identifiable form (we anonymise or hash before storage).
- Device identifiers linked to individuals.
4. Purpose of Processing
We process questionnaire responses exclusively for:
- Aggregated analysis of psychosocial risk factors in departments (groups of ≥5 employees to ensure anonymity).
- Generating AI-based organisational recommendations for the employer.
- Helping employers comply with PRL obligations to evaluate psychosocial risks.
We do not use the data for:
- Individual profiling,
- Disciplinary actions,
- Marketing to employees.
5. Legal Basis
Processing is based on:
- Survey responses: Art. 9(2)(b) GDPR – necessary for carrying out obligations in employment, social security and social protection law (specifically, PRL obligations), or
- Explicit consent Art. 6(1)(a) GDPR – explicit consent, where required outside the scope of PRL.
- Account credentials: Art. 6(1)(b) GDPR – processing is necessary for the performance of a contract (providing secure access to the platform).
- Technical cookies: Art. 6(1)(f) GDPR – legitimate interest in ensuring security and functionality.
6. Anonymisation & Minimisation
- Responses are aggregated by department; results are only shown for groups of ≥5 participants.
- Small departments are merged with others to prevent re-identification.
- No open text fields are collected: for the protection of users’ privacy, our questionnaires are limited to multiple-choice and scale-based responses. We do not include open text fields to prevent the accidental submission of personally identifiable or sensitive information. This design ensures compliance with the GDPR principle of data minimisation (Art. 5(1)(c) GDPR).
- Technical logs are stripped of IP addresses and device identifiers, or anonymised before storage.
7. AI Advice Disclaimer
AI-generated recommendations in our platform are for informational and organisational purposes only and:
“Do not replace professional medical or psychological evaluation.”
8. Data Retention
- Aggregated results are retained for the duration agreed with the employer (typically up to 12 months).
- Survey responses are anonymised at the moment of submission: no user IDs, IP addresses, or other identifiers are collected. Data is received in anonymous form and stored only in aggregated format, ensuring that no raw identifiable data ever exists in our systems.
9. Sharing of Data
We do not sell or rent any data.
Aggregated results may be shared with:
- The employer (Data Controller),
- Occupational health & safety services engaged by the employer.
We do not transfer data outside the EEA without ensuring an adequate level of protection (Art. 46 GDPR).
10. Your Rights
Depending on the context (and whether we are the Controller or Processor), you may have rights under GDPR, including:
- Right of access,
- Right to rectification,
- Right to erasure,
- Right to restriction of processing,
- Right to data portability,
- Right to object.
Requests should be addressed to your employer (Controller) or to us if we act as Controller.
11. Validated Questionnaires
Our questionnaires are based on internationally recognised and validated tools for psychosocial risk assessment, including:
- CoPsoQ-ISTAS21 (Tipo A) – the Copenhagen Psychosocial Questionnaire (CoPsoQ) – ISTAS21 (version Tipo A), which is used in Spain for compliance with Ley 31/1995 de Prevención de Riesgos Laborales. The Tipo A version of ISTAS21 is specifically designed for organisational use and does not require administration by licensed psychologists. It is applied exclusively for the collective assessment of psychosocial risks and never for individual diagnostic or medical purposes.
- HSE Management Standards Indicator Tool – developed by the UK Health and Safety Executive. These materials are used under Crown Copyright and made available under the Open Government Licence (OGL), which allows free use, reproduction, and commercial adaptation.
- BAT-23 (Burnout Assessment Tool, short version) – a validated scientific instrument designed to assess burnout at the organisational level. It is used exclusively for organisational and research purposes and not for individual diagnostic or medical evaluation.
In addition, the platform may also support custom questionnaires designed by employers or HR departments. These are processed under the same safeguards as validated tools: responses remain anonymous, no personal identifiers (e.g., names, emails, IDs) are collected during completion, and results are shared only in aggregated form.
12. Disclaimer / Limitation of Liability
Equitera provides a digital tool designed to support employers in meeting their obligations under Ley 31/1995 de Prevención de Riesgos Laborales (PRL) regarding the assessment of psychosocial risks.
The platform offers validated questionnaires (e.g., ISTAS21 Tipo A, CBI) and aggregated reporting features. However:
- The platform does not replace a full occupational risk assessment or professional evaluation by accredited specialists, where such evaluation is legally required.
- AI-generated insights and aggregated reports are for informational and organisational purposes only.
- The final responsibility for complying with PRL and for the adequacy of risk prevention measures rests with the employer (Data Controller).
- Equitera acts solely as a technical service provider and cannot be held liable for how employers interpret or apply the results in their workplace policies.
13. Cookies
We use cookies and similar technologies to ensure the proper functioning of our website, improve performance and analyse usage.
14. Security
We implement appropriate technical and organisational measures to:
- Prevent unauthorised access,
- Ensure encryption in transit and at rest,
- Limit access to authorised staff under confidentiality obligations.
15. Contact
For any questions about this Privacy & Cookies Policy or our data protection practices, contact privacy@equitera.es