Skip to content

Privacy Policy

Last updated: April 2026

1. Data Controller

In accordance with Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD), we inform you that your personal data will be processed by:

  • Company name: Blue Mountain Capital Partners, SLU
  • Tax ID (CIF): B42779140
  • Registered office: Paseo de la Castellana 40, Floor 8, 28046 Madrid, Spain
  • Email: info@blue-mountain.es
  • Phone: +34 910 917 811

2. Data Protection Officer

Blue Mountain Capital Partners, SLU is not required to appoint a Data Protection Officer (DPO) pursuant to Article 37 of the GDPR. However, you may address any queries regarding the processing of your personal data to info@blue-mountain.es, indicating "Data Protection" in the subject line.

3. Personal Data We Collect

Depending on your interaction with our Website, we may collect the following categories of personal data:

3.1. Data voluntarily provided by the user

  • Contact form: first and last name, email address, company or organization (optional), phone number (optional), and message content.
  • Email communications: personal data included by the user in communications sent to our email addresses.
  • Submission of investment opportunities: data relating to companies, corporate transactions, financial information, contact details of intermediaries (lawyers, tax advisors, consultants) and business owners, as well as any associated documentation voluntarily submitted to Blue Mountain.

3.2. Data collected automatically

  • Browsing data: IP address, browser type and version, operating system, language, pages visited, date and time of access, time spent on pages, and referring URL.
  • Cookies: data collected through cookies is detailed in our Cookie Policy.

4. Purposes of Processing and Legal Basis

The personal data collected is processed for the following purposes, together with their corresponding legal basis:

Purpose Legal basis Description
Handling inquiries Consent (Art. 6(1)(a) GDPR) Respond to information requests submitted through the contact form or by email.
Commercial and investment relationships Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR) Manage relationships with business owners, intermediaries (lawyers, tax advisors, consultants), and other counterparts in the context of direct investment transactions.
Commercial communications Consent (Art. 6(1)(a) GDPR) Send communications about our activities, transactions, or services, provided prior express consent has been obtained.
Compliance with legal obligations Legal obligation (Art. 6(1)(c) GDPR) Comply with applicable legal requirements, including, where applicable, anti-money laundering and counter-terrorist financing (AML/CTF) obligations and other tax and commercial regulations.
Website analysis and improvement Legitimate interest (Art. 6(1)(f) GDPR) Analyze the use of the Website through web analytics tools to improve its performance, content, and user experience. Our legitimate interest consists of the continuous improvement of our digital services.

5. Data Recipients

Personal data may be disclosed to the following recipients or categories of recipients:

  • Web hosting provider: Hetzner Online GmbH (Germany, EU), where the Website servers are hosted.
  • Transactional email provider: Amazon Web Services (Amazon SES), for sending notifications arising from the contact form.
  • Web analytics tool: Google Analytics (Google Ireland Limited / Google LLC), for web traffic analysis.
  • Public authorities and regulatory bodies: where there is a legal obligation to disclose data.
  • Professional advisors: Blue Mountain's lawyers, auditors, and tax advisors, bound by confidentiality obligations, when necessary for the performance of their duties.

Blue Mountain does not sell, rent, or transfer personal data to third parties for commercial purposes.

6. International Data Transfers

Some of the aforementioned providers may process data outside the European Economic Area (EEA):

  • Google Analytics (Google LLC, USA): The transfer is based on the EU-US Data Privacy Framework, approved by the European Commission's Adequacy Decision of 10 July 2023, as well as the Standard Contractual Clauses (SCCs) adopted by the European Commission.
  • Amazon SES: The service operates from the EU region (eu-west-1, Ireland), so data is processed within the EEA. In the event of any transfer outside the EEA, Standard Contractual Clauses (SCCs) apply.

7. Data Retention Periods

Personal data will be retained for the periods indicated below, unless a legal obligation requires retention for a longer period:

Data category Retention period
Contact form inquiries Until the inquiry is resolved and for a maximum of 12 additional months, unless a commercial relationship is established.
Commercial/investment relationship data For the duration of the relationship and, after its termination, for the applicable statute of limitations period (generally between 5 and 10 years under commercial and tax regulations).
Commercial communications Until the data subject withdraws their consent.
Browsing and analytics data 14 months (Google Analytics) from the date of collection.
Data for legal compliance Periods established by applicable regulations (6 years for commercial obligations under the Commercial Code; 4 years for tax obligations under the General Tax Law).

8. Data Subject Rights

In accordance with the GDPR and the LOPDGDD, any data subject has the right to exercise the following rights in relation to their personal data:

  • Right of access (Art. 15 GDPR): obtain confirmation as to whether we are processing your data and access such data.
  • Right to rectification (Art. 16 GDPR): request the correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR): request the deletion of your data when, among other grounds, they are no longer necessary for the purpose for which they were collected.
  • Right to restriction of processing (Art. 18 GDPR): request the restriction of processing of your data under certain circumstances.
  • Right to data portability (Art. 20 GDPR): receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
  • Right to object (Art. 21 GDPR): object to the processing of your data, including profiling.
  • Right not to be subject to automated individual decision-making (Art. 22 GDPR): not be subject to a decision based solely on automated processing that produces legal effects or significantly affects you.

9. Procedure to Exercise Your Rights

To exercise any of the aforementioned rights, the data subject may contact Blue Mountain through the following means:

  • Email: info@blue-mountain.es, indicating "Exercise of data protection rights" in the subject line.
  • Postal mail: Blue Mountain Capital Partners, SLU, Paseo de la Castellana 40, Floor 8, 28046 Madrid, Spain. Attention: "Data Protection".

The request must include:

  • First and last name of the data subject.
  • A copy of their national identity card, passport, or other valid identification document.
  • Specification of the right being exercised and the specific request.
  • Address for notification purposes.

Blue Mountain will respond to the request within a maximum period of one month from receipt, which may be extended by a further two months in the case of complex requests or a high volume of requests. The data subject will be informed within the first month of any such extension.

10. Complaint to the Supervisory Authority

If the data subject considers that the processing of their personal data does not comply with applicable regulations, they have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):

  • Website: www.aepd.es
  • Postal address: C/ Jorge Juan 6, 28001 Madrid, Spain
  • Phone: 901 100 099 / +34 91 266 35 17

Nevertheless, we kindly request that you contact us before lodging a complaint so that we may attempt to resolve any issue relating to the protection of your data.

11. Security Measures

Blue Mountain has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, including among others:

  • Encryption of communications via TLS/SSL protocol (HTTPS).
  • Access control to information systems based on the principle of least privilege.
  • Regular backups and disaster recovery procedures.
  • Staff training and awareness in data protection and information security.
  • Periodic assessment and review of the effectiveness of technical and organizational measures.
  • Security incident management procedures and data breach notification protocols.

12. Minors

The Blue Mountain Website is not directed at minors under the age of 14. Blue Mountain does not knowingly collect personal data from individuals under said age. If we become aware that we have collected personal data from a minor under 14 without the consent of their parent or legal guardian, we will proceed to delete such data as soon as possible.

13. Amendments to the Privacy Policy

Blue Mountain reserves the right to amend this privacy policy to adapt it to legislative or jurisprudential changes, or changes in our data processing practices. Amendments will be published on this same page indicating the date of the last update.

We recommend that Users periodically review this policy to stay informed about how we protect their personal data.