TRACK
es ES
English
TRACK GET A QUOTE
Privacy Policy

At GOFO IBERIA S.L. and its subsidiaries (hereinafter collectively referred to as “GOFO”), we recognize the importance of protecting your personal data. We value the trust you place in us and are committed to handling your information responsibly, transparently, and in strict compliance with applicable laws and regulations.

This Privacy Policy describes how GOFO collects and processes your personal data when you interact with our services, including through:

  • our website: https://www.gofo.com/es/,
  • our parcel delivery and courier services, the e-commerce platforms operated by GOFO’s customers,
  • the GOFO system,
  • as well as the dedicated GOFO COURIER mobile application
    (collectively, the “GOFO Services”).

By using the GOFO Services, you acknowledge and accept the data practices described in this Privacy Policy. For any questions regarding the collection or processing of your personal data, you may contact us at:

GOFO IBERIA S.L.
Address: Calle Eduardo Barreiros 104, Modulo 17, 28041 Madrid
Email: dpo@gofoexpress.com

Any capitalized term not expressly defined in this Privacy Policy shall have the meaning given to it in the Terms of Use.

1. Personal data processed

We collect certain personal data, understood as any information that directly or indirectly identifies an individual, or any other data to which the organization has or may have access.

Such data may include, without limitation: first and last name, address, date of birth, gender, nationality, telephone number, email address, banking and payment information, official identification documents (required notably for KYC due diligence, identity verification, or fraud prevention), technical data transmitted by devices used to access the GOFO Services, network connection data (e.g., IP address), marketing and communication preferences, usage and transaction data (e.g., searches, orders, claims, ads viewed, delivery addresses, location data), as well as any other information provided while using the GOFO Services.

You agree not to provide us with any false, inaccurate, or misleading data and to inform us of any changes to your information. GOFO reserves the right, at its sole discretion, to request additional documents to verify the accuracy of the information provided.

Personal data is generally provided voluntarily by you when interacting with the GOFO Services, including in the following cases:

  • When registering for and/or using the GOFO Services;
  • When submitting forms (including job applications via GOFOCAREER) related to our services, online or offline;
  • When entering into contracts or providing documents related to your interactions with GOFO;
  • When communicating with us (telephone calls, correspondence, videoconferences, social networks, emails, etc.), including with our customer service;
  • When browsing our website (cookies, trackers, and other similar technologies);
  • When using the GOFO COURIER mobile application linked to the GOFO System;
  • When performing transactions via the GOFO System;
  • When providing feedback or filing complaints;
  • When disclosing personal data for any other reason;
  • When interacting with a partner carrier responsible for executing the GOFO Services.

GOFO may also receive information about you from third parties, such as its customers or carriers (e.g., updated delivery addresses, proof of delivery by photograph or ID document).

Additional examples of information we may receive include:

  • Updated delivery address information collected from our carriers or third parties, used to confirm successful delivery;
  • Proof of delivery and receipt of your parcel, including photographs taken at the time of delivery representing you and/or your parcel alongside your official identification document.

2. Purposes and legal bases for processing

The processing purpose corresponds to the objective pursued by the data controller. GOFO undertakes to process the personal data it collects or holds about you only for specific, explicit, and legitimate purposes, and not to process them in a manner incompatible with those purposes.

The main legal bases for processing and their associated purposes are:

  • Performance of a contract with the data subject (Art. 6(1)(b) GDPR): GOFO relies on this legal basis for the delivery of products and services purchased by the User via e-commerce platforms operated by GOFO’s customers. We also rely on this legal basis when using your personal data to verify your identity for parcel handover, to communicate with you regarding the ordered services, and to notify you of the delivery status.
  • GOFO’s legitimate interests in ensuring the provision, support, and improvement of the GOFO Services (Art. 6(1)(f) GDPR): We rely on this legal basis when we use your data to ensure proper functioning of services, analyze performance, correct errors, and improve usability and efficiency.
  • Consent of the data subject (Art. 6(1)(a) GDPR): We will ask for your consent for sending commercial prospecting and marketing. We may send you emails or other communications regarding GOFO Services of potential interest, facilitate your future shipments and deliveries, and provide promotional information and materials related to GOFO Services (and/or those of its affiliates or partners), including current or future services.
  • Compliance with legal and regulatory obligations (Art. 6(1)(c) GDPR): for example, handling disputes before competent courts, processing customs formalities, maintaining accounting records, or responding to rights requests.

3. Cookies and trackers

To enable our systems to recognize your browser or device and to provide and improve the GOFO Services, we use cookies and similar identifiers.

You may manage cookies directly through your browser settings. The “Help” function of most browsers explains how to configure your browser to refuse cookies, be notified of each new cookie, or disable all cookies.

However, if you disable all cookies, neither we nor third parties will be able to transfer cookies to your device. As a result, certain preferences will need to be re-entered at each visit, and some features or services may no longer function properly.

For further information regarding the use of cookies, please visit our Cookie Policy.

4. Data recipients

When GOFO acts as data controller

Personal data you provide may be shared with the following categories of recipients, strictly as necessary to achieve the purposes for which the data was collected:

Internal recipients within GOFO:

  • GOFO departments, services, and operational units duly authorized to process such data;
  • GOFO subsidiaries, where access is required in connection with their respective functions.

External recipients, outside the GOFO perimeter:

  • Authorized technical service providers and their subcontractors, solely within the scope of the services entrusted to them;
  • Business partners, subject to appropriate contractual safeguards;
  • Contracting parties, beneficiaries of services, authorized agents, or any third party designated by the data subject or users of GOFO products and/or services, where communication is necessary to fulfill contractual obligations;
  • Public authorities, court officials, legal advisors, or administrative and judicial authorities, where disclosure is required by law or regulation, pursuant to a binding request, as part of GOFO’s legal obligations, or for the protection and defense of its rights and legitimate interests;
  • Mediators and supervisory or regulatory authorities legally entitled to receive such information;
  • Audit bodies, including statutory auditors, external auditors, or customs authorities.

Where any of these recipients are located outside the European Economic Area, GOFO will adopt all applicable safeguards under applicable regulations in order to guarantee the integrity, confidentiality, and appropriate handling of data. Further information on the safeguards adopted may be requested by sending an email to: dpo@gofo.com

When GOFO acts as processor, within the meaning of the GDPR

GOFO undertakes to comply with all legal, regulatory, and contractual obligations imposed by the relevant data controller. In this context, personal data may only be disclosed to:

  • Recipients expressly designated by the data controller;
  • Duly authorized or approved subprocessors;
  • Public authorities, court officials, legal advisors, administrative and judicial authorities, in accordance with applicable laws or regulations, or in response to enforceable requests, where such disclosure is required to enable GOFO to meet its legal obligations or defend its legitimate interests;
  • Mediators and supervisory or regulatory authorities legally empowered to access such data;
  • Audit bodies, including statutory auditors, external auditors, customs authorities, and foreign postal administrations, where such access is required for control, compliance, or operational purposes.

5. Data retention periods

The retention period of your personal data depends on the nature of the data and the specific purposes for which they are processed. Where data is collected for multiple purposes, it will be retained for the longest period necessary to achieve all relevant purposes. GOFO commits to retaining personal data only as long as necessary for the provision of relevant products and services and in compliance with applicable legal and regulatory obligations.

The main retention periods are as follows:

1. Customer management and GOFO products/services:

  • Account creation and subscription: retained for six (6) years from the last login or account deletion, provided no active service remains.
  • Delivery preference management: retained for five (5) years from the last update or modification.
  • Duration of contractual relationship: retained for the entire contractual period between the data subject and GOFO and for a further six (6) years thereafter.

2. Commercial prospecting:

  • Retained for three (3) years from the last contact with the prospect, or until consent is withdrawn.

3. Customer service call recordings:

  • Retained for six (6) months from the date of recording.

4. Fraud and cybercrime detection, prevention, and mitigation:

  • Retained for twelve (12) months from the fraud alert record date.

5. Rights requests (e.g., access, rectification, deletion):

  • Retained for three (3) years from the date of processing, except documents, which are retained for one (1) year.

6. Accounting and financial record-keeping:

  • Retained for ten (10) years from the end of the relevant fiscal year.

 

Once these retention periods have expired, personal data will be deleted, unless it is necessary to keep them blocked for a longer limitation period applicable to GOFO.

6. Data security

GOFO implements technical and organizational measures, along with appropriate rules and procedures, to protect your personal data against unauthorized access, misuse, disclosure, loss, or destruction. To ensure the confidentiality of your data, GOFO also applies industry-standard safeguards such as firewalls and secure passwords.

However, it is the User’s responsibility to ensure that the mobile device they use is properly secured and protected against malware such as trojans, computer viruses, or worms. The User understands that, in the absence of appropriate security measures (e.g., secure browser settings, updated antivirus software, personal firewall, avoiding the installation of software from untrusted sources), there is a risk that data and passwords used to access their information could be discovered by unauthorized third parties.

GOFO applies industry-standard security measures, including the establishment of reasonable system standards and the use of security technologies to protect personal information against unauthorized access, use, or alteration, thereby preventing data damage or loss. GOFO’s network services use encryption technologies such as Transport Layer Security (TLS) and similar protocols, and provide browsing services via HTTPS to secure data transmission. We also use encryption and isolation technologies to store and protect personal data, as well as various data-masking techniques, such as content substitution and SHA256, to enhance personal information security during use, including during consultation and analysis.

GOFO exercises strict control over data access rights and implements multi-factor authentication techniques to protect personal data and prevent any unauthorized use. We use automated security code checks and log analysis technologies to perform personal data security audits. We also regulate the storage and use of personal data by establishing a data classification and qualification system, data security management specifications, and data security development specifications. Comprehensive control is exercised over data through confidentiality agreements, as well as monitoring and auditing mechanisms. GOFO has established a Data Security Committee, supported by a dedicated information protection department and an incident response organization, to promote and ensure the security of personal data.

In the event of a security incident involving personal data, GOFO will inform the User in a timely manner, in compliance with applicable legal and regulatory requirements, regarding the general situation of the incident, its potential impact on security, corrective measures implemented or planned, recommendations to prevent and reduce risks, and possible remedial actions. At the same time, GOFO will promptly notify the User of specific circumstances of the incident by email, letter, telephone, or urgent notice. If individual notification of multiple users proves difficult, GOFO will adopt a reasonable and secure method to disseminate the information. GOFO will also report the handling of security incidents to the competent authorities in accordance with applicable laws and regulations.

If the User has any questions concerning the protection of their personal data, or if they discover that their personal data has been compromised, including their account or password, they must immediately contact GOFO through the channels specified in this Privacy Policy so that appropriate measures can be taken.

7. Rights of data subjects

In accordance with applicable data protection regulations, GOFO ensures that each individual receives clear and transparent information about the processing of their personal data as well as the rights they may exercise.

Under applicable law, you have the following rights regarding your personal data:

Right of access:

You may request access to your personal data that we hold. This includes the right to obtain the following information, including a copy of your personal data:

  • Categories of data processed;
  • Purposes of the processing;
  • Recipients or categories of recipients to whom your data has been disclosed;
  • Retention period of your data.


GOFO undertakes to provide this information in an understandable format or in line with your request, subject to technical constraints.

Right to rectification:

You may request the correction of inaccurate or incomplete personal data concerning you.

Right to object:

You may object at any time to the processing of your personal data on grounds relating to your particular situation, where processing is based on our legitimate interests, unless our legitimate interests override yours or where processing is necessary for the establishment, exercise, or defense of legal claims.

You also have the right to object at any time to the processing of your personal data for direct marketing purposes, including profiling. In this case, we will cease such processing.

Right to erasure (“right to be forgotten”):

You may request the deletion of your personal data, provided that retention is not required for:

  • Compliance with a legal obligation;
  • Performance of a contract with you;
  • Establishment, exercise, or defense of legal claims;
  • Archival, historical, or scientific purposes.

Right to restriction of processing:

You may request the suspension of processing of your personal data if:

  • You contest the accuracy of the data;
  • You object to the processing of your data.

Right to data portability:

You may request the transfer of your personal data in a structured, commonly used, and machine-readable format, allowing you to retain or transmit it to another controller. This right is subject to the condition that its exercise does not adversely affect the rights and freedoms of third parties.

Rights relating to automated decision-making:

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or significantly affects you in a similar way. If you believe you have been subject to such a decision and disagree with the outcome, you may contact us to request a review of the decision.

Right to provide post-mortem instructions:

You may provide instructions regarding the fate of your personal data after your death.

Right to withdraw consent:

Where processing is based on your consent, you may withdraw your consent at any time, enabling you to modify or withdraw your consent to direct marketing activities.

8. Exercising your rights

If you wish to exercise your rights regarding your personal data, please follow the procedure below:

a) Submission of requests

Requests may be submitted:

  • By email to: dpo@gofoexpress.com
  • By post to the GOFO headquarters: Calle Eduardo Barreiros 104, Modulo 17, 28041 Madrid

If you act on behalf of a third party, you must provide a notarized power of attorney or a simple proxy signed before two witnesses, as applicable. In addition, you must present your original identification document for visual verification by the recipient of the request.

If, after contacting us, you believe your personal data rights have not been respected, you have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es.

b) Processing deadlines

GOFO has a maximum of one (1) month from the date of receipt of your request to respond and inform you whether it has refused or proceeded with your request.

The above deadline may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We will inform you if we need to extend such period.

c) Refusal of requests

GOFO may refuse access, rectification, erasure, or objection requests in the following cases:

  • The User is not the owner of the personal data, or the legal representative is not duly authorized;
  • The User’s personal data is not found in our database;
  • There is a legal impediment or a ruling by a competent authority limiting access, rectification, erasure, or objection.

In all such cases, GOFO will inform the User or their legal representative, as appropriate, of the reasons for its decision, via the same channel used for the request, providing relevant justifications where applicable.

GOFO guarantees that personal and/or sensitive data will be stored in the corresponding databases and processed with the necessary security measures, in compliance with applicable legal provisions. The User is responsible for the accuracy of the data provided.

GOFO also reserves the right to amend or update this Privacy Policy at any time due to legal reforms, internal policy changes, or requirements related to the provision of our services or products. Such modifications will be made available in this Privacy Policy.

9. Effective date

This Privacy Policy is effective as of May 12, 2026.

CONNECT WITH US

FOR CUSTOMERS

FOR BUSINESS

FOR PARTNERS

RESOURCES

Privacy Policy | Terms of Use | Cookie Policy

Copyright © GOFO 2026. All Rights Reserved.