Privacy Policy
Effective date: March 1, 2026
Last updated: March 17, 2026
CuevasLab ("we", "us", "our") operates the website shop.cuevaslab.es. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you visit our website or make a purchase.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) (EU Regulation 2016/679) and applicable Spanish data protection laws.
1. Data Controller
CuevasLab
Madrid, Spain
Email: privacy@cuevaslab.es
For any questions about this policy or your personal data, contact us at the email above.
2. What Data We Collect
We collect different types of personal data depending on how you interact with our website:
Data you provide directly
- Account information -- name, email address, password (hashed)
- Shipping and billing addresses -- street, city, postal code, country
- Payment information -- processed securely by Stripe; we never store your card details
- Contact form submissions -- name, email, message content
- Phone number -- if provided during checkout
- VAT number -- if provided for business purchases
Data collected automatically
- Device and browser information -- browser type, operating system, screen resolution
- Usage data -- pages visited, time spent, click patterns
- IP address -- used for fraud prevention and approximate geolocation
- Cookies and similar technologies -- see our Cookie Policy
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Process and fulfill your orders | Performance of a contract (Art. 6(1)(b)) |
| Create and manage your account | Performance of a contract (Art. 6(1)(b)) |
| Send order confirmations and shipping updates | Performance of a contract (Art. 6(1)(b)) |
| Process payments securely | Performance of a contract (Art. 6(1)(b)) |
| Respond to your inquiries and support requests | Legitimate interest (Art. 6(1)(f)) |
| Prevent fraud and secure our platform | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal and tax obligations | Legal obligation (Art. 6(1)(c)) |
| Analyze website usage to improve our services | Legitimate interest (Art. 6(1)(f)) |
| Send marketing communications (only with consent) | Consent (Art. 6(1)(a)) |
4. Who We Share Your Data With
We share your personal data only with trusted third parties who help us operate our business:
- Stripe -- payment processing (PCI DSS Level 1 certified)
- Shipping carriers -- name and address for delivery fulfillment
- Vercel -- website hosting and content delivery
- Google -- reCAPTCHA (spam prevention), Google Address Validation, Analytics
- Cloudinary -- image hosting and optimization
We never sell your personal data to third parties. All our service providers are bound by data processing agreements that comply with GDPR requirements.
5. International Data Transfers
Some of our service providers (Stripe, Vercel, Google, Cloudinary) may process data outside the European Economic Area (EEA). In such cases, we ensure adequate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Provider certifications and compliance frameworks
6. Data Retention
We retain your personal data only as long as necessary:
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Order and transaction data | 7 years (tax and legal obligations) |
| Contact form messages | 2 years |
| Website analytics | 26 months |
| Cookies | See Cookie Policy |
After the retention period, data is securely deleted or anonymized.
7. Your Rights Under GDPR
As a resident of the European Union, you have the following rights:
- Right of access -- request a copy of the personal data we hold about you
- Right to rectification -- correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") -- request deletion of your data
- Right to restriction -- limit how we process your data
- Right to data portability -- receive your data in a structured, machine-readable format
- Right to object -- object to processing based on legitimate interests
- Right to withdraw consent -- withdraw consent at any time (for consent-based processing)
To exercise any of these rights, contact us at privacy@cuevaslab.es. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) at www.aepd.es.
8. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- HTTPS encryption on all pages
- Hashed passwords -- we never store passwords in plain text
- PCI DSS compliant payment processing via Stripe
- Access controls -- only authorized personnel can access personal data
- Regular security updates to our infrastructure
9. Children's Privacy
Our website is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify you by email or through a prominent notice on our website.
11. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or your personal data:
Email: privacy@cuevaslab.es
Address: CuevasLab, Madrid, Spain
We aim to respond to all privacy-related inquiries within 30 days.