Privacy Policy

1. Data controller

In accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), we inform you that the controller responsible for processing your personal data is:

2. Data we collect

2.1. Registration and account data

Full name, email address, password (encrypted), contact phone number and tax details (CIF/NIF).

2.2. Company data (B2B clients)

Company name, trade name, tax address, bank details (IBAN), contact person and tax documentation (Modelo 036, census registration certificate or similar).

2.3. Browsing data

IP address, browser and device type, pages visited, visit duration and cookies (see our Cookie Policy).

2.4. Order data

Order history, shipping address, product preferences and order-related communications.

3. Purpose of processing

• Account management: Create and manage your user account on our wholesale platform.
• Professional verification: Validate your status as a professional or business in the sector.
• Order processing: Manage, process and deliver your orders, including issuing delivery notes and invoices.
• Billing and collections: Issue invoices, manage payments and direct debits.
• Commercial communications: Send information about products, offers and news (only with your express consent).
• Service improvement: Analyse platform usage to improve the experience.
• Legal compliance: Comply with legal, tax and commercial obligations.
• Customer support: Respond to enquiries and resolve issues.
• Fraud prevention: Detect and prevent fraudulent activities or misuse of the platform.

4. Legal basis for processing

• Performance of a contract (Art. 6.1.b GDPR): To manage your account, process orders and provide the contracted service.
• Legal obligation (Art. 6.1.c GDPR): To comply with tax regulations (Ley General Tributaria), commercial regulations (Código de Comercio) and anti-money laundering legislation.
• Consent (Art. 6.1.a GDPR): To send commercial communications and use non-essential cookies. You may withdraw your consent at any time.
• Legitimate interest (Art. 6.1.f GDPR): To improve our services, prevent fraud and ensure platform security.

5. Data recipients

Your data may be shared with the following categories of recipients, solely for the purposes stated:

• Banking institutions: For payment and direct debit management.
• Transport agencies: For order delivery (name, address, phone).
• Technology providers: Hosting services (Vercel/Supabase), storage (Vercel Blob), transactional email (Resend) and cache (Upstash), with data processing agreements pursuant to Art. 28 GDPR.
• Public authorities: Agencia Tributaria (AEAT), Social Security and other administrations when legally required.

We do not sell, rent or share your personal data with third parties for commercial purposes unrelated to the provision of our service.

6. International transfers

Some of our technology providers (Supabase, Vercel, Upstash) may process data outside the European Economic Area (EEA). In such cases, we ensure adequate safeguards are in place in accordance with the GDPR: standard contractual clauses approved by the European Commission (Decision 2021/914), certification under the EU-US Data Privacy Framework, or European Commission adequacy decisions.

7. Retention period

Once these periods expire, data will be securely deleted or anonymised.

8. Your rights

Under the GDPR (Arts. 15 to 22) and the LOPDGDD, you have the following rights:

• Access (Art. 15): Obtain confirmation of whether we process your data and access it.
• Rectification (Art. 16): Correct inaccurate data or complete incomplete data.
• Erasure (Art. 17): Request deletion of your data when it is no longer necessary.
• Objection (Art. 21): Object to the processing of your data in certain circumstances.
• Restriction (Art. 18): Request restriction of processing in legally prescribed cases.
• Portability (Art. 20): Receive your data in a structured, commonly used and machine-readable format.
• Withdrawal of consent: Withdraw your consent at any time without affecting the lawfulness of prior processing.
• Not to be subject to automated decisions (Art. 22): We do not use decisions based solely on automated processing that produce legal effects on you.

Right to lodge a complaint: If you believe that the processing of your data violates the regulations, you may file a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid — www.aepd.es.

9. Security measures

We implement appropriate technical and organisational measures proportionate to the risk, in accordance with Art. 32 GDPR, to ensure the confidentiality, integrity and availability of your data:

• Password encryption using secure algorithms (bcrypt).
• Encrypted communications via HTTPS/TLS across the entire site.
• Role-based access control: only authorised personnel can access personal data.
• Row Level Security (RLS) in the database: each user can only access their own data.
• Automated and encrypted backups.
• Rate limiting and brute-force attack protection.
• Infrastructure providers with security certifications (SOC 2, ISO 27001).

10. Minors

Our platform is intended exclusively for professionals and businesses. We do not intentionally collect data from individuals under 18 years of age. If you become aware that a minor has provided personal data, please contact us so we can proceed with its immediate deletion.

11. Third-party links

Our website may contain links to third-party sites (Google Maps, social networks, suppliers). We are not responsible for the data processing carried out by such third parties. We recommend consulting their respective privacy policies before providing them with personal data.

12. Changes to this policy

We reserve the right to modify this Privacy Policy to adapt it to legislative, case-law or business practice changes. Changes will be published on this page with the corresponding update date. In the event of substantial changes, we will inform you by email or through a prominent notice on the platform.

13. Contact

For any enquiry related to this Privacy Policy or the processing of your personal data: