Privacy Policy
This privacy policy applies to the processing of personal data of customers and users of https://www.claraduran.com and of the subdomain https://shop.claraduran.com hereinafter the WEBSITE, whose Data Controller is Clara Durán González, hereinafter the DATA CONTROLLER.
Applicable regulations
Our Privacy Policy has been designed in accordance with REGULATION (EU) 2016/679 of the EUROPEAN PARLIAMENT and of the COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter GDPR EU 2016/679, and insofar as it does not contradict the aforementioned Regulation, by the provisions of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights, hereinafter LOPDGDD 3/2018.
By providing us with their data, customers and users declare that they have read and are aware of this Privacy Policy, giving their unequivocal and express consent to the processing of their personal data in accordance with the purposes and terms set out herein.
KEY INFORMATION ON DATA PROTECTION | |
Data Controller | Clara Durán González |
Purpose | To respond to requests for information, answer queries, subscribe to the newsletter, manage orders from customers and users of the online shop, provide customer service, and send commercial communications about our products and/or services by email, SMS/MMS, WhatsApp, Telegram or other equivalent electronic means of communication, provided that the DATA SUBJECT has consented to the processing of their personal data for this purpose. |
Legal basis | Performance of a contract to which the DATA SUBJECT is party or for the application of pre-contractual measures at the DATA SUBJECT’s request. Legitimate interest of the controller. Consent of the DATA SUBJECT. |
Recipients | No data will be transferred to third parties, except where legally required. |
Rights | You have the right to access, rectify and erase your data, as well as other rights, indicated in the additional information, which you can exercise by contacting the data controller at hola@claraduran.com |
Additional information | You can consult additional and detailed information on Data Protection in the attached clauses at https://www.claraduran.com/privacy-policy |
Additional information on data protection
The DATA CONTROLLER is:
- Identity: Clara Durán González
- Tax ID number: 51115936T
- Address: Calle Princesa 31, 2nd Floor, Apt. 2 – 28008 Madrid (Spain)
- Telephone: +34 911 484 397
- Email: hola@claraduran.com | shop@claraduran.com
Purposes and legal basis of the processing
a) In general:
The DATA CONTROLLER processes the personal data provided by its customers and users for the following purposes:
- Purpose: To respond to requests for information, answer queries, subscribe to the newsletter, manage orders from customers and users of the online shop, provide customer service, perform administrative and accounting duties, and send commercial communications about our products and/or services by email, SMS/MMS, WhatsApp, Telegram or other equivalent electronic means of communication, provided that the DATA SUBJECT has consented to the processing of their personal data for this purpose.
- Legal basis for this processing: Performance of a contract to which the DATA SUBJECT is party or for the implementation of pre-contractual measures at the DATA SUBJECT’s request. Legitimate interest. The DATA SUBJECT’s consent, which may be withdrawn at any time.
b) Website email accounts:
The DATA CONTROLLER processes the personal data provided by customers and users through the email accounts on the WEBSITE:
- Purpose: To contact the DATA SUBJECT, respond to requests for information and answer queries, as well as to send commercial communications about our products and/or services by email, SMS/MMS, WhatsApp, Telegram or other equivalent electronic means of communication, provided that the DATA SUBJECT has consented to the processing of their personal data for this purpose.
- Legal basis for this processing: The consent of the DATA SUBJECT, which may be withdrawn at any time.
c) Electronic forms WEBSITE:
The DATA CONTROLLER processes the personal data provided by customers and users through the electronic forms for collecting personal data on the WEBSITE for the purposes identified below:
In relation to the “Newsletter Form”:
- Purpose: Allows the user to register to receive the newsletter.
- Legal basis for this processing: The consent of the DATA SUBJECT, which may be withdrawn at any time.
In relation to the “Register Form”:
- Purpose: Allows the user to create an account to register on the website.
- Legal basis for this processing: Performance of a contract to which the DATA SUBJECT is party or for the implementation of pre-contractual measures at the DATA SUBJECT’s request.
In relation to the “Login Form”:
- Purpose: Allows registered users to access the website to purchase the products and contract the services made available to them in the online shop.
- Legal basis for this processing: Performance of a contract to which the DATA SUBJECT is party or at the DATA SUBJECT’s request to take steps prior to entering into a contract.
In relation to the “Guest order form”:
- Purpose: Allows users, without the need to register in advance, to purchase the products and contract the services made available to them in the online shop.
- Legal basis for this processing: Performance of a contract to which the DATA SUBJECT is party or at the DATA SUBJECT’s request to take steps prior to entering into a contract.
When the data requested in the electronic forms is necessary, the DATA CONTROLLER will indicate that it is mandatory at the time of collecting data from customers and users, and failure to provide it will mean that the corresponding request cannot be processed.
What type of data do we process?
For the purposes set out in the previous section, we process the customers’ and users’ data, which can be divided into the following sources and categories:
a) Data provided directly by the customers and users, either at the time of requesting the service by completing the electronic forms for collecting personal data provided for this purpose on the website, or data provided throughout the contractual relationship through various means, such as complaints or requests for information submitted to Customer Service. The customers and users are responsible for its accuracy and updating.
- Identifying data: (name and surname, ID number, foreigner identification number, passport number, postal address, delivery address, email address, telephone number, mobile phone number, username and password).
- Payment details: processed exclusively by a secure external provider. We do not store credit or debit card details on our systems.
b) Data obtained from sources other than the customer or user, either with their consent or through any other legal authorisation (legitimate interest, compliance with a legal obligation, etc.).
c) Data provided indirectly by the customers and users, as a result of the provision of the contracted service and the maintenance of this activity. This category includes traffic data, payment history for products and/or services, browsing data through the public website (including IP address, cookie data, history, etc.) or access to the private area or other similar areas.
How do we use your personal data?
The personal data you provide will be processed for the following purposes:
- To manage the processing, invoicing and dispatch of orders placed through the online shop.
- To send commercial communications about related products and services, by electronic or conventional means, provided that there is a legal basis for doing so, such as the express consent of the DATA SUBJECT or the legitimate interest of the BUSINESS, in accordance with the terms permitted by the applicable regulations on data protection and electronic commerce.
- To comply with the legal obligations arising from Law 10/2010, of 28 April, on the prevention of money laundering and terrorist financing, including identity verification, gathering information on economic activity and retaining documentation for the legally required period. Such data may be shared, where appropriate, with the competent authorities.
In any case, personal data will be processed in a confidential, lawful, fair and transparent manner, limited to the purposes described and adopting the appropriate technical and organisational measures to ensure its security.
Record of processing activities
We inform you that the personal data obtained from the customers and users as a result of completing the electronic forms on the WEBSITE form part of the Processing Activity Log (RAT) of the DATA CONTROLLER, which will be updated periodically in accordance with the provisions of the EU GDPR 2016/679 and the LOPDGDD 3/2018.
Recipients of personal data
The personal data provided by the DATA SUBJECTs may be communicated to the following recipients, depending on the purpose for which they were collected:
a) In general:
- Mail Boxes Etc. (MBE Worldwide), courier service provider acting as a data processor.
- CPC Servicios Informáticos Aplicados A Nuevas Tecnologías, S.L., the company that owns Mailrelay, a marketing automation and email marketing services platform, in its capacity as data processor.
- Dinahosting S.L., as the provider of the website hosting and email management service, in its capacity as data processor.
- Secure payment processors: electronic payment platforms (Redsys) acting as data processors, for the sole purpose of managing the secure collection of payments for orders placed by the CONSUMER.
- Competent public authorities and bodies, where required to comply with legal obligations of the BUSINESS.
b) For queries sent via the email accounts listed on the WEBSITE, or through the ‘Newsletter’, ‘Register’, ‘Login’ and ‘Guest order form’:
- No data will be transferred to third parties unless legally required.
International data transfers to third countries
The following service providers, located in the United States, receive personal data in the course of providing their services. These international transfers are carried out in accordance with the EU–US Data Privacy Framework, ensuring an adequate level of protection as recognised by the European Commission:
- Meta Platforms, Inc., provider of Facebook Ads.
- Google LLC, provider of Google Analytics 4 and Google Ads.
Retention periods
Personal data will be retained:
a) In general:
- The data will be retained until you request its erasure and, in any case, for the number of years necessary to comply with legal obligations.
b) For queries sent via the email accounts listed on the WEBSITE, or through the ‘Newsletter’, ‘Register’, ‘Login’ and ‘Guest order form’:
- Personal data will be kept until the end of the relationship between the DATA CONTROLLER and the customers and users, unless the latter requests its erasure beforehand, or until the DATA SUBJECT withdraws the consent given at any time, without this affecting the lawfulness of the processing based on the consent prior to its withdrawal.
To this end, the DATA SUBJECT is reminded that they must notify the DATA CONTROLLER, as the recipient to whom they communicate personal data, of any rectification or erasure of the data of their representatives, authorised persons and other contact persons.
Once the relationship has ended, to the extent that the personal data of the DATA SUBJECTs are relevant for the purposes of the DATA CONTROLLER’s liability to customers and users, such data shall be kept, securely blocked, at the disposal of the judicial authorities or the competent public administrations, for the purpose of enforcing the liabilities arising from the processing for the period of limitation thereof.
Rights of Data Subjects
Customers and users of the WEBSITE may exercise the following rights before the DATA CONTROLLER, to the extent that they are applicable: access to personal data, rectification or erasure of your data (right to be forgotten, restriction of processing, data portability, objection to processing and not to be subject to automated individual decisions and, where processing is based on consent, the right to withdraw consent at any time.
Customers and users may exercise these rights by sending a signed written request to the postal address of the DATA CONTROLLER at Calle Princesa 31, 2nd Floor, Apt. 2 – 28008 Madrid (Spain) or via email to hola@claraduran.com, attaching, in both cases, proof of identity valid in law, such as a photocopy of the ID card/foreign resident ID card or equivalent document, and clearly indicating the right they wish to exercise.
Customers and users also have the right to lodge a complaint with the competent Supervisory Authority (Spanish Data Protection Agency) if they consider that the processing does not comply with current regulations or that their rights regarding the protection of their personal data have been violated, especially when has not satisfactorily responded to the exercise of their rights, via the website https://www.aepd.es.
These rights will be addressed by the DATA CONTROLLER within one month, which may be extended to two months if the complexity of the request or the number of requests received so requires. All of this is without prejudice to the obligation to retain certain data in accordance with legal terms and until any liabilities arising from possible processing or, where applicable, from a contractual relationship, expire.
In addition to the above, and in relation to data protection regulations, Users who so request have the possibility of organising the destination of their data after their death.
Sending Marketing Communications
In accordance with the Second Final Provision of Law 9/2014 of 9 May on Telecommunications, which amends Law 34/2002 of 11 July on Information Society Services and Electronic Commerce, commercial communications sent by electronic means must be clearly identifiable as such. Furthermore, the natural or legal person on whose behalf they are made must also be clearly identifiable, without prejudice to any provisions issued by the Autonomous Communities with exclusive competence in consumer matters.
Customers and users who provide their contact details to the DATA CONTROLLER by clicking the “SEND” button on the electronic forms used to collect personal data on the website, and who tick both consent boxes — “I accept the processing of my data for the purposes indicated in the basic data protection information” and “I consent to receiving commercial communications about your products and/or services” — expressly and unequivocally authorise the DATA CONTROLLER to process their personal data for the purpose of sending them commercial communications about its products and/or services via email, SMS/MMS, WhatsApp, Telegram or other equivalent electronic means of communication.
The legal basis for this processing is the consent of the DATA SUBJECT, which may be withdrawn at any time.
In compliance with Articles 21 and 22 of Law 34/2002 of 11 July on Information Society Services and Electronic Commerce, users may object to the processing of their data for promotional purposes and may withdraw their consent to receive commercial communications by email simply by notifying the PROVIDER of their decision. This can be done through a simple and free procedure, consisting of sending an email to hola@claraduran.com with “UNSUBSCRIBE” or “DO NOT SEND” in the subject line.
The data provided will be retained for as long as the commercial relationship is maintained or for the period required to comply with legal obligations.
Social media policy
The DATA CONTROLLER maintains active profiles on the following social media platforms for informational, promotional and advertising purposes:
On these profiles, the DATA CONTROLLER acts as a joint controller of the personal data of users who engage in these digital environments (e.g. followers, subscribers, fans, commenters or individuals who communicate through these channels).
The use of these profiles is limited to:
- Sharing content related to the activities and objectives of the website and the entity.
- Disseminating relevant news, events or publications.
- Interacting with users in accordance with the terms and conditions of the social network in question.
Personal data obtained through these social platforms will not be used for purposes other than those described, unless the DATA SUBJECT has given their express consent.
Users should bear in mind that the information they share through these networks may be publicly visible, depending on the privacy settings of each profile, and that such interactions will be subject to the terms of use and privacy policies of each platform:
- Facebook → https://www.facebook.com/privacy/policy
- Instagram → https://privacycenter.instagram.com
- LinkedIn → https://www.linkedin.com/legal/privacy-policy
Users are advised to review these policies before interacting with our profiles, as the processing of their data is also subject to the provisions of these platforms.
Accuracy of the data provided by interested parties
Customers and users are responsible for ensuring that any information they provide through the electronic forms available on the WEBSITE or via emails sent to the claraduran.com domain is true, accurate and kept up to date so as to reflect their actual situation. They shall be held liable for any false or inaccurate information supplied and for any damage, inconvenience or issues thereby caused to the DATA CONTROLLER or to third parties.
IP addresses
The website servers may automatically detect the IP address and domain name used by the user. An IP address is a number automatically assigned to a computer when it connects to the Internet.
All this information is recorded in a server activity file that allows the subsequent processing of the data in order to obtain statistical measurements only, which allow us to know the number of page impressions, the number of visits made to the web services, the order of visits, the access point, etc.
Security measures
The DATA CONTROLLER guarantees that it has implemented the appropriate technical and organisational policies on the WEBSITE to apply the security measures established by the EU GDPR 2016/679 and the LOPDGDD 3/2018 in order to protect the rights and freedoms of customers and users and has provided them with the appropriate information so that they can exercise them.
In order to protect individual rights, especially in relation to automated processing, and with a view to being transparent with customers and users, the DATA CONTROLLER has established a policy that covers all such processing, the purposes pursued by the latter, their legitimacy and also the instruments available to the customers and users so that they can exercise their rights.
The WEBSITE is created with the latest version of the WordPress content management system and the Woocommerce e-commerce plugin. It has an SSL encryption certificate installed and activated for the entire domain, as well as the reCAPTCHA system, which protects the website against spam, inappropriate use and fraud, determining whether an action is being performed by a human or a bot, allowing the user to securely send their personal data through the existing electronic personal data collection forms, created with the Contact Form 7 plugin, and other security measures at both the server and website levels.
The WEBSITE is hosted on servers provided by Dinahosting S.L., with Tax ID No.: B-15805419 and address at Rúa das Salvadas 41, baixo, 15705 Santiago de Compostela, A Coruña (Spain) to the data controller, with the assigned IP address being of Spanish origin.
All information will be stored and managed with due confidentiality, applying the necessary computer security measures to prevent unauthorised access or use of your data, its manipulation, deterioration or loss.
However, the customers and users must bear in mind that the security of computer systems is never absolute. When personal data is provided over the Internet, such information may be collected without your consent and processed by unauthorised third parties.
The DATA CONTROLLER declines any responsibility for the consequences that such acts may have for the user if they published the information voluntarily.
The DATA CONTROLLER undertakes to ensure compliance with the applicable regulations on personal data protection at all times and, in particular, to implement the appropriate safeguards to protect the rights and freedoms of DATA SUBJECTs.
In the event of a breach of personal data security that poses a risk to the rights and freedoms of natural persons, the DATA CONTROLLER undertakes to notify the competent supervisory authority and, where appropriate, the DATA SUBJECTs, in accordance with the provisions of Articles 33 and 34 of the GDPR.
Acceptance and consent
The customers and users declare that they have been informed of the conditions regarding personal data protection, accepting and consenting to the automated processing of such data by the DATA CONTROLLER in the manner and for the purposes indicated in this Privacy Policy. Certain services provided on the WEBSITE may contain specific conditions with specific provisions regarding personal data protection.
Changes to this privacy policy
THE DATA CONTROLLER reserves the right to modify this Privacy Policy to adapt it to new legislation, case law, interpretations by the Spanish Data Protection Agency, and industry practices.
In such cases, the DATA CONTROLLER will announce the changes on the websites reasonably in advance of their implementation.
This Privacy Policy is supplemented by the Legal Notice, the Cookies Policy, the General Terms and Conditions and, where applicable, the Specific Terms and Conditions established for certain products and/or services, provided that access to them involves any special provisions regarding personal data protection.
