1. Identity of the Data Controller
- Data Controller: Castellar Granados SL
- CIF: B13922299
- Registered Address: Paseo de Santa María de la Cabeza 21. Escalera derecha 7 derecha. 28045 Madrid.
- Contact Email: info@castellargranados.com
2. Data Collection and Purposes of Processing
We process personal data only when strictly necessary, on a lawful basis, and for the following specified purposes:
- Identification and Contact Data: this includes your name, email, phone number, and address. We process this information to manage your appointments, maintain direct communication, and handle your bespoke orders. The legal basis for this is the execution of a contract. We retain this data for the duration of our contract plus an additional five years to cover any potential legal liabilities.
- Commercial Data: we keep a record of products you have viewed and your purchase history. The purpose of this is to send you commercial communications such as our newsletter and special promotions. This processing is based strictly on your consent. We will keep this information until you choose to withdraw your consent or unsubscribe from our list.
- Browsing Data: we collect information such as your IP address, device type, and pages viewed through cookies. This data is used for website analytics and to improve the overall performance of our site. Our legal basis is our legitimate interest or, in the case of non-essential cookies, your explicit consent. This analytical data is typically stored for a period of 24 months.
- Billing and Transaction Data: we process details related to your payments and purchases to comply with tax, accounting, and general legal obligations. This is required by law. According to Spanish tax regulations, we must retain this billing information for a period of 10 years.
3. Recipients of the Data
We only share your personal data with third parties when necessary to fulfill a contractual or legal obligation, for example with hosting providers, who host our website and therefore process your browsing data.
4. International Data Transfers
Some of the third-party service providers listed (e.g., analytical tools or cloud providers) may process your data outside the European Economic Area (EEA). These transfers are carried out under the Standard Contractual Clauses (SCCs) approved by the European Commission.
5. Rights of the Data Subject (ARCO-PLaD)
As a data subject, you have the right to exercise the following rights under the GDPR and LOPD-GDD. These rights can be exercised by sending an email to info@castellargranados.com with the subject line "Data Protection Rights" and attaching a copy of your national identity document (DNI/NIE).
- Access: Obtain confirmation of whether or not your personal data is being processed, and access that data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure (Right to be Forgotten): Request the deletion of your data when it is no longer necessary for the purposes for which it was collected.
- Objection: Object to the processing of your data for specific reasons related to your particular situation.
- Portability: Receive the personal data you provided in a structured, commonly used, and machine-readable format, and have it transmitted to another controller.
- Limitation: Request the suspension of data processing in certain circumstances (e.g., while the accuracy of the data is being verified).
- Not to be subject to Automated Decision-Making: The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
6. Right to Lodge a Complaint
If you consider that your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
7. Special Provisions for Minors (Spain)
The legal age for consent to process personal data in Spain is 14 years old (LOPD-GDD). If we have reason to believe that a minor under the age of 14 has provided us with personal data without the necessary parental or guardian consent, we will proceed to delete that data as soon as possible.
8. Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: access control, pseudonymization, encryption, periodic backups, and staff training, to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
