In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016 (RGPD) and the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), the Owner informs of its personal data processing policy.
1. Responsible for the treatment
- Responsible: [PENDIENTE DE COMPLETAR]
- NIF / DNI: [PENDIENTE DE COMPLETAR]
- Address: [PENDIENTE DE COMPLETAR]
- Email: [PENDIENTE DE COMPLETAR]
- Website: https://medel.es
The Controller has not appointed a Data Protection Officer because none of the assumptions of Art. 37 RGPD or Art. 34 LOPDGDD apply. For any questions about your data you can contact the indicated email directly.
2. Data we process and purposes
We process the data that you voluntarily provide us when interacting with the Site. The categories of data and their purposes are:
| Purpose | Processed data | Legal basis | Preservation |
|---|---|---|---|
| Answer queries from the contact form | Name, email, company, phone, message | Consent (Art. 6.1.a RGPD) | Up to 1 year after last contact |
| Business proposal and budget calculator | Name, email, company, telephone, project details | Pre-contractual measures (Art. 6.1.b GDPR) | Up to 2 years since last interaction |
| Create and manage your customer account | Name, email, encrypted password (Argon2id), address, tax data | Execution of the contract (Art. 6.1.b GDPR) | While the account is active + 6 years for accounting obligations (Art. 30 CCom) |
| Process orders and issue invoices | Name, address, NIF, amounts, payment method | Execution of the contract + legal obligation (Art. 6.1.b and 6.1.c) | 6 years (Art. 30 Commercial Code) and 4 years (Art. 66 LGT) |
| Deliver licenses and product updates | Email, license data, IP, domain where it is activated | Execution of the contract (Art. 6.1.b GDPR) | While the license is valid + 1 year |
| Sending newsletter and commercial communications | Email, preferred language | Consent (Art. 6.1.a RGPD + Art. 21 LSSI-CE) | Until you withdraw consent |
| Security, fraud prevention and legal records | IP, User-Agent, access date, login attempts | Legitimate interest (Art. 6.1.f GDPR) | 30 days (security logs), 90 days (paid webhooks) |
3. Automated decisions and profiling
We do not make automated decisions that produce significant legal effects on the User, nor do we create automated profiles. The quote calculator generates an estimate based on the data you enter, but the result is indicative and does not imply a binding offer.
4. Recipients and those in charge of treatment
To provide our services we have the following data processors, all of them bound by the corresponding contract with RGPD clauses:
- Stripe Payments Europe Ltd. (Ireland) — card payment processing. Privacy policy.
- PayPal (Europe) S.à r.l. et Cie, S.C.A.(Luxembourg) — payment processing. Privacy policy.
- Hosting provider — Site and database storage.
- SMTP email provider — sending transactional emails and newsletters.
- Google Ireland Ltd. — web analytics through Google Analytics 4 (if the User grants prior consent to analytical cookies). Privacy policy.
We do not transfer your data to third parties for their own commercial purposes.
5. International transfers
Some of the above processors may transfer data outside the European Economic Area (for example, Stripe and Google may process data in the USA). In all cases, said transfers are made under the protection of:
- The EU-US Adequacy Decision Data Privacy Framework(July 10, 2023), when the recipient is adhered to the framework.
- Standard Contractual Clauses approved by the European Commission (Decision 2021/914).
- Additional guarantees applicable in accordance with Art. 46 GDPR.
6. Your rights
As the owner of your personal data you have the right to:
- Access the data we process about you (Art. 15 RGPD).
- Rectify inaccurate or incomplete data (Art. 16 GDPR).
- Delete data when it is no longer necessary (Art. 17 GDPR, "right to be forgotten").
- Limit the processing in cases of Art. 18 RGPD.
- Carry your data in a structured and readable format (Art. 20 RGPD).
- Object to processing based on legitimate interest (Art. 21 GDPR).
- Withdraw consent at any time, without retroactive effects.
- Not be subject to automated decisions (Art. 22 GDPR).
You can exercise these rights by sending an email to [PENDIENTE DE COMPLETAR] identifying yourself properly (for example, with a copy of your ID or equivalent document) and specifying the right you wish to exercise. We will respond to you within a maximum period of one month (Art. 12.3 GDPR).
7. Right to complain to the supervisory authority
If you consider that the processing of your personal data does not comply with current regulations, you have the right to file a claim with the Spanish Data Protection Agency (AEPD):
- Web: www.aepd.es
- Address: C/ Jorge Juan, 6 — 28001 Madrid
- Electronic office: sedeagpd.gob.es
8. Information security
We apply appropriate technical and organizational measures to guarantee the security of your data (Art. 32 GDPR). In particular:
- HTTPS/TLS encryption in all Site communications.
- Argon2id hash for passwords (never stored in plain text).
- Role-based access control for the administration area.
- CSRF tokens and rate-limiting to prevent brute force attacks.
- Regular backups and access log.
9. Minors
Our services are aimed at people over 18 years of age or at professionals and companies. We do not knowingly collect data from minors. If we detect that a minor under 14 years of age has provided data without parental consent, we will delete it immediately.
10. Modifications to this Policy
This Policy may be updated to reflect legal or operational changes. Any substantial modification will be notified to registered users by email and will be published on this page with the new effective date.
Last update: [PENDIENTE DE COMPLETAR]
