This Privacy Policy explains how PASTORIA PROJECT, S.L. (the legal entity behind the PASTORIA LAB brand) collects, uses, and protects personal data submitted through lab.pastoria.es, in accordance with EU Regulation 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD).
1. Data Controller
- Company: PASTORIA PROJECT, S.L.
- Tax ID (CIF): B57664179
- Registered Address: Cno. Son Rapiña, núm. 8 1ºA, 07013 Palma — Islas Baleares (España)
- Email: [email protected]
- Phone: +34 971 791298
2. What Personal Data We Collect
- Contact Information: name, email address, phone number, company name.
- Communication Data: any information you provide when contacting us through forms, email, or phone.
- Early-access Data: email and (optionally) role and sector when you join the early-access list.
- Technical Data: IP address, browser type, device information, and usage data collected through privacy-first analytics.
3. Legal Basis and Purpose of Processing
- Consent (Art. 6.1.a GDPR) — when you submit forms or join the early-access list.
- Contractual Necessity (Art. 6.1.b GDPR) — to respond to your inquiries and provide requested services.
- Legitimate Interest (Art. 6.1.f GDPR) — to improve our products, website and operations.
- Legal Obligation (Art. 6.1.c GDPR) — to comply with applicable tax, accounting and regulatory requirements.
Purposes: responding to inquiries; managing the early-access list; managing business relationships; sending product launch communications (only with your consent); website analytics and improvement; legal compliance.
4. Data Retention
- Contact inquiries: up to 2 years from last contact, unless a business relationship is established.
- Early-access list: until 12 months after product launch, or until you withdraw consent.
- Contract data: duration of the contractual relationship plus applicable legal retention periods (minimum 6 years for tax purposes in Spain).
- Marketing consents: until withdrawn or after 3 years of inactivity.
- Technical data: as specified in our Cookie Policy (typically 13 months maximum for analytics).
5. Data Sharing and International Transfers
We do not sell your personal data. We may share data with:
- Service Providers: hosting (Vercel/Cloudflare), email delivery (Resend), and analytics providers under data processing agreements.
- Professional Advisors: lawyers, accountants and auditors when necessary.
- Legal Requirements: public authorities when required by law.
Some service providers may be located outside the EU/EEA. Where this occurs, transfers comply with Chapter V of the GDPR through Standard Contractual Clauses, adequacy decisions, or other approved mechanisms.
6. Your Rights Under GDPR
- Right of Access (Art. 15)
- Right to Rectification (Art. 16)
- Right to Erasure (Art. 17)
- Right to Restriction (Art. 18)
- Right to Data Portability (Art. 20)
- Right to Object (Art. 21)
- Right to Withdraw Consent at any time
- Right to lodge a complaint with the Spanish Data Protection Authority (AEPD — www.aepd.es)
To exercise your rights, contact us at [email protected] or by post at the address in Section 1. We will respond within one month (extendable by two additional months if necessary).
7. Security Measures
We implement appropriate technical and organizational security measures, including HTTPS encryption, access controls, secure servers, and regular security reviews. No internet transmission is completely secure, and we cannot guarantee absolute security.
8. Marketing Communications
We will only send you marketing communications if you have given explicit consent. You can withdraw consent at any time by clicking “unsubscribe” in our emails or contacting [email protected].
9. Updates to This Policy
We may update this Privacy Policy periodically. The “Last Updated” date indicates the latest revision. Significant changes will be communicated through our website or by email where appropriate.
10. Supervisory Authority
Agencia Española de Protección de Datos (AEPD) — C/ Jorge Juan, 6, 28001 Madrid, Spain — www.aepd.es.