Privacy Policy
This is a courtesy translation. In case of disputes or discrepancies, only the official Spanish version shall prevail.
1. Data Controller
In accordance with the General Data Protection Regulation (GDPR) and Spain's
Organic Law 3/2018 on Personal Data Protection and the guarantee of digital rights
(LOPDGDD), the data controller for this website is:
Cristiana & Matteo SL (Cristiana De Gol)
Address: Carrer Pablo Picasso 2, 07800 Eivissa, Balearic Islands, Spain
Email: cristianaematteosl@gmail.com
2. Hosting and Security (Cloudflare)
To ensure the speed and security of this website, we use the services of Cloudflare, Inc. (San Francisco, USA).
When you visit our site, Cloudflare automatically records technical data in so-called
"server log files". This data includes your IP address, browser type and version,
the referring URL, and the date and time of access. This is technically necessary to defend the site against cyber attacks
(DDoS) and to ensure the page loads correctly. Cloudflare is certified under the EU-US Data Privacy Framework (DPF),
which ensures an adequate level of data protection for transfers to the USA.
The transmission of technical data (such as your IP address) occurs automatically when accessing any website and is necessary for the technical functioning of the page. Without this data, it is not possible to display the website.
Legal basis: Legitimate interest (Art. 6 para. 1 lit. f GDPR).
3. Web Analytics without Cookies (Cloudflare Web Analytics)
We use Cloudflare Web Analytics to understand how many people visit our website.
- No tracking: This tool does not use cookies, does not store identifiers on your device, and does not create user profiles.
- Anonymity: We only see aggregated data (e.g., "50 visits from Spain"), without any reference to you personally.
Legal basis: Legitimate interest in understanding website usage (Art. 6 para. 1 lit. f GDPR).
4. Links to External Services (Social Media, Maps, WhatsApp)
On our website, we use links to external platforms. Unlike common "social plugins" (which transmit data as soon as the page is opened), ours are simple static links. Data is only transmitted to the respective platforms if and when you actively click on the icon or link.
When you click, you will be redirected to the following providers, who will process your data according to their own rules:
- WhatsApp: Meta Platforms Ireland Ltd. When placing an order, our website generates a pre-filled message that includes the selected products, quantities, prices, and an order ID. This data is transmitted to WhatsApp only when you confirm sending the message. Before sending, you can review and edit the message in the WhatsApp app. We do not collect any personal data (name, address, email) through our website.
- Google Maps: Google Ireland Ltd. (for viewing the map/directions).
- Google Reviews: Google Ireland Ltd. (for viewing customer reviews).
- Social Media: Meta Platforms Ireland Ltd. (Instagram) and TikTok Technology Limited (TikTok).
Data is only transmitted to these providers through your voluntary action (clicking the link). No personal data processing takes place on our website in connection with these services.
5. Data Processing for Orders (WhatsApp & Phone)
When you place an order via WhatsApp or contact us by phone, we receive and process the following personal data:
- Phone number (provided when you contact us).
- Profile name (visible on WhatsApp).
- Order contents (products, quantities, prices, and order ID).
This data is used exclusively to manage and confirm your order.
We do not send marketing messages or share your data with third parties.
Contact is always initiated voluntarily by you.
Legal basis: Performance of a contract or pre-contractual measures
at the request of the data subject (Art. 6 para. 1 lit. b GDPR).
Retention: Order data is retained in our WhatsApp Business account
for the time necessary for operational order management
and compliance with applicable legal obligations.
6. Local Storage (Preferences & Shopping Cart)
This website does not use profiling or advertising cookies. We exclusively use your browser's "Local Storage" technology to save the following data on your device:
- Language preference (e.g., EN, ES, IT) — to show you the website in the correct language on your next visit.
- Shopping cart (selected products, quantities, and prices) — to preserve your selection if you reload the page. This data is automatically deleted after 24 hours.
All of this data remains exclusively on your device, is not transmitted to our servers or third parties,
and can be deleted at any time by clearing your browser data
(Browser settings → Clear browsing data → Site data).
Legal basis: Technically necessary storage exempt from consent under Art. 22.2 of Spain's LSSI-CE.
7. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). Personal data transfers are carried out under the following safeguards:
- Cloudflare, Inc. (USA): Certified under the EU-US Data Privacy Framework (DPF).
- Meta Platforms, Inc. (WhatsApp, Instagram): Data is processed by Meta Platforms Ireland Ltd. Transfers to the USA are covered by Meta's DPF certification.
- Google LLC (Maps, Reviews): Data is processed by Google Ireland Ltd. Transfers to the USA are covered by Google's DPF certification.
- TikTok Technology Limited (Ireland): Data may be transferred to third countries. TikTok uses Standard Contractual Clauses (SCCs) approved by the EU Commission.
8. Data Retention
We keep data only as long as necessary:
- Server logs (Cloudflare): Maximum 72 hours for security logs.
- Cloudflare Web Analytics: Aggregated and anonymized — no personal data retained.
- Local Storage (cart): Automatically deleted after 24 hours.
- Local Storage (language): Remains until you clear your browser data.
- WhatsApp messages: Subject to Meta's retention policies; we retain order messages in our WhatsApp Business account for operational purposes.
9. Automated Decision-Making
We do not use any form of automated decision-making or profiling within the meaning of Art. 22 GDPR.
10. Your Rights
Under the GDPR and the LOPDGDD, you have the right to:
- Request information about your data (Art. 15).
- Request the rectification or deletion of data (Art. 16-17).
- Request restriction of processing (Art. 18).
- Request the transfer of your data (Art. 20 — data portability).
- Object to processing (Art. 21).
- Withdraw your consent at any time, where processing is based on consent (Art. 7 para. 3).
To exercise these rights, contact us at the email address indicated above. We will respond to your request within one month. Exercising these rights is free of charge.
11. Right to Complain
In case of violations of data protection regulations, you have the right to file a complaint with the competent supervisory authority:
Spanish Data Protection Agency (AEPD) – www.aepd.es
12. Updates
Last updated: February 2026