Privacy Policy
Last updated: March 17, 2026
In compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Spanish Organic Law 3/2018 on Personal Data Protection and digital rights guarantee (LOPDGDD), we inform you about the processing of your personal data.
1. DATA CONTROLLER
Owner: Ray Rodriguez (sole trader), trading as Kosmetica.es
Tax ID (NIF): 14053624A
Address: C/ del Túria, 53, Extramurs, 46008 Valencia, Spain
Email: [email protected]
Phone: +34 674 02 48 13
2. DATA PROTECTION OFFICER
Given the nature and volume of data processed, Kosmetica.es is not required to appoint a Data Protection Officer under Article 37 of the GDPR. However, you may direct any data protection queries to [email protected].
3. PURPOSES OF PROCESSING, LEGAL BASIS, AND DATA PROCESSED
| Purpose | Legal basis (Art. 6 GDPR) | Data processed | Retention period |
|---|---|---|---|
| Order management and delivery | Performance of a contract (Art. 6.1.b) | Name, surname, email, postal address, phone, payment data | Duration of contractual relationship + 5 years (tax obligations) |
| User account management | Performance of a contract (Art. 6.1.b) | Name, surname, email, encrypted password, order history | Until the user requests account deletion |
| Customer support and inquiries | Legitimate interest (Art. 6.1.f) and consent (Art. 6.1.a) | Name, email, inquiry content, attachments | Until resolution of inquiry + 1 year |
| Commercial communications and newsletter | Explicit consent (Art. 6.1.a) | Email, name | Until consent is withdrawn |
| Browsing analysis and service improvement | Consent (Art. 6.1.a) granted via cookie banner | Browsing data, IP address, device type, pages visited | According to cookie duration (see Cookie Policy) |
| Legal and tax compliance | Legal obligation (Art. 6.1.c) | Billing data, tax data | 5 years (General Tax Law) / 6 years (Commercial Code) |
| Fraud prevention | Legitimate interest (Art. 6.1.f) | Payment data, IP address, transaction data | Duration of contractual relationship + 5 years |
4. DATA RECIPIENTS
Your personal data may be shared with the following recipients, exclusively for the purposes described:
| Recipient | Purpose | Country/Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Card payment processing | USA | Data Privacy Framework (DPF) |
| Klarna AB | Deferred payment | Sweden (EU) | Within EEA |
| Google LLC (Analytics) | Browsing and audience analysis | USA | Data Privacy Framework (DPF) |
| Google LLC (reCAPTCHA) | Bot and spam protection | USA | Data Privacy Framework (DPF) |
| Meta Platforms, Inc. | Advertising and campaign measurement | USA | Data Privacy Framework (DPF) |
| Brevo (Sendinblue) | Transactional emails and newsletter | France (EU) | Within EEA |
| Correos (State Company) | Order delivery | Spain (EU) | Within EEA |
| Trustpilot A/S | Customer review management | Denmark (EU) | Within EEA |
No data will be shared with third parties other than those indicated, except where required by law.
5. INTERNATIONAL DATA TRANSFERS
Some of the providers mentioned above (Stripe, Google, Meta) are headquartered in the United States. These transfers are carried out under the EU-US Data Privacy Framework (DPF), to which these companies are certified, ensuring an adequate level of protection in accordance with the European Commission's Adequacy Decision of July 10, 2023.
6. DATA SUBJECT RIGHTS
As a data subject, you have the right to:
- Access: Know whether we process your data and obtain a copy.
- Rectification: Correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): Request deletion of your data when no longer necessary.
- Objection: Object to the processing of your data in certain circumstances.
- Restriction of processing: Request restriction of processing in cases provided by law.
- Portability: Receive your data in a structured, commonly used format, or request its transfer to another controller.
- Not be subject to automated decisions: Not be subject to decisions based solely on automated processing, including profiling.
- Withdraw consent: Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, send an email to [email protected] indicating the right you wish to exercise and attaching a copy of your ID or equivalent identification document. We will respond within a maximum of 30 days.
7. RIGHT TO LODGE A COMPLAINT WITH THE SUPERVISORY AUTHORITY
If you consider that the processing of your personal data does not comply with applicable regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):
- Website: www.aepd.es
- Address: C/ Jorge Juan, 6, 28001 Madrid
- Phone: 901 100 099 / 91 266 35 17
8. AUTOMATED DECISIONS AND PROFILING
Kosmetica.es does not make automated decisions or engage in profiling that produces legal effects concerning the user or similarly significantly affects them.
The use of Google Analytics and Meta Pixel involves tracking browsing behavior for statistical and advertising purposes, but always subject to the user's prior consent through the cookie banner.
9. SOURCE OF DATA
Personal data processed by Kosmetica.es comes directly from the data subject through:
- Account registration form
- Purchase process (checkout)
- Contact form
- Newsletter subscription
- Website browsing (data collected by cookies, with prior consent)
10. SECURITY MEASURES
Kosmetica.es implements appropriate technical and organizational measures to ensure the security of personal data, including:
- Encrypted connection via HTTPS/TLS protocol
- Password storage using secure hashing
- Payment processing compliant with PCI-DSS standard (via Stripe)
- Restricted access to personal data limited to authorized personnel
- Regular backups