1. Who is responsible for your data
The data controller under GDPR Article 4(7) is [REVIEW: legal entity name and CIF], registered at [REVIEW: registered address], Spain. You can reach our Data Protection contact at [email protected].
[REVIEW: whether a DPO is required based on scale and specific processing]
2. What we collect and why
Account data
- Identity: name, date of birth (for age verification), email, phone.
- Authentication: hashed password, Sanctum API tokens.
- Legal basis: performance of contract (GDPR Art. 6(1)(b)) and legal obligation to verify age for alcohol sales.
Order and delivery data
- Delivery address, access notes, contact phone for the driver, timestamps of each order-lifecycle event.
- Legal basis: contract performance.
Payment data
- Card details are submitted directly to Stripe and never reach our servers. We store only the last 4 digits, card brand, expiry, and Stripe PaymentIntent references.
- Legal basis: contract performance and legal obligation (invoicing, IVA).
Device and usage data
- IP address, user agent, device model, approximate location (from IP only unless you grant precise location), pages viewed, actions taken.
- Legal basis: our legitimate interest (Art. 6(1)(f)) in security, fraud prevention, and improving the Service.
Communications
- WhatsApp, email and call records when you contact our concierge.
- Legal basis: legitimate interest in responding to your enquiry.
3. Who we share it with
We only share your data with the processors necessary to operate the Service. All are bound by data-processing agreements (DPAs):
- Stripe Payments Europe Ltd. — payment processing. Stripe Privacy.
- Twilio Inc. — SMS OTP and delivery notifications. Twilio Privacy.
- Cloudflare Inc. — CDN, DDoS protection, DNS. Cloudflare Privacy.
- [REVIEW] email service provider for transactional email.
- Our drivers and warehouse team — only the minimum to fulfil your order.
We do not sell your data. We do not share it for marketing by third parties. We may disclose it to law enforcement when legally compelled.
4. International transfers
Some of our processors store data in the United States. Transfers are governed by the EU–US Data Privacy Framework or by Standard Contractual Clauses where the framework does not apply.
5. How long we keep it
- Account data: while your account is active + 2 years after last activity.
- Order and invoicing records: 6 years (Spanish tax law requires retention).
- Age-verification evidence: 1 year after the last order, then deleted.
- Security logs: 90 days then anonymised.
- Marketing consents: until you withdraw, plus 2 years for audit.
6. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten"), subject to retention obligations above.
- Restriction of processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent for marketing at any time.
Exercise any of these by emailing [email protected]. We respond within 30 days.
You also have the right to lodge a complaint with the Spanish Data Protection Authority, Agencia Española de Protección de Datos (AEPD), aepd.es.
7. Cookies
We use a minimal set of cookies:
- Essential — session, CSRF, auth token. Cannot be disabled.
- Preferences — language (ES/EN), remembered cart.
- Analytics — [REVIEW: whether GA / self-hosted Plausible / none]. Only loaded with your consent.
See our Cookie Policy for details [REVIEW: create if we deploy GA].
8. Security
We protect your data with HTTPS-only transport, hashed passwords (bcrypt), short-lived API tokens, encrypted backups, role-based access control, and regular security reviews. No system is 100% secure; if we detect a breach affecting your data we will notify you within 72 hours in line with GDPR Art. 33.
9. Children
The Service is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact [email protected] and we will delete it.
10. Changes
When we change this policy we update the "Effective" date above and — for material changes — notify you by email 14 days before the change takes effect.
11. Contact
Data Protection contact: [email protected].
General support: [email protected].