PRIVACY POLICY

1. DATA OF THE DATA CONTROLLER

-Company Name: JEFA SNEAKERS (hereinafter, the “Company” or the “Controller”).

-Registered Office: Calle Apodaca, nº 8, local 1 (Madrid)

-NIF: 01921924K

-Telephone: 634 461 098

Email for communications regarding data protection: jefasneakersshop@gmail.com

1.1. Applicable regulations 

Our Privacy Policy has been designed in accordance with the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights.

By providing us with your data, you declare that you have read and understood this Privacy Policy, giving your unequivocal and express consent to the processing of your personal data in accordance with the purposes and terms expressed herein.

The Company may modify this Privacy Policy to adapt it to new legislation, case law, or interpretations by the Spanish Data Protection Agency. These privacy conditions may be supplemented by the Legal Notice, Cookie Policy, and Terms of Purchase that, where applicable, are included when placing orders. Such access constitutes a special requirement regarding personal data protection, as certain additional information is required for the proper processing of said order.

2.- PRINCIPLES ACCORDING TO THE EUROPEAN DATA PROTECTION REGULATION

We undertake to process the personal data (hereinafter the "data") provided in accordance with the following principles set out in the General Data Protection Regulation (GDPR):

• Legality: We will only collect your Personal Data for specific, explicit, and legitimate purposes, and we will not process your Personal Data in a manner incompatible with those purposes.
• Lawfulness: In accordance with Article 6 of the General Data Protection Regulation, your personal data will be processed provided that you expressly consent to the processing of said data as a form of outsourcing your will and free and informed consent. Your personal data may be necessary to formalize a contract, agreement, or service to which the data subject is a party, to comply with legal obligations, to protect the vital interests of the data subject and another natural person, to fulfill a task carried out in the public interest or in the exercise of official authority vested in the data controller, or to satisfy the legitimate interests pursued by the data controller when these do not violate the fundamental rights and freedoms of the data subject or the protection of their personal data.
• Loyalty and transparency: in accordance with Article 5 of the General Data Protection Regulation, transparency is demonstrated by informing the data subject of the existence of the processing operation and its purposes.
• Data minimization: We limit the collection of personal data to what is strictly relevant and necessary for the purposes for which it was collected.
• Purpose Limitation: We will only collect your personal data for specific, explicit, and legitimate purposes, and we retain it as we process it.
• Accuracy: We will keep your personal data accurate and up to date.
• Data Security: We implement appropriate technical and organizational measures to ensure an adequate level of security, taking into account the risks and nature of the data, in order to prevent its disclosure or unauthorized access, as well as any loss or alteration. In short, any form of unlawful processing.
• Any person who, having given their consent for data collection, wishes to request any management of the processing is recognized and may exercise the following rights: access, rectification, objection, erasure, restriction of processing, portability, and the right not to be subject to individualized decisions. This right will be free of charge, and the request will be corrected within one month, which may be extended for another two months in light of exceptional circumstances, such as the number of requests, complexity, or other similar requests.
• Principle of retention limitation: data will be retained for as long as necessary and for the purposes of processing without undue delay, and during this time, users' and clients' personal data will be available to them upon request.

3. PURPOSE OF THE PROCESSING OF PERSONAL DATA

We process your personal data for the following purposes:

- Provide you with product-related information through the catalog made available to the user.

-To carry out, in the case of purchasing an item through the website, order management, tracking it for proper delivery, post-sale customer service, and payment collection.

-To manage social media. The Controller has a presence on social media. If you become a follower on the Data Controller's social media accounts, the processing of your personal data will be governed by this section, as well as by the terms of use, privacy policies, and access regulations applicable to the relevant social media platform, which you have previously accepted .

-If the user expressly agrees by checking the corresponding box, we may send newsletters about new collections, offers, or other news that may be of interest to the user, provided they do not revoke their consent. A simple and free means of doing so will be made available. A discount code will also be sent periodically through this channel, provided the user who authorized it does not revoke said authorization.

3.1. Retention period of your data 

We will retain your personal data from the moment you give us your consent until you revoke it or request that processing be restricted. In such cases, we will retain your data in a blocked form for the legally required periods (contractual relationships, tax or accounting matters, etc.), and will only be available in response to any request notified by a public or judicial authority.

With regard to data collected for newsletter sending, unless the user revokes their consent beforehand, we will retain the information for this purpose for two years. It will then be deleted, and it will be necessary to collect the data again through the enabled channel, with the user's express authorization.

3.2 Restricted access area policy for customers

The Controller will facilitate the registration of the user by entering the necessary access data, which will include the account name, usernames, and passwords. For security reasons, the user will receive an email to activate their account and access the application . The user will be responsible in all cases for safeguarding their access codes. Therefore, they will be solely responsible for any damages that may arise from improper use of said codes, as well as their loss or any other circumstance that could pose a risk of access or use by unauthorized third parties. Users must immediately notify the company so that it can block and replace them.

The Controller reserves the right to freely accept or reject any user's registration request. The data entered by users must be accurate, current, and truthful, and will be processed and handled in compliance with current personal data protection legislation.

4. LEGITIMATION AND DATA COLLECTED

The legitimacy for processing your data is the express consent granted through a positive and affirmative act (filling out the corresponding form and checking the box accepting this policy or calling or sending an email providing your information for a consultation) at the time you provide us with your personal information, whether to request information or to place an order.

4.1. Consent to process your data 

By filling out the forms, checking the "I accept the Privacy Policy" box and clicking to send the data, or by sending emails to the Company through the accounts enabled for this purpose, the User declares that he or she has read and expressly accepted this privacy policy and gives his or her unequivocal and express consent to the processing of his or her personal data for the purposes indicated.

4.2. Data categories 

The data collected through the contact form falls under the category of identifying data, such as: name, telephone number, email address, and the IP address from which you accessed the data collection form. In the authorization you provide for us to send the newsletter, we will only request your name and email address, as no other type of data is necessary for the purpose for which they are requested.

When placing an order, we will also request the address, as this is essential information to correctly process the order and send it to the customer.

5. SECURITY MEASURES

As part of our commitment to ensuring the security and confidentiality of your personal data, we inform you that the necessary technical and organizational measures have been adopted to guarantee the security of your personal data and prevent its alteration, loss, processing, or unauthorized access, taking into account the state of technology, the nature of the data stored, and the risks to which they are exposed, in accordance with Article 32 of the EU GDPR 679/2016. 

All data is stored on secure servers, where backup copies are made, ensuring information is always available for proper order execution and business continuity.

6. DATA TRANSFER

Only the data strictly necessary to deliver the order placed by the user may be transferred. The recipients are the courier companies with which agreements have been reached. In any case, the corresponding contracts with these providers are signed. These contracts, based on Article 28 of the GDPR, guarantee adequate data processing and limit processing exclusively to the purpose of delivering the orders.

Apart from the above, no assignments or international transfers of the data collected through this website are foreseen, except as authorized by tax, commercial, and telecommunications legislation, as well as in cases where a judicial authority requires us to do so.

7. USER RIGHTS

Any data subject has the right to obtain confirmation as to whether or not we are processing personal data concerning them. Data subjects have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. In certain circumstances, data subjects may request that the processing of their data be restricted, in which case we will only retain it for the exercise or defense of legal claims. For reasons related to their particular situation, data subjects may object to the processing of their data. The Data Controller will cease processing the data except for compelling legitimate reasons or for the exercise or defense of potential legal claims.

We also remind you that, if you are a customer, you can revoke your consent or object to receiving commercial communications by any means and at any time, by sending an email to jefasneakersshop@gmail.com .     

If you believe that your request has not been properly addressed or that your data is not being processed appropriately, you can direct your complaints to the Spanish Data Protection Agency , the regulatory body for this matter in Spain.

Below, we provide you with more detailed information on these rights, with direct access to their exercise using the links provided by the Spanish Data Protection Agency:

A)-RIGHT OF ACCESS

Article 15 of the General Data Protection Regulation recognizes the data subject's right to know whether or not their personal data is being processed, the purposes of the processing, the categories of data, the recipients, the source of the data, the retention period, and the criteria for determining that retention period. Thus, the data controller will provide a copy of the personal data being processed electronically upon submission of the request.

They may also request the data controller to rectify, delete, or restrict data and processing.

In order to make it easier for the user to exercise this right, we provide the form that must be completed for your request via the following link:

https://www.aepd.es/media/formularios/formulario-derecho-de-acceso.pdf

B)-RIGHT OF RECTIFICATION AND DELETION

Articles 16 and 17 of the General Data Protection Regulation establish that, regarding the rectification and deletion of personal data, the client or user may request the rectification of their personal data because they consider it to be inaccurate, or that it be completed or deleted because it is no longer necessary for the purposes for which it was collected and processed.

In order to make it easier for the user to exercise this right, we provide the form that must be completed for your request via the following link:

https://www.aepd.es/media/formularios/formulario-derecho-de-rectificacion.pdf

https://www.aepd.es/media/formularios/formulario-derecho-de-supresion.pdf

C)- RIGHT TO LIMITATION OF PROCESSING

The data subject shall have the right to obtain from the controller restriction of processing of their personal data whenever they contest the accuracy of their personal data. That is, data may only be processed, with the exception of storage, with the consent of the data subject, for the exercise or defense of legal claims, to protect the rights of another natural or legal person, or for reasons of public interest of the Union or a particular Member State . Furthermore, the data subject shall be informed by the controller before such restriction is lifted.

In order to make it easier for the user to exercise this right, we provide the form that must be completed for your request via the following link:

https://www.aepd.es/media/formularios/formulario-derecho-de-limitacion.pdf

1. D) -RIGHT TO DATA PORTABILITY

Article 20 of the General Data Protection Regulation recognizes the right of the data subject to receive the personal data concerning them, that is, to have it transmitted directly from one controller to another, whenever technically feasible, in a structured, commonly used, and machine-readable format, without hindrance from the controller to whom the data was provided, when consent has been expressly outsourced or through a contract.

In order to make it easier for the user to exercise this right, we provide the form that must be completed for your request via the following link:

https://www.aepd.es/media/formularios/formulario-derecho-de-acceso.pdf

8. CONFIDENTIALITY

Any personal data collected will be treated with absolute confidentiality. The Company undertakes to maintain confidentiality and guarantees its duty to safeguard it by adopting all necessary measures to prevent its alteration, loss, and unauthorized processing or access, in accordance with applicable law.

To this end, the Controller guarantees that it will maintain the corresponding confidentiality agreements with any persons who may be involved in any phase of the processing of the personal data collected.

9. INTERNATIONAL DATA TRANSFERS

An International Data Transfer is defined as the communication of your personal data to countries located outside the European Union, and more specifically outside the European Economic Area (EEA). There are exceptions to countries outside this European area that are not considered an international transfer, as the recipient countries are considered adequate by the European Data Protection Commission to comply with European data protection standards.

If the Company transfers personal information outside the EEA, whether because the data is stored on a server outside the borders of the EEA or for any other reason, it ensures that the contractual clauses governing such international transfer are maintained, ensuring that the provider that may host or process personal information complies with the minimum security standards and principles set forth in the GDPR.