PRIVACY POLICY

Last updated: April 2025

In compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation — GDPR) and Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), users are hereby informed about the processing of their personal data.

1. DATA CONTROLLER

  • Company name: Palau Antiguitats S.C.P.
  • Tax ID (CIF): J63393441
  • Registered address: C/ Gràcia, 1 – BJ, 08012 Barcelona, Spain
  • Contact email: info@palauantiguitats.com

2. PERSONAL DATA PROCESSED

Depending on the user’s interaction with the website, the following categories of personal data may be processed:

  • Identification data: full name, email address, telephone number, postal address.
  • Financial data: payment information provided through a secure payment gateway (card data is not stored by the owner).
  • Browsing data: IP address, browser type, technical and analytical cookies (see Cookie Policy).

3. PURPOSES AND LEGAL BASIS FOR PROCESSING

Personal data are processed for the following purposes:

a) Order management and sales contracts

Legal basis: performance of a contract (Article 6(1)(b) GDPR). Required for the placement, management, fulfilment, shipping and invoicing of orders placed through the online store.

b) Customer service and enquiry management

Legal basis: legitimate interests of the controller (Article 6(1)(f) GDPR). Used to respond to communications received via the contact form or email.

c) Compliance with legal obligations

Legal basis: legal obligation (Article 6(1)(c) GDPR). Includes the issuance of invoices, tax filings and document retention in accordance with Spanish commercial and tax law.

d) Commercial communications and newsletter

Legal basis: the user’s explicit consent (Article 6(1)(a) GDPR). Users may withdraw their consent at any time by writing to info@palauantiguitats.com or by clicking the unsubscribe link in any communication received.

4. RECIPIENTS AND DATA DISCLOSURES

Personal data may be shared with the following third parties, only to the extent necessary:

  • Shipping and logistics companies: for the fulfilment and delivery of orders.
  • Financial institutions and payment gateways: for the processing of transactions.
  • Public authorities: when required by applicable law (e.g. Spanish Tax Agency — Agencia Tributaria).
  • Technology service providers (hosting, CRM, email marketing): acting as data processors under a signed Data Processing Agreement (DPA).

No personal data will be sold or transferred to third parties for commercial purposes without the user’s prior consent.

5. INTERNATIONAL DATA TRANSFERS

Where service providers are located outside the European Economic Area (EEA), the owner ensures that such transfers are subject to appropriate safeguards as provided under Chapter V of the GDPR (adequacy decisions, Standard Contractual Clauses or other recognised mechanisms). In particular, tools such as Google Analytics or email marketing services rely on Standard Contractual Clauses approved by the European Commission.

6. RETENTION PERIODS

  • Customer and order data: 5 years from the last transaction (Article 30 of the Spanish Commercial Code) or up to 10 years for tax-related documentation.
  • Contact and enquiry data: 3 years from the last communication.
  • Newsletter subscribers: until consent is withdrawn.

7. USER RIGHTS

Users may exercise the following rights recognised under the GDPR at any time:

  • Right of access: to obtain confirmation of whether their data is being processed and to receive a copy.
  • Right to rectification: to correct inaccurate or incomplete data.
  • Right to erasure (‘right to be forgotten’): to request the deletion of personal data.
  • Right to object: to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to restriction of processing: to request that processing be suspended in certain circumstances.
  • Right to data portability: to receive personal data in a structured, commonly used and machine-readable format.
  • Right to withdraw consent: at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, users must send a written request to info@palauantiguitats.com, attaching a copy of their national identity document (DNI) or equivalent identification. The owner will respond within one month (extendable by a further two months in complex cases).

If users believe that the processing of their personal data infringes applicable data protection law, they may lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD): www.aepd.es.

8. SECURITY MEASURES

Palau Antiguitats S.C.P. has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These include the use of the HTTPS protocol, access controls, regular back-ups and incident response procedures.