PRIVACY POLICY
Who is the controller of your data?
In accordance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD), it is hereby informed that the personal data provided through this website will be processed by:
Controller: LUMBRE Gallery / Marjorie Colas
Tax Identification Number (NIF): X9769160W
Address: Calle Infantas, 25, 28004, Madrid, Spain
Email: info@lumbregallery.com
Website: www.lumbregallery.com
Hereinafter, THE GALLERY.
What personal data are processed through this website?
THE GALLERY may process the following categories of data:
a) Identification data
first name and surname
email address
telephone number
company (in the case of B2B)
b) Economic and transactional data
billing information
purchase history
payment-related information (without access to full card details)
THE GALLERY does not store bank or card data.
Payments are processed entirely through Stripe as a certified external provider.
c) Browsing data
IP address
browser type
device
browsing behaviour (cookies, if accepted)
d) Communications
requests sent via forms
email communications
history of requested quotations
For what purposes are personal data processed?
Personal data are processed for the following purposes:
managing information or contact requests
managing purchase requests and personalised quotations
managing payments, invoicing and contractual compliance
contacting the user by email in relation to their request
complying with legal and tax obligations
improving the functioning of the website (analytics, if consented)
sending informational or commercial communications, only if authorised by the user
What is the legal basis for processing the data?
The processing of data is based on:
performance of a contract or pre-contractual measures
express consent of the data subject
compliance with legal obligations
legitimate interest, in specific and limited cases (security, fraud prevention)
To whom may personal data be disclosed?
Personal data may be disclosed only to:
a) Service providers
Hostinger (web hosting)
Stripe (online payments)
HubSpot (forms, CRM or communications, if used)
logistics providers (only data necessary for shipping)
All providers act as data processors, under agreements in accordance with Article 28 GDPR.
b) Public authorities
When required by law (tax, accounting, judicial).
Are international data transfers carried out?
Some providers (Stripe, Google, HubSpot) may carry out international data transfers outside the European Economic Area.
These transfers are carried out with appropriate safeguards, such as:
Standard Contractual Clauses (SCCs)
additional technical measures in accordance with GDPR
How long are the data retained?
Data will be retained:
while a contractual relationship exists
for the legally required periods (tax, accounting)
until the user withdraws their consent
for the time strictly necessary for the purpose for which they were collected
What rights can users exercise?
The user may exercise the following rights:
access
rectification
erasure
objection
restriction of processing
data portability
withdrawal of consent at any time
They may exercise these rights by sending an email to:
info@lumbregallery.com
They also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).
What security measures are applied to protect the data?
THE GALLERY applies appropriate technical and organisational measures to ensure the security of personal data, including:
a) Technical measures
secure connection via SSL certificate
protected and updated servers
encryption of data in transit
access control systems
periodic backups
protection against malware and automated attacks
b) Organisational measures
restricted access to data only to authorised personnel
basic training in data protection
internal confidentiality policies
periodic review of providers
protocols in case of security breaches
c) Secure payments
payments are carried out exclusively through Stripe, a PCI-DSS certified provider
THE GALLERY does not access or store card data
Are commercial communications sent?
The user will only receive commercial communications if they have had a prior commercial relationship or have given their express consent.
At any time, they may unsubscribe through:
the link included in communications
direct request by email
Informational communications and newsletter
Personal data provided through the subscription form will be processed by LUMBRE Gallery for the purpose of sending information about exhibitions, fairs, events, artistic news and activities related to the gallery.
The legal basis for processing is the consent of the data subject (Article 6.1.a GDPR).
Consent may be withdrawn at any time without affecting the lawfulness of processing prior to its withdrawal.
Subscription to the newsletter is not a condition for making purchases or contracting services.
Data will be retained until the data subject withdraws their consent.
To ensure the validity of consent, a double verification system (double opt-in) may be used, whereby the user must confirm their subscription via a link sent to their email address.
No automated profiling with legal effects on the data subject will be carried out.
What happens if the user provides data of third parties?
If the user provides data of third parties (for example, for shipments or gifts), they declare that they have obtained their consent and undertake to inform them of the content of this policy.
Are minors’ data processed?
This website is not intended for children under 14 years of age.
If improper processing of minors’ data is detected, it will be immediately deleted.
Can this Privacy Policy be modified?
THE GALLERY reserves the right to modify this Privacy Policy in order to adapt it to legal or technical changes.
Users are advised to review it periodically.
What legislation applies?
This policy is governed by Spanish law and European data protection legislation.