This Privacy Policy regulates the processing of the personal data that MILIIEVSKA MARYNA (hereinafter, "the Controller") collects through the website https://vommo.es, in compliance with Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).
1. Data Controller
1.1. Owner: MILIIEVSKA MARYNA (Individual entrepreneur — Self-employed)
1.2. NIF: Y5930891X
1.3. Address: Calle Poeta Ben Hafadja, No. 2, Floor 5, Door 17, 46009 Valencia (Valencia), Spain
1.4. Email: info@vommo.es
1.5. Phone: +34 614 55 77 04
1.6. Website: https://vommo.es
2. Data Protection Officer (DPO)
2.1. The Controller has not appointed a Data Protection Officer as the circumstances established in Article 37 of the GDPR and Article 34 of the LOPDGDD do not apply. The Controller's activity does not consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, nor in the large-scale processing of special categories of data.
2.2. For any matter related to the processing of personal data, the data subject may contact the Controller directly through the address info@vommo.es.
3. Purposes of the processing
3.1. Personal data collected through the website will be processed for the following purposes:
3.1.1. Management of the commercial relationship, processing of orders, shipments, returns and guarantees.
3.1.2. Administrative, accounting and tax management.
3.1.3. Management of collections, payments and invoicing.
3.1.4. Customer service and resolution of inquiries or complaints.
3.1.5. Sending electronic commercial communications about own products and services, provided that there is prior consent from the data subject or a prior contractual relationship exists in accordance with article 21.2 of Law 34/2002 (LSSI-CE).
3.1.6. Voluntary subscription to newsletters and sending of periodic information.
3.1.7. Creation of commercial profiles for advertising purposes through cookies and tracking pixels, with prior consent of the data subject (see clause 9).
3.1.8. Compliance with legal obligations applicable to the Controller.
4. Legal basis
4.1. The processing of personal data is carried out under the following legal bases of article 6.1 of the GDPR:
4.1.1. Performance of a contract (art. 6.1.b GDPR): for the processing and management of orders, shipments, returns and guarantees, as well as for the provision of services requested through the website.
4.1.2. Consent of the data subject (art. 6.1.a GDPR): for the sending of commercial communications, subscription to newsletters, installation of cookies that are not strictly necessary and the creation of advertising profiles. Consent may be revoked at any time without affecting the lawfulness of the processing prior to its withdrawal.
4.1.3. Compliance with a legal obligation (art. 6.1.c GDPR): for the retention of data for tax, accounting and civil liability purposes, as well as to respond to requirements from competent authorities.
4.1.4. Legitimate interest (art. 6.1.f GDPR): for the prevention of fraud, the security of the website, the improvement of services and the exercise or defense of claims. In all cases, the corresponding balancing test has been carried out, with the rights and freedoms of the data subject prevailing in all cases where appropriate.
5. Retention periods
5.1. Personal data will be kept for the following periods, determined according to the purpose of the processing and the applicable legal obligations:
5.1.1. Customer and buyer data: while the commercial relationship is maintained and, once finished, during the limitation period for legal actions derived from it (5 years according to article 1964.2 of the Civil Code).
5.1.2. Invoicing data and accounting documentation: 6 years according to article 30 of the Commercial Code.
5.1.3. Tax and fiscal data: 4 years according to article 66 of Law 58/2003, General Tax Law.
5.1.4. Legal guarantee of product conformity: data necessary to handle claims during a period of 3 years from delivery, according to article 120 of Royal Legislative Decree 1/2007 (TRLGDCU), modified by Royal Decree-law 7/2021.
5.1.5. Data processed based on consent (commercial communications, newsletter, advertising profiling): until the data subject withdraws their consent or exercises their right of erasure.
5.1.6. Navigation data and cookies: during the periods indicated in the Cookies Policy.
5.2. Once the indicated periods have ended, the data will be deleted or blocked in accordance with the provisions of article 32 of the LOPDGDD, remaining at the exclusive disposal of Judges and Courts, the Public Prosecutor's Office or the competent Public Administrations, for the handling of possible liabilities arising from the processing, during their limitation period.
6. Recipients of the data
6.1. Personal data may be communicated to the following recipients, whenever necessary for the purposes described in clause 3:
6.1.1. Competent Public Administrations, in the cases provided for by law.
6.1.2. Financial entities and payment gateways, for the management of collections.
6.1.3. Transport and logistics companies, for the delivery of orders.
6.1.4. Tax, accounting and legal advisors, within the framework of their respective professional services.
6.1.5. Technology providers (hosting, email, analysis and marketing tools, customer service), acting as data processors under a contract adjusted to article 28 of the GDPR.
6.2. Except for the previous cases and those provided for in clause 7, no data transfers are made to third parties without the consent of the data subject.
7. International data transfers
7.1. In general, personal data is processed within the European Economic Area (EEA).
7.2. However, within the framework of the processing of analytical and advertising cookies described in the Cookies Policy, international transfers of data to the United States of America occur through the following providers:
Google Ireland Ltd. (controller in the EEA) and Google LLC (processing in the USA), for Google Analytics 4, Google Ads and Google Tag Manager services. Information: https://policies.google.com/privacy.
Meta Platforms Ireland Ltd. (controller in the EEA) and Meta Platforms, Inc. (processing in the USA), for the Meta Pixel / Facebook Ads service. Information: https://www.facebook.com/privacy/policy.
7.3. Said transfers are covered by the Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequacy of the level of protection of personal data under the EU-U.S. Data Privacy Framework, to which the aforementioned US entities are adhered. The official register of certified entities can be consulted at https://www.dataprivacyframework.gov/list.
7.4. In the event that any of said adequacy decisions cease to be applicable, the Controller would adopt additional guarantees in accordance with article 46 of the GDPR, such as Standard Contractual Clauses approved by the European Commission, and would carry out the corresponding transfer impact assessment (TIA).
7.5. These transfers only occur when the user has provided their consent to analytical or advertising cookies through the settings panel described in the Cookies Policy.
8. Categories of data processed
8.1. Depending on the user's interaction with the website, the Controller may process the following categories of data:
8.1.1. Identification data: name, surname, DNI, NIE or passport.
8.1.2. Contact data: postal address, telephone number, email address.
8.1.3. Invoicing and transaction data: payment information, bank details necessary for collection, purchase history.
8.1.4. Navigation data: IP address, browser type, operating system, dates and duration of access, device identifiers, referral source, interactions with the website.
8.1.5. Data provided voluntarily through contact forms, subscription, comments or reviews.
8.2. The Controller does not process special categories of data as defined in article 9 of the GDPR (health data, ethnic origin, religious convictions, etc.).
9. Profiling and automated decisions
9.1. When the user provides their consent to advertising and analytical cookies, the Controller, together with the providers indicated in clause 7, carries out profiling for commercial and advertising purposes, consisting of:
9.1.1. Analysis of the user's navigation behavior on the website (pages visited, products viewed, time spent, conversion events).
9.1.2. Segmentation into advertising audiences for the personalization and measurement of marketing campaigns on third-party platforms (Google Ads, Meta Ads).
9.1.3. Attribution of conversions to the corresponding advertising campaigns.
9.2. Applied logic: the aforementioned providers use their own algorithms that combine the user's activity on the website with their activity on other sites and platforms in which they intervene, in order to infer commercial interests and offer relevant advertising content.
9.3. Consequences: profiling is used exclusively for advertising and statistical purposes and does not produce automated decisions with legal effects nor does it significantly affect the data subject within the meaning of article 22 of the GDPR. Profiling is not used to condition prices, deny products or establish differentiated contractual conditions.
9.4. Rights of the data subject: the user can object to profiling at any time:
By withdrawing consent for advertising and/or analytical cookies from the "Configure cookies" link available in the footer.
By exercising the advertising controls provided by the providers themselves: Google Ads Settings, Meta Ad Preferences.
By contacting the Controller at info@vommo.es.
10. Rights of the data subject
10.1. The data subject may exercise the following rights recognized in articles 15 to 22 of the GDPR and in articles 13 to 18 of the LOPDGDD:
Access to their personal data.
Rectification of inaccurate or incomplete data.
Erasure of data when, among other reasons, they are no longer necessary for the purposes for which they were collected.
Restriction of processing, in certain circumstances.
Objection to processing, including profiling for direct marketing purposes.
Portability of data in a structured, commonly used and machine-readable format.
Right not to be subject to automated individual decisions, including profiling, which produce legal effects or significantly affect them in a similar way.
Revocation of consent given, at any time.
10.2. Rights may be exercised by sending a request to info@vommo.es or by postal mail to the address indicated in clause 1.3, attaching a copy of the DNI, NIE, passport or equivalent document proving the identity of the applicant.
10.3. The Controller will respond to the request within a maximum period of one month from its receipt, extendable by another two months in the case of complex requests or a high number of requests, in accordance with article 12.3 of the GDPR.
10.4. The data subject also has the right to file a claim with the Spanish Data Protection Agency (AEPD), with address at C/ Jorge Juan, 6, 28001 Madrid, or through its electronic office https://www.aepd.es, especially when they have not obtained satisfaction in the exercise of their rights.
11. Security measures
11.1. The Controller has adopted the technical and organizational measures necessary to guarantee the security of personal data and prevent their alteration, loss, unauthorized processing or access, depending on the state of technology, the nature of the data and the risks to which they are exposed, in accordance with article 32 of the GDPR.
11.2. Nevertheless, the user must be aware that security measures on the Internet are not impregnable and that leaks can occur due to malicious actions by third parties, although the Controller uses all means at their disposal to avoid them and, where appropriate, notify the Control Authority and the data subjects affected under the terms provided for in articles 33 and 34 of the GDPR.
12. Minors
12.1. In accordance with article 7 of the LOPDGDD, the use of the website, the placing of orders and the processing of personal data are reserved for persons over 14 years of age. Minors under that age must have the express consent of their parents or legal guardians.
12.2. The Controller does not intentionally collect data from children under 14 years of age. If such a circumstance is detected, the data will be deleted without delay.
13. Modification of the Privacy Policy
13.1. The Controller reserves the right to modify this Privacy Policy in order to adapt it to legislative or jurisprudential developments or changes in the processing carried out.
13.2. Any modification will be published on the website indicating the date of the last update. When modifications substantially affect the rights of data subjects, they will be informed by reasonable means.