Privacy Notice
This notice explains what personal data we collect, why, and the rights you have over it under GDPR and Spanish data-protection law.
Effective date: 24 May 2026
Preliminary notice — pending a final review by our data-protection counsel.
1. Who controls your data
CanGerard, with registered office in Catalonia, is the data controller for personal data collected through this site. You can reach the data-protection contact at gerard@cangerard.cat.
2. What data we collect
Account data (name, email, hashed password, preferred language), delivery addresses, order history, payment metadata returned by Stripe (we never store full card numbers), product reviews you publish, and standard technical data (IP, browser, locale) for security and analytics.
3. Why we use it
To create and maintain your account, process orders and payments, deliver your purchases, handle returns and customer service, prevent fraud, send transactional messages, comply with our legal obligations and — only with your consent — send marketing communications.
4. Legal basis
Performance of the contract for order processing and account management; legal obligation for accounting and tax records; legitimate interest for fraud prevention, product improvement and privacy-friendly cookieless analytics; and your consent for any optional marketing communications.
5. Who we share with
Sellers receive the data they need to fulfil your order (name, address, items). We use Stripe (payments), Sendcloud (shipping labels) and Supabase (database hosting) as data processors under contract. We do not sell your data.
6. How long we keep it
Order and accounting records are kept for the period required by Spanish tax law (currently 6 years). Account data is kept while your account is active and deleted within 90 days of closure, unless we are required to keep it longer.
7. Your rights
You have the right to access, correct, delete, restrict or port your personal data, and to object to specific processing. You can exercise these rights by writing to gerard@cangerard.cat. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or the Catalan Data Protection Authority (APDCAT).
8. Security
We use HTTPS in transit, encrypted database storage, hashed passwords, role-based access control and audit logs to protect your data. No system is impenetrable, but we work continuously to reduce risk.
9. Changes to this notice
We may update this notice when our practices change or when the law evolves. Significant changes will be announced via email or a banner on the site.