Privacy policy

Last updated: 22/09/2025

Main domain: www.garmonyarns.com (language folders /es, /en, /fr, /pt)

This Privacy Policy comprehensively describes how Garmon Yarns processes personal data in its online shop, support channels and marketing systems, in accordance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 (LOPDGDD) and the e-privacy rules applicable in Spain. It includes a processing map, legal bases, retention periods, international transfers and rights. When we introduce new tools or change purposes, we will update this Policy.

1) Controller and scope

• Controller: Elisabet García Ruiz (Self-employed professional)
• Trading name: Garmon Yarns
• NIF/VAT: ES09025821T
• Address: Paseo de la Alameda 21 (Local Garmon Yarns), 28804, Alcalá de Henares (Madrid), Spain
• Privacy/rights contact: tienda[garroba]armonyarns.com
• Data Protection Officer (DPO): Not appointed (not required)

Scope of application: this Policy covers the site www.garmonyarns.com and its language folders (/es, /en, /fr, /pt), the purchase process (checkout), forms (contact, newsletter with double opt-in, back-in-stock notices), reviews and the loyalty programme, as well as customer support via email, telephone, WhatsApp Business (1-to-1), online chat and interaction on Instagram, Facebook, TikTok, Pinterest and YouTube. We do not operate marketplaces at the time of this publication.

2) Sources of data and categories

Sources: web forms, checkout and after-sales, support channels (email/telephone/WhatsApp/chat), reviews (Judge.me), web browsing (cookies/SDK managed by the CMP), and interactions on social networks.

Categories:

• Identification and contact: first name, surname, email, telephone, addresses (shipping/billing).
• Transactional: orders, amounts, purchase details, coupons, returns, incidents.
• Payment: processed by providers; we do not store card data.
• Preferences/loyalty: subscriptions, points and redemptions, VIP tiers, rewards history.
• Browsing/analytics and advertising: online identifiers, cookies, conversion events, Consent Mode v2.
• Communications/support: messages, tickets, complaints.
• UGC (reviews): texts and ratings; we do not publish amounts or leaderboards with personal data.

3) Purposes, legal basis, necessity and retention

The following processing map details for each purpose: data used, legal basis (Art. 6 GDPR), whether it is mandatory and its retention period (indicative; see also Annex B).

Consequences of not providing mandatory data: we will not be able to process your order, manage returns or respond to specific requests.

4) Profiling and automated decisions

We carry out operational and commercial segmentations to personalise the experience (e.g., activity, categories purchased, likelihood of repeat purchase, lifetime value and VIP tier in the loyalty programme). 

Data and inputs: order history (frequency, average basket), interaction with our communications and, if you have accepted it in the CMP, browsing/cookie signals; we do not process special categories. Segmentation is used to prioritise content and offers, and does not entail solely automated decisions with legal or similarly significant effects, nor service denials. You can object to segmented marketing, withdraw cookie consent in the CMP and request information about the logic applied, its significance and the envisaged consequences. If in the future we apply automated decisions with significant effects, we will inform you in advance and you may request human intervention, express your point of view and contest the decision.

5) Recipients and processors

We work with third parties that act as processors under a GDPR contract (Art. 28) or as independent controllers when they process data for their own purposes.

Main processors (categories and examples):

• eCommerce platform: Shopify.
• CMP (consent/cookies): Consentmo GDPR.
• Email marketing/CRM: Shopify Email.
• Reviews/UGC: Judge.me.
• Logistics/shipping management: Packlink Pro (intermediation) and carriers: Correos, Correos Express, SEUR, InPost (Mondial Relay) (the list may vary by area).
• Email hosting and DNS: dondominio.com (accounts @garmonyarns.com).
• Advertising and measurement: Google Analytics, Google Tag Manager, Google Ads; Meta Ads and TikTok Ads.
• Internal automations (where applicable): Shopify apps for upsell/cross-sell, back-in-stock and Loyalty.
• Accountancy/administration: Domo Gestión (secure receipt of accounting/sales information).
• Management/Veri*factu (planned): Holded.

Independent controllers/joint controllers:

• Payments: Shopify Payments and compatible methods. They manage authorisation/settlement and apply their own policies (we recommend reviewing them).
• Advertising platforms: Google, and when enabled, Meta/TikTok (for measurement/ads under your consent in the CMP).

6) International transfers

Some providers may access or host data outside the EEA (e.g., the USA, the United Kingdom or Canada). In such cases we require appropriate safeguards (Arts. 44–49 GDPR), which may include Standard Contractual Clauses (SCC), adequacy decisions (e.g., the EU-US Data Privacy Framework for certified entities) or equivalent instruments (UK IDTA), together with additional technical/organisational measures. We will keep the inventory of sub-processors by category up to date.

7) Retention periods

We apply data minimisation and storage limitation:

• Customers/orders: contractual relationship and thereafter 6 years (commercial documentation) and 4 years (tax).
• Support/queries: up to 3 years depending on the nature.
• Marketing: until withdrawal or 3 years of inactivity.
• Loyalty/referrals: programme duration and subsequent statutory periods.
• Cookies/identifiers: as per durations declared in the CMP.
• Reviews/surveys: while useful; possible anonymisation after a reasonable period.

We will keep data restricted (blocked) for the limitation periods to address potential liabilities.

8) Data subjects’ rights

Rights (EU/EEA and UK): access, rectification, erasure, objection, restriction of processing, portability and withdrawal of consent at any time.
How to exercise them:

1. Send an email to tienda[garroba]armonyarns.com, use the form www.garmonyarns.com/pages/contacto or send a postal letter to the address indicated.
2. We may request verification (confirmation by email/telephone and/or data associated such as order number).
3. Authorised representative: in accordance with applicable regulations, you may appoint a representative to submit requests on your behalf. Before acting, we may request proof of authorisation and, where applicable, direct verification of your identity.
4. Response time: 1 month (extendable by 2 months in complex cases, with notice).
5. If you are not satisfied, you can lodge a complaint with the AEPD (www.aepd.es) or another competent authority in your country.

No discrimination for exercising rights: we will not adopt practices that result in unfavourable treatment for exercising these rights.

Marketing opt-outs: available in each email/SMS or by requesting it via the above channels. In WhatsApp Business 1-to-1, you may ask at any time not to receive marketing communications.

9) Children’s data

The Services are not directed at minors. We do not knowingly collect minors’ data under the applicable law. If you are a parent/guardian and believe a minor has provided us with data, contact us to delete it. As of the effective date, we have no actual knowledge of the sale or “sharing” (as defined in certain laws) of personal data of individuals under 16.

10) Third-party websites and links

The Services may link to third-party sites/platforms. We do not control their security or privacy; we recommend reviewing their policies before use. Content you publish in public areas (including social media) may be visible to third parties without limitation.

11) Security

While we apply appropriate measures, no measure is impregnable. Avoid sending us sensitive information via unsecured channels. We retain data for as long as necessary to: maintain your account, provide Services, comply with legal obligations, resolve disputes and enforce our terms, in line with the periods set out in this Policy.

We implement technical and organisational measures appropriate to the risk, including:

• Encryption in transit (TLS) and secure configuration of cloud platforms.
• Access control with MFA or one-time links; principle of least privilege and role segregation.
• Back-up management provided by cloud services; reasonable periodic testing.
• Internal policies on confidentiality and basic staff training.
• Incident logging and handling; deletion/anonimisation procedures.
• Periodic evaluation of effectiveness and review of sub-processors.

Data breaches: we will notify the AEPD and, where appropriate, affected individuals within a maximum of 72 hours from becoming aware, in accordance with Arts. 33 and 34 GDPR.

12) Cookies, SDK and Consent Mode v2

We use cookies and similar technologies for technical, preference, analytics and advertising purposes. We manage consent via Consentmo GDPR (CMP), which allows acceptance/rejection by categories, withdrawal of consent and review/update of preferences.

• Prior blocking: enabled for advertising/tracking tags until you make your choice.
• Consent Mode v2: implemented to transmit aggregated signals/consent state to Google where applicable.
• Cookie matrix and durations: available in the CMP and in the Cookies Policy (providers, purposes, lifespan and type).
• Advertising/remarketing: only if you accept the advertising category in the CMP (e.g., Google Ads; Meta/TikTok Ads in future).

13) Commercial and operational communications

• Email (Shopify Email): marketing sends only with consent (double opt-in).
• SMS (Shopify): campaigns and notices with consent.
• WhatsApp Business: 1-to-1 support; broadcast lists only with specific consent.
• Abandoned baskets and operational reminders: based on your interaction and according to your CMP preferences where advertising identifiers are involved.

You can withdraw your consent at any time and you will continue to receive communications strictly necessary for contract performance (order confirmations, shipping notices, etc.).

14) Relationship with Shopify (platform and features)

Our shop is hosted on Shopify, which collects and processes personal information to provide and improve the platform’s services (hosting, checkout, compatible payments, security, aggregated analytics, personalisation/ads features where you consent). For certain platform-wide uses (e.g., protecting, developing and improving its ecosystem; advanced features combining signals from multiple shops), Shopify acts as a controller. In those cases, Shopify will determine purposes and means and will handle rights related to those uses.
For more information and to exercise rights with Shopify, see its Consumer Privacy Policy and privacy portal: https://privacy.shopify.com/en.

Flows and transfers: Shopify and sub-processors may operate from countries outside the EEA/UK. We require safeguards (e.g., Standard Contractual Clauses, adequacy frameworks such as the EU-US DPF for certified entities, or equivalent instruments), together with additional technical and organisational measures.

Marketing and measurement integrations: we may enable personalised advertising and measurement with third parties (e.g., Google Ads initially, and in future Meta/TikTok) only if you give consent in the CMP. Shopify may facilitate these integrations; third parties will use data under their own policies. You can object or withdraw your consent via the panel.

Enhanced Services (Shopify Network Intelligence): Shopify may combine signals from your activity on our store with signals from other merchants across the Shopify ecosystem and from Shopify itself to provide Enhanced Services (e.g., security/anti-fraud and platform improvements). In the EEA/UK/Switzerland, any advertising or personalisation based on that combination of signals will only be activated if you give your consent in the CMP; you can withdraw it at any time from the CMP and/or via Shopify’s privacy portal ( https://privacy.shopify.com/en).”

15) Loyalty and referrals programme

Joining the “Club Garmon” loyalty programme managed via Zing Loyalty (Shopify App) is voluntary and governed by the Programme Terms.

Purposes: manage your participation (join/leave), accrue and redeem points (“hebras”), calculate and assign VIP tiers and rewards, apply incentives/bonuses (e.g., welcome, birthday if you provide it), manage referrals, prevent fraud/abuse (e.g., suspicious redemptions, repeated returns) and provide programme support.

Data processed: identification and contact; Shopify customer ID; programme ID, points balance, history of accruals/redemptions and expiries; tier/level and progression; coupons or discounts generated and their status; programme events (date/time, channel, shop/checkout); minimal referral data (codes/links and aggregated metrics); optionally date of birth and preferences you choose to provide. We do not publish leaderboards or amounts spent.

Legal basis: (i) performance of a contract (Art. 6.1.b GDPR) to operate the programme under its terms; (ii) legitimate interest (Art. 6.1.f) for security/anti-fraud, quality and non-advertising internal metrics; (iii) consent (Art. 6.1.a) for marketing communications about the programme and for optional attributes (e.g., birthday) or advertising pixels/cookies, which are only activated if you accept them in the CMP.

Automation and profiling: the calculation of points, assignment of tiers and eligibility for rewards is carried out automatically, without legal or similarly significant effects (Art. 22 GDPR). You can object to profiling for marketing purposes and request human review of issues (e.g., a denied redemption).

Anti-fraud and reversals: we may temporarily hold points or reverse accruals/redemptions if there are returns/cancellations or reasonable signs of abuse (e.g., multiple account creation). We will document the incident and you may make representations.

Recipients/processors: Zing Loyalty acts as a processor; it may integrate with Shopify (checkout/discounts) and, where applicable, with our email/SMS provider for programme communications. We will not disclose your data to third parties for their own purposes.

International transfers: Zing Loyalty and/or its sub-processors may operate outside the EEA/UK. We require safeguards (e.g., SCC, EU-US DPF where applicable) and appropriate technical/organisational measures.

Retention: while you belong to the programme; after leaving, we will retain the operational history and evidence of redemptions affecting accounting/tax for the legal periods (6/4 years in Spain). Other programme data will be deleted or anonymised within up to 3 years from leaving, unless there are open issues.

Leaving and effects: you can leave at any time. Leaving entails the loss of unredeemed points and tier-related benefits. You can continue to shop normally without the programme. You may opt out of marketing and remain in the programme (operational communications only).

Cookies/tracking: any tag or cookie used for programme personalisation or measurement is governed by your choice in the CMP and is pre-blocked until your consent.

16) Reviews and UGC

We process verified reviews to evidence purchase, improve service quality and guide other customers.

Data processed: name or alias, email (not displayed), order number or reference for verification, review content and rating, date and minimal technical metadata; optionally, images and/or videos you choose to provide.

Publication and visibility: the review (and, where applicable, your name/alias) may be shown on the product page and indexed by search engines. We do not publish amounts or economic leaderboards of customers.

Legal basis: (i) legitimate interest (Art. 6.1.f GDPR) to request post-purchase reviews, verify authenticity, moderate unlawful or offensive content and detect fraud; (ii) consent (Art. 6.1.a) when the review includes image, voice or other identifiers that may make you recognisable, or for any promotional reuse other than publication on the product page itself.

Moderation and limits: we may not publish, edit (to remove third parties’ personal data) or remove reviews containing offensive language, third-party advertising, misleading information, third-party personal data or content that infringes rights (e.g., intellectual property or image). We may ask you for proof of purchase experience to keep the review as “verified”.

Provider and transfers: we use Judge.me as a processor for managing and verifying reviews. This provider may carry out international transfers; we require appropriate safeguards (e.g., SCC/adequacy frameworks) and complementary technical/organisational measures.

Retention and specific rights: we will retain the review while it is relevant (normally, while the product is offered in the shop) and may subsequently anonymise or pseudonymise it. You can edit, remove or request anonymisation of your review via our contact channels indicated in this Policy. Withdrawal of a review does not affect the lawfulness of prior processing.

17) Customer support and forms

We process the data you provide via contact/support forms, as well as by email, telephone, WhatsApp Business (1-to-1) and online chat, for the following purposes: (i) to respond to queries and manage incidents, returns or warranties; (ii) to identify the referenced order or product; (iii) to follow up the conversation and improve service quality; and (iv) to prevent abuse/spam and maintain channel security.

Data processed: identification and contact; message content; order/product references; minimal technical metadata (date/time, session identifier and truncated IP); and, where applicable, attachments you send (avoid including special category data).

Legal basis: pre-contractual steps (product enquiries/sign-up), performance of a contract (order support, warranties, returns), legal obligation (consumer/warranty) and legitimate interest (quality, traceability, security and anti-spam).

Mandatory/optional nature: fields marked as mandatory are essential to handle your request; optional fields help prioritise and resolve faster. If you do not provide the mandatory fields, we will be unable to handle your request.

Retention: up to 3 years from the last interaction. If the case is linked to a sale, the commercial/tax periods indicated in this Policy may also apply. Security/anti-spam evidence may be kept for the time strictly necessary to investigate incidents.

Recipients/processors: our email systems (provider dondominio.com), the Shopify platform where the form is integrated and our internal support tools; we do not disclose your data to third parties for their own purposes.

Channel security: encryption in transit (TLS), access controls, honeypot/captcha and anti-spam filters. If you contact us via social networks, processing is also governed by that platform’s privacy policy.

18) Payments and financing

We process payments via Shopify Payments (and compatible methods shown at checkout, such as cards and wallets). For authorisation, settlement and risk controls, Shopify Payments acts as an independent controller. Garmon Yarns does not store full card data; we receive only transaction identifiers, status (authorised/declined, refunded/chargeback), method used and, where applicable, masked data (e.g., last 4 digits and brand).

Purposes and legal bases

• Collection of orders, issuing refunds and managing cancellations → Performance of a contract (Art. 6.1.b GDPR).
• Compliance with accounting and tax obligations → Legal obligation (Art. 6.1.c).
• Fraud prevention, chargeback handling and payment security → Legitimate interest (Art. 6.1.f), with appropriate safeguards.

Processing by the payment provider

• Automated risk assessment and anti-fraud controls.
• Strong Customer Authentication (SCA/PSD2), e.g., 3-D Secure 2 where applicable.
• Automated decisions to authorise or decline transactions, which may produce economic effects (e.g., a declined charge). For these processing activities, rights must be exercised directly with Shopify Payments under its privacy notice.

Chargebacks and disputes
In the event of a chargeback, we may share with the acquirer/payment provider the strictly necessary information (e.g., proof of delivery, customer communications, order data) to defend the transaction.

International transfers and retention
The provider may process data outside the EEA/UK under recognised safeguards (e.g., SCC, EU-US DPF where applicable). We retain payment evidence linked to the order according to the commercial and tax periods indicated in this Policy; the provider retains its data under its own policy.

Exercising rights
For processing where Shopify Payments is controller, you can consult and exercise rights via its privacy portal. For the part we carry out (e.g., accounting reconciliation and refunds), you can write to us at tienda[garroba]armonyarns.com.

19) Logistics and after-sales

To manage deliveries, returns, exchanges and after-sales, we disclose to Packlink Pro (intermediation platform) and selected carriers (e.g., Correos, Correos Express, SEUR, InPost/Mondial Relay) the strictly necessary data: first and last name, full address and/or pick-up point, email and/or telephone for tracking notices, order number/ID, shipment references (parcels, approximate weight/volume), tracking number, delivery instructions and, for international shipments, essential customs data.

Packlink Pro acts as a processor (label and document generation, routing and traceability); carriers act, in general, as independent controllers in providing the transport service and in meeting their own obligations (traceability, proof of delivery, incidents, claims and sector regulations). These providers will use your contact details exclusively for logistics (e.g., delivery/pick-up notices) and not for promotional purposes.

Legal basis: performance of a contract (order delivery/returns handling), legal obligation (consumer, product safety, tax/customs where applicable) and legitimate interest (shipment security and traceability, fraud prevention).

Retention and transfers: we retain shipping documentation and proof of delivery for the applicable statutory periods. For shipments outside the EEA/UK, disclosure of data to postal operators/customs in the destination country may involve international transfers; in such cases, we require appropriate safeguards (e.g., SCC or adequacy decisions) and complementary technical/organisational measures.

20) Advisory services and tax obligations

We disclose data to Domo Gestión (accountancy firm) for accounting and for fulfilling tax and commercial obligations.

Role: Domo Gestión acts as a processor (Art. 28 GDPR) and only processes information following our instructions; it may be an independent controller with respect to its own professional and archiving obligations.

Data disclosed (strictly necessary): identification and contact (ours and, where applicable, the customer listed on the sales document), order and invoice numbers, dates, lines and amounts, NIF/VAT, addresses, means of payment (token/status; never full card data), discounts/taxes applied and supporting documentation for returns/warranties.

Channels and security: exchange is carried out via encrypted channels and controlled repositories (e.g., files in a secure portal or SFTP, restricted access and access logs); we avoid sending sensitive files via open email.

Legal basis: legal obligation (tax/accounting and commercial law) and legitimate interest (internal control and audit). Retention: we keep documentation for 6 years (commercial) and 4 years (tax); Domo Gestión will keep information for the time strictly necessary to provide the service and meet its professional obligations.

Exercising rights: GDPR requests related to these processing activities must be addressed to Garmon Yarns; we will forward to the accountancy firm those corresponding to its role as processor.

21) Exercising rights — operational detail

1. Request channels: send us an email to tienda[arroba]garmonyarns.com, use the form https://www.garmonyarns.com/pages/contacto or send a postal letter to Paseo de la Alameda 21 (Local Garmon Yarns), 28804, Alcalá de Henares (Madrid), Spain.
2. Minimum content of the request: state the right you wish to exercise (access, rectification, erasure, objection, restriction, portability or withdrawal of consent), the scope/period concerned and, where applicable, data to help us locate the information (e.g., email used for your purchases, order number, sign-up channel). If you act on behalf of another person, go to point 4.
3. Identity verification: we will prioritise requests received from the email associated with your account/orders. If that is not possible or there are reasonable doubts, we may request additional proof (e.g., telephone confirmation or official document). If you send a document, mask data not required (recommended: hide photo, MRZ and support number; leave visible name, document and validity date).
4. Authorised representative: we accept representatives’ requests if they provide valid proof (power/authorisation signed) and the data subject’s identification. We may verify directly with the data subject before acting.
5. Timeframes and form of response: we will respond within 1 month of receipt; it may be extended up to 2 months if the request is complex or multiple (we will inform you within the first month). The response will be free of charge and by electronic means unless you request another format or it is impossible.
6. Limitations and refusals: we may limit/refuse where the request is manifestly unfounded or excessive, where we cannot identify the requester with reasonable diligence, or where compliance would infringe third-party rights or legal obligations (e.g., commercial/tax retention, security, fraud prevention). In such cases we will explain the reason and your options for appeal.
7. Cost: the exercise is free of charge; for unfounded or excessive requests we may charge a reasonable fee based on administrative costs or refuse to act (Art. 12.5 GDPR).
8. Complaints and non-discrimination: if you are not satisfied, you can complain to the AEPD (https://www.aepd.es) or another competent authority. We will not discriminate against you for exercising your rights.

22) Changes to the Policy

We will publish updates on this page, indicating the effective date, and will keep a version history available upon request. If changes are material (e.g., new purposes, new legal bases or new recipients), we will notify you with reasonable advance notice by email or a prominent notice on the website and, where legally required, we will seek your consent again.

23) Contact

• Email: tienda[garroba]armonyarns.com
• Contact form: www.garmonyarns.com/pages/contacto
• Postal address: Paseo de la Alameda 21 (Local Garmon Yarns), 28804, Alcalá de Henares (Madrid), Spain

Annex A — Legitimate interest test (summary)

Processing: pre/after-sales customer support; satisfaction surveys and verified reviews; minimum necessary security/anti-fraud; basic personalisation with minimal intrusiveness initiated by the user.
Necessity: essential operations for service quality and security.
Balance: low/medium impact mitigated by options to object, opt-out and preference control in the CMP.
Conclusion: legitimate interest prevails, maintaining safeguards and transparency.

Annex B — Retention table

Annex C — Categories of providers (processors)

• eCommerce platform: Shopify.
• Consent/cookies: Consentmo GDPR.
• Email marketing: Shopify Email.
• Reviews: Judge.me.
• Logistics/shipping: Packlink Pro + carriers (Correos, Correos Express, SEUR, InPost/Mondial Relay; the list may vary).
• Upsell/cross-sell/back-in-stock: Essentials Upsell; Doran Back In Stock.
• Corporate email/DNS: dondominio.com.
• Accountancy: Domo Gestión.
• Management/Veri*factu: Holded.

Annex D — Cookies/SDK (category view)

• Technical: essential for browsing, security and basket.
• Preferences: language, region, UI.
• Analytics/measurement: GA4/Consent Mode v2 (aggregation/signals).
• Advertising/remarketing: Google Ads (initially); future Meta/TikTok tags subject to consent.

For details of each cookie/SDK (name, provider, purpose, expiry), see the CMP panel and the Cookies Policy.