Privacy policy

Last updated: 12/07/2026

Main domain: www.garmonyarns.com (language folders /es, /en, /fr, /pt)

This Privacy Policy provides a comprehensive description of how Garmon Yarns processes personal data in its online shop, customer service channels and marketing systems, in accordance with Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 (LOPDGDD) and the ePrivacy regulations applicable in Spain. It includes a processing map, legal bases, retention periods, international transfers and rights. When we introduce new tools or change our purposes, we will update this Policy.

1) Data controller and scope

  • Data controller: Elisabet García Ruiz (Self-employed professional)
  • Trading name: Garmon Yarns
  • Tax ID/VAT number: ES09025821T
  • Registered address: Paseo de la Alameda 21 (Garmon Yarns premises), 28804, Alcalá de Henares (Madrid), Spain
  • Privacy/rights contact: tienda[garroba]armonyarns.com
  • Data Protection Officer (DPO): Not appointed (not legally required)

Scope: this Policy covers the website www.garmonyarns.com and its language folders (/es, /en, /fr, /pt), the purchasing process (checkout), forms (contact, double opt-in newsletter, availability alerts), reviews and loyalty programme, as well as customer service by email, telephone, WhatsApp Business (one-to-one), online chat and interactions on Instagram, Facebook, TikTok, Pinterest and YouTube. We do not operate on marketplaces as of the date of this publication.

2) Data sources and categories

Sources: web forms, checkout and after-sales service, customer service channels (email/telephone/WhatsApp/chat), reviews (Judge.me), website browsing (cookies/SDKs managed through the CMP), and social media interactions.

Categories:

  • Identification and contact details: first name, surname, email address, telephone number, addresses (delivery/billing).
  • Transactional data: orders, amounts, purchase details, vouchers, returns, incidents.
  • Payment data: processed by providers; we do not store card details.
  • Preferences/loyalty data: subscriptions, points and redemptions, VIP tiers, reward history.
  • Browsing/analytics and advertising data: online identifiers, cookies, conversion events, Consent Mode v2.
  • Communications/support data: messages, tickets, complaints.
  • UGC (reviews): texts and ratings; we do not publish amounts or rankings containing personal data.

3) Purposes, legal basis, requirement and retention

The following processing map sets out, for each purpose, the data used, the legal basis (Article 6 GDPR), whether it is mandatory and the applicable retention period (for guidance; also see Annex B).

Purpose Data Legal basis Mandatory? Retention

Purchases, deliveries, returns and guarantees

Identification, contact and transactional data

Performance of a contract

Yes, to enter into the contract

Duration of the relationship + 6 years (commercial) / 4 years (tax)

Customer service (pre-sales/after-sales)

Identification and contact details, messages

Pre-contractual measures / Legitimate interests

Required to provide assistance

Up to 3 years

Invoicing/accounting/taxation

Identification and transactional data

Legal obligation

Yes

6 years (commercial) / 4 years (tax)

Fraud prevention and security

Technical identifiers, events

Legitimate interests

Required for protection

For as long as necessary + statutory periods

Newsletter and marketing by email/SMS/WhatsApp

Identification and contact details, preferences

Consent (double opt-in for email)

Optional

Until consent is withdrawn or after 3 years of inactivity

Web analytics and measurement

Cookies/IDs, events

Consent (CMP)

Optional

According to the lifespan of cookies/IDs (see CMP)

Advertising, measurement and remarketing (Google Ads and Meta Ads; TikTok Ads in the future)

Cookies and online identifiers, browsing and conversion events, product and transaction data and, where applicable, identification and contact details used for user matching.

Consent (CMP) for personalised advertising, remarketing, advertising measurement and non-essential tracking technologies.

Optional

According to the lifespan of the cookies and identifiers and the periods applied by each platform; please consult the CMP and the providers’ policies.

Personalisation, cross-selling/upselling, abandoned baskets

Identifiers and events

Consent where cookies are involved; legitimate interests for minimal reminders initiated by the user

Optional

12–24 months (or according to the CMP)

Loyalty and referral programme (points/redemptions/tiers)

Identification, transactional and loyalty data

Performance of a contract (programme terms) + consent for marketing

Required to participate

Duration of membership + statutory periods

Reviews/satisfaction surveys

Basic identification details, order, review text

Legitimate interests (quality/verification) or consent where additional identifiers are published

Optional

For as long as they remain relevant (possible anonymisation)

Management of GDPR rights

Identification details, relationship metadata

Legal obligation

Yes

Limitation periods

Consequences of not providing mandatory data: we will be unable to process your order, manage returns or respond to specific requests.

4) Profiling and automated decision-making

We carry out operational and commercial segmentation to personalise the experience (e.g. activity, categories purchased, likelihood of repurchase, lifetime value and loyalty VIP tier).

Data and inputs: order history (frequency, average order value), interaction with our communications and, where you have accepted them through the CMP, browsing/cookie signals; we do not process special categories of personal data. Segmentation is used to prioritise content and offers and does not involve solely automated decisions that produce legal or similarly significant effects, or the refusal of services. You may object to segmented marketing, withdraw your cookie consent through the CMP and request information about the logic involved, its significance and the envisaged consequences. Should we introduce automated decision-making producing significant effects in the future, we will inform you in advance and you will be entitled to request human intervention, express your point of view and challenge the decision.

5) Recipients and data processors

We work with third parties that act as processors under GDPR-compliant agreements (Article 28) or as independent controllers where they process data for their own purposes.

Main processors (categories and examples):

  • eCommerce platform: Shopify.
  • CMP (consent/cookies): Consentmo GDPR.
  • Email marketing/CRM: Shopify Email.
  • Reviews/UGC: Judge.me.
  • Logistics/shipping management: Packlink Pro (intermediary) and carriers: Correos, Correos Express, SEUR, InPost (Mondial Relay) (the list may vary by area).
  • Email hosting and DNS: dondominio.com (@garmonyarns.com accounts).
  • Advertising, measurement and attribution: Google Analytics, Google Tag Manager, Google Ads and Meta Platforms, using tools such as Meta Pixel and the Meta Conversions API; TikTok Ads once activated.
  • Internal automations (where applicable): Shopify apps for upselling/cross-selling, back-in-stock alerts and loyalty.
  • Accountancy/advisory services: Domo Gestión (secure receipt of accounting/sales information).
  • Management/VeriFactu software (planned): Holded.

Independent/joint controllers:

  • Payments: Shopify Payments and supported payment methods. They manage authorisation/settlement and apply their own policies (we recommend consulting them).
  • Advertising platforms: Google and Meta and, once activated, TikTok. These platforms may process certain data to provide their advertising, measurement, attribution and security services, and for other purposes determined in accordance with their own policies and the terms applicable to their business tools.

6) International transfers

Some providers may access or host data outside the EEA (e.g. the USA, United Kingdom or Canada). In such cases, we require appropriate safeguards (Articles 44–49 GDPR), which may include Standard Contractual Clauses (SCCs), adequacy decisions (e.g. the EU–US Data Privacy Framework for certified organisations) or equivalent instruments (the IDTA in the UK), together with supplementary technical and organisational measures. We will keep our category-based inventory of subprocessors up to date.

7) Retention periods

We apply the principles of data minimisation and storage limitation:

  • Customers/orders: for the duration of the contractual relationship and, afterwards, for 6 years (commercial documentation) and 4 years (tax).
  • Support/enquiries: up to 3 years, depending on their nature.
  • Marketing: until consent is withdrawn or after 3 years of inactivity.
  • Loyalty/referrals: for the duration of the programme and subsequent statutory periods.
  • Cookies/identifiers: according to the durations declared in the CMP.
  • Reviews/surveys: for as long as they remain useful; possible anonymisation after a reasonable period.

We will retain blocked data for the applicable limitation periods in order to address any potential liabilities.

8) Rights of data subjects

Rights (EU/EEA and UK): access, rectification, erasure, objection, restriction of processing, portability and withdrawal of consent at any time.
How to exercise them:

  1. Send an email to tienda[garroba]armonyarns.com, use the form at www.garmonyarns.com/en/pages/contact-us or send a letter to the postal address provided.
  2. We may request verification (confirmation by email/telephone and/or associated details such as your order number).
  3. Authorised representative: in accordance with applicable law, you may appoint a representative to submit requests on your behalf. Before processing the request, we may ask for proof of authorisation and, where appropriate, direct verification of your identity.
  4. Response period: 1 month (extendable by a further 2 months in complex cases, provided that we inform you).
  5. If you are dissatisfied, you may lodge a complaint with the AEPD (www.aepd.es) or another competent authority in your country.

No discrimination for exercising your rights: we will not engage in practices resulting in unfavourable treatment because you have exercised these rights.

Marketing opt-outs: available in every email/SMS or by requesting this through the channels listed above. In one-to-one WhatsApp Business conversations, you may ask us at any time not to send you marketing communications.

9) Children’s data

The Services are not intended for children. We do not knowingly collect children’s data as defined by applicable law. If you are a parent or guardian and believe that a child has provided us with personal data, please contact us so that we can delete it. As of this date, we have no actual knowledge of selling or sharing, within the meaning given to those terms by applicable legislation, the personal data of children under the age of 16.

10) Third-party websites and links

The Services may contain links to third-party websites/platforms. We do not control their security or privacy practices; we recommend reviewing their policies before using them. Content you post in public areas, including on social media, may be visible to third parties without restriction.

11) Security

Although we apply appropriate measures, no security measure is impenetrable. Please avoid sending us sensitive information through unsecured channels. We retain data for as long as necessary to maintain your account, provide services, comply with legal obligations, resolve disputes and enforce our terms, in accordance with the periods set out in this Policy.

We apply technical and organisational measures appropriate to the level of risk, including:

  • Encryption in transit (TLS) and secure configuration of cloud platforms.
  • Access controls using MFA or single-use links; the principle of least privilege and segregation of duties.
  • Backup management provided by cloud services; reasonable periodic testing.
  • Internal policies on confidentiality and basic staff training.
  • Incident logging and management; deletion/anonymisation procedures.
  • Periodic assessment of effectiveness and review of subprocessors.

Personal data breaches: we will notify the AEPD and, where applicable, the affected individuals within a maximum of 72 hours of becoming aware of the breach, in accordance with Articles 33 and 34 GDPR.

12) Cookies, SDKs and Consent Mode v2

We use cookies and similar technologies for technical, preference, analytics and advertising purposes. We manage consent through Consentmo GDPR (CMP), which allows you to accept/reject cookies by category, withdraw consent and view/update your preferences.

  • Prior blocking: enabled for advertising/tracking tags until you make your choice.
  • Consent Mode v2: implemented to transmit aggregated signals/consent status to Google where applicable.
  • Cookie table and durations: available in the CMP and the Cookie Policy (providers, purposes, lifespan and type).
  • Advertising, measurement and remarketing: where you accept the relevant category in the CMP, we may use Google and Meta advertising technologies to measure results, attribute conversions, create audiences and display personalised or remarketing advertisements. In Meta’s case, the integration may use Meta Pixel and the Meta Conversions API, which enables certain events and data to be transmitted from Shopify to Meta through server-to-server communications as well. TikTok Ads may be incorporated in the future and will likewise be subject to the applicable consent settings.
  • Meta Pixel and Meta Conversions API: where you have provided the required consent, we may share information with Meta about your interaction with our shop, such as page and product views, searches, products added to or removed from your basket, commencement of the checkout process, payment-related information and purchases. To improve measurement, attribution and user matching, certain identifiers and personal data may also be transmitted, such as your name, email address, telephone number, address or location and other technical identifiers, depending on the data available and the integration settings. Some of this information may be transmitted from the browser using Meta Pixel and some through the Conversions API from Shopify’s systems. Meta may use this data in accordance with its terms and policies applicable to its business technologies.

13) Marketing and operational communications

  • Email (Shopify Email): marketing messages are sent only with consent (double opt-in).
  • SMS (Shopify): campaigns and alerts are sent with consent.
  • WhatsApp Business: one-to-one customer service; broadcast lists are used only with specific consent.
  • Abandoned baskets and operational reminders: based on your interaction and in accordance with your CMP preferences where advertising identifiers are involved.

You may withdraw your consent at any time and will continue to receive communications that are strictly necessary for the performance of the contract (order confirmations, dispatch notifications, etc.).

14) Relationship with Shopify (platform and features)

Our shop is hosted on Shopify, which collects and processes personal information to provide and improve its platform services (hosting, checkout, supported payments, security, aggregated analytics, personalisation/advertising features where you consent). For certain platform-wide uses (e.g. protecting, developing and improving its ecosystem; advanced features that combine signals from multiple shops), Shopify acts as the data controller. In these circumstances, Shopify determines the purposes and means of processing and handles rights relating to those uses.
For further information and to exercise your rights with Shopify, please consult its Consumer Privacy Policy and privacy portal: https://privacy.shopify.com/en.

Data flows and transfers: Shopify and its subprocessors may operate from countries outside the EEA/UK. We require safeguards (e.g. Standard Contractual Clauses, adequacy frameworks such as the EU–US DPF for certified organisations, or equivalent instruments), together with supplementary technical and organisational measures.

Marketing and measurement integrations: we use third-party marketing and measurement integrations, including Google and Meta. In Meta’s case, Shopify’s official Facebook & Instagram integration may use Meta Pixel, the Conversions API and other compatible advertising technologies to transmit browsing and conversion events and, where applicable, certain personal data intended to improve user matching, measurement, attribution and advertising. These technologies will be used in accordance with the applicable consent settings. TikTok may be incorporated in the future.

Enhanced Services (Shopify Network Intelligence): Shopify may combine signals from your activity in our shop with signals from other merchants within the Shopify ecosystem and from Shopify itself to provide Enhanced Services (e.g. security/fraud prevention and platform improvements). In the EEA/United Kingdom/Switzerland, any advertising or personalisation based on this combination of signals will only be activated where you provide your consent through the CMP; you may withdraw it at any time through the CMP and/or Shopify’s privacy portal ( https://privacy.shopify.com/en).”

15) Advertising and measurement with Meta

We use Shopify’s Facebook & Instagram integration to synchronise our product catalogue with Meta technologies and, where you have provided the required consent, to measure activity associated with our advertising campaigns, perform conversion attribution, create audiences and display personalised or remarketing advertisements on Facebook, Instagram and other Meta services.

For these purposes, we may use Meta Pixel, the Meta Conversions API and other compatible advertising technologies integrated through Shopify. These tools may record events such as page and product views, searches, products added to or removed from the basket, commencement of the checkout process, payment-related information and purchases.

Depending on the event and the data available, the processing may include online and technical identifiers, browser and device information, IP address, cookie identifiers, URLs visited, products viewed, product identifiers, basket contents, transaction value and currency, and data relating to orders and conversions. To improve matching between activity in our shop and users of Meta technologies, certain available personal data may also be transmitted, such as your name, email address, telephone number, address or location information. Where applicable, this data may be subject to technical safeguards, such as hashing, before it is transmitted.

Information may be transmitted from your browser through Meta Pixel and/or from Shopify’s systems through the Conversions API, which enables certain events and data to be communicated between servers. The use of server-to-server transmission does not change the applicable legal basis or remove the relevant consent controls.

The legal basis for using these technologies for personalised advertising, remarketing and advertising measurement is your consent, where required. You may accept, reject or withdraw your consent at any time through our privacy or cookie preferences panel. Withdrawing your consent does not affect the lawfulness of processing carried out before its withdrawal.

Meta may use the information received in accordance with the terms applicable to its business tools and its own privacy policies. Processing may involve international data transfers, which will be carried out using the mechanisms and safeguards recognised by applicable law.

The synchronisation of Garmon Yarns’ product catalogue with Facebook and Instagram does not, in itself, mean that we share the personal data of all our customers with Meta. The processing of personal data for measurement, matching, attribution, audience creation or advertising will depend on the features used and the applicable privacy and consent settings.

16) Loyalty and referral programme

Joining the “Club Garmon” loyalty programme, managed through Zing Loyalty (Shopify App), is voluntary and governed by the Programme Terms.

Purposes: managing your participation (joining/leaving), accumulating and redeeming points (“strands”), calculating and assigning VIP tiers and rewards, applying incentives/bonuses (e.g. welcome rewards and birthday rewards where you provide your date of birth), managing referrals, preventing fraud/abuse (e.g. suspicious redemptions or repeated returns) and providing programme support.

Data processed: identification and contact details; Shopify customer ID; programme ID, points balance, history of points earned/redeemed and expiry dates; tier and progress; vouchers or discounts generated and their status; programme events (date/time, channel, shop/checkout); minimum data required for referrals (codes/links and aggregated metrics); and, optionally, your date of birth and any preferences you choose to provide. We do not publish rankings or amounts spent.

Legal basis: (i) performance of a contract (Article 6(1)(b) GDPR) to operate the programme in accordance with its terms; (ii) legitimate interests (Article 6(1)(f)) for security/fraud prevention, quality and internal non-advertising metrics; (iii) consent (Article 6(1)(a)) for marketing communications concerning the programme and for optional attributes (e.g. date of birth) or advertising pixels/cookies, which are only activated where you accept them through the CMP.

Automation and profiling: the calculation of points, assignment of tiers and determination of reward eligibility are carried out automatically, without producing legal or similarly significant effects (Article 22 GDPR). You may object to profiling for marketing purposes and request a human review of incidents (e.g. the refusal of a redemption).

Fraud prevention and reversals: we may temporarily withhold points or reverse points earned/redemptions where there are returns/cancellations or reasonable indications of abuse (e.g. the creation of multiple accounts). We will document the incident and you will be entitled to submit any representations you consider appropriate.

Recipients/processors: Zing Loyalty acts as a data processor; it may integrate with Shopify (checkout/discounts) and, where applicable, with our email/SMS provider for programme communications. We will not disclose your data to third parties for their own purposes.

International transfers: Zing Loyalty and/or its subprocessors may operate outside the EEA/UK. We require safeguards (e.g. SCCs and the EU–US DPF where applicable) and appropriate technical/organisational measures.

Retention: for as long as you remain a member of the programme; after you leave, we will retain operational history and evidence of redemptions affecting accounting/taxation for the applicable statutory periods (6/4 years in Spain). Other programme data will be deleted or anonymised within a maximum of 3 years after you leave, unless there are open incidents.

Leaving the programme and its effects: you may leave at any time. Leaving the programme results in the loss of unredeemed points and benefits associated with your tier. You may continue shopping as normal without the programme. You may choose not to receive marketing while remaining in the programme (operational communications only).

Cookies/tracking: any tags or cookies used for programme personalisation or measurement are governed by your choices in the CMP and are blocked in advance until you provide your consent.

17) Reviews and UGC

We process verified reviews to confirm purchases, improve service quality and guide other customers.

Data processed: name or alias, email address (not visible), order number or reference for verification, review content and rating, date and minimum technical metadata; optionally, any images and/or videos you choose to provide.

Publication and visibility: the review, and your name/alias where applicable, may be displayed on the product page and indexed by search engines. We do not publish amounts or customers’ financial rankings.

Legal basis: (i) legitimate interests (Article 6(1)(f) GDPR) in requesting post-purchase reviews, verifying their authenticity, moderating unlawful or offensive content and detecting fraud; (ii) consent (Article 6(1)(a)) where the review includes an image, voice or other identifiers that could make you recognisable, or for any promotional reuse other than publication on the relevant product page.

Moderation and restrictions: we may decline to publish, edit (to remove third-party personal data) or remove reviews containing offensive language, third-party advertising, misleading information, third-party personal data or content that infringes rights (e.g. intellectual property or image rights). We may ask you for proof of your purchasing experience in order to retain the “verified” status of the review.

Provider and transfers: we use Judge.me as a data processor to manage and verify reviews. This provider may carry out international transfers; we require appropriate safeguards (e.g. SCCs/adequacy frameworks) and supplementary technical/organisational measures.

Retention and specific rights: we will retain the review for as long as it remains relevant (normally while the product is available in the shop), after which we may anonymise or pseudonymise it. You may edit, withdraw or request the anonymisation of your review through the contact channels specified in this Policy. Withdrawing a review does not affect the lawfulness of previous processing.

18) Customer service and forms

We process the data you provide through our contact/support forms, as well as by email, telephone, WhatsApp Business (one-to-one) and online chat, for the following purposes: (i) responding to enquiries and managing incidents, returns or guarantees; (ii) identifying the order or product referred to; (iii) following up on the conversation and improving service quality; and (iv) preventing abuse/spam and maintaining channel security.

Data processed: identification and contact details; message content; order/product references; minimum technical metadata (date/time, session identifier and truncated IP address); and, where applicable, any attachments you send (please avoid including special categories of personal data).

Legal basis: pre-contractual measures (product/joining enquiries), performance of a contract (support relating to orders, guarantees and returns), legal obligations (consumer law/guarantees) and legitimate interests (quality, traceability, security and spam prevention).

Mandatory/optional nature: fields marked as mandatory are essential in order to process your request; optional fields help us prioritise and resolve it more quickly. If you do not provide the mandatory information, we will be unable to process your request.

Retention: up to 3 years from the last interaction. Where the matter is linked to a sale, the commercial/tax periods specified in this Policy may also apply. Security/spam-prevention evidence may be retained for the period strictly necessary to investigate incidents.

Recipients/processors: our email systems (dondominio.com), the Shopify platform where the form is integrated and our internal customer service tools; we do not disclose your data to third parties for their own purposes.

Channel security: encryption in transit (TLS), access controls, honeypot/CAPTCHA and anti-spam filters. If you contact us through social media, the processing is also governed by the privacy policy of the relevant platform.

19) Payments and financing

We process payments through Shopify Payments and the compatible methods displayed at checkout, such as cards and digital wallets. In relation to authorisation, settlement and risk controls, Shopify Payments acts as an independent data controller. Garmon Yarns does not store full card details; we receive only transaction identifiers, status (authorised/declined, refunded/charged back), the method used and, where applicable, masked details (e.g. the final 4 digits and card brand).

Purposes and legal bases

  • Collecting payment for orders, issuing refunds and managing cancellations → Performance of a contract (Article 6(1)(b) GDPR).
  • Compliance with accounting and tax obligations → Legal obligation (Article 6(1)(c)).
  • Fraud prevention, chargeback management and payment security → Legitimate interests (Article 6(1)(f)), with proportionate safeguards.

Processing carried out by the payment provider

  • Automated risk assessment and fraud-prevention checks.
  • Strong customer authentication (SCA/PSD2), e.g. 3-D Secure 2 where applicable.
  • Automated decisions to authorise or decline transactions, which may produce financial effects (e.g. a payment being declined). Rights relating to this processing must be exercised directly with Shopify Payments in accordance with its privacy notice.

Chargebacks and disputes
In the event of a chargeback, we may share with the acquiring institution/payment provider the information strictly necessary to defend the transaction (e.g. proof of delivery, communications with the customer and order details).

International transfers and retention
The provider may process data outside the EEA/UK under recognised safeguards (e.g. SCCs and the EU–US DPF where applicable). We retain evidence of payment linked to the order in accordance with the commercial and tax periods specified in this Policy; the provider retains its data in accordance with its own policy.

Exercising your rights
For processing in respect of which Shopify Payments acts as the controller, you may obtain information and exercise your rights through its privacy portal. For the processing carried out by us (e.g. accounting reconciliation and refunds), you may contact us at tienda[garroba]armonyarns.com.

20) Logistics and after-sales service

To manage deliveries, returns, exchanges and after-sales services, we provide Packlink Pro (intermediary platform) and the selected carriers (e.g. Correos, Correos Express, SEUR, InPost/Mondial Relay) with the data strictly necessary: first name and surname, full address and/or collection point, email address and/or telephone number for tracking notifications, order number/ID, shipment details (number of parcels and approximate weight/volume), tracking number, delivery instructions and, for international shipments, essential customs information.

Packlink Pro acts as a data processor (generating labels and documents, routing and tracking); carriers generally act as independent controllers when providing transport services and complying with their own obligations (tracking, proof of delivery, incidents, complaints and sector-specific regulations). These providers will use your contact details exclusively for logistics purposes (e.g. delivery/collection notifications) and not for promotional purposes.

Legal basis: performance of a contract (delivery of the order/management of returns), legal obligations (consumer law, product safety, tax/customs requirements where applicable) and legitimate interests (shipment security and traceability, fraud prevention).

Retention and transfers: we retain shipping documentation and proof of delivery for the applicable statutory periods. For shipments outside the EEA/UK, communicating data to postal operators/customs authorities in the destination country may involve international transfers; in such cases, we require appropriate safeguards (e.g. SCCs or adequacy decisions) and supplementary technical/organisational measures.

21) Accountancy services and tax obligations

We disclose data to Domo Gestión (accountancy firm) for accounting purposes and compliance with tax and commercial obligations.

Role: Domo Gestión acts as a data processor (Article 28 GDPR) and processes information only in accordance with our instructions; it may act as an independent controller in relation to its own professional and record-keeping obligations.

Data disclosed (minimum necessary): identification and contact details (ours and, where applicable, those of the customer named on the sales document), order and invoice number, dates, line items and amounts, tax/VAT number, addresses, payment method (token/status; never full card details), discounts/taxes applied and supporting documentation for returns/guarantees.

Channels and security: data is exchanged through encrypted channels and controlled repositories (e.g. files in a secure portal or SFTP, restricted access and access logs); we avoid sending sensitive files through unsecured email.

Legal basis: legal obligation (tax/accounting and commercial legislation) and legitimate interests (internal control and auditing). Retention: we retain documentation for 6 years (commercial) and 4 years (tax); Domo Gestión will retain the information for the period necessary to provide the service and comply with its professional obligations.

Exercising your rights: GDPR requests relating to this processing must be addressed to Garmon Yarns; we will forward to the accountancy firm any requests relevant to its role as a processor.

22) Exercising your rights — operational details

  1. Request channels: send us an email at tienda[arroba]garmonyarns.com, use the form at https://www.garmonyarns.com/pages/contacto or send a letter to Paseo de la Alameda 21 (Garmon Yarns premises), 28804, Alcalá de Henares (Madrid), Spain.
  2. Minimum content of the request: state the right you wish to exercise (access, rectification, erasure, objection, restriction, portability or withdrawal of consent), the relevant scope/period and, where applicable, information that will help us locate the data (e.g. the email address used for your purchases, order number or subscription channel). If you are acting on behalf of another person, proceed to point 4.
  3. Identity verification: we will prioritise requests received from the email address associated with your account/orders. Where this is not possible or where reasonable doubts exist, we may request additional evidence (e.g. telephone confirmation or an official identity document). If you send a document, obscure any unnecessary information (recommended: conceal your photograph, MRZ and support number; leave your name, document type and expiry date visible).
  4. Authorised representative: we accept requests from representatives where they provide valid evidence (a power of attorney/signed authorisation) and identification of the data subject. We may verify the request directly with the data subject before taking action.
  5. Time limits and response format: we will respond within 1 month of receipt; this may be extended by up to 2 further months where the request is complex or multiple (we will inform you within the first month). The response will be free of charge and provided electronically unless you request another format or this is not possible.
  6. Restrictions and refusals: we may restrict/refuse a request where it is manifestly unfounded or excessive, where we cannot identify the applicant with reasonable diligence, or where compliance would infringe third-party rights or legal obligations (e.g. commercial/tax retention, security or fraud prevention). In such cases, we will explain the reason and your available remedies.
  7. Cost: exercising your rights is free of charge; for unfounded or excessive requests, we may charge a reasonable fee based on administrative costs or refuse to act (Article 12(5) GDPR).
  8. Complaints and non-discrimination: if you are dissatisfied, you may lodge a complaint with the AEPD (https://www.aepd.es) or another competent authority. We will not discriminate against you for exercising your rights.

23) Changes to the Policy

We will publish updates on this page, indicating their effective date, and will retain a version history available upon request. Where changes are material (e.g. new purposes, new legal bases or new recipients), we will notify you with reasonable notice by email or through a prominent notice on the website and, where legally required, obtain your consent again.

24) Contact

  • Email: tienda[garroba]garmonyarns.com
  • Contact form: www.garmonyarns.com/en/pages/contact-us
  • Postal address: Paseo de la Alameda 21 (Garmon Yarns premises), 28804, Alcalá de Henares (Madrid), Spain

Annex A — Legitimate interests assessment (summary)

Processing activities: pre-sales/after-sales customer service; satisfaction surveys and verified reviews; minimum necessary security/fraud prevention; minimally intrusive basic personalisation initiated by the user.
Necessity: operations essential to service quality and security.
Balancing test: low/medium impact mitigated by rights to object, opt-out options and preference controls in the CMP.
Conclusion: legitimate interests prevail, subject to continued safeguards and transparency.

Annex B — Retention table

Area

Period

Customers/orders

Duration of the relationship + 6 years (commercial) / 4 years (tax)

Support/enquiries

Up to 3 years

Marketing

Until consent is withdrawn or after 3 years of inactivity

Loyalty programme

Duration of membership + statutory periods

Reviews

For as long as they remain relevant; possible anonymisation

Cookies/IDs

According to the CMP and Cookie Policy

Annex C — Categories of providers (processors)

  • eCommerce platform: Shopify.
  • Consent/cookies: Consentmo GDPR.
  • Email marketing: Shopify Email.
  • Reviews: Judge.me.
  • Logistics/shipping: Packlink Pro + carriers (Correos, Correos Express, SEUR, InPost/Mondial Relay; the list may vary).
  • Upselling/cross-selling/back-in-stock alerts: Essentials Upsell; Doran Back In Stock.
  • Business email/DNS: dondominio.com.
  • Accountancy/advisory services: Domo Gestión.
  • Management/VeriFactu: Holded.

Annex D — Cookies/SDKs (category overview)

  • Essential: required for browsing, security and the basket.
  • Preferences: language, region, UI.
  • Analytics/measurement: GA4/Consent Mode v2 (aggregation/signals).
  • Advertising, measurement and remarketing: Google Ads and Meta Ads, including Meta Pixel and the Meta Conversions API where applicable; future TikTok technologies subject to consent and activation.

For details of each cookie/SDK (name, provider, purpose and expiry), please consult the CMP panel and the Cookie Policy.