Privacy Policy
01
Data Controller
The entity responsible for processing your personal data collected through www.canhippie.com is:
| Field | Details |
|---|---|
| Controller | Carmen Melissa van der Hooft |
| NIF | X5487120X |
| Address | Camino Diseminados 115, 46838, Benicolet, Valencia, Spain |
| Contact email | [email protected] |
| Supervisory authority | Agencia Española de Protección de Datos (AEPD) — www.aepd.es |
02
What Data We Collect & Why
We only collect personal data that is strictly necessary for the purposes described below. We never collect more data than we need.
2.1 — Purchases & Order Fulfilment
Data collected: name, delivery address, billing address, email, phone number, and payment details (processed securely by our payment provider — we never store card numbers).
Legal basis: Performance of a contract — Article 6.1(b) GDPR.
Retention period: Up to 5 years for invoicing and tax compliance obligations under Spanish law (Ley 58/2003 General Tributaria).
2.2 — Customer Account
Data collected: name, email address, encrypted password, and purchase history.
Legal basis: Performance of a contract — Article 6.1(b) GDPR.
Retention period: While the account remains active, plus 1 year following a deletion request.
2.3 — Contact & Customer Enquiries
Data collected: name, email address, and the content of your message.
Legal basis: Legitimate interest in responding to your enquiry — Article 6.1(f) GDPR.
Retention period: 1 year from the date of last communication.
2.4 — Marketing Communications (future)
We do not currently send marketing emails or newsletters. When we introduce this service, we will request your explicit prior consent before sending any commercial communications. You may withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us directly. We will also consult the Lista Robinson (Spain’s opt-out registry) before initiating any direct marketing activities.
Legal basis (future): Consent — Article 6.1(a) GDPR.
2.5 — Website Analytics (future)
We do not currently use analytics tools. Should we introduce them (e.g. Google Analytics), we will update this policy, and your cookie consent will be required before any analytical cookies are placed on your device.
03
With Whom We Share Your Data
We do not sell, rent, or trade your personal data. We only share data with carefully selected service providers acting as data processors on our behalf, under written data processing agreements as required by Article 28 GDPR:
- Payment processors (e.g. Stripe, PayPal, Redsys) — to handle transactions securely
- Shipping & logistics providers — to fulfil and deliver your orders
- Hosting provider — Kinsta Inc., USA — hosted on Google Cloud Platform (EU Region). Standard Contractual Clauses apply.
- E-commerce platform — WooCommerce (Automattic Inc.), USA. Standard Contractual Clauses apply.
If any service provider is located outside the EU/EEA, appropriate safeguards are in place (Standard Contractual Clauses or an adequacy decision).
04
Your Rights
Under the GDPR and LOPDGDD (Organic Law 3/2018), you have the following rights in relation to your personal data:
- Right of access — obtain confirmation of whether we process your data and receive a copy
- Right to rectification — correct inaccurate or incomplete personal data
- Right to erasure (“right to be forgotten”) — request deletion of your data where permitted
- Right to restriction of processing — limit how we use your data in certain circumstances
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest or for direct marketing
- Right to withdraw consent — at any time, where consent is the legal basis for processing
- Right not to be subject to automated decisions — we do not use automated decision-making or profiling
To exercise any of these rights, please email info@canhippie.com with proof of your identity. We will respond within 30 calendar days. You also have the right to lodge a complaint with the AEPD at www.aepd.es.
05
Security
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, or destruction. Our website uses HTTPS encryption at all times. Payments are processed exclusively through PCI-DSS certified payment gateways — we never store card details on our servers.
06
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes via email (if you have an account) or by a prominent notice on our website. The date shown at the top of this page always reflects the most recent revision.

