GDPR Compliance
Last Updated: February 2, 2026
1. Our Commitment to GDPR
SvartxLab is committed to full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page outlines how we protect your data rights and maintain the highest standards of data protection.
As a B2B platform operating in the European Union, we recognize that business contact information qualifies as personal data and treat it with the same level of protection as consumer data.
2. Data Controller Information
Data Controller: SvartxLab
Location: Madrid, Spain
Contact Email: info@svartxlab.com
Phone: +34 694 241 833
Data Protection Officer: Available upon request
3. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR. We are committed to facilitating the exercise of these rights:
3.1 Right to Be Informed
You have the right to clear, transparent information about how we collect and use your personal data. This information is provided in our Privacy Policy and this GDPR Compliance page.
3.2 Right of Access
You have the right to request a copy of the personal data we hold about you. We will provide this information within one month of receiving your request, free of charge.
How to request: Email info@svartxlab.com with "Data Access Request" in the subject line
Information provided:
- A copy of the personal data we hold about you
- Categories of data processed
- Purposes of processing
- Recipients of data
- Retention periods
- The source of the data, where we did not collect it from you
- Your rights and how to exercise them
3.3 Right to Rectification
You have the right to have inaccurate or incomplete personal data corrected. You can update most information directly through your account settings or by contacting us.
3.4 Right to Erasure ("Right to Be Forgotten")
You have the right to request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent (where processing is based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required for compliance with a legal obligation
Note: We may retain certain data where we have a legal obligation to do so (e.g., tax records for 7-10 years).
3.5 Right to Restriction of Processing
You have the right to request that we restrict processing of your personal data in certain situations:
- You contest the accuracy of the data (restriction during verification)
- Processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing (restriction pending verification)
3.6 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON) and to transmit that data to another controller.
This right applies when processing is based on consent or contract and is carried out by automated means.
3.7 Right to Object
You have the right to object to processing of your personal data where:
- Processing is based on legitimate interests
- Processing is for direct marketing purposes
- Processing is for scientific/historical research or statistical purposes
We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms. Objections to direct marketing are always honoured: once you object, we stop processing your data for that purpose without exception.
3.8 Rights Related to Automated Decision-Making and Profiling
Currently, we do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. If this changes, we will update this policy and obtain your explicit consent where required.
4. Legal Basis for Processing
We process your personal data based on the following legal grounds:
Contract Performance (Art. 6(1)(b) GDPR)
Processing necessary to fulfill our B2B sales contracts:
- Order processing and fulfillment
- Payment processing
- Customer support
- Shipping and delivery
Legal Obligation (Art. 6(1)(c) GDPR)
Processing required by law:
- Tax compliance and accounting
- Anti-money laundering checks
- Consumer protection regulations
- Data breach notifications
Legitimate Interests (Art. 6(1)(f) GDPR)
Processing necessary for our legitimate business interests:
- Fraud prevention and security
- Network and information security
- Business analytics and improvement
- Internal administration
We have conducted legitimate interest assessments (LIAs) to ensure our interests do not override your rights.
Consent (Art. 6(1)(a) GDPR)
Processing based on your explicit consent:
- Marketing communications
- Optional cookies and analytics
- Newsletter subscriptions
You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
5. Data Protection Measures
5.1 Technical Measures
- Encryption: TLS encryption for data in transit, AES-256 encryption for data at rest
- Access Controls: Role-based access control (RBAC) and multi-factor authentication
- Pseudonymization: Where appropriate, data is pseudonymized to reduce risk
- Regular Backups: Encrypted backups with secure storage
- Security Monitoring: 24/7 intrusion detection and prevention systems
5.2 Organizational Measures
- Staff Training: Regular GDPR and data protection training for all employees
- Data Protection Policies: Comprehensive internal policies and procedures
- Vendor Management: Due diligence and data processing agreements with all processors
- Incident Response: Documented breach notification procedures
- Privacy by Design: Data protection integrated into all new systems and processes
5.3 Regular Audits
We conduct regular internal audits and assessments to ensure ongoing compliance with GDPR requirements.
6. International Data Transfers
When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses with all non-EEA processors
- Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
- Additional Safeguards: Supplementary measures where required (e.g., encryption, access controls)
Current third-party services with potential non-EEA transfers:
Stripe (Payment Processing): Uses SCCs and additional safeguards
Cloud Hosting: Data stored in EU data centers with contractual protections
7. Data Breach Procedures
In the event of a personal data breach, we will:
- Within 72 hours of becoming aware of the breach: Notify the relevant supervisory authority (Spanish Data Protection Agency - AEPD), unless the breach is unlikely to result in a risk to individuals' rights and freedoms
- Without undue delay: Notify affected individuals if the breach poses a high risk to their rights and freedoms
- Document: All breaches, including facts, effects, and remedial actions taken
- Investigate: Root cause and implement measures to prevent recurrence
8. Data Protection Impact Assessments (DPIAs)
We conduct DPIAs for processing activities that are likely to result in high risk to individuals' rights and freedoms. This includes:
- Large-scale processing of special categories of data (e.g., health data)
- Systematic monitoring of publicly accessible areas
- Use of new technologies
- Automated decision-making with legal or significant effects
9. Children's Data
Our services are intended for businesses only. We do not knowingly collect data from individuals under 18 years of age. If we become aware of such collection, we will delete the data immediately.
10. How to Exercise Your Rights
To exercise any of your GDPR rights:
Step 1: Submit a Request
Email: info@svartxlab.com
Subject: "[Your Right] Request" (e.g., "Data Access Request")
Include: Your name, company name, and account email
Step 2: Identity Verification
We may request additional information to verify your identity before processing your request.
Step 3: Response
We will respond within one month of receiving your request. Where requests are complex or numerous, this period may be extended by up to two further months; if so, we will inform you of the extension and the reasons for it within the first month.
No fee unless requests are manifestly unfounded or excessive
11. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.
Spanish Data Protection Agency (AEPD)
Website: www.aepd.es
Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
Phone: +34 901 100 099
You may also contact the supervisory authority in your country of residence or place of work.
12. Updates to This Page
We review and update this GDPR Compliance page regularly to reflect changes in our practices or legal requirements. Significant changes will be communicated via email or website notice.
13. Contact Us
For any GDPR-related questions or concerns: