GDPR Compliance
Last Updated: February 2, 2026
1. Our Commitment to Data Protection
SvartxLab is committed to protecting personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This document outlines our data protection practices, your rights as a data subject, and how we ensure compliance.
As a B2B platform, we process data primarily in the context of business relationships. However, we recognize that business contacts are individuals with data protection rights.
2. Data Controller Information
For all data protection inquiries, please contact our data protection team at the email address above.
3. Data Processing Activities
We process personal data for the following purposes:
3.1 Customer Account Management
Data processed: Business contact name, email, phone number, job title
Legal basis: Contractual necessity (Art. 6(1)(b) GDPR)
Retention: Duration of business relationship + 7 years
3.2 Order Processing and Fulfillment
Data processed: Delivery addresses, payment information, order history
Legal basis: Contractual necessity (Art. 6(1)(b) GDPR)
Retention: 10 years (legal/accounting requirements)
3.3 Marketing Communications
Data processed: Email address, communication preferences
Legal basis: Consent (Art. 6(1)(a) GDPR)
Retention: Until consent withdrawal or 2 years of inactivity
3.4 Website Analytics
Data processed: IP address (anonymized), browser data, usage patterns
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Retention: 26 months (Google Analytics default)
4. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR:
Right of Access (Art. 15)
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data.
Right to Rectification (Art. 16)
You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay.
Right to Erasure (Art. 17)
You have the right to obtain the erasure of personal data concerning you without undue delay where specific grounds apply.
Right to Restriction (Art. 18)
You have the right to obtain restriction of processing where certain conditions are met.
Right to Data Portability (Art. 20)
You have the right to receive personal data concerning you in a structured, commonly used and machine-readable format.
Right to Object (Art. 21)
You have the right to object, on grounds relating to your particular situation, to processing of personal data based on legitimate interests.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please contact us at: info@svartxlab.com
We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days, with prior notification.
5. Data Protection Measures
We implement the following technical and organizational measures to protect personal data:
5.1 Technical Measures
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Regular security patching and vulnerability scanning
- Multi-factor authentication for administrative access
- Automated backup systems with encrypted storage
- Intrusion detection and prevention systems
5.2 Organizational Measures
- Staff data protection training program
- Access control policies based on the principle of least privilege
- Data protection impact assessments for new processing activities
- Vendor due diligence and data processing agreements
- Incident response procedures and breach notification protocols
6. Data Processors and Sub-processors
We use the following third-party processors:
Stripe (Payment Processing)
PCI-DSS Level 1 certified. EU data processed within the EEA.
Supabase (Database & Authentication)
SOC 2 Type II compliant. Data hosted in EU regions.
Vercel (Hosting)
SOC 2 Type II compliant. Edge network with EU presence.
Google Analytics (Analytics)
IP anonymization enabled. Data processed under Standard Contractual Clauses.
All processors are contractually bound to process data in compliance with GDPR and our instructions.
7. International Data Transfers
When personal data is transferred outside the EEA, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for specific countries
- Supplementary measures where required by the Schrems II decision
- Transfer impact assessments for each data transfer
8. Data Breach Notification
In the event of a personal data breach:
- We will notify the relevant supervisory authority (AEPD in Spain) within 72 hours of becoming aware of the breach
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay
- We maintain a breach register documenting all incidents, their effects, and remedial actions taken
9. Data Protection Impact Assessments
We conduct DPIAs for processing activities that are likely to result in high risk, including:
- Large-scale processing of business contact data
- Implementation of new technologies or processing methods
- Systematic monitoring of publicly accessible areas (if applicable)
- Processing of data relating to vulnerable individuals
10. Children's Data
Our platform is designed exclusively for business use. We do not knowingly collect or process personal data from individuals under 16 years of age. If we become aware that we have inadvertently collected such data, we will delete it promptly.
11. Supervisory Authority
Our lead supervisory authority is:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
Website: www.aepd.es
You have the right to lodge a complaint with the AEPD or any other EU supervisory authority.
12. Updates to This Document
This GDPR compliance document is reviewed and updated annually, or whenever significant changes occur in our data processing activities. The "Last Updated" date at the top of this page indicates the most recent revision.