Data controller
In accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), the controller of your personal data is:
- Company: Kustiko S.L.
- Tax ID (CIF): B-89384758
- Registered address: Carrer de Frederic Mompou, 5, 08960 Sant Just Desvern, Barcelona, Spain
- Email: [email protected]
- Website: kustiko.com
For any matter related to data protection, please contact us at [email protected].
Data we collect
We only process the data we need to provide our service. Specifically:
- Account data: name, email, and password (hashed). If you sign in with Google, we receive the identifier, email, and name provided by Google.
- Order and shipping data: full name, postal address, phone number, order reference, and purchased items.
- Billing data: billing address and, if purchasing as a business, company name and VAT/tax ID.
- Payment data: payments are processed directly by Stripe; we do not store card details on our servers. We only retain a transaction reference for order management.
- User-uploaded content: designs, images, and text you include in the customizer to be engraved on your product.
- Browsing data: IP address, browser type, visited pages, and timestamps, collected through strictly necessary cookies and — with your consent — analytics cookies.
- Communications: the contents of messages you send us and, if you opt in, your email for the newsletter.
Purposes and legal basis
Each processing activity has a specific purpose and a legal basis under Article 6 GDPR:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Manage your account and enable sign-in | Performance of a contract |
| Process your orders, payments, and shipments | Performance of a contract |
| Issue invoices and meet accounting / tax obligations | Legal obligation |
| Handle enquiries, complaints, and refund requests | Performance of a contract / legitimate interest |
| Send newsletters and marketing communications | Consent (revocable at any time) |
| Analyse site usage to improve our service | Consent (analytics cookies) |
| Prevent fraud and secure the site | Legitimate interest |
We do not make automated decisions with legal effects on you, nor do we profile you based on your personal data.
Retention periods
- User account: while your account remains active. If you delete it, your data is removed except where we must keep it by law.
- Order and billing data: 6 years, in line with Article 30 of the Spanish Commercial Code and tax regulations.
- Custom designs: as long as needed to fulfil your order and until the statutory warranty period expires.
- Newsletter: until you withdraw your consent.
- Browsing data: as set out in the cookies section (typically up to 24 months).
After these periods, your data is blocked and then securely erased.
Recipients and processors
We do not sell or transfer your data to third parties for commercial purposes. To deliver our service we share strictly necessary information with the following processors, with whom we have signed (or committed to) a data processing agreement under Article 28 GDPR:
| Provider | Service | Location |
|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing | Ireland (EU) |
| AWS Ireland Ltd. | Website and database hosting | Ireland (EU) |
| Sendcloud | Order and verification emails | Belgium |
| Google Ireland Ltd. (optional) | Google sign-in and analytics, if enabled via cookies | Ireland (EU) |
We may also disclose data to courts, law-enforcement authorities, and public bodies where legally required.
International transfers
Some of the processors above may handle data outside the European Economic Area (EEA). In such cases we rely on the safeguards foreseen in the GDPR (adequacy decisions of the European Commission or standard contractual clauses).
For further information on the safeguards we apply, write to [email protected].
Your rights
Under Articles 15 to 22 GDPR, you may exercise the following rights at any time:
- Access: know what data of yours we process.
- Rectification: correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”): delete your data where no longer necessary.
- Objection: object to processing based on our legitimate interest.
- Restriction: ask us to pause the use of your data in specific cases.
- Portability: receive your data in a structured format or have it moved to another controller.
- Withdraw consent at any time, without retroactive effect.
To exercise your rights, email [email protected] stating your request clearly and attaching a copy of your ID. We will reply within one month.
Security
We apply appropriate technical and organisational measures to protect your data: TLS encryption in transit, secure password hashing, role-based access control, regular backups, and providers that follow recognised security standards.
No system is fully foolproof; if you notice any security issue with your account, contact us immediately at [email protected].
Minors
Our services are intended for people aged 14 or older, as set out in Article 7 of Spanish Organic Law 3/2018. If you are younger, you need your parents' or legal guardians' consent to register or place an order. If we become aware of data belonging to a minor collected without proper consent, we will delete it.
Changes to this policy
We may update this policy to reflect legal or service changes. The current version will always be published on this page, together with the date of the last update. If changes materially affect how we handle your data, we will notify you by email.
Contact
For any question about this policy or the processing of your personal data, write to us:
Kustiko S.L. [email protected]
General support [email protected]