Privacy Policy
The present Privacy Policy describes how we process the personal data collected through this corporate website, as well as the rights of users and how to exercise them. We recommend reading it carefully before providing any personal data.
1. Data Controller
Company name: INWINES ARTISAN COLLECTION S.L.
Tax ID (CIF): B27840982
Registered office: C/ Santiago de Compostela, nº8 36300 Baiona-Pontevedra
Contact email: privacidad@inwines.com
Contact phone: [CONTACT PHONE NUMBER]
The Data Controller guarantees compliance with current regulations on personal data protection, in particular, Regulation (EU) 2016/679 (GDPR) and applicable national legislation.
2. Personal Data We Collect
Depending on the services you use, we may process the following categories of data:
- Contact Forms: name, surname, email address, telephone number, company, subject, and message, as well as any other information you voluntarily include.
- Newsletter Subscription: name, surname, and email address.
- Online Purchases or Service Contracting: identification data (name, surname, optional DNI/NIF), contact details (email address, telephone number, billing and, where applicable, shipping address), transaction data (purchased products or services, amount, payment method). Card details are managed directly by the secure payment gateway and are not accessible to the Data Controller.
- Technical and Personalization Cookies: browsing data necessary for the proper functioning of the site (language, preferences, user session, etc.).
- Web Analytics Cookies: anonymized or pseudonymized IP address, device or browser identifiers, pages visited, time spent, clicks, and navigation paths.
- Communications with the Data Controller: any data you provide in emails, telephone calls, or other contact channels.
3. Purposes of Processing
We process your personal data for the following purposes:
- To address queries and requests: to manage and respond to queries, requests for information, or quotes that you send us through forms or contact channels.
- Management of the contractual relationship: to process orders, provide the contracted services, manage payments, billing, collections, and after-sales service.
- Sending commercial communications: to send you, by electronic or equivalent means, information about products, services, news, events, or content related to the activity of the Data Controller, provided there is a legal basis to do so.
- Management of newsletter subscription: to administer your registration, periodic sending of newsletters, and management of unsubscribes or data modifications.
- Website improvement and analytics: to analyze website use, measure the performance of content and campaigns, detect errors, and improve user experience through cookies and similar technologies.
- Compliance with legal obligations: to meet requirements from authorities, fiscal, accounting, and fraud prevention obligations.
- Website security: to prevent fraudulent activities, unauthorized access, and to ensure the integrity and availability of the systems.
4. Legal Basis for Processing
The legal grounds that legitimize the processing of your personal data are:
- Consent: for sending commercial communications by electronic means, subscribing to the newsletter, installing non-technical or non-necessary cookies, and addressing certain requests you make voluntarily. You may withdraw your consent at any time.
- Performance of a contract or application of pre-contractual measures: to manage the purchase of products or contracting of services, as well as the procedures prior to the formalization of the contractual relationship.
- Legitimate interest: to perform basic analysis of website use (with pseudonymized or aggregated data), improve service quality, address general queries, and guarantee website security, always balancing your rights and freedoms.
- Compliance with legal obligations: for necessary processing derived from tax, accounting, consumer, data protection obligations, or any other applicable regulations.
5. Data Retention Periods
We will retain your personal data for the time strictly necessary to fulfill the indicated purposes and, in any case, during the following periods:
- Contact and inquiry data: for the time necessary to address your request and, at most, 1 year from the last relevant communication, unless a contractual relationship is generated.
- Customer and transaction data: for the duration of the contractual relationship and, subsequently, for the periods required by tax, accounting, and consumer legislation (generally up to 6 years).
- Data for commercial communications and newsletter: until you request to unsubscribe, withdraw your consent, or it is verified that they are no longer necessary (for example, due to prolonged inactivity).
- Browsing and analytics data: according to the periods indicated in the cookies policy, which can range between the session and a maximum of 24 months, depending on the type of cookie.
Once the indicated periods have elapsed, the data will be kept duly blocked during the limitation periods of potential legal responsibilities and, subsequently, will be securely deleted.
6. Transfers to Third Parties and Providers
Personal data will not be transferred to third parties, except under legal obligation or when necessary for the provision of services. In particular, the following types of providers may have access to your data, acting as data processors:
- Web hosting and IT maintenance services: for hosting the website, databases, and backup copies.
- Email marketing and newsletter delivery platforms: for managing subscription lists and sending communications.
- Payment gateways and financial institutions: for the management of secure collections and payments.
- Web analytics services: for analyzing site use and compiling aggregated statistics.
- Legal, tax, or accounting advice: when necessary for the fulfillment of legal obligations.
In all cases, the Data Controller will sign the corresponding data processing agreements with said providers, requiring them to apply appropriate security measures and to process data solely in accordance with its instructions.
7. International data transfers
Generally speaking, data is processed within the European Economic Area (EEA). However, where we use service providers located outside the EEA, appropriate safeguards will be put in place to protect your data, such as:
- The existence of an adequacy decision by the European Commission regarding the country of destination.
- The signing of Standard Contractual Clauses approved by the European Commission with the relevant supplier.
- The application of binding corporate rules or other mechanisms recognised by data protection legislation.
You may request further information regarding international data transfers and the safeguards applied via the contact details provided in this Policy.
8. Users' rights
You have the right to:
- Access: to obtain confirmation as to whether or not we are processing your personal data and, if so, to access it.
- Rectification: to request the correction of inaccurate or incomplete data.
- Erasure: to request the deletion of your data when, amongst other reasons, it is no longer necessary for the purposes for which it was collected.
- Objection: to object to the processing of your data based on legitimate interests, including profiling, as well as to the receipt of marketing communications.
- Restriction of processing: to request the restriction of the processing of your data in certain circumstances (for example, whilst the accuracy of the data or the legal basis for the processing is being verified).
- Portability: to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit it to another controller where the processing is based on consent or a contract and is carried out by automated means.
- Withdrawal of consent: to withdraw your consent at any time, without this affecting the lawfulness of the processing carried out prior to its withdrawal.
You also have the right to lodge a complaint with the competent data protection supervisory authority if you consider that the processing of your data infringes applicable regulations.
9. How to exercise your rights
You may exercise your rights at any time and free of charge by submitting a request to the Data Controller, clearly stating the right you wish to exercise and attaching a copy of your identity document or equivalent proof of identity.
You may use the following channels:
- Email: by sending a message to [email@empresa.com] with the subject line "Data protection".
- Contact form: via the form available on this website, stating in the message that it is a request relating to data protection.
- Post: by sending a letter to [Company name], [Full postal address], marked "For the attention of: Data Protection".
The Data Controller will respond to your request within the maximum timeframe established by the regulations, normally within one month, which may be extended in complex cases.
Should your request not be addressed, you will be informed of the reasons and of the possibility of lodging a complaint with the supervisory authority.
10. Data security
The Data Controller will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, but not limited to, access controls, encryption where appropriate, backups and incident response procedures. However, no security measure on the internet is completely foolproof, and it is therefore not possible to guarantee that the systems are completely invulnerable.
11. Changes to the Privacy Policy
The Data Controller reserves the right to amend this Privacy Policy to bring it into line with new legislation, case law or changes to the provision of services. Any amendments will be published on this website and, where significant, you may be notified via the available contact channels. We recommend that you review this Policy periodically to stay informed about how we protect your personal data.
Privacy Policy: Data Security and Changes
We protect personal data using technical and organisational measures designed to minimise the risks of unauthorised access, loss, alteration or disclosure. Among other measures, we use encryption of data in transit and, where appropriate, at rest; profile-based access control systems and strong passwords; as well as activity logs to detect misuse. In addition, we implement regular backups and internal incident management protocols, staff training and regular security reviews.
Despite our reasonable efforts and the use of state-of-the-art security measures, no system is completely invulnerable. Therefore, we cannot guarantee absolute security against attacks or breaches arising from circumstances that are unavoidable, unforeseeable or beyond our reasonable control. In such cases, we will act with the utmost diligence to mitigate the effects, inform the relevant authorities where required and, where appropriate, notify those affected in accordance with applicable regulations.
We are committed to keeping this privacy policy up to date. Any substantial changes will be communicated via a prominent notice on our website and, where appropriate, by email to registered users. In any case, the current version will always be the one published on the website, indicating the date of the last update so that it can be easily consulted.
We act in accordance with applicable data protection regulations, including, where applicable, Regulation (EU) 2016/679 (GDPR) and current local data protection legislation. We review and adapt our internal processes to ensure an adequate level of compliance and the lawful, fair and transparent processing of personal data.
