This privacy policy has been prepared in accordance with the provisions of the European Data Protection Regulation, EU 2016/679 (hereinafter, GDPR) and the Organic Law on Data Protection and Guarantee of Digital Rights (hereinafter, LOPDGDD).

In this privacy policy we explain everything you need to know about the processing of personal data in our company. That is, what personal data we process and store when users browse through our website, purchase any of our products or register for any of our services, what are the reasons why we collect and process such data, whether we share it with third parties, how long we store it and what are your rights and how they can be exercised.

Índice

1. Responsible
2. Data processing on this website
3. Social Networks
4. Transfer of data to third parties and international data transfers
5. Where do we store the data? For how long?
6. ights of data subjects and mechanisms to exercise them
7. User responsibility
8. Under age
9. Security measures
10. Can this Privacy Policy be modified?

1. Responsible

Under the provisions of Article 4.7 of the GDPR, the person responsible for the processing of personal data on this website is Ricard Mollon Rius.

Below are the identification and contact details of the person responsible for the processing of personal data on this website:

Ricard Mollon Rius
Fiscal ID: 46960781W
Address: Rambla d’Ègara 283, 2on 1a, 08224 Terrassa, Barcelona
Telephone: +34 662687831
Email: info@xcagix.com

If you have any questions about the processing of your personal data or wish to exercise your rights, you can contact the controller by mail or by e-mail at the addresses indicated above.

2. Processing of personal data on this website

2.1 SSL Encryption

For security reasons, and in particular to prevent leakage or theft of personal or confidential data, our website uses SSL encryption technology. This technology allows us to encrypt the data traffic between your browser and our website, thus preventing third parties from viewing or intercepting the personal or confidential data you send us when you browse or shop through our website.

Those web pages whose URL begins with “https://”, as is the case on our website, offer a secure connection as they are protected by an SSL or TLS certificate that encrypts information flows.


2.2 Server log files

When you access our website we automatically collect and process a series of data that your browser provides us with called “server log files”. This data includes:

• Version and type of browser with which you have accessed our website.
• The operating system you are using on your device
• Referred links
• Length of visit
• IP address
• Time and date of access to the website

The data detailed above are technically necessary for you to be able to navigate through our website in an optimal way, avoiding errors or failures in the reproduction of content or functionality of our website. These data will not be combined with other data sources.

The lawfulness of the processing of this personal data is based on our legitimate interest as operators of this website -Art. 6.1.f) of the GDPR-. The legitimate interest pursued is to offer a website free of technical errors, compatible with the main browsers or operating systems and with a friendly navigability for our users or customers.


2.3 Cookies

This website uses cookies. Cookies are small text files that are stored in your browser for the following purposes:

• Enable the reproduction of content and functionalities of the website.
• Improve the browsing experience of users
• Analyze the use of our website in order to improve our services and products.
• Personalize content and advertising
• Improve the security of our website

For more information about the use of cookies on our website please see our Cookies Policy: xcagix.com/en/cookies-policy

2.4 Contact forms, phone calls and e-mails

If you decide to fill out any of the contact forms available on our website or if you contact us via phone call or email, you may provide us with a series of personal data so that we can respond to your query, complaint or request. Such personal data would be, mainly, the following:

• First name and last name
• Contact telephone number
• E-mail address
• Postal address

The lawfulness of the processing of this personal data is based exclusively on the consent of the data subject -Art. 6.1.a of the RGPD-.

You have the right to revoke, at any time, your consent for this treatment, for this you just have to let us know via email to the address info@xcagix.com, or via mail to the address Rambla d’Ègara 283, 2on 1a, 08224 Terrassa, Barcelona (in any case, it will be necessary to prove your identity by providing a photocopy of your ID card or Passport).

We will store this data until you request its destruction, you revoke your consent to the processing of such data or the reason for which it was collected expires.


2.5 User account/registered customer

In order to activate your account and benefit from the promotions and associated advantages it will be necessary that at the time of registration you provide us with a series of personal data, specifically:

• Name and surname
• Contact telephone number
• E-mail address
• Address

Once you provide us with this information we will send you a welcome email in which we will indicate your username (your email address) and a password so that you can access your account. You can change your password at any time from your account settings.

In addition to the data necessary to register your account, we may also process the following personal data related to your activity on our website; order history, saved or marked products, information about payment methods you have used.

The lawfulness of the processing of this personal data is based on the consent of the data subject – Art. 6.1.a) of the GDPR – or on its necessity for the performance of a contract or for the implementation of pre-contractual measures requested by the data subject – Art. 6.1.b) of the GDPR.

You have the right to revoke, at any time, your consent to this treatment, for this you just have to let us know via email to the address info@xcagix.com, or via mail to the address Rambla d’Ègara 283, 2on 1a, 08224 Terrassa, Barcelona (in any case, it will be necessary to prove your identity by providing a photocopy of your ID card or Passport).

We will store this data until you request its destruction, you revoke your consent, you decide to close your account permanently or the reason for which such data were collected expires.

If you want to close your account permanently, you can do it through the configuration panel of your account or request it to the following email address: info@xcagix.com

2.6 Newsletter

In order to sign up for our Newsletter and receive our news and promotions you will need to provide us with an email address.
All our promotional emails have a link at the bottom of the email that allows you to unsubscribe from our Newsletter. If you want to unsubscribe now, you can do so by sending an email to the following address: info@xcagix.com

Our Newsletter is sent through the Klaviyo platform based in Boston, MA, USA. Being an international transfer of data and to ensure compliance with Article 26 paragraph 2 of the GDPR, Klaviyo has incorporated contractual clauses in order to add appropriate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer to the USA, if you want to know the entire document of the contractual clauses you can do so by following this link.

The lawfulness of the processing of this personal data is based exclusively on the consent of the data subject -Art. 6.1.a) of the GDPR-.

You have the right to revoke, at any time, your consent for this treatment, for this you just have to let us know via email to the address info@xcagix.com, or via mail to the address Rambla d’Ègara 283, 2on 1a, 08224 Terrassa, Barcelona (in any case, it will be necessary to prove your identity by providing a photocopy of your ID card or Passport).

We will store your email address until you request its destruction, revoke your consent or unsubscribe from our Newsletter.

2.7 Google Services/Tools

Our website uses the following services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter Google):

Google Analytics with remarketing: service/tool that allows us to analyze your activity within our website (the duration of your view and where you have browsed). To do this, Google uses cookies that collect and store the following information:

• Your IP address
• The operating system, browser and type of device you used to access our site
• The language in which you browse
• The date and time of your visit to our website
• Your activity on our website

These cookies usually expire after 30 days and are not intended to identify you personally, but allow Google to evaluate visitors’ use of the website, compiling reports on website activity for website operators and to provide other services related to website activity and internet usage.

Google’s remarketing feature allows us to create remarketing audiences and share them with our Google Adwords account. A remarketing audience is a list with cookies or advertising IDs that represents a group of users that we want to reconnect with due to their likelihood of completing a conversion.

With Google AdWords Remarketing, Google sets a cookie on your terminal’s browser that automatically enables interest-based advertising using a pseudonymous cookie ID and based on pages visited. If the user has consented to share their web history with Google, then Google may use the history of the visit to our website together with Google Analytics data and Google AdWords data to create a target audience for cross-device remarketing.

Google reserves the right to store and process personal user data in any country in which Google or any of its sub data processors maintain facilities. Therefore, we must advise you that an international transfer of your personal data may occur.

The data provided to us by Google through these tools or services are purely statistical and do not allow us to draw any conclusions about the identity of users, so that the information we obtain as operators of this website through the use of such tools is completely anonymous.

The lawfulness of the processing of personal data by Google Analytics and Google Adwords is based, exclusively, on the consent of the data subject -Art. 6.1.a) of the GDPR-. On the other hand, the lawfulness of the processing of personal data by Google ReCAPTCHA is based on our legitimate interest as a service provider to provide a secure website and prevent fraudulent conduct, -Art. 6.1.f) of the GDPR-.

For more information about the purpose and scope of data collection and processing by Google, please see:

• How Google uses information from websites or applications that use our services”, available at this link
• Google’s privacy policy, available at this link

Google has developed an opt-out plugin for Google JavaScript that prevents the collection and use of your data. If you want to prevent Google from using your data you must download and install the plugin available at this link.

You can also prevent Google from collecting your data by configuring your browser, from the settings option, not to store third-party cookies or to block conversion tracking cookies.

If you have a Google account, from the control panel of your account you can view and modify certain categories of data associated with your Google account (personalization of ads, choice of activities that you want to be stored in a cookie or similar technology when you use a Google service if you are logged into your account, control with whom you share information from your account, etc.).

2.8 Facebook Pixel

Our website uses so-called Facebook visitor action pixels to measure the conversion rate of visitors who access our website via an advertisement published on the social network Facebook. In this way, we can evaluate the effectiveness of the ads we publish on Facebook, identify market preferences and optimize our advertising campaigns on Facebook.

The provider of this service is Facebook Ireland Limited / Facebook Inc, however / therefore, such data can be / will be transferred to Facebook servers located in the United States.

The provider only provides us with statistics on the number of “clicks” that our ads receive (classified by country, age and gender) and on the conversion rate to sale of these.

The data provided to us by Facebook through this tool does not allow us to draw any conclusions about the identity of users, so the information we obtain through this service is completely anonymous.

However, the service provider, as detailed in the privacy policy of the social network Facebook, will store and process the information of the user who has “clicked” on one of our ads and if the user is registered in any Facebook service, Facebook may associate the visit with your account. Even if the user is not registered with Facebook or is not logged in, it is possible that Facebook can obtain and store your IP address, the operating system used, the browser and type of device used, the language used, the date and time of the visit and the user’s activity on the site during a session. Ricard Mollon Rius, as the operator of this website, has no control over Facebook’s use of this personal data.

The lawfulness of the processing of this personal data is based, exclusively, on the consent of the data subject -Art. 6.1.a) of the GDPR-.

For more information on how to protect your privacy, you can consult this link: (You must be logged in to Facebook to change your privacy preferences).

3. Social networks

The purpose of tools such as Facebook, Twitter, Instagram, etc. or other social networks is to give visibility and diffusion to the activities we develop and the products or services we offer. These tools store personal data on their respective servers and are governed by their own privacy policy. We recommend reviewing and reading the terms of use and privacy policies of the social networks used. Likewise, we also recommend that you review the user privacy settings offered by each of these social networks.

Ricard Mollon Rius reserves the right to remove from its social networks any information published by third parties that violates the law, incites to do so or contains messages that violate the dignity of persons or institutions. As well as the right to block or report the profile author of these messages.

4. Transfer of data to third parties and international data transfers

As a general rule, Ricard Mollon Rius will only communicate or transfer your personal data to third parties under legal obligation (in which case, it will only disclose what is strictly necessary for compliance with the legal obligation).

If the interested party gives its express consent, or unless you have given us your express consent, in which case, your personal data will only be communicated or transferred to group companies or collaborating companies for internal administrative purposes, including the processing of personal data of customers or employees. These companies are the following:

• List of companies:
• If there is an international transfer, to be covered by appropriate guarantees (NCV, standard clauses, certifications, codes of conduct…).

The lawfulness of the processing of these personal data is based exclusively on the consent of the data subject -Art. 6.1.a) of the GDPR-.

Ricard Mollon Rius has contracted service providers that require access to certain personal data in order to provide their services (for example, payment methods providers, delivery companies, hosting services, marketing services, IT support services or accounting administration services).

These service providers act as data processors, which means that they may only use the personal data to which they have access to provide their services or to carry out the instructions of the data controller and, under no circumstances, for their own purposes or to transfer them to third parties.

Ricard Mollon Rius has signed contracts on the protection of personal data with these data processors detailing the object, duration, nature, purpose of the processing, type of personal data, categories of data subjects, legal obligations of both parties on data protection and the rights of the data controller.

List of data processors with international transfer:

• Klaviyo: International data transfer, destination country: the USA, standard contractual clauses.
• Google
• Facebook

5. Where do we store the data and for how long?

The personal data obtained will be stored within the EU, in the case of sending data to third parties outside the EU, we will ensure that they offer a sufficient level of protection and have adequate safeguards, such as legally binding instruments between public authorities or bodies, binding corporate rules within a corporate group, standard data protection clauses, codes of conduct, certification mechanisms.

The data provided and collected through this website are stored on the servers of CDMON 10DENCEHISPAHARD, S.L., with NIF no. B62844725 and address at C/ Girona 81-83 local 6 in Malgrat de Mar 08380, e-mail info@cdmon.com.

The information collected from the interested party will be kept as long as it is necessary to fulfill the purpose for which the personal data were collected, so that, once the purpose has been fulfilled, the data will be cancelled. Such cancellation will result in the blocking of the data being kept only at the disposal of the AAPP, Judges and Courts, to meet the possible liabilities arising from the treatment, during the period of limitation of these, fulfilled the said period will proceed to the destruction of the information.

For information purposes, the following are the legal terms for the conservation of information in relation to different matters:

DOCUMENT  –  PERIOD  –  LEGAL REF.

Accounting and tax documentation for commercial purposes – 6 years – Art. 30 Commercial Code.
Tax documentation for tax debts – 4 years – Articles 66 to 70 of Law 58/2003, of December 17, 2003, General Tax Law.
Crimes against the Public Treasury and Social Security – 10 years – Art. 131 Penal Code (LO 10/1995)

6. Rights of interested parties and mechanism for exercising them

You can address your communications and exercise your rights by sending a request to the following email address: info@xcagix.com

Under the provisions of the GDPR you can request:

• Right of access: you can request information about the personal data we have about you.
• Right of rectification: you can communicate any change in your personal data.
• Right of deletion and oblivion: you can request the deletion after blocking personal data.
• Right to limit processing: this means restricting the processing of personal data.
• Right of opposition: you can withdraw your consent to the processing of data, opposing further processing.
• Right to portability: in some cases, you may request a copy of the personal data in a structured, commonly used and machine-readable format for transmission to another controller.
• Right to be free from individualized decisions: you may request that decisions not be made solely on the basis of automated processing, including profiling, that produce legal effects or significantly affect the data subject.

In some cases, we may not be able to delete all of your personal data in order to comply with legal obligations.

In addition, if you have a complaint about the processing of your data, you can submit a complaint to the data protection authority.

7. User responsibility

The user is solely responsible for the veracity and correctness of the data included, exonerating Ricard Mollon Rius of any responsibility in this regard. Users guarantee and are responsible, in any case, for the accuracy, validity and authenticity of the personal data provided, and undertake to keep them duly updated. The user agrees to provide complete and correct information in the registration or subscription form. Ricard Mollon Rius reserves the right to terminate the contracted services that have been concluded with users, in the event that the data provided are false, incomplete, inaccurate or outdated.

Ricard Mollon Rius is not responsible for the veracity of the information that is not of its own elaboration and of which another source is indicated, so it does not assume any responsibility for hypothetical damages that may arise from the use of such information.

Ricard Mollon Rius reserves the right to update, modify or delete the information contained on its website and may even limit or deny access to such information. Ricard Mollon Rius is exonerated from liability for any loss or damage that the user may suffer as a result of errors, defects or omissions in the information provided by Ricard Mollon Rius provided that it comes from outside sources.

Likewise, the user certifies that he/she is over 14 years of age and that he/she has the necessary legal capacity to consent to the processing of his/her personal data.

8. Under age

In principle, our services are not specifically directed to minors. However, in the event that any of them are directed to minors under fourteen years of age, in accordance with Article 8 of the GDPR and Article 7 of the LO 3/2018, of December 5 (LOPDGDD), Ricard Mollon Rius the valid, free, unequivocal, specific and informed consent of their legal guardians to process the personal data of minors. In this case, the DNI or other form of identification of the person giving consent will be required.

In the case of persons over fourteen years of age, data may be processed with the consent of the user, except in those cases in which the law requires the assistance of the holders of parental authority or guardianship.

9. Security measures

Ricard Mollon Rius has adopted the legally required levels of security for the protection of Personal Data, and tries to install those additional technical means and measures within its reach to prevent the loss, misuse, alteration, unauthorized access and theft of Personal Data provided to Ricard Mollon Rius.

Ricard Mollon Rius is not responsible for hypothetical damages that may arise from interference, omissions, interruptions, computer viruses, telephone breakdowns or disconnections in the operation of this electronic system, caused by reasons beyond Ricard Mollon Rius; delays or blockages in the use of this electronic system caused by deficiencies or overloads of telephone lines or overloads in the Data Processing Center, in the Internet system or in other electronic systems, as well as damages that may be caused by third parties through illegitimate intromissions beyond the control of Ricard Mollon Rius.

Links to other websites: On the website xcagix.com there may be links to other websites. By clicking on one of these links and accessing an external website, the visit will be subject to the privacy policy of that website, being Ricard Mollon Rius disassociated from any responsibility for its privacy policy.

10. Can this privacy policy be changed?

Ricard Mollon Rius reserves the right to modify and/or update this Privacy Policy and data protection to adapt to new legislation, so we recommend reading it before each access and navigation through the website. The current legal texts of this website have been drafted by Qualgest, a company specialized in data protection. Notwithstanding the foregoing, the relationships established with users, prior to the modification of the Privacy Policy, will be governed by the rules provided at the time the user accessed the website for its establishment, without prejudice to the provisions of the GDPR.