Skip to content
BM Decoración
← Back to BM Decoración
01

Legal

Privacy Policy

Last updated: July 2026

1. Data controller

BM DECORACIÓN ESPAÑA SL (“we”), registered at Calle Dublín 21, 29670 Marbella, Málaga, Spain, is the controller of your personal data under Regulation (EU) 2016/679 (the “GDPR”), Spanish Organic Law 3/2018 (“LOPDGDD”) and Portuguese Law 58/2019 (“GDPR-PT”). We sell exclusively to customers in Spain and Portugal; this policy covers both jurisdictions.

No Data Protection Officer (DPO) has been appointed as our primary processing does not reach the thresholds of Article 37 GDPR or Article 34 LOPDGDD. Privacy enquiries: privacy@bmdecor.es.

2. Categories of personal data

We may process the following categories of personal data:

  • Identification and contact: name, email, telephone, postal / billing / shipping address, NIF or CIF (when an invoice is requested), language preference.
  • Account: AWS Cognito identifier (sub), encrypted password, creation and last sign-in dates, group (Customer / Pros / Employee / Administrator).
  • Commercial: order history, basket contents, wishlist, saved Project Palettes, Stripe customer identifier and payment-method token (we never access the full card number), invoice numbers and PDF copies.
  • Professional (Pros): company name, VAT number, project addresses, professional sector.
  • Communications: customer-service email content, newsletter-subscription status, transactional-email metadata (opens, bounces).
  • Technical / device: truncated IP address, browser, OS, screen size, cookie identifiers, session ID, referring URL, city-level geolocation derived from IP.
  • Behavioural (consent-based only): page views, click events, searches, colour viewed, add-to-cart and checkout steps in PostHog; if you sign in or complete an order, this activity is linked to your account identifier and email to measure the full shopping journey. Session recording is currently disabled.
  • Error monitoring: error traces captured by PostHog Error Tracking, route, breadcrumbs, pseudonymous user identifier.

We do not knowingly process special-category data (Article 9 GDPR) nor collect official identification numbers beyond NIF/CIF for invoicing.

3. Purposes and legal bases

PurposeLegal basisRetention
Account creation and authenticationContract (6.1.b)Until account closure
Order management and deliveryContract (6.1.b)6 years (Art. 30 Commercial Code)
Tax and accounting complianceLegal obligation (6.1.c) — Law 58/20036 years
Stripe payment and fraud preventionContract (6.1.b) + legitimate interest (6.1.f)Per Stripe DPA
Customer serviceLegitimate interest (6.1.f)3 years from last contact
Newsletter / marketingConsent (6.1.a) — opt-inUntil unsubscribe
Analytics (PostHog)Consent (6.1.a) — Art. 22.2 LSSI-CE12 months
Error monitoring (PostHog Error Tracking)Legitimate interest (6.1.f)90 days
Saved Project PalettesContract (6.1.b)Until account deletion
Trade quotes and pricingContract / pre-contractual (6.1.b)4 years

4. Data processors and recipients

We rely on the following data processors:

  • Amazon Web Services EMEA SARL — cloud infrastructure (AWS Amplify, Lambda, DynamoDB, S3, Cognito, Secrets Manager, KMS, CloudFront). Primary processing region: Ireland (eu-west-1). Safeguards: AWS DPA and EU Standard Contractual Clauses for any sub-processor outside the EEA. Certifications: ISO 27001 and SOC 2.
  • Amazon Web Services SES — transactional email (order confirmations, password resets, withdrawal acknowledgements). Region: eu-west-1. Safeguard: AWS DPA.
  • Stripe Payments Europe Ltd — payment processing (PSP), card tokenisation and fraud prevention. Region: Ireland; sub-processors at Stripe, Inc. (US). Safeguards: Stripe DPA, EU Standard Contractual Clauses, and EU-US Data Privacy Framework (DPF) where applicable; PCI-DSS Level 1. We never access your full card number.
  • PostHog Inc. — product analytics. Hosting region: European Union (Frankfurt, Germany — PostHog EU Cloud); PostHog is a US-incorporated provider, and its DPA with EU Standard Contractual Clauses covers any residual access from outside the EEA. Activated only with your explicit consent. With your consent, if you sign in or complete an order we link your account identifier and email to your browsing activity to measure the full shopping journey; this analytics profile is deleted through the same account-erasure process as the rest of your data. Supplementary measures: IP anonymisation, PII exclusion, automated PII filtering on autocapture.
  • PostHog Error Tracking — error monitoring built into the same PostHog project as analytics (not a separate provider). Error traces are auto-captured from the browser and from Lambda; PII is filtered before send; session recording is off. Basis: legitimate interest (Article 6.1.f) for diagnostics and security.
  • Carrier (last-mile delivery) — the courier assigned to your shipment receives only the data strictly necessary for delivery (name, address, phone, order weight). The carrier is listed in your shipping email.
  • Accountancy / gestoría — an external advisor in Spain processes invoicing data for tax filings under a confidentiality agreement.
  • Google Ireland Ltd / Google LLC — Google Analytics (web analytics, enabled only with your consent), Google Customer Reviews (post-purchase rating survey: if you opt in, we share your email, order number and estimated delivery date so Google can send you the survey), and Google Merchant Center (product catalogue for Google Shopping). Region: USA. Safeguards: EU Standard Contractual Clauses and the EU–US Data Privacy Framework (DPF); IP anonymisation in Analytics.

We do not sell or rent personal data to third parties for their own marketing.

5. International transfers

Analytics data is hosted by PostHog inside the EU (Frankfurt, Germany) and does not constitute an international transfer. When data is transmitted outside the European Economic Area — primarily to Stripe sub-processors and Google in the US — we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) supplemented with the safeguards required by the CJEU's Schrems II ruling (Case C-311/18). These measures include encryption in transit, pseudonymisation, and contractual restrictions on access by foreign authorities. Where Stripe or Google rely on the EU-US Data Privacy Framework, we also rely on that adequacy decision.

6. Your rights

Under Articles 15-22 GDPR and the LOPDGDD, you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) — request deletion, subject to retention periods imposed by tax law.
  • Portability — receive your data in a structured, commonly used and machine-readable format, and transmit it to another controller.
  • Restriction of processing in the cases provided for by law.
  • Objection to processing based on legitimate interest, including objection to direct marketing.
  • Withdrawal of consent at any time, without affecting the lawfulness of prior processing.
  • Not to be subject to automated decisions with legal effects (Article 22).

You can exercise your access and erasure rights directly from your account settings:

  • Download my data — one-click exercise of the right of access (Article 15). Returns a JSON file with every piece of personal data we hold about you, including order history, basket, newsletter subscription, submitted enquiries, and the Cognito profile.
  • Delete my account — one-click exercise of the right of erasure (Article 17). Anonymises your order history (the invoice header is retained for the 6-year period required by the AEAT), fully deletes your basket, newsletter subscription and submitted enquiries, and removes your user record from Cognito. We email you a confirmation in Spanish summarising what was deleted and what was retained.

For the remaining rights — rectification, restriction, objection, portability of data not included in the JSON export — write to privacy@bmdecor.es. We may request proof of identity to verify your request and will respond within one month, extendable by two months for complex requests (Article 12 GDPR).

7. Automated decisions

We do not make fully automated decisions with legal or significant effects. Stripe applies automated fraud filtering (Stripe Radar) to authorise or decline payments; this is a legitimate-interest process operated by the processor and not a decision made by us. You can contact us to obtain a human review of any payment declined for fraud reasons.

8. Minors

Our service is not directed at persons under 14 (the digital-consent age in Spain under Article 7 LOPDGDD). We do not knowingly collect personal data from minors under 14. If you believe a minor has provided us with data, write to privacy@bmdecor.es and we will delete it.

9. Security

Under Article 32 GDPR we apply technical and organisational measures appropriate to the risk: TLS for all traffic, AWS Cognito for password encryption, AWS KMS for encryption at rest, least-privilege IAM, AWS CloudWatch for security logging and alerting, and AWS WAF with rate limiting on the public site. Internal access to personal data is restricted to authorised staff under confidentiality obligations.

10. Cookies

We use essential cookies to maintain your session and shopping cart. Analytics cookies (PostHog) are enabled only with your explicit consent via the cookie banner, in line with Article 22.2 LSSI-CE and the AEPD's 2024 Cookie Guide. See our Cookie Policy for the full inventory.

11. Supervisory authorities

You have the right to lodge a complaint with the supervisory authority of your country of residence, without first contacting us.

Spain — Agencia Española de Protección de Datos (AEPD):

  • Address: C/ Jorge Juan, 6, 28001 Madrid
  • Phone: 901 100 099 / 91 266 35 17
  • Web: www.aepd.es

Portugal — Comissão Nacional de Proteção de Dados (CNPD):

  • Address: Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa
  • Phone: +351 213 928 400
  • Web: www.cnpd.pt

12. Changes to this policy

We may update this policy to reflect operational, legal or technical changes. The “Last updated” date in the header reflects the latest change. Material changes are notified by email and consent is re-obtained via the cookie banner when consent is the affected legal basis.

BM Decoración · Calle Dublín 21, Marbella · © 2026 bmdecor.es

Search BM Decoración

Navigate fast. Press ⌘K anytime.