Privacy policy · Heavy Stone Spain

1. Data controller

Personal data submitted through this website will be processed by Heavy Stone Spain, S.L. as data controller.

Controller: Heavy Stone Spain, S.L.
VAT no.: ESB70603923
Address: Rúa Federico Tapia, no. 12, 1ºC · 15005 A Coruña, Spain
Contact email: info@heavystone.es
DPO: Not appointed (not required under GDPR art. 37)

2. Data we collect

Through the website we may collect the following personal data:

Contact form data: name and company, email address, type of enquiry and message content.
Technical browsing data: IP address, browser and device type, date and time of access (collected in server logs for security and diagnostic purposes).

We do not collect special category data (article 9 GDPR).

3. Purpose of processing

The personal data submitted is processed for the following purposes:

To respond to enquiries, requests for information or quotations submitted through the contact form.
To maintain the commercial or pre-contractual relationship arising from such enquiries.
To ensure the technical security of the website and prevent abuse.
To comply with applicable legal obligations.

Data will not be used for automated profiling with legal effects on the data subject.

4. Legal basis

Consent of the data subject (art. 6.1.a GDPR) when submitting the contact form.
Pre-contractual measures (art. 6.1.b GDPR) where the enquiry frames a potential commercial relationship.
Legitimate interest (art. 6.1.f GDPR) of the controller for the technical security of the website.
Compliance with legal obligations (art. 6.1.c GDPR) where applicable.

5. Retention period

Contact form data will be kept for the time strictly necessary to handle the enquiry and, where applicable, throughout the commercial relationship. Once concluded, the data will be kept blocked for the legally required periods before final deletion (generally up to six years for tax and civil-action reasons under Spanish law).

Server technical logs are kept for the time necessary to ensure security and, except in the event of an incident, do not exceed 12 months.

6. Recipients and disclosures

Personal data will not be disclosed to third parties unless legally required. Access may be granted to the following data processors, with which a contract is in place under GDPR art. 28:

Hosting provider (Sered, S.L. — Spain).
Email service provider linked to the domain.

No international data transfers are made outside the European Economic Area.

7. Data subject rights

The data subject may exercise the following rights at any time:

Access to their personal data.
Rectification of inaccurate data.
Erasure ("right to be forgotten") where applicable.
Objection to processing.
Restriction of processing in the cases foreseen by GDPR.
Data portability in a structured format.
Withdrawal of consent given, without affecting the lawfulness of prior processing.

To exercise these rights, the data subject may contact the controller by email at info@heavystone.es, indicating "Data protection" as the subject and providing a copy of an identity document.

The data subject has the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) if they consider that the processing does not comply with the regulations.

8. Security measures

Heavy Stone Spain, S.L. has adopted appropriate technical and organisational measures to ensure the security of personal data and to prevent its alteration, loss or unauthorised processing or access, taking into account the state of the art, the nature of the data and the risks to which it is exposed. Among others: SSL/TLS encryption in communications, access control, backups and activity logging.

9. Modification of the policy

This policy may be updated to reflect regulatory or operational changes. Modifications will be published in this same section, indicating the date of the latest version.

Last update: May 2026 · Indicative text based on GDPR and Spanish LOPDGDD; legal advice recommended before final publication.