1. Data controller
The data controller is SOV GLOBAL VENTURES SL, with tax ID ESB01992601 and registered office at C/ Rufino Gea, 2, 03300 Orihuela, Alicante, España.
For privacy-related matters, including requests to exercise your rights, you can reach us at team@grafiksbox.com. We do not have a designated Data Protection Officer (DPO) under Art. 37 GDPR as our processing activities do not meet the threshold, but the email above is monitored by a privacy-responsible person.
2. What we collect
We collect only what we need to run the service:
Identification & account data
- Email address, full name, username
- Profile picture (optional)
- Preferred language, currency override
- Linked Shopify customer ID (if you sign in via grafiksbox.com)
Billing data
- Billing address and tax-relevant country
- Last 4 digits of payment method, card brand, expiry (from Stripe)
- Invoice and transaction history
We never store full card numbers — payment data is handled directly by Stripe, a PCI-DSS Level 1 certified processor.
Product usage
- Covers browsed, liked, downloaded
- Credits spent, subscription status
- Device type, browser, approximate location (from IP)
Communications
- Emails you send us and our responses
- Chat messages with support (if applicable)
Marketing & analytics (only with your consent)
- Meta Pixel events, Google Analytics 4 events, Google Ads conversions
- Email open / click metrics via Klaviyo (when you subscribe to marketing)
3. Why we collect it
- To create and operate your account
- To provide the subscription service (credits, downloads, wishlist)
- To process payments and issue invoices
- To send transactional messages (receipts, password reset, drop notifications)
- To offer customer support
- To detect fraud, abuse, or breach of our Terms
- To improve the product (aggregated analytics)
- To comply with tax, accounting and legal obligations
- To send marketing communications — only if you opt in
4. Legal basis for processing
Under Art. 6 GDPR, we rely on the following legal bases:
- Performance of a contract (Art. 6.1.b) — account creation, service delivery, payments
- Legal obligation (Art. 6.1.c) — tax records, accounting, anti-fraud regulations
- Consent (Art. 6.1.a) — non-essential cookies, marketing emails, Pixel/Ads tracking
- Legitimate interest (Art. 6.1.f) — product improvement, security, fraud prevention (balanced against your rights)
5. How long we keep it
- Account data: for as long as your account is active, plus up to 12 months after closure for fraud prevention
- Invoices & billing records: 6 years (Spanish Commercial Code)
- Marketing lists: until you unsubscribe, or 3 years of inactivity
- Analytics: up to 26 months for GA4, 90 days for Pixel events (in our systems — platform retention may vary)
- Support conversations: 3 years
6. Who we share data with
We never sell your personal data. We share it only with processors that help us run the service, all of them bound by Data Processing Agreements compliant with Art. 28 GDPR:
| Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting, CDN and deployment | United States |
| Supabase Inc. | Database, authentication, file storage | EU / United States |
| Stripe Payments Europe Ltd. | Payment processing, subscription billing | Ireland (EU) |
| Resend, Inc. | Transactional email (receipts, magic links, notifications) | United States |
| Klaviyo, Inc. | Marketing email, segmentation, campaigns | United States |
| Cloudflare, Inc. | R2 object storage, CDN, DDoS protection | United States / global edge |
| Instasent | Transactional SMS | Spain (EU) |
| Meta Platforms Ireland Ltd. (Facebook) | Advertising, conversion tracking (Meta Pixel + CAPI) | Ireland (EU) / global |
| Google Ireland Ltd. | Advertising, analytics (Google Ads + GA4) | Ireland (EU) |
We may also share data with tax authorities, legal advisors, auditors and law enforcement when required by law.
7. International transfers
Some processors listed above are located outside the European Economic Area (EEA). Transfers are protected by the European Commission's Standard Contractual Clauses (SCCs, 2021) and, where applicable, the EU-US Data Privacy Framework. You can request a copy of the safeguards applicable to any specific transfer by emailing us.
8. Your rights under GDPR
You can exercise the following rights at any time:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data
- Erasure("right to be forgotten") — request deletion, subject to legal retention duties
- Restriction of processing in certain cases
- Portability — receive your data in a machine-readable format
- Objection to processing based on legitimate interest or direct marketing
- Withdraw consent at any time (without affecting prior lawful processing)
To exercise any right, write to team@grafiksbox.comwith proof of identity. We'll respond within 30 days. If you believe your rights have been infringed, you may also lodge a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es).
9. Minors
Grafiks+ is not directed at people under the age of 16. We do not knowingly collect personal data from minors. If you are a parent or legal guardian and believe your child has provided us with data, contact us and we will delete it.
10. Security
We apply industry-standard technical and organizational measures to protect your data: encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, regular backups, logging, and row-level security at the database layer. No system is 100% secure — if a breach affecting your data occurs, we will notify you within 72 hours as required by Art. 33 GDPR.
11. Changes to this policy
We may update this policy as the product evolves or regulations change. Material changes will be communicated by email or an in-app notice at least 15 days before they take effect. Continued use of the service after the effective date constitutes acceptance.
12. Contact
For any privacy-related question, reach out to team@grafiksbox.com or by post at:
SOV GLOBAL VENTURES SL
C/ Rufino Gea, 2, 03300 Orihuela, Alicante, España
CIF ESB01992601