Skip to main content
Citadex Rack

Privacy policy

How we process your personal data under GDPR (EU) 2016/679 and Spanish LOPDGDD 3/2018.

Last updated: June 1, 2026

This policy explains how Citadex Ibérica S.L. ("Citadex Ibérica", "we") processes the personal data of people who visit citadexrack.es, fill in a form, open an account or place an order. It is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and by the Spanish Organic Law 3/2018 on data protection (LOPDGDD).

1. Data controller

  • Identity: Citadex Ibérica S.L.
  • Tax ID (CIF): B87648531
  • Address: Avenida valdearganda, 23, 28500 Arganda del rey, Madrid, ES
  • Privacy contact email: legal@citadex.es

Citadex Ibérica has not appointed a Data Protection Officer as it is not required under Article 37 GDPR. Privacy enquiries are handled via the email above.

2. Data we process

SourceData
Contact formName, email, company, phone, message.
Quote formSame as contact plus product, quantity and reference.
User registrationEmail, hashed password, name, company, tax ID, phone.
OrdersBilling and shipping data; payment method data processed directly by Stripe.
Technical browsingIP address, session identifier, user-agent — for security and fraud prevention.

3. Purposes and legal basis

  • Replying to enquiries and quote requests. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in responding to the communication initiated by the user.
  • Creating and managing your account and processing orders. Legal basis: contract performance (Art. 6(1)(b) GDPR) or pre-contractual measures at the data subject's request.
  • Complying with legal obligations (tax, accounting, commercial). Legal basis: legal obligation (Art. 6(1)(c) GDPR).
  • Sending technical or commercial communications when you tick the corresponding box. Legal basis: consent (Art. 6(1)(a) GDPR).
  • Security and fraud prevention. Legal basis: legitimate interest of the controller.

4. Retention periods

  • Enquiries and leads: kept for a maximum of 3 years from the last interaction unless the relationship continues.
  • User accounts: while the account is active. After cancellation, data is blocked and kept only to meet potential legal liabilities for the applicable legal periods (commercial: 6 years; tax: 4 years).
  • Orders: tax and commercial retention periods apply to invoicing and accounting documentation.
  • Marketing consent: until you withdraw consent.

5. Recipients

No data is transferred to third parties except where required by law or to the following processors providing services to Citadex under contract (Art. 28 GDPR):

  • Supabase Inc. (database hosting and auth). EU servers.
  • Stripe Payments Europe, Ltd. (payment processing). Independent controller for payment-method data.
  • Vercel Inc. (website hosting and CDN). International transfers may occur, covered by EU Standard Contractual Clauses.
  • Transactional email provider (order, quote and password notifications). EU servers.
  • Tax and accounting advisors contracted by Citadex, for legal compliance.

6. International transfers

Some providers may be based or perform support operations in third countries. In such cases, transfers are covered by European Commission adequacy decisions or Standard Contractual Clauses (SCCs) approved by the Commission, together with additional technical and organisational measures where applicable.

7. Your rights

As a data subject you may exercise the following rights at any time by emailing legal@citadex.es with a copy of a document proving your identity:

  • Access to the personal data we process about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") when data is no longer needed.
  • Restriction of processing in the cases provided in Art. 18 GDPR.
  • Object to processing based on legitimate interest.
  • Portability of your data in a structured format.
  • Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Not be subject to automated decisions producing legal effects. Citadex does not carry out this kind of processing.

We will respond to your request within one month, extendable by two further months in justified cases.

8. Complaints to the supervisory authority

If you believe the processing of your data does not comply with the regulation, you may lodge a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid, or electronically at www.aepd.es. We encourage you to contact us first to try to resolve the matter without a formal complaint.

9. Security

We apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit (HTTPS), role-based access controls, regular backups and audit logs.

10. Changes to this policy

This policy may be updated to reflect legal or technical changes. The current version is always the one published on this page with the "last updated" date shown above.

This is the currently published version. If you spot an error or have a question about how we handle your data, please email legal@citadex.es.