Privacy Policy
ANDALA NUTRICION, SL (hereinafter, THE ENTITY) provides users of the "Andala" website, located at the URL https://www.andala.life (hereinafter, also the Website), with this Privacy Policy to offer information on how THE ENTITY processes personal data and protects privacy and information. THE ENTITY requests that users take a few minutes to carefully read this Privacy Policy.
INTRODUCTION.
This Privacy Policy applies to the Website, as well as to the interactions that the user makes with THE ENTITY through it.
The Company may modify this Privacy Policy when necessary. If modifications are made, you will be notified through the Website or by other means so that you can be aware of the new Privacy Policy. Your continued use of the functionalities provided by the Company after being notified of these modifications will imply your agreement with them, except in cases where your express consent is required.
WHO IS RESPONSIBLE FOR PROCESSING YOUR PERSONAL DATA?
The data controller for your personal data is ANDALA NUTRICION, SL, located at Avda. Manoteras 24, 28050 Madrid, Spain, with tax identification number (NIF) B13671193. For any questions regarding the processing of your personal data, you can contact us at hola@andala.life
WHAT DATA IS PROCESSED BY THE ENTITY AND FROM WHAT SOURCES DOES IT COME?
The data that THE ENTITY processes as a result of the interactions carried out by the user through the Website comes from the following sources:
- Data provided by the user through the completion of the forms made available by THE ENTITY, through the sending of emails or by any other means by which the user establishes communication with THE ENTITY.
- Data generated as a result of the user's browsing and use of the ENTITY's website.
- Data generated as a result of the development, processing and maintenance of the relationship established between the user and THE ENTITY.
- Third-party data provided by the user.
- Data obtained from external sources.
The ENTITY may process personal data of the following types, depending on the relationship established with the user:
- Identifying data (e.g., name and surname, sex, age, email address, postal address, telephone, IP address).
- Data on personal characteristics and social circumstances (e.g., age, tastes, hobbies and lifestyle, habits related to the intake of food supplements, etc.).
- Economic, financial, and insurance data. Under no circumstances will the ENTITY have access to or process payment card data. Your card details are entered directly into the secure payment gateway, without the ENTITY having access to them.
- Transactions of goods and services (e.g., goods and services received by the user, order history, products we have recommended based on the online test).
- Browsing and location data through third-party cookies and pixels, as specified in the cookie policy (e.g., use of THE ENTITY's website, sections visited, etc.).
- Health data. These categories of data will be processed exclusively for the purpose of developing the dietary supplement best suited to the User's needs and lifestyle, based on the data provided in the online test, as well as to address any queries the user may have submitted, should they have voluntarily included this type of data in the contact form's free text field, deeming it relevant to their inquiry. In any case, please note that THE ENTITY will apply appropriate security measures according to the type of data processed in each instance.
If you do not wish to provide us with health data through the online test, so that we can offer you the most suitable food supplement for your needs, you can select the situations with which you identify and directly consult the available supplement(s) through the website.
FOR WHAT PURPOSE DO WE PROCESS YOUR PERSONAL DATA?
The personal data provided by users of this Website will be processed by THE ENTITY for the following purposes, depending on the type of data provided by the user, as well as the interactions that the user establishes with THE ENTITY through the Website:
PURPOSE 1. Contact and management of Website users:
- Description of the purpose: the personal data of users who contact THE ENTITY through any of the contact channels made available on the Website managed by THE ENTITY, will be processed for the purpose of managing said contact, attending to the queries and requests received through them and providing the required services, such as, where applicable, providing Customer Service, including the management of incidents and/or complaints.
- Legal basis: 6.1.b) GDPR – the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Data processed for this purpose: identification data (name) and contact data (email address), as well as other types of data that may be provided by the User by completing the form.
PURPOSE 2. Recommendation of a suitable food supplement for the User
- Description of the purpose: the personal data provided by users will be processed for the sole purpose of proposing a food supplement that best suits the needs and lifestyle of the User.
- Legal basis: 6.1.a) GDPR – the free and explicit consent of the data subject.
- Data processed for this purpose: identification and contact data (name and email address), personal characteristics and social circumstances (age, date of birth, sex, weight, height, habits, lifestyles, etc.) and health data.
PURPOSE 3. Management of orders placed through the Website (management of subscriptions or one-off orders on demand):
- Description of the purpose: Users' personal data will be processed for the purpose of providing the specific services contracted by the user through the Website, and for the management and processing of their subscription or orders. Users' personal data will also be processed to contact them regarding the contracted services, including communications via electronic means (email, SMS, or others) such as sending email confirmations of the contract, delivery information, or notifications of any issues that may arise in relation to their orders and/or deliveries.
- Legal basis: 6.1.b) GDPR – the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Data processed for this purpose: identification and contact data (name, surname, postal address, email address), financial data, transactions of goods and services.
PURPOSE 4. Product delivery management:
- Description of the purpose: Users' personal data will be processed for the purpose of managing the delivery of products according to the subscription plan selected or the order placed. For delivery management, our transport service provider will contact you by email with your order tracking number. You may also be contacted by email or telephone regarding any issues that may arise in relation to your order or any of the deliveries.
- Legal basis: 6.1.b) GDPR – the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Data processed for this purpose: identification and contact data, transactions of goods and services.
PURPOSE 5. Payment management and processing:
- Description of the purpose: Users' personal data will be processed for the purpose of invoicing and collecting payment through the secure payment methods enabled on the Website. Specifically, for online payment processing, users' personal data will be communicated directly by them to our online payment solution providers to process the payment securely and in accordance with applicable regulations.
- Legal basis: 6.1.b) GDPR – the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Data processed for this purpose: identification and contact information (name, surname, postal address, email address) and billing information. Under no circumstances will the ENTITY have access to or process payment card details. Your card details are entered directly into the secure payment gateway, without the ENTITY having access to them.
PURPOSE 6. Management and development of activities that allow THE ENTITY to optimize the relationships it maintains with users, as well as the levels of service and satisfaction.
- Description of the purpose: THE ENTITY may compile statistics to be applied to studies, promotions and market analysis and may likewise send users, by electronic means, service surveys intended to measure levels of user satisfaction.
- Legal basis: 6.1.f) – the processing is necessary for the satisfaction of the legitimate interest of THE ENTITY in adapting its services to the needs and preferences of users.
- Data processed for this purpose: identification and contact data (email address), data on personal characteristics and social circumstances, commercial information, and transactions of goods and services.
PURPOSE 7. Management of cookies on the website:
- Description of the purpose: If you accept our Cookie Policy, your personal data may be processed by THE ENTITY for the purposes described in the Cookie Policy and Cookie Settings Console, which you can consult at any time and decide which type of cookies you accept or reject.
- Legal basis: 6.1.a) GDPR – The data subject gives express and informed consent for the processing of his or her personal data for one or more specific purposes.
- Data processed for this purpose: Browsing data (IP address and the domain from which access is obtained, date and time of the visit, etc.).
PURPOSE 8. Sending personalized commercial communications about the ENTITY's own products and services, based on the creation and analysis of profiles:
- Description of the purpose: Users' personal data may be processed for the purpose of THE ENTITY sending them advertising, promotional or other information that may be of interest to them, through postal mail, email, SMS and other electronic means of communication, or through telephone marketing, exclusively if the user has consented to such data processing purpose, by expressly accepting the box for commercial, promotional or advertising communications.
- Legal basis: Art. 6.1.a) GDPR – The data subject gives express consent for the processing of his or her personal data for one or more specific purposes.
- Data processed for this purpose: identification and contact data, personal characteristics and social circumstances data, commercial information, transactions of goods and services, and browsing data.
THE ENTITY informs that, in order to optimize and introduce improvements in the sending of advertising, promotional or commercial information, as well as to offer the user appropriate information according to their tastes, hobbies or preferences, it carries out data processing consisting of the creation and analysis of profiles and applies segmentation techniques for commercial and advertising purposes, which will be carried out with data provided by the interested party through registration forms, with data derived from the browsing and use that the user makes of THE ENTITY's web pages (internal data), including the results of test or interaction surveys and the interactions that they make on the content presented on the website (e.g. through the "like" button).
The user may object at any time to the processing of their data for advertising or promotional purposes using the channels enabled for this purpose by THE ENTITY, as detailed in the section "What are your rights regarding your personal data?"
In any case, and if necessary for the purposes of the processing, THE ENTITY may grant access to the user's personal data to third-party service providers, who will access it as data processors. If this access involves the transfer of personal data outside the European Economic Area, THE ENTITY guarantees the existence of appropriate mechanisms and safeguards provided for by applicable regulations (e.g., an adequacy decision by the European Commission or standard contractual clauses) to ensure that the provider applies a level of security equivalent to that required by European data protection regulations.
WHO IS YOUR DATA SHARED WITH?
The personal data processed by THE ENTITY to achieve the purposes detailed above may be communicated to the following recipients depending on the legal basis for the communication, in order to guarantee the proper development of the commercial relationship and to comply with THE ENTITY's legal obligations:
- Public Bodies and Administrations, for the fulfillment of legal obligations applicable to THE ENTITY.
- Financial entities (for the management of collections and payments), online payment solution providers to process and manage your card payment securely, and insurance entities (for the management of outstanding amounts).
- Transport companies to deliver the products and provide you with information on the delivery process and any potential issues.
HOW LONG DO WE KEEP YOUR DATA?
Regarding the health data that the user has provided to us by completing the test, it will be kept active for a period of 30 days, after which it will be blocked for the period of limitation of responsibilities derived from the processing.
If a subsequent subscription was made, THE ENTITY will retain the customers' personal data for as long as the subscription service relationship is maintained. In the case of a one-off purchase, THE ENTITY will retain the personal data of active customers for a period of twelve months from their last product purchase, after which the data will be blocked.
The data of users who have agreed to receive our commercial or advertising communications will be kept until the user withdraws their consent to receive them.
The personal data of users who contact THE ENTITY through any of the contact channels made available on the Website will be kept for the time necessary to address the queries and requests received and provide the required services, such as, where applicable, providing Customer Service, including the management of incidents and/or complaints, after which they will be blocked.
Data, records and documentation that serve as proof of the service provided and/or compliance with contractual and/or legal obligations will be kept blocked for the periods imposed by the applicable regulations, as well as for the limitation periods of civil, criminal, administrative or any other type of actions that may arise from the contractual relationship.
You can request more information about the retention periods for personal data of THE ENTITY at hola@andala.life
WHAT PERSONAL DATA SHOULD YOU PROVIDE US IN EACH CASE?
The Company informs users that when personal data is collected through a form made available on the Website, the user must provide at least the data marked with an asterisk (*). If this required data is not provided, the Company will be unable to provide the service or address the user's query or complaint.
WHAT MUST YOU GUARANTEE WHEN PROVIDING YOUR PERSONAL DATA?
The user guarantees that the data provided is true, accurate, complete and up-to-date, and is responsible for any damage or loss, direct or indirect, that may be caused as a result of non-compliance with this obligation.
If the user provides data belonging to a third party, they guarantee that they have informed said third party of all aspects contained in this Privacy Policy and obtained their consent to provide their data to us for the relevant processing purpose. All of this must be done prior to providing any third-party data through the Website. THE ENTITY informs you that, to provide your personal data in any way through the Website, you must be over 18 years of age. The user who provides data to THE ENTITY through this Website declares and guarantees that they are over 18 years of age, and assumes full responsibility for this declaration.
WHAT MEASURES DO WE TAKE TO PROTECT YOUR PERSONAL DATA?
In response to the ENTITY's concern for ensuring the security and confidentiality of your data, the required security measures for the protection of personal data have been adopted, and all available technical means have been implemented to prevent the loss, misuse, alteration, unauthorized access, and theft of personal data provided through the Website. However, you should be aware that internet security measures are not infallible.
WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?
THE ENTITY informs you that you have the right to obtain confirmation as to whether or not we are processing any of your personal data.
The ENTITY also informs you that you have the following rights in relation to your personal data:
- Right to request access to your data: You have the right to access your data, so that you can know what personal data we are processing.
- Right to request rectification or erasure of your data: In certain circumstances, you have the right to rectify your personal data processed by THE ENTITY if you believe there are inaccuracies. You also have the right to request the erasure of your data when, among other reasons, that data is no longer necessary for the purposes for which it was collected.
- Right to restriction of processing of your data: In certain circumstances, you have the right to ask us to restrict the processing of your data, and if you do so, we will only retain possession of the data for which you have requested such restriction of processing in order to initiate or defend against claims.
- Right to data portability: In certain circumstances, you will have the right to receive a copy of your personal data in a structured, commonly used and machine-readable format, or to request THE ENTITY to transfer that data to another data controller.
- Right to object to the processing of your data: In certain circumstances, and for reasons related to your particular situation, you have the right to object to the processing of your data. If this occurs, we will stop processing that data unless we need to continue doing so for compelling legitimate grounds, or to establish or defend against legal claims.
We also remind you that you have the right to object, at any time, to receiving advertising, as well as to the evaluation and analysis of profiles and segmentation that we carry out for this purpose in order to offer you communications tailored to your tastes, hobbies and preferences.
Likewise, you may withdraw any of the consents you have given for the processing of your data, without this affecting the lawfulness of the processing based on the consent prior to its withdrawal.
The ENTITY informs you that you can exercise your rights in relation to your personal data through any of the following channels:
- By means of a letter addressed to ANDALA NUTRICIÓN, SL at the address Avenida de Manoteras, nº 24, 28050, Madrid, (Spain).
- By writing addressed to ANDALA NUTRICIÓN, SL at the email address hola@andala.life.
The identity of the person exercising their rights must be verified; if the Company cannot confirm it through the means used to send the message, it may request additional information.
The entity will provide the requested information within a maximum of one month from the date of receipt of the request. This period may be extended for a further two months if necessary, taking into account the complexity and number of requests.
The ENTITY informs you that you may file a complaint with the competent Data Protection Supervisory Authority (www.aepd.es).