Privacy Policy - canna4bliss.com

Date of entry into force: 13 April 2025

1. Introduction

The operator of the canna4bliss.com website (hereinafter referred to as the "Website"), GOEBLYOES LASZLO (hereinafter referred to as the "Data Controller".), is committed to protecting the personal data of visitors. The purpose of this Privacy Policy (hereinafter referred to as the "Privacy Policy") is to protect the privacy of visitors. "Politics".) is to provide you with detailed information about the processing of personal data in our web shop based on WordPress and WooCommerce, in accordance with the General Data Protection Regulation (GDPR) of the European Union and the applicable Spanish data protection legislation.

2. Data of the Data Controller

Name: GOEBLYOES LÁSZLÓ
Registered office: PLAZA DE JANDIA Nº 1, 2ª planta, puerta 2A, 35100 SAN BARTOLOMÉ DE TIRAJANA (LAS PALMAS), Spain
Tax Identification Number (NIF): Y0192822G
E-mail: info@canna4bliss.com
Telephone number: 928148101

3. Scope of personal data processed

In the course of our data processing, we may process the following personal data about you:

3.1. Data provided during registration:

Name
E-mail address
Password (stored encrypted)

3.2. Data provided during the purchase:

Name and billing address
Name and shipping address (if different)
Telephone number
E-mail address

3.3. Data provided when subscribing to the newsletter:

Name
E-mail address

3.4. Data provided through the contact form:

Name
E-mail address
Any other personal data you may include in the message

3.5. Data processed in the CRM system:

The above identification and contact details
Purchase history and preferences
Website interactions (e.g. abandoned carts, products viewed)
Communication history (e.g. e-mails)

3.6. Technical and behavioural data collected automatically (through cookies, pixels and similar technologies):

IP address (anonymised or full, depending on configuration)
Browser type and version
Operating system
Date, time and duration of the visit
Page views, products and clicks
Referrer URL (Referrer URL)
Advertising interactions (e.g. ad clicks, conversions)
Type of device (desktop, mobile)
Detailed information about the cookies and tracking technologies we use can be found in our separate Cookie Policy.

4. Purpose and legal basis of the data processing

We process your personal data for the following purposes and on the following legal bases:

Purpose of processing	Data processed (Examples)	Legal basis (Article 6(1) GDPR)
User account creation and management	Registration data (Name, Email, Password)	Your consent (a) during registration.
Procurement processing and fulfilment, contact	Purchasing data (Name, Addresses, Telephone, Email)	Execution of a contract (b) between you and the Controller.
Invoicing, compliance with accounting obligations	Billing data (Name, Address, VAT number [if applicable])	Compliance with a legal obligation (c) applicable to the Controller, e.g. Spanish tax and accounting legislation.
Sending of newsletters (Newsletter)	Name, E-mail address	Your consent (a) granted upon subscription.
Customer Relationship Management (CRM)	Data processed in CRM (Identifiers, Contact, Purchase History, Interactions)	The legitimate interest (f) of the Controller to improve the quality of customer service and communication, or their consent (a) for certain CRM functions (e.g. preference-based offers).
Marketing automation	CRM data, Email, Purchase history and browsing history	Your consent (a) for the sending of marketing communications (except transactional messages based on the performance of contract (b)).
Website performance analysis and development	automatically collected technical and behavioural data (e.g. Google Analytics)	Your consent (a) for the use of non-essential cookies/analytics technologies.
Targeting and measurement of online advertising (Remarketing)	Automatically collected technical and behavioural data (e.g. Facebook Pixel, Google Ads Tracking Codes)	Your consent (a) for the use of non-essential cookies/marketing/tracking technologies.
Contact, customer service	Data provided in the contact form, E-mail address	Your consent (a) at the initiation of contact, or the legitimate interest (f) of the Controller to handle queries effectively.

5. Data processors

For the processing of your personal data, we may use the following processors, with whom we have entered into appropriate processing contracts in accordance with the GDPR:

5.1. Hosting service provider:

Name: Sybell Informatika Kft.
Headquarters: 1158 Budapest, Késmárk u. 7/b. 2. em. 206., Hungary
Privacy policy: https://sybell.hu/adatvedelmi-tajekoztato/
Task: Physical storage and availability of the Website and the data stored therein (including data processed by FluentCRM and related tools).

5.2. Transport partner:

Name: Correos (Sociedad Estatal Correos y Telegrafos, S.A., S.M.E.)
Privacy policy: https://www.correos.es/es/en/legal/web-privacy
Task: Delivery of ordered products, processing of associated shipping data.

5.3. Accounting service provider:

Name: Carmen Martín Franco
E-mail: carmenmfasesora@gmail.com
Task: Processing of data necessary for the fulfilment of legal obligations related to invoicing and accounting.

5.4. Providers of analytical and advertising services (Data Processors/Receivers):

Google Ireland Ltd. (Gordon House, Barrow Street, Barrow Street, Dublin 4, Ireland)
- Services: Google Analytics, Google Ads
- Privacy policy: https://policies.google.com/privacy
- Task: Compilation of website visitor statistics, management and measurement of online advertising campaigns (based on your consent).
Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
- Service: Facebook Pixel
- Privacy policy: https://www.facebook.com/privacy/policy
- Task: Measuring website activity, creating advertising audiences, ad targeting (based on your consent).

5.5. CRM tools and sending newsletters:

The FluentCRM and related newsletter sending tools (e.g. Fluent Forms) used on the Website process data in the database hosted by the hosting provider (Sybell Kft.).

6. Transfer of data to third countries (outside the EEA)

When using the services of Google Ireland Ltd. and Meta Platforms Ireland Ltd. (Google Analytics, Google Ads, Facebook Pixel), your personal data (in particular technical and behavioural data collected by cookies and pixels) may be transferred outside the European Economic Area (EEA), mainly to the United States of America (USA).

The legal basis for the transfer of data to the USA is the adequacy decision adopted by the European Commission under the EU-US Data Privacy Framework (DPF). (EU-US Data Privacy Framework - DPF), provided that the relevant US company (Google LLC, Meta Platforms, Inc.) is certified under this framework. The Data Controller is informed of the existence of these certifications. The list of certified companies and further information are available on the official website of the DPF: https://www.dataprivacyframework.gov/

If the adequacy decision does not apply to a specific transfer, the Controller shall apply other appropriate safeguards, such as the Standard Contractual Clauses (STCs) approved by the European Commission, together with complementary measures.

Please see the Google and Meta privacy policies linked above for more details on their international data transfers.

7. Data security

The Controller implements appropriate technical and organisational measures to ensure the security of personal data, in particular to protect against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage. Such measures include, but are not limited to

Use of SSL encryption on the Website.
Carrying out regular backups.
Use of firewalls and anti-virus software.
Control and monitoring of access rights.
Establishment of data security requirements in contracts with processors.

8. Rights of data subjects

Under the General Data Protection Regulation (GDPR), you have the following rights in relation to the processing of your personal data:

Right to information: You have the right to request information about the processing of your personal data.
Right of access: You have the right to access personal data stored about you.
Right of rectification: You have the right to request the rectification of your inaccurate personal data or the completion of incomplete data.
Right to erasure ("right to be forgotten"): You have the right to request the deletion of your personal data if certain conditions are met (e.g. if the data are no longer necessary for the purposes for which they were collected, or if you withdraw your consent and there is no other legal basis for the processing). This right is not absolute; for example, in case of legal obligation (retention of invoices), data cannot be deleted before the mandatory period expires.
Right to restriction of processing: In certain circumstances, you have the right to request the restriction of the processing of your data.
Right to data portability: You have the right to receive the personal data concerning you, which you have provided, in a structured, commonly used and machine-readable form and to transmit it to another controller (if the processing is based on consent or a contract and is carried out by automated means).
Right to object: You have the right to object to the processing of your personal data if the processing is based on a legitimate interest. You also have the right to object at any time to the processing of your data for direct marketing purposes (including profiling if it is related to such marketing).
Right to withdraw consent: If the processing is based on your consent (e.g. newsletter, marketing/analytics cookies), you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of the processing based on consent prior to its withdrawal. You can withdraw your consent to cookies through the settings provided on the Website.
Right to lodge a complaint: You have the right to lodge a complaint with the competent data protection supervisory authority if you believe that the processing of your personal data is in breach of the GDPR or other data protection legislation.

You can exercise these rights by sending a request to the e-mail address info@canna4bliss.com. We will respond to your request within one month of receipt.

9. Automated decision-making and profiling

On our website we use profiling for marketing and analytical purposes. This means that, based on your shopping and browsing habits and interests (collected, for example, through cookies and pixels), we can group you with other users to show you more relevant offers, content and advertisements, as well as to better understand our users' needs and improve our services.

This profiling does not usually involve automated decisions that have a legal effect on you or significantly affect you in a similar way (e.g. we do not automatically exclude you from services). You have the right to object to profiling, especially if it is carried out for direct marketing purposes (see point 8).

10. Data retention period

We will retain your personal data only for as long as is necessary for the purposes for which it was collected, in accordance with the following:

Data category	Conservation period
Registration data	Until the user account is deleted. After deletion, the data directly associated with the account (except for data that must be legally retained) will be deleted.
Purchasing and invoicing data	During the mandatory period established by the applicable Spanish tax and accounting legislation, 8 yearseven after deletion of the user account.
Data related to the subscription to the newsletter	Until withdrawal of consent (unsubscription).
Data processed in the CRM system	Until withdrawal of consent (e.g. unsubscribing from marketing communications), deletion of the user account, or as long as necessary to maintain the active customer relationship or to achieve the purpose of the processing. [Define the specific period if different, e.g. X years since last interaction]..
Automatically collected data (cookies, etc.)	Varies according to the type of cookie. The data in Google Analytics are preserved for 14 months. See our Cookie Policy independent to know the exact retention periods of other cookies.
Data provided during contact	Until the resolution of the consultation, or for the time necessary for the possible formulation, exercise or defence of legal claims.

11. Use of cookies

Our Website uses cookies and similar technologies (e.g. pixels) to improve the user experience, to ensure the functioning of the Website, for analytical measurements and for marketing purposes.

For the use of non-essential cookies (e.g. analytics, marketing, tracking cookies), we request your prior and active consent via the cookie banner on the Website (provided by the "Cookie Notice & Compliance for GDPR / CCPA" plugin). We ensure that these technologies are only activated after obtaining your consent. You have the ability to modify or withdraw your consent at any time through the settings options provided on the Website.

You will find detailed information about the cookies we use, their purpose, type, duration and consent management in our Cookie Policy independent.

12. Children's privacy

Our services and the Website are not directed at children under the age of 18. We do not knowingly collect or process data from children under the age of 18. If we become aware that we have processed data of a child under the age of 18, we will immediately take the necessary steps to delete such data.

13. Legal remedies

If you believe that your personal data protection rights have been infringed, you have the right to lodge a complaint with the competent Spanish supervisory authority:

Spanish Data Protection Agency (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Telephone: +34 91 266 35 17
Website: https://www.aepd.es

14. Modification of the Privacy Policy

We reserve the right to unilaterally modify this Privacy Policy. We will inform our visitors about the changes via the Website. The amended Policy will become effective on the date of its publication. Please review this Policy regularly to be aware of any changes.