This policy explains how Paks SL (“PAKS”, “we”, “us”) collects and uses personal information when you use our website paks.es (the “Site”) or place an order. Use of the Site is also governed by our Terms and conditions. We process data in line with the EU General Data Protection Regulation (“GDPR”) and applicable Spanish law.
1. Data controller
The controller responsible for your personal data is:
Paks SL
Spain
Email: privacy@paks.es (or use the contact details on our Contact page once published)
If you appoint a representative (e.g. a parent), they may exercise your rights on your behalf with appropriate proof of authority.
2. What data we collect
Depending on how you use the Site, we may process:
- Identity & contact: full name, email address, phone number (including country prefix), and optional university selection when you submit the order form.
- Order & preferences: selected pack, tier, promotional or discount flags we apply, and related metadata needed to fulfil your order.
- Payment data: when you pay, Stripe processes card and payment details. We do not store full card numbers on our servers; we may store Stripe identifiers (such as checkout session or payment intent IDs), payment status, and timestamps in our database.
- Technical & usage data: standard server or hosting logs may include IP address, browser type, device type, referring URL, and date/time of requests. Our analytics (if enabled later) will be described in an updated version of this policy.
- Communications: content of emails or messages you send us.
3. Why we use your data (purposes)
We use personal data to:
- Accept, process, and fulfil orders;
- Communicate with you about order timing, delivery, refunds, and support;
- Operate, secure, and improve the Site and our services;
- Comply with legal obligations (e.g. accounting, tax, fraud prevention where applicable);
- Defend legal claims where necessary.
4. Legal bases (GDPR)
We rely on one or more of the following, depending on the activity:
- Contract — processing needed to take steps at your request before entering into a contract and to perform our agreement with you (for example, processing your order and delivery).
- Consent — where you tick a box to agree to marketing or similar contact (e.g. product or semester updates), or where consent is required for non-essential cookies or tools we add later.
- Legitimate interests — for example securing the Site, understanding aggregate demand, and limited direct marketing compatible with your expectations (always balanced against your rights).
- Legal obligation — where the law requires us to retain or disclose certain records.
You may withdraw consent at any time where processing is based on consent; withdrawal does not affect processing that was lawful before withdrawal.
5. How we share data (processors & recipients)
We share data only with service providers who help us run PAKS, under contracts that require them to protect your information:
- Supabase — cloud database and related infrastructure to store order records.
- Stripe — payment processing and related fraud prevention.
- Hosting / DNS / email — providers that serve the Site or deliver transactional messages.
We do not sell your personal data. We may disclose information if required by law, court order, or competent authority, or to protect the rights, safety, and security of PAKS, our users, or the public.
6. International transfers
Some processors may be located outside the European Economic Area (EEA). Where data is transferred internationally, we use appropriate safeguards recognised under GDPR (for example Standard Contractual Clauses or adequacy decisions), in addition to technical and organisational measures.
7. Retention
We keep personal data only as long as necessary for the purposes above, including legal, tax, and accounting requirements. Indicative periods:
- Order records — for the lifecycle of fulfilment and support, then archived or deleted according to our retention schedule unless a longer period is required by law.
- Payment records — as required for accounting, chargebacks, and regulatory obligations (Stripe also retains data under its own policies).
- Server logs — typically rotated after a limited period unless needed for security investigations.
When data is no longer needed, we delete or anonymise it where possible.
8. Security
We implement appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, alteration, or disclosure. No method of transmission over the Internet is 100% secure; we encourage you to use strong passwords and protect your devices.
9. Your rights
Under GDPR, you may have the right to:
- Access — request a copy of the personal data we hold about you;
- Rectification — correct inaccurate or incomplete data;
- Erasure — request deletion where applicable (“right to be forgotten”);
- Restriction — limit how we use your data in certain cases;
- Portability — receive your data in a structured, commonly used format where processing is based on consent or contract and is carried out by automated means;
- Object — object to processing based on legitimate interests or to direct marketing;
- Withdraw consent — where processing is consent-based;
- Lodge a complaint — with the Spanish supervisory authority (Agencia Española de Protección de Datos) or your local authority if you reside elsewhere in the EEA.
To exercise any right, contact us at the email above. We may need to verify your identity before responding. You also have the right to lodge a complaint with the AEPD regardless of other remedies.
10. Cookies & similar technologies
We use cookies and similar technologies as described in our Cookie policy. A consent dialog lets you reject non-essential cookies or accept all optional cookies before they run. Strictly necessary storage (for example, remembering your choice and basic session flows) does not require consent under EU ePrivacy rules but is listed for transparency.
11. Children
Our services are aimed at students and their families. If you are under the age at which you can validly consent in your country (often 16 in the EU for online services, unless member states set a lower age not below 13 with parental authorisation), a parent or guardian should complete forms and payments on your behalf. If you believe we have collected a child’s data without appropriate authority, please contact us and we will delete it promptly where required by law.
12. Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. If that changes, we will explain the logic and your rights in an updated policy.
13. Third-party sites
The Site may link to third parties (e.g. social networks). Their privacy practices are governed by their own policies; we are not responsible for their content or processing.
14. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top will change, and for material changes we will provide a clearer notice on the Site or by email where appropriate. Continued use of the Site after changes constitutes notice of the updated policy where permitted by law.
15. Contact
For privacy-specific requests, email privacy@paks.es. For general enquiries, see our Contact page.