Privacy policy
Information governing the processing of personal data carried out through urkoruiz.com, in accordance with Regulation (EU) 2016/679 (GDPR) and the Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD).
Last updated: April 17, 2026
1. Data controller
- Owner: Urko Ruiz Ruiz
- Tax ID (NIF): 12395325G
- Registered location: Spain
- Email: hola@urkoruiz.com
No Data Protection Officer (DPO) has been appointed since it is not legally required for the controller’s activities (Art. 37 GDPR).
2. Data collected and purposes of processing
Personal data processed on the Site is collected exclusively through the contact form. Data and purposes are as follows:
2.1. Contact form
- Data collected: name, email address, project type (optional) and message. Additionally, the IP address is logged as an anti-abuse measure.
- Purpose: to respond to the enquiry received, prepare quotes where appropriate and, if applicable, establish a subsequent business relationship arising directly from the user’s request.
- Legal basis: express consent of the data subject provided when submitting the form (Art. 6.1.a GDPR) and, where applicable, the performance of pre-contractual measures taken at the request of the data subject (Art. 6.1.b GDPR).
2.2. Navigation data
- Aggregated, anonymous site usage metrics (pages visited, load time, approximate device) are collected through Vercel Analytics and Vercel Speed Insights. These tools do not use cookies and do not collect data that identifies the user.
- Legal basis: legitimate interest of the Owner in understanding aggregated use of the site and maintaining service quality (Art. 6.1.f GDPR).
3. Retention period
Personal data is kept for the minimum time needed to fulfil the purpose for which it was collected:
- Contact-form data: until the request is answered and for the time strictly necessary to comply with applicable legal obligations (for example, tax obligations in case of a subsequent commercial relationship).
- IP addresses recorded for security purposes: up to 60 days from reception, after which they are automatically deleted.
4. Recipients and data processors
In order to provide the service, certain providers access the data as processors acting on behalf of the Owner. All of them have signed the corresponding agreements under Art. 28 GDPR:
- Vercel Inc. (USA): site hosting, anonymous analytics and performance metrics. International transfer covered by Standard Contractual Clauses (SCC) approved by the European Commission.
- Cloudflare, Inc. (USA): Cloudflare Turnstile anti-spam service protecting the contact form. International transfer covered by SCC.
- Resend, Inc. (USA): email delivery of the contact form contents to the Owner. International transfer covered by SCC.
- Upstash, Inc. (USA): temporary storage of anti-abuse counters (rate limiting). Stored data consists of a hashed IP address and a numeric counter, for a maximum duration equal to the control window (one hour by default).
- Telegram Messenger Inc.: instant notification to the Owner of the form contents, solely within the Owner’s private channel.
Outside these cases, the Owner does not share personal data with third parties except when legally required.
5. International transfers
Some of the providers listed above are located outside the European Economic Area. In all cases, transfers are carried out under the safeguards required by the GDPR, through Standard Contractual Clauses approved by the European Commission or other legally admitted mechanisms.
6. Rights of the data subject
Any person may, at any time and free of charge, exercise the following rights granted by the GDPR and the LOPDGDD:
- Access to their personal data.
- Rectification of inaccurate data.
- Erasure (“right to be forgotten”).
- Restriction of processing.
- Objection to processing.
- Data portability.
- Not to be subject to automated individual decisions.
- To withdraw previously given consent, without affecting the lawfulness of prior processing.
To exercise these rights, simply send an email to hola@urkoruiz.com indicating the right to be exercised and attaching a copy of an identification document.
If you consider that the processing does not comply with current regulations, you have the right to file a claim with the Spanish Data Protection Agency (www.aepd.es).
7. Security measures
The Owner applies appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR), including encryption in transit through HTTPS, minimization of the data requested, access control to management systems and periodic review of providers.
8. Minors
The Site is not directed to children under 14 years of age. The Owner does not knowingly collect personal data from minors. If it detects that it has received data from a minor without valid consent, it will proceed to delete it immediately.
9. Changes to this policy
The Owner may modify this policy to adapt it to legislative updates or service changes. Modifications will be published on this same page and reflected in the “Last updated” date.
See also the legal notice and the cookie policy.