Privacy Policy
Information about how we process personal data to manage orders, payments, financing, deliveries, customer service, warranties, suppliers, technological tools, communications, cookies, analytics, advertising and artificial intelligence systems.
1Controller and Data Protection Officer
The controller of the personal data processed through the website, sales channels, customer service channels, showroom, WhatsApp, telephone, email, forms, technical services and communications related to the commercial activity is SUNMARKET WELLNESS, S.L.U., hereinafter, “Sunmarket”.
External Data Protection Officer
Sunmarket has appointed an external Data Protection Officer, provided by Grupo Adaptalia, to advise, supervise and assist in complying with the applicable data protection regulations.
Data subjects may contact the Data Protection Officer for any matter relating to the processing of their personal data, the exercise of rights, queries, complaints, privacy incidents or requests related to this policy.
2Personal data we process
Sunmarket may process personal data provided directly by the user, data generated during the commercial relationship and data necessary to provide our services, process orders and comply with legal obligations.
- Identification data: first name, surname, Spanish ID/tax number, foreigner identification number or equivalent document where necessary, company, position, language and country.
- Contact data: email address, telephone number, postal address, delivery address, installation address and billing details.
- Order and commercial relationship data: products consulted or purchased, quotes, orders, invoices, warranties, returns, incidents, repairs, serial number, spare parts, technical documentation, photographs or videos provided by the user.
- Payment and financing data: payment method, amount, currency, order identifier, transaction status, transaction references, partial or tokenised payment data where applicable, and data necessary for authentication, fraud prevention, financing or refunds.
- Navigation and technology data: IP address, online identifiers, device or browser identifiers, cookies, consent preferences, security logs, navigation events, pages visited, products viewed, clicks, forms, carts, conversions and technical data.
- Communication data: emails, calls, WhatsApp messages, online chat, forms, requests, complaints, call recordings where applicable, customer service history and internal summaries.
- Data derived from digital tools: opens and clicks in communications, unsubscribes, bounces, automation events, campaigns, source of visit, usage analytics, conversion measurement and aggregated or individualised behaviour where consent exists.
Special categories of data or sensitive information
Sunmarket does not generally request special categories of data, such as health data, ethnic origin, political opinions, religious beliefs, biometric data, data relating to minors or similar information.
The user must refrain from sending special categories of data or sensitive information that is not necessary to process their order, query, warranty or incident. If, exceptionally, the user voluntarily provides sensitive information, photographs, videos or data relating to treatments, injuries, physical condition, health or third parties, Sunmarket will process such information only to the extent strictly necessary to respond to the query, manage the incident or provide the requested support, applying data minimisation, confidentiality and security criteria.
3Purposes and legal bases
The legal basis for processing will depend on the specific purpose. Acceptance of this policy does not turn all processing into consent-based processing. Sunmarket will use the appropriate legal basis in each case: performance of a contract, application of pre-contractual measures, compliance with legal obligations, legitimate interest or consent where applicable.
| Purpose | Data processed | Legal basis |
|---|---|---|
| Order and purchase management | Identification, contact details, address, order, product, payment, invoice and delivery. | Performance of the contract and pre-contractual measures. |
| Quotes and commercial assistance | Contact details, company, requested product, preferences and communications. | Pre-contractual measures, legitimate interest and consent where applicable. |
| Payments, financing and fraud prevention | Amount, payment method, transaction identifier, billing data, technical data and transaction status. | Performance of the contract, legal compliance and legitimate interest in preventing fraud. |
| Shipping, deliveries, assembly and installation | Name, telephone, email, address, product, packages, weight, schedule, notes and logistics documents. | Performance of the contract and legitimate interest in coordinating delivery. |
| Warranties, repairs and incidents | Order, product, serial number, invoice, photographs, videos, technical description and communications. | Performance of the contract, compliance with statutory warranties and legitimate interest. |
| Commercial communications | Email, telephone, preferences, commercial history, opens, clicks and subscription. | Consent or legitimate interest in communications about similar products to existing customers, with an unsubscribe option. |
| Analytics, advertising and behaviour | Cookies, identifiers, events, conversions, browsing, source of visit and campaigns. | Consent for non-essential technologies; legitimate interest only for technical measurement, security or aggregated analysis where applicable. |
| AI, automation and operational improvement | Queries, messages, order data, incidents, summaries and strictly necessary data. | Performance of the contract, pre-contractual measures, legitimate interest and consent where required. |
| Legal, tax and accounting compliance | Invoices, orders, payments, identification, communications and necessary documentation. | Compliance with legal obligations. |
4Orders, payments, financing and fraud prevention
Payments made on the website may be managed through external payment and financing providers, such as Redsys, Stripe, Klarna, SeQura, SIBS/Multibanco, banking institutions, card issuers or other methods available at checkout.
When the user chooses a payment or financing method, the data necessary to process the transaction may be communicated to the relevant provider. This data may include first name and surname, contact details, billing and delivery address, order identifier, amount, currency, technical transaction data, payment status and any information strictly necessary to authorise, authenticate, finance, prevent fraud or confirm the transaction.
Sunmarket does not store the full bank card number or card security codes when payment is made through secure external gateways. In these cases, financial data is processed directly in the payment provider environment, and Sunmarket may receive only limited information about the result of the transaction, transaction identifiers, payment status, references, tokens or partial data necessary for administrative order management.
Certain payment, financing or deferred payment providers may act as independent controllers to verify the user’s identity, assess risk, prevent fraud, comply with financial legal obligations or decide on the approval of financing. In such cases, the user should also consult the privacy policy and terms of the chosen provider.
5Shipping, logistics, suppliers and external technicians
Transport and logistics companies
In order to deliver purchased products, Sunmarket may communicate the necessary data to transport companies, courier companies, logistics operators, warehouses, delivery operators, customs agencies or companies specialising in bulky goods transport. These companies may include GLS, Rhenus, DHL or other national or international logistics operators selected according to the product, destination, volume, weight, availability and delivery conditions.
The data communicated may include first name and surname, company, delivery address, telephone number, email address, order reference, number of packages, weight, delivery notes, logistics documentation and any information necessary to organise delivery, provide tracking information, manage incidents, process returns or prove receipt.
Manufacturers, distributors, warehouses and technical services
In certain orders, Sunmarket may communicate personal data to manufacturers, distributors, external warehouses, logistics providers, installers, official technical services, spare part suppliers or product suppliers where necessary to prepare the order, ship the product directly, carry out an installation, activate a warranty, manage a repair, request parts, verify technical compatibility or resolve an after-sales incident.
Technicians, assemblers, installers, operators and external collaborators
To prepare, deliver, install, assemble, repair, inspect or provide support for certain products, Sunmarket may work with technicians, assemblers, installers, operators, technical services, manufacturers, distributors, warehouses, specialised carriers or external professionals who are not part of the Sunmarket Wellness workforce.
Where necessary to process an order, delivery, installation, warranty, repair, incident or after-sales service, Sunmarket may communicate to these collaborators the data strictly necessary to provide the relevant service. This data may include first name and surname, company, telephone number, email address, delivery or installation address, order reference, purchased product, serial number, photographs, videos, technical documentation, incident description, delivery notes and any information necessary to coordinate the service correctly.
These collaborators may use the data only for the specific purpose entrusted by Sunmarket and may not use it for their own purposes, commercial or advertising purposes or purposes unrelated to the order, installation, repair, warranty or requested service, unless they have their own legal basis that allows this and the user is duly informed.
Where these collaborators process personal data on behalf of Sunmarket, they will act as processors and must assume contractual commitments regarding confidentiality, security, limited use of information, prohibition of unauthorised disclosure, assistance in the exercise of rights and deletion or return of data once the service has been completed. Where they must process the data to comply with their own legal, technical, traceability, security, warranty, billing or professional liability obligations, they may act as independent controllers for such processing.
6Chat, WhatsApp, AI, OpenAI and automation
Sunmarket may handle queries through online chat, WhatsApp, email, telephone or other digital channels. In some of these channels, we may use virtual assistants, artificial intelligence tools and automation systems to collect initial information, identify the reason for the query, classify requests, prepare summaries for our team, translate communications, suggest responses or speed up the management of orders, quotes, incidents, warranties and after-sales support.
These tools act as support for the Sunmarket team. They do not make solely automated decisions that produce legal effects concerning the user or similarly significantly affect them. Relevant decisions regarding acceptance of orders, payments, financing, warranties, returns, repairs, complaints or complex incidents will be reviewed or managed by Sunmarket personnel.
Through these channels we may process data provided by the user during the conversation, such as first name and surname, company, email address, telephone number, order number, delivery or installation address, product consulted or purchased, serial number, photographs, videos, technical documentation, incident description, communication history and any other information necessary to respond to the request.
The user must avoid sending information that is not necessary for the query, such as special categories of data, health data, data relating to minors, identity documents, full bank details, passwords or information about third parties unrelated to the order or incident.
OpenAI, DPA and transfers to the United States
Sunmarket may use artificial intelligence tools, including services provided by OpenAI or by technology providers that integrate OpenAI services, to support customer service, online chat, WhatsApp, email, order management, quotes, after-sales support, incidents, warranties, translation of communications, classification of queries, preparation of internal summaries and assistance to the Sunmarket team.
The use of artificial intelligence services, including OpenAI services, may involve the communication and transfer of certain personal data to the United States or other countries outside the European Economic Area. These transfers will take place only where necessary to provide the service, manage the query, prepare the response, classify the request, summarise the conversation or provide internal assistance to the Sunmarket team.
Where OpenAI processes personal data on behalf of Sunmarket, it will do so as a processor under the Data Processing Agreement entered into between Sunmarket and OpenAI, also known as the Data Processing Addendum or DPA. This agreement regulates, among other matters, Sunmarket’s documented instructions, confidentiality, security measures, assistance with the exercise of rights, incident management, involvement of subprocessors and deletion or return of data at the end of the service provision.
International transfers of data to the United States or other third countries will be carried out by applying the safeguards required by data protection regulations, including, where applicable, the Standard Contractual Clauses approved by the European Commission, applicable adequacy decisions, additional contractual, technical and organisational measures, and any other valid mechanism under the GDPR.
Where the chat, WhatsApp, CRM, helpdesk or automation tool is provided by a technology provider that integrates OpenAI services or other artificial intelligence providers, that provider may act as Sunmarket’s processor, and OpenAI or other AI providers may act as subprocessors or technology providers of the service, depending on the applicable contractual configuration.
Unless otherwise configured, specifically consented to or expressly enabled by Sunmarket, conversations, queries, order data and customer incidents processed through OpenAI business or professional tools will not be used to train public or general artificial intelligence models. Sunmarket will endeavour to configure these services to limit processing to the provision of the contracted service, avoiding the use of data for unnecessary purposes.
The user may request human assistance at any time and may exercise their data protection rights by writing to [email protected], [email protected] or to the external Data Protection Officer indicated in this policy.
7Google Analytics, Google Ads, Brevo and behaviour analysis
Sunmarket may use its own and third-party tools, such as Google Analytics, Google Ads, Google Tag Manager, Google Consent Mode, Brevo and other internal measurement, communication, automation and behaviour analysis systems, to measure website use, improve the user experience, detect errors, optimise checkout, analyse conversions, send transactional communications, manage newsletters, commercial campaigns, automations, cart recovery and after-sales follow-up.
These tools may process technical and browsing data, such as online identifiers, device, browser, pages visited, events, clicks, scrolling, products viewed, source of visit, date and time, approximate location, consent status, email opens, clicks in communications, unsubscribes, bounces, purchase history and other data necessary for the relevant purpose.
Where these tools use analytics cookies, marketing cookies, persistent identifiers, pixels, tracking of opens or clicks, heatmaps, session recordings, personalisation or similar non-essential technologies, the processing will be based on the user’s consent, which may be accepted, rejected or configured from the cookie panel.
Sunmarket may use Google Ads, Google Analytics and conversion measurement systems to understand whether an advertising campaign has generated visits, requests, purchases, forms, calls, contacts, carts, conversions or other relevant actions. In the European Economic Area, Sunmarket will endeavour to transmit the user’s consent preferences to Google through tools such as Google Consent Mode or equivalent solutions.
Sunmarket may use Brevo or equivalent providers to manage communications by email, SMS or other digital channels, including newsletters, commercial campaigns, transactional emails, order confirmations, payment notices, shipping communications, cart recovery, quotes, reminders, after-sales follow-up, satisfaction surveys, basic segmentation and automations related to user activity.
The user may unsubscribe from commercial communications at any time using the link included in each communication or by writing to [email protected] or [email protected].
8Cookies and CookieYes
Sunmarket uses necessary technical cookies and, with the user’s consent, analytics, advertising, conversion, personalisation, remarketing, advanced measurement, behaviour or other similar technologies.
Sunmarket uses CookieYes as a consent management platform. Through the banner and settings panel, the user may accept all cookies, reject non-essential cookies or configure their preferences by category.
Technical or strictly necessary cookies may be installed without consent where they are essential for the operation of the website, security, cart, checkout, session management, fraud prevention, maintenance of essential preferences or provision of a service requested by the user.
Analytics, advertising, conversion, personalisation, remarketing, advanced measurement, behaviour cookies or similar non-essential technologies will only be installed or activated if the user has given the corresponding consent.
CookieYes is configured to block or prevent the activation of non-essential scripts, cookies and technologies when the user has not given consent or has rejected a specific category. Sunmarket periodically reviews the cookie and provider configuration to keep the consent panel up to date and correct any unclassified cookies or new technologies that may be added to the website.
The user may modify or withdraw consent at any time from the cookie settings panel available on the website. For more information about specific cookies, providers, duration and categories, the user may consult the Cookie Policy.
9Communications, calls and video surveillance
Commercial and transactional communications
Sunmarket may send communications necessary to manage orders, quotes, payments, billing, deliveries, incidents, warranties, returns, support, security or the contractual relationship. These communications are based on the performance of the contract, pre-contractual measures, compliance with legal obligations or legitimate interest.
Newsletters, promotions, commercial campaigns and non-essential communications will be sent where consent exists or where legitimate interest applies for existing customers regarding similar products or services, always providing a simple and free mechanism to unsubscribe or object.
WhatsApp, chat and email
Conversations held through WhatsApp, online chat, email or other service channels may be kept for the time necessary to respond to the query, manage the order, provide support, process warranties, resolve incidents, handle complaints and comply with legal obligations.
Where they are linked to orders, quotes, warranties, incidents, repairs, deliveries, returns or complaints, they may be kept for the period necessary to address potential legal, contractual or administrative liabilities.
Call recording
Telephone calls may be recorded to improve service quality, keep a record of instructions, quotes, orders or incidents, resolve complaints, strengthen security and train staff. Recordings will be kept for the time necessary for the purpose that justified the recording and, where applicable, to address potential liabilities.
Video surveillance and audio recording
For reasons of security, access control, protection of assets, prevention of incidents and labour control in accordance with applicable regulations, Sunmarket premises may have video surveillance systems with image recording and, where applicable, sound recording. These recordings will be used exclusively for the indicated purposes and will be kept for the legally permitted period, unless they must be kept for longer to prove facts, address liabilities or comply with requests from authorities.
10Recipients, processors and collaborators
In order to manage purchases, payments, financing, deliveries, customer service, warranties, repairs, installations, communications, analytics, security and legal obligations, Sunmarket may communicate certain personal data to third parties where necessary.
These third parties may act, depending on each case, as processors, independent controllers, joint controllers, subprocessors or mere recipients of the data. Where a provider processes data on behalf of Sunmarket, the corresponding data processing agreement will be formalised in accordance with the GDPR. Where the third party acts as an independent controller, its processing will also be governed by its own privacy policy.
Sunmarket applies data minimisation and necessity criteria when communicating data to suppliers, technicians, carriers, assemblers, installers, operators and external collaborators. Only the data necessary to carry out the specific purpose will be communicated: delivering an order, installing equipment, managing a warranty, resolving an incident, providing technical support or complying with a legal obligation.
Sunmarket requires its employees, suppliers and external collaborators to comply with obligations of confidentiality, security and limited use of information. External collaborators may not use data communicated by Sunmarket for their own purposes, commercial or advertising purposes or purposes unrelated to the entrusted service, unless there is an independent legal basis, adequate information to the user and compliance with applicable regulations.
11International transfers
As a general rule, Sunmarket seeks to use providers located in the European Economic Area or in countries that have an adequate level of data protection. However, certain technology, payment, advertising, analytics, communication, artificial intelligence, security, hosting, CRM, email, automation or infrastructure providers may be located outside the European Economic Area or use international subproviders.
The use of services such as OpenAI, Google, Stripe, Brevo, WhatsApp Business, Meta, chat providers, CRM, advertising, analytics, automation or infrastructure may involve international transfers of data to the United States or other third countries.
Where international transfers take place, Sunmarket will apply the safeguards required by applicable regulations, including adequacy decisions, Standard Contractual Clauses approved by the European Commission, data processing agreements, additional contractual, technical and organisational measures or other mechanisms valid under the GDPR.
The user may request additional information about the safeguards applied by writing to [email protected], [email protected] or to the external Data Protection Officer indicated in this policy.
12Data retention
Sunmarket will retain personal data for the time necessary to fulfil the purposes for which it was collected and, subsequently, for the periods necessary to address legal, contractual, tax, accounting, administrative or warranty liabilities.
- Order, billing and accounting data: during the contractual relationship and the applicable legal retention and limitation periods.
- Warranty, repair, incident and complaint data: for the time necessary to manage the request and address liabilities.
- Commercial communications: until the user withdraws consent, unsubscribes or objects to processing, without prejudice to minimum retention to prove the unsubscribe or blocking.
- Cookies and browsing data: according to the Cookie Policy and the applicable consent settings.
- WhatsApp, chat, email or call conversations: for the time necessary to respond to the query, order or incident and the applicable liability periods.
- Video surveillance: for the legally permitted period, unless retention is necessary due to incidents, complaints or requests.
Once the applicable periods have expired, data will be securely deleted, blocked or anonymised, unless there is a legal obligation to retain it.
13Rights of users and data subjects
The user may exercise their rights of access, rectification, erasure, objection, restriction of processing, portability and, where applicable, the right not to be subject to individual automated decisions.
To exercise these rights, the user may contact us through the following channels:
- Sunmarket: [email protected]
- Privacy mailbox: [email protected]
- External Data Protection Officer: [email protected]
- DPO telephone: 91 553 34 08 · 618 857 567
- Postal address: Av. Maestro Rodrigo 99, 46015 Valencia, Spain
Where necessary to verify the requester’s identity, Sunmarket or the Data Protection Officer may request additional information or supporting documentation, limited to what is strictly necessary to process the request.
If the user considers that the processing of their personal data does not comply with applicable regulations, they may lodge a complaint with the Spanish Data Protection Agency, without prejudice to contacting Sunmarket or its Data Protection Officer beforehand to try to resolve the matter.
14Security and confidentiality
Sunmarket applies appropriate technical and organisational measures to protect personal data against loss, unauthorised access, destruction, alteration, disclosure or improper processing. These measures include access control, permission management, confidentiality, backups, encryption where applicable, training, supplier review, contractual measures, incident logging and internal procedures.
Sunmarket personnel are subject to confidentiality and data protection obligations. Providers, technicians, assemblers, carriers, installers, technical services, advisers and external collaborators who may access personal data must assume commitments of confidentiality, security and limited use of the information in accordance with applicable regulations.
In the event of a personal data breach that may pose a risk to the rights and freedoms of natural persons, Sunmarket will adopt the necessary measures and, where applicable, notify the incident to the supervisory authority and to the affected persons in accordance with the GDPR.
15Minors, changes and acceptance
Minors
The Sunmarket website and services are not aimed at children under 14 years of age. Children under 14 must not provide personal data without authorisation from their parents or legal guardians.
Links to third-party websites
The website may contain links to third-party websites. Sunmarket is not responsible for the privacy policies, security or practices of those websites. Users are advised to read the privacy policies of each external website they visit.
Policy updates
Sunmarket may update this policy to adapt it to regulatory, technical, organisational, supplier, payment method, logistics, technology tool, artificial intelligence, cookie, advertising or service changes. The current version will be the one published on the website at any time.
Acceptance
Use of the website, making purchases, submitting forms, communicating by WhatsApp, chat, telephone or email and contracting products or services implies that the user has received information about the processing of their personal data. Where processing requires consent, Sunmarket will request it specifically through the corresponding mechanism.
AAnnex. Recipient table and data communicated
| Category | Examples | Purpose | Data communicated | Legal basis | Role and transfers |
|---|---|---|---|---|---|
| Payment gateways and financial institutions | Redsys, Stripe, banks, card issuers, SIBS/Multibanco and other checkout methods | Process payments, authenticate transactions, prevent fraud, confirm payment status and manage refunds | Name, email, billing address, order, amount, currency, transaction status and technical data | Performance of the contract, legal obligation and legitimate interest | Independent controllers or processors. International transfers may occur depending on provider |
| Deferred payment and financing | Klarna, SeQura and other financing providers | Deferred payment, financing, verification, risk analysis, approval and collection | Identification, contact, address, amount, order, billing and data necessary to assess the transaction | Performance of the contract, user request and legitimate interest or provider’s own legal bases | Usually independent controllers for their financial assessment |
| Transport and logistics | GLS, Rhenus, DHL, logistics operators, warehouses and specialised carriers | Prepare, transport, deliver, track, manage incidents, returns and bulky deliveries | Name, company, address, telephone, email, order, packages, weight and delivery notes | Performance of the contract and legitimate interest | Independent controllers or processors depending on service |
| Manufacturers, distributors and product suppliers | Manufacturers, importers, distributors, external warehouses and stock suppliers | Prepare orders, direct shipments, warranties, spare parts, technical compatibility and incidents | Contact, address, product, serial number, invoice, incident, images and technical documentation | Performance of the contract, statutory warranty and legitimate interest | Processors or independent controllers depending on action |
| Technicians, assemblers, installers and external operators | Technical services, installers, assemblers, repairers, maintenance providers and professional collaborators | Install, assemble, repair, inspect, maintain, diagnose and resolve incidents | Name, telephone, address, product, serial number, incident, photos, videos and technical documentation | Performance of the contract, statutory warranty and legitimate interest | Processors or independent controllers. We require confidentiality and limited use |
| Artificial intelligence, online chat, WhatsApp and automation | OpenAI, chat providers, WhatsApp Business, CRM, helpdesk, automation, translation and classification | Collect initial information, classify queries, prepare summaries, suggest responses and speed up support | Identification, contact, order, product, conversation, images, documents and incident | Performance of the contract, pre-contractual measures, legitimate interest and consent where applicable | May involve transfers to the United States with DPA, SCCs, adequacy decisions or equivalent safeguards |
| Analytics, advertising and conversions | Google Analytics, Google Ads, Google Tag Manager, Google Consent Mode and own systems | Measure visits, events, conversions, campaigns, checkout, browsing and commercial performance | Identifiers, device, browser, pages, events, clicks, products viewed, conversions and consent | Consent for non-essential technologies; legitimate interest for security or permitted technical measurement | May involve international transfers with safeguards under the GDPR |
| Communication, email marketing and automation | Brevo and equivalent email, SMS, CRM and automation providers | Transactional emails, newsletters, campaigns, cart recovery, after-sales follow-up and campaign measurement | Name, email, telephone, language, country, purchases, subscription, opens, clicks, unsubscribes and bounces | Performance of the contract, legitimate interest and consent depending on communication | Processor or independent controller depending on service. Transfers with safeguards may occur |
| Consent and cookie management | CookieYes and equivalent tools | Manage consent, record preferences, allow acceptance, rejection or configuration and block non-essential scripts | Preferences, technical identifiers, date, time, banner version, categories and consent data | Legal compliance, legitimate interest and consent where applicable | Processor or technology provider. Transfers may occur depending on infrastructure |
| Hosting, e-commerce and maintenance | Arsys, PrestaShop, store modules, security, backups, web maintenance and technical support | Hosting, store operation, security, maintenance, support, updates and backups | Account data, order, browsing, forms, logs, images, communications and technical data | Performance of the contract, legitimate interest and legal compliance | Processors or subprocessors. EEA preference; safeguards if transfer occurs |
| Public administrations, advisers and authorities | Tax Agency, courts, consumer authorities, security forces, tax, accounting or legal advisers | Tax, accounting and administrative compliance, requests, claims and defence of rights | Identification, billing, orders, payments, communications and necessary documentation | Legal compliance and legitimate interest in defence of rights | Independent controllers or legally authorised recipients |
Av. Maestro Rodrigo 99, 46015 Valencia, Spain · [email protected] · 961 040 660
External Data Protection Officer: Grupo Adaptalia · Jessenia Asti · [email protected]