Sunmarket Wellness, S.L.U. - www.sunmarket.es

Privacy Policy

Information about how we process personal data to manage orders, payments, financing, deliveries, customer service, warranties, suppliers, technological tools, communications, cookies, analytics, advertising and artificial intelligence systems.

Last updated: 24 May 2026 Scope: Spain, European Union and European Economic Area Version: English

1Controller and Data Protection Officer

The controller of the personal data processed through the website, sales channels, customer service channels, showroom, WhatsApp, telephone, email, forms, technical services and communications related to the commercial activity is SUNMARKET WELLNESS, S.L.U., hereinafter, “Sunmarket”.

Controller details
Company nameSUNMARKET WELLNESS, S.L.U.
Spanish Tax IDB97238372
Registered addressAv. Maestro Rodrigo 99, 46015 Valencia, Spain
Telephone961 040 660
General email[email protected]
Websitewww.sunmarket.es

External Data Protection Officer

Sunmarket has appointed an external Data Protection Officer, provided by Grupo Adaptalia, to advise, supervise and assist in complying with the applicable data protection regulations.

Data Protection Officer contact
External DPOGrupo Adaptalia
Contact personJessenia Asti
DepartmentCustomer Service / Data Protection Legal Area
Telephone91 553 34 08
Sunmarket internal privacy mailbox[email protected]

Data subjects may contact the Data Protection Officer for any matter relating to the processing of their personal data, the exercise of rights, queries, complaints, privacy incidents or requests related to this policy.

2Personal data we process

Sunmarket may process personal data provided directly by the user, data generated during the commercial relationship and data necessary to provide our services, process orders and comply with legal obligations.

  • Identification data: first name, surname, Spanish ID/tax number, foreigner identification number or equivalent document where necessary, company, position, language and country.
  • Contact data: email address, telephone number, postal address, delivery address, installation address and billing details.
  • Order and commercial relationship data: products consulted or purchased, quotes, orders, invoices, warranties, returns, incidents, repairs, serial number, spare parts, technical documentation, photographs or videos provided by the user.
  • Payment and financing data: payment method, amount, currency, order identifier, transaction status, transaction references, partial or tokenised payment data where applicable, and data necessary for authentication, fraud prevention, financing or refunds.
  • Navigation and technology data: IP address, online identifiers, device or browser identifiers, cookies, consent preferences, security logs, navigation events, pages visited, products viewed, clicks, forms, carts, conversions and technical data.
  • Communication data: emails, calls, WhatsApp messages, online chat, forms, requests, complaints, call recordings where applicable, customer service history and internal summaries.
  • Data derived from digital tools: opens and clicks in communications, unsubscribes, bounces, automation events, campaigns, source of visit, usage analytics, conversion measurement and aggregated or individualised behaviour where consent exists.

Special categories of data or sensitive information

Sunmarket does not generally request special categories of data, such as health data, ethnic origin, political opinions, religious beliefs, biometric data, data relating to minors or similar information.

The user must refrain from sending special categories of data or sensitive information that is not necessary to process their order, query, warranty or incident. If, exceptionally, the user voluntarily provides sensitive information, photographs, videos or data relating to treatments, injuries, physical condition, health or third parties, Sunmarket will process such information only to the extent strictly necessary to respond to the query, manage the incident or provide the requested support, applying data minimisation, confidentiality and security criteria.

3Purposes and legal bases

The legal basis for processing will depend on the specific purpose. Acceptance of this policy does not turn all processing into consent-based processing. Sunmarket will use the appropriate legal basis in each case: performance of a contract, application of pre-contractual measures, compliance with legal obligations, legitimate interest or consent where applicable.

PurposeData processedLegal basis
Order and purchase managementIdentification, contact details, address, order, product, payment, invoice and delivery.Performance of the contract and pre-contractual measures.
Quotes and commercial assistanceContact details, company, requested product, preferences and communications.Pre-contractual measures, legitimate interest and consent where applicable.
Payments, financing and fraud preventionAmount, payment method, transaction identifier, billing data, technical data and transaction status.Performance of the contract, legal compliance and legitimate interest in preventing fraud.
Shipping, deliveries, assembly and installationName, telephone, email, address, product, packages, weight, schedule, notes and logistics documents.Performance of the contract and legitimate interest in coordinating delivery.
Warranties, repairs and incidentsOrder, product, serial number, invoice, photographs, videos, technical description and communications.Performance of the contract, compliance with statutory warranties and legitimate interest.
Commercial communicationsEmail, telephone, preferences, commercial history, opens, clicks and subscription.Consent or legitimate interest in communications about similar products to existing customers, with an unsubscribe option.
Analytics, advertising and behaviourCookies, identifiers, events, conversions, browsing, source of visit and campaigns.Consent for non-essential technologies; legitimate interest only for technical measurement, security or aggregated analysis where applicable.
AI, automation and operational improvementQueries, messages, order data, incidents, summaries and strictly necessary data.Performance of the contract, pre-contractual measures, legitimate interest and consent where required.
Legal, tax and accounting complianceInvoices, orders, payments, identification, communications and necessary documentation.Compliance with legal obligations.

4Orders, payments, financing and fraud prevention

Payments made on the website may be managed through external payment and financing providers, such as Redsys, Stripe, Klarna, SeQura, SIBS/Multibanco, banking institutions, card issuers or other methods available at checkout.

When the user chooses a payment or financing method, the data necessary to process the transaction may be communicated to the relevant provider. This data may include first name and surname, contact details, billing and delivery address, order identifier, amount, currency, technical transaction data, payment status and any information strictly necessary to authorise, authenticate, finance, prevent fraud or confirm the transaction.

Sunmarket does not store the full bank card number or card security codes when payment is made through secure external gateways. In these cases, financial data is processed directly in the payment provider environment, and Sunmarket may receive only limited information about the result of the transaction, transaction identifiers, payment status, references, tokens or partial data necessary for administrative order management.

Certain payment, financing or deferred payment providers may act as independent controllers to verify the user’s identity, assess risk, prevent fraud, comply with financial legal obligations or decide on the approval of financing. In such cases, the user should also consult the privacy policy and terms of the chosen provider.

5Shipping, logistics, suppliers and external technicians

Transport and logistics companies

In order to deliver purchased products, Sunmarket may communicate the necessary data to transport companies, courier companies, logistics operators, warehouses, delivery operators, customs agencies or companies specialising in bulky goods transport. These companies may include GLS, Rhenus, DHL or other national or international logistics operators selected according to the product, destination, volume, weight, availability and delivery conditions.

The data communicated may include first name and surname, company, delivery address, telephone number, email address, order reference, number of packages, weight, delivery notes, logistics documentation and any information necessary to organise delivery, provide tracking information, manage incidents, process returns or prove receipt.

Manufacturers, distributors, warehouses and technical services

In certain orders, Sunmarket may communicate personal data to manufacturers, distributors, external warehouses, logistics providers, installers, official technical services, spare part suppliers or product suppliers where necessary to prepare the order, ship the product directly, carry out an installation, activate a warranty, manage a repair, request parts, verify technical compatibility or resolve an after-sales incident.

Technicians, assemblers, installers, operators and external collaborators

To prepare, deliver, install, assemble, repair, inspect or provide support for certain products, Sunmarket may work with technicians, assemblers, installers, operators, technical services, manufacturers, distributors, warehouses, specialised carriers or external professionals who are not part of the Sunmarket Wellness workforce.

Where necessary to process an order, delivery, installation, warranty, repair, incident or after-sales service, Sunmarket may communicate to these collaborators the data strictly necessary to provide the relevant service. This data may include first name and surname, company, telephone number, email address, delivery or installation address, order reference, purchased product, serial number, photographs, videos, technical documentation, incident description, delivery notes and any information necessary to coordinate the service correctly.

These collaborators may use the data only for the specific purpose entrusted by Sunmarket and may not use it for their own purposes, commercial or advertising purposes or purposes unrelated to the order, installation, repair, warranty or requested service, unless they have their own legal basis that allows this and the user is duly informed.

Where these collaborators process personal data on behalf of Sunmarket, they will act as processors and must assume contractual commitments regarding confidentiality, security, limited use of information, prohibition of unauthorised disclosure, assistance in the exercise of rights and deletion or return of data once the service has been completed. Where they must process the data to comply with their own legal, technical, traceability, security, warranty, billing or professional liability obligations, they may act as independent controllers for such processing.

6Chat, WhatsApp, AI, OpenAI and automation

Sunmarket may handle queries through online chat, WhatsApp, email, telephone or other digital channels. In some of these channels, we may use virtual assistants, artificial intelligence tools and automation systems to collect initial information, identify the reason for the query, classify requests, prepare summaries for our team, translate communications, suggest responses or speed up the management of orders, quotes, incidents, warranties and after-sales support.

These tools act as support for the Sunmarket team. They do not make solely automated decisions that produce legal effects concerning the user or similarly significantly affect them. Relevant decisions regarding acceptance of orders, payments, financing, warranties, returns, repairs, complaints or complex incidents will be reviewed or managed by Sunmarket personnel.

Through these channels we may process data provided by the user during the conversation, such as first name and surname, company, email address, telephone number, order number, delivery or installation address, product consulted or purchased, serial number, photographs, videos, technical documentation, incident description, communication history and any other information necessary to respond to the request.

The user must avoid sending information that is not necessary for the query, such as special categories of data, health data, data relating to minors, identity documents, full bank details, passwords or information about third parties unrelated to the order or incident.

OpenAI, DPA and transfers to the United States

Sunmarket may use artificial intelligence tools, including services provided by OpenAI or by technology providers that integrate OpenAI services, to support customer service, online chat, WhatsApp, email, order management, quotes, after-sales support, incidents, warranties, translation of communications, classification of queries, preparation of internal summaries and assistance to the Sunmarket team.

The use of artificial intelligence services, including OpenAI services, may involve the communication and transfer of certain personal data to the United States or other countries outside the European Economic Area. These transfers will take place only where necessary to provide the service, manage the query, prepare the response, classify the request, summarise the conversation or provide internal assistance to the Sunmarket team.

Where OpenAI processes personal data on behalf of Sunmarket, it will do so as a processor under the Data Processing Agreement entered into between Sunmarket and OpenAI, also known as the Data Processing Addendum or DPA. This agreement regulates, among other matters, Sunmarket’s documented instructions, confidentiality, security measures, assistance with the exercise of rights, incident management, involvement of subprocessors and deletion or return of data at the end of the service provision.

International transfers of data to the United States or other third countries will be carried out by applying the safeguards required by data protection regulations, including, where applicable, the Standard Contractual Clauses approved by the European Commission, applicable adequacy decisions, additional contractual, technical and organisational measures, and any other valid mechanism under the GDPR.

Where the chat, WhatsApp, CRM, helpdesk or automation tool is provided by a technology provider that integrates OpenAI services or other artificial intelligence providers, that provider may act as Sunmarket’s processor, and OpenAI or other AI providers may act as subprocessors or technology providers of the service, depending on the applicable contractual configuration.

Unless otherwise configured, specifically consented to or expressly enabled by Sunmarket, conversations, queries, order data and customer incidents processed through OpenAI business or professional tools will not be used to train public or general artificial intelligence models. Sunmarket will endeavour to configure these services to limit processing to the provision of the contracted service, avoiding the use of data for unnecessary purposes.

The user may request human assistance at any time and may exercise their data protection rights by writing to [email protected], [email protected] or to the external Data Protection Officer indicated in this policy.

7Google Analytics, Google Ads, Brevo and behaviour analysis

Sunmarket may use its own and third-party tools, such as Google Analytics, Google Ads, Google Tag Manager, Google Consent Mode, Brevo and other internal measurement, communication, automation and behaviour analysis systems, to measure website use, improve the user experience, detect errors, optimise checkout, analyse conversions, send transactional communications, manage newsletters, commercial campaigns, automations, cart recovery and after-sales follow-up.

These tools may process technical and browsing data, such as online identifiers, device, browser, pages visited, events, clicks, scrolling, products viewed, source of visit, date and time, approximate location, consent status, email opens, clicks in communications, unsubscribes, bounces, purchase history and other data necessary for the relevant purpose.

Where these tools use analytics cookies, marketing cookies, persistent identifiers, pixels, tracking of opens or clicks, heatmaps, session recordings, personalisation or similar non-essential technologies, the processing will be based on the user’s consent, which may be accepted, rejected or configured from the cookie panel.

Sunmarket may use Google Ads, Google Analytics and conversion measurement systems to understand whether an advertising campaign has generated visits, requests, purchases, forms, calls, contacts, carts, conversions or other relevant actions. In the European Economic Area, Sunmarket will endeavour to transmit the user’s consent preferences to Google through tools such as Google Consent Mode or equivalent solutions.

Sunmarket may use Brevo or equivalent providers to manage communications by email, SMS or other digital channels, including newsletters, commercial campaigns, transactional emails, order confirmations, payment notices, shipping communications, cart recovery, quotes, reminders, after-sales follow-up, satisfaction surveys, basic segmentation and automations related to user activity.

The user may unsubscribe from commercial communications at any time using the link included in each communication or by writing to [email protected] or [email protected].

8Cookies and CookieYes

Sunmarket uses necessary technical cookies and, with the user’s consent, analytics, advertising, conversion, personalisation, remarketing, advanced measurement, behaviour or other similar technologies.

Sunmarket uses CookieYes as a consent management platform. Through the banner and settings panel, the user may accept all cookies, reject non-essential cookies or configure their preferences by category.

Technical or strictly necessary cookies may be installed without consent where they are essential for the operation of the website, security, cart, checkout, session management, fraud prevention, maintenance of essential preferences or provision of a service requested by the user.

Analytics, advertising, conversion, personalisation, remarketing, advanced measurement, behaviour cookies or similar non-essential technologies will only be installed or activated if the user has given the corresponding consent.

CookieYes is configured to block or prevent the activation of non-essential scripts, cookies and technologies when the user has not given consent or has rejected a specific category. Sunmarket periodically reviews the cookie and provider configuration to keep the consent panel up to date and correct any unclassified cookies or new technologies that may be added to the website.

The user may modify or withdraw consent at any time from the cookie settings panel available on the website. For more information about specific cookies, providers, duration and categories, the user may consult the Cookie Policy.

9Communications, calls and video surveillance

Commercial and transactional communications

Sunmarket may send communications necessary to manage orders, quotes, payments, billing, deliveries, incidents, warranties, returns, support, security or the contractual relationship. These communications are based on the performance of the contract, pre-contractual measures, compliance with legal obligations or legitimate interest.

Newsletters, promotions, commercial campaigns and non-essential communications will be sent where consent exists or where legitimate interest applies for existing customers regarding similar products or services, always providing a simple and free mechanism to unsubscribe or object.

WhatsApp, chat and email

Conversations held through WhatsApp, online chat, email or other service channels may be kept for the time necessary to respond to the query, manage the order, provide support, process warranties, resolve incidents, handle complaints and comply with legal obligations.

Where they are linked to orders, quotes, warranties, incidents, repairs, deliveries, returns or complaints, they may be kept for the period necessary to address potential legal, contractual or administrative liabilities.

Call recording

Telephone calls may be recorded to improve service quality, keep a record of instructions, quotes, orders or incidents, resolve complaints, strengthen security and train staff. Recordings will be kept for the time necessary for the purpose that justified the recording and, where applicable, to address potential liabilities.

Video surveillance and audio recording

For reasons of security, access control, protection of assets, prevention of incidents and labour control in accordance with applicable regulations, Sunmarket premises may have video surveillance systems with image recording and, where applicable, sound recording. These recordings will be used exclusively for the indicated purposes and will be kept for the legally permitted period, unless they must be kept for longer to prove facts, address liabilities or comply with requests from authorities.

10Recipients, processors and collaborators

In order to manage purchases, payments, financing, deliveries, customer service, warranties, repairs, installations, communications, analytics, security and legal obligations, Sunmarket may communicate certain personal data to third parties where necessary.

These third parties may act, depending on each case, as processors, independent controllers, joint controllers, subprocessors or mere recipients of the data. Where a provider processes data on behalf of Sunmarket, the corresponding data processing agreement will be formalised in accordance with the GDPR. Where the third party acts as an independent controller, its processing will also be governed by its own privacy policy.

Sunmarket applies data minimisation and necessity criteria when communicating data to suppliers, technicians, carriers, assemblers, installers, operators and external collaborators. Only the data necessary to carry out the specific purpose will be communicated: delivering an order, installing equipment, managing a warranty, resolving an incident, providing technical support or complying with a legal obligation.

Sunmarket requires its employees, suppliers and external collaborators to comply with obligations of confidentiality, security and limited use of information. External collaborators may not use data communicated by Sunmarket for their own purposes, commercial or advertising purposes or purposes unrelated to the entrusted service, unless there is an independent legal basis, adequate information to the user and compliance with applicable regulations.

11International transfers

As a general rule, Sunmarket seeks to use providers located in the European Economic Area or in countries that have an adequate level of data protection. However, certain technology, payment, advertising, analytics, communication, artificial intelligence, security, hosting, CRM, email, automation or infrastructure providers may be located outside the European Economic Area or use international subproviders.

The use of services such as OpenAI, Google, Stripe, Brevo, WhatsApp Business, Meta, chat providers, CRM, advertising, analytics, automation or infrastructure may involve international transfers of data to the United States or other third countries.

Where international transfers take place, Sunmarket will apply the safeguards required by applicable regulations, including adequacy decisions, Standard Contractual Clauses approved by the European Commission, data processing agreements, additional contractual, technical and organisational measures or other mechanisms valid under the GDPR.

The user may request additional information about the safeguards applied by writing to [email protected], [email protected] or to the external Data Protection Officer indicated in this policy.

12Data retention

Sunmarket will retain personal data for the time necessary to fulfil the purposes for which it was collected and, subsequently, for the periods necessary to address legal, contractual, tax, accounting, administrative or warranty liabilities.

  • Order, billing and accounting data: during the contractual relationship and the applicable legal retention and limitation periods.
  • Warranty, repair, incident and complaint data: for the time necessary to manage the request and address liabilities.
  • Commercial communications: until the user withdraws consent, unsubscribes or objects to processing, without prejudice to minimum retention to prove the unsubscribe or blocking.
  • Cookies and browsing data: according to the Cookie Policy and the applicable consent settings.
  • WhatsApp, chat, email or call conversations: for the time necessary to respond to the query, order or incident and the applicable liability periods.
  • Video surveillance: for the legally permitted period, unless retention is necessary due to incidents, complaints or requests.

Once the applicable periods have expired, data will be securely deleted, blocked or anonymised, unless there is a legal obligation to retain it.

13Rights of users and data subjects

The user may exercise their rights of access, rectification, erasure, objection, restriction of processing, portability and, where applicable, the right not to be subject to individual automated decisions.

To exercise these rights, the user may contact us through the following channels:

Where necessary to verify the requester’s identity, Sunmarket or the Data Protection Officer may request additional information or supporting documentation, limited to what is strictly necessary to process the request.

If the user considers that the processing of their personal data does not comply with applicable regulations, they may lodge a complaint with the Spanish Data Protection Agency, without prejudice to contacting Sunmarket or its Data Protection Officer beforehand to try to resolve the matter.

14Security and confidentiality

Sunmarket applies appropriate technical and organisational measures to protect personal data against loss, unauthorised access, destruction, alteration, disclosure or improper processing. These measures include access control, permission management, confidentiality, backups, encryption where applicable, training, supplier review, contractual measures, incident logging and internal procedures.

Sunmarket personnel are subject to confidentiality and data protection obligations. Providers, technicians, assemblers, carriers, installers, technical services, advisers and external collaborators who may access personal data must assume commitments of confidentiality, security and limited use of the information in accordance with applicable regulations.

In the event of a personal data breach that may pose a risk to the rights and freedoms of natural persons, Sunmarket will adopt the necessary measures and, where applicable, notify the incident to the supervisory authority and to the affected persons in accordance with the GDPR.

15Minors, changes and acceptance

Minors

The Sunmarket website and services are not aimed at children under 14 years of age. Children under 14 must not provide personal data without authorisation from their parents or legal guardians.

Links to third-party websites

The website may contain links to third-party websites. Sunmarket is not responsible for the privacy policies, security or practices of those websites. Users are advised to read the privacy policies of each external website they visit.

Policy updates

Sunmarket may update this policy to adapt it to regulatory, technical, organisational, supplier, payment method, logistics, technology tool, artificial intelligence, cookie, advertising or service changes. The current version will be the one published on the website at any time.

Acceptance

Use of the website, making purchases, submitting forms, communicating by WhatsApp, chat, telephone or email and contracting products or services implies that the user has received information about the processing of their personal data. Where processing requires consent, Sunmarket will request it specifically through the corresponding mechanism.

AAnnex. Recipient table and data communicated

CategoryExamplesPurposeData communicatedLegal basisRole and transfers
Payment gateways and financial institutionsRedsys, Stripe, banks, card issuers, SIBS/Multibanco and other checkout methodsProcess payments, authenticate transactions, prevent fraud, confirm payment status and manage refundsName, email, billing address, order, amount, currency, transaction status and technical dataPerformance of the contract, legal obligation and legitimate interestIndependent controllers or processors. International transfers may occur depending on provider
Deferred payment and financingKlarna, SeQura and other financing providersDeferred payment, financing, verification, risk analysis, approval and collectionIdentification, contact, address, amount, order, billing and data necessary to assess the transactionPerformance of the contract, user request and legitimate interest or provider’s own legal basesUsually independent controllers for their financial assessment
Transport and logisticsGLS, Rhenus, DHL, logistics operators, warehouses and specialised carriersPrepare, transport, deliver, track, manage incidents, returns and bulky deliveriesName, company, address, telephone, email, order, packages, weight and delivery notesPerformance of the contract and legitimate interestIndependent controllers or processors depending on service
Manufacturers, distributors and product suppliersManufacturers, importers, distributors, external warehouses and stock suppliersPrepare orders, direct shipments, warranties, spare parts, technical compatibility and incidentsContact, address, product, serial number, invoice, incident, images and technical documentationPerformance of the contract, statutory warranty and legitimate interestProcessors or independent controllers depending on action
Technicians, assemblers, installers and external operatorsTechnical services, installers, assemblers, repairers, maintenance providers and professional collaboratorsInstall, assemble, repair, inspect, maintain, diagnose and resolve incidentsName, telephone, address, product, serial number, incident, photos, videos and technical documentationPerformance of the contract, statutory warranty and legitimate interestProcessors or independent controllers. We require confidentiality and limited use
Artificial intelligence, online chat, WhatsApp and automationOpenAI, chat providers, WhatsApp Business, CRM, helpdesk, automation, translation and classificationCollect initial information, classify queries, prepare summaries, suggest responses and speed up supportIdentification, contact, order, product, conversation, images, documents and incidentPerformance of the contract, pre-contractual measures, legitimate interest and consent where applicableMay involve transfers to the United States with DPA, SCCs, adequacy decisions or equivalent safeguards
Analytics, advertising and conversionsGoogle Analytics, Google Ads, Google Tag Manager, Google Consent Mode and own systemsMeasure visits, events, conversions, campaigns, checkout, browsing and commercial performanceIdentifiers, device, browser, pages, events, clicks, products viewed, conversions and consentConsent for non-essential technologies; legitimate interest for security or permitted technical measurementMay involve international transfers with safeguards under the GDPR
Communication, email marketing and automationBrevo and equivalent email, SMS, CRM and automation providersTransactional emails, newsletters, campaigns, cart recovery, after-sales follow-up and campaign measurementName, email, telephone, language, country, purchases, subscription, opens, clicks, unsubscribes and bouncesPerformance of the contract, legitimate interest and consent depending on communicationProcessor or independent controller depending on service. Transfers with safeguards may occur
Consent and cookie managementCookieYes and equivalent toolsManage consent, record preferences, allow acceptance, rejection or configuration and block non-essential scriptsPreferences, technical identifiers, date, time, banner version, categories and consent dataLegal compliance, legitimate interest and consent where applicableProcessor or technology provider. Transfers may occur depending on infrastructure
Hosting, e-commerce and maintenanceArsys, PrestaShop, store modules, security, backups, web maintenance and technical supportHosting, store operation, security, maintenance, support, updates and backupsAccount data, order, browsing, forms, logs, images, communications and technical dataPerformance of the contract, legitimate interest and legal complianceProcessors or subprocessors. EEA preference; safeguards if transfer occurs
Public administrations, advisers and authoritiesTax Agency, courts, consumer authorities, security forces, tax, accounting or legal advisersTax, accounting and administrative compliance, requests, claims and defence of rightsIdentification, billing, orders, payments, communications and necessary documentationLegal compliance and legitimate interest in defence of rightsIndependent controllers or legally authorised recipients
Sunmarket Wellness, S.L.U.
Av. Maestro Rodrigo 99, 46015 Valencia, Spain · [email protected] · 961 040 660
External Data Protection Officer: Grupo Adaptalia · Jessenia Asti · [email protected]