Legal
Privacy policy
Last updated: 12 June 2026
This policy describes how EngineBuildFlow S.L. (trading as EngineBuildFlow, "we", "us") collects, uses and protects personal data when you visit enginebuildflow.com (the "site") or engage us for services. We are the data controller for any personal data you provide.
This policy is written in plain English. If anything is unclear, write to us at info@enginebuildflow.com and we\'ll explain.
1. Who we are
EngineBuildFlow S.L. is registered in Spain.
- Trading address: Carrer del Carme, 62, 08302 Mataró, Barcelona, Spain
- Company registration: CIF: B-67452318
- VAT: ES B67452318
- Contact: info@enginebuildflow.com · +34 932 11 87 91
2. The data we collect
We collect personal data when you submit a contact form, start a checkout, sign up to our care plan, or correspond with us by email or phone. Specifically:
| Data | When collected | Why we hold it |
|---|---|---|
| Name (first & last) | Contact form, checkout, project intake | To address you and identify the engagement |
| Email address | Contact form, checkout, billing | To reply, send proposals, and issue receipts/invoices |
| Phone number | Contact form, checkout | To call you when email isn\'t the right channel |
| Country & billing address | Checkout, invoicing | To determine VAT obligations and produce a valid invoice |
| Company / project name | Contact form, project intake | To understand context and tailor our reply |
| Message contents | Contact form, email correspondence | To respond and to retain a project record |
| Payment metadata | Checkout via Stripe | To verify and reconcile a payment (we never see card numbers) |
| Server logs (IP, user-agent, timestamp) | Every request to the site | Security, abuse prevention, debugging |
3. Lawful bases for processing
We rely on the following lawful bases under Article 6 of the GDPR:
- Contract — to perform a contract with you or take steps before entering one (e.g. preparing a proposal, processing a payment, delivering services).
- Legitimate interests — for security logging, fraud prevention, and replying to enquiries you initiate. We balance these against your rights and only process what is necessary.
- Legal obligation — to retain invoicing records as required by Spanish tax law (typically six years).
- Consent — where you have explicitly opted in (for example, the optional analytics cookie, or any future newsletter).
4. How we use your data
- Replying to your enquiry and preparing proposals.
- Delivering the services you have engaged us for.
- Issuing invoices, taking payments, and meeting tax-law obligations.
- Maintaining a record of work done for the duration of the engagement and for the legal retention period afterwards.
- Improving the site (only with anonymised, aggregated metrics, and only if you accept the analytics cookie).
We do not sell or rent personal data. We do not use it for automated decision-making or profiling.
5. Sharing data with third parties
We only share data with carefully chosen processors that help us run the studio:
- Stripe Payments Europe, Ltd. — payment processing. Stripe receives your name, email, billing address and payment information directly from your browser; we never see card numbers.
- Our hosting provider (within the EU) — server logs and any data submitted via the site is stored on EU-based servers.
- Our email provider — used for sending and receiving correspondence.
- Our accountant — receives invoice records as required for tax filing.
All processors are bound by contractual data-processing agreements compliant with Article 28 of the GDPR.
6. International transfers
Your data is processed inside the European Economic Area. Where a processor operates infrastructure outside the EEA (Stripe is the primary example), the transfer is governed by Standard Contractual Clauses approved by the European Commission.
7. How long we keep data
- Contact-form messages with no follow-up: 12 months, then deleted.
- Active project records: for the duration of the engagement plus 24 months for warranty and dispute support.
- Invoicing records: 6 years, as required by Spanish tax law.
- Server logs: 30 days, then automatically rotated.
8. Your rights
Under the GDPR, you have the right to: access the data we hold about you; have inaccurate data corrected; have data erased where there is no overriding legal basis to keep it; restrict or object to processing; receive a copy in a portable format; and lodge a complaint with the supervisory authority — in Spain, the Agencia Española de Protección de Datos (www.aepd.es).
To exercise any of these rights, email info@enginebuildflow.com. We will respond within 30 days.
9. Security
The site is served exclusively over HTTPS. Sessions are signed and HTTP-only. Backups are encrypted at rest and rotated weekly. Access to project records is limited to the four members of the studio. We do not store payment-card data on our servers; that is handled entirely by Stripe.
10. Cookies
We describe the site\'s cookie use separately in the cookie policy.
11. Changes to this policy
If we change how we handle data — adding a new processor, retaining data for a different period — we will update this page and adjust the "last updated" date. Material changes will be communicated by email to active clients.
12. Contact
Questions, requests or complaints: info@enginebuildflow.com or by post to Carrer del Carme, 62, 08302 Mataró, Spain.