Privacy Policy

1. Introduction

This Privacy Policy has been developed taking into account the provisions of the current Organic Law on Personal Data Protection, as well as Regulation 2016/679 of the European Parliament and Council of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free movement of such data, hereinafter the GDPR.

This Privacy Policy aims to inform the holders of personal data, from whom information is being collected, about specific aspects related to the processing of their data, including the purposes of processing, contact details to exercise their rights, data retention periods, and security measures, among other things.

2. Data Controller

The data controllers are:

HABITUS GLOBAL RETAIL, S.L.U, the company currently operating as the supplier of products for the brand “MUY MUCHO”:
Tax ID: B‑26612754
Postal address: Carrera de Sant Esteve 29, 08173, Sant Cugat del Vallès, Barcelona, Spain.
DPO Contact: 932890410
Email: Contac@muymucho.com

3. Types of data we will process

We inform you that the categories of data we may process are those defined below:

Identification and contact data: name, postal addresses, phone numbers, email addresses, ID or passport number, as well as details of your social media profiles and other identification and contact data that may be necessary for the purposes set out in this policy.
Professional Data: for curriculum management.
Purchase Data: Order number, details of purchased items or commissioned service, details of the payment method used, delivery and billing addresses, messages and direct communications related to the purchase and service execution.
Payment Data: billing addresses, credit card details
Data related to website use: When you interact with our website as informed in the cookie policy.
Social Networks: If you use social networks, the social network operators determine the nature, scope, and purposes of data processing on them.
Image: based on video surveillance cameras.

4. Data Processing

The personal data requested, if applicable, will consist only of those strictly necessary to identify and address the request made by the data subject, hereinafter the interested party. This information will be processed fairly, lawfully, and transparently in relation to the interested party. Furthermore, personal data will be collected for specific, explicit, and legitimate purposes and will not be further processed in a way incompatible with those purposes.

The data collected from each data subject will be adequate, relevant, and not excessive in relation to the corresponding purposes for each case, and will be updated whenever necessary.

The data subject will be informed, prior to the collection of their data, of the general terms regulated in this policy so that they can give their explicit, precise, and unequivocal consent for the processing of their data, according to the following aspects.

5. Purposes of the processing.

The explicit purposes for which each processing is carried out are included in the information clauses incorporated in each data collection method (web forms, paper forms, recordings or posters, and informational notes).

Depending on how you use our website, we will process your personal data for the following purposes:

PURPOSE	MORE INFORMATION
Data for user registration	Anyone interested who decides to register as a user on our website must provide their data to identify themselves as a user; only in this way can we grant access to the features, products, and services available to you as a registered user. The interested party may cancel their data at any time.
Data for the development, fulfillment, and execution of the sales or service contract contracted with Us on the website	The purposes included in this data processing are: 1. Contact the Customer regarding modifications, updates, or informational communications related to the contracted products. 2. Manage payment for products purchased by the Customer, as well as billing and management of tickets and invoice issuance. 3. Prevent and detect misuse of the website, as well as potential fraud. 4. Manage shipments and possible exchanges or returns, as well as product warranties, claims, and requests for information about products. 5. Customer service management.
To handle requests made by the Customer and/or user through the "Customer Service" channel.	When necessary to respond to a request for information from users and/or Customers. Management of requests to exercise your data protection rights.
For Marketing	Data will be processed to carry out promotional actions. They will also be used to manage subscriptions and to send personalized information about the controller’s products or services using various electronic means (such as email or SMS). Newsletter management Managing participation in possible contests or sweepstakes
Data for the development, fulfillment, and execution of the sales or service contract contracted with Us in the store	Managing requests made by the data subject for the sale of products and services. Purchasing management and invoice issuance. Managing shipments and possible exchanges or returns, as well as product warranties, claims, and requests for product information.
Video surveillance	Video surveillance to ensure the safety of people, property, and facilities.
Resumes	Managing personnel selection processes and evaluating the suitability of candidates for future positions within the company
Collaboration with administration and third parties	When required for collaboration with: Judges and courts. The Spanish Data Protection Agency. The State Tax Administration Agency. State security forces and bodies
Whistleblowing channel	Personal data will be processed to manage the Whistleblowing Channel information system and specifically to manage, process, and investigate all acts or omissions contrary to ethics and legality, ensure compliance, and adopt the corresponding disciplinary or legal measures; and, if applicable, the prosecution of criminal offenses and enforcement of criminal sanctions related to the received complaint and its processing and resolution.

However, the personal data of the data subject will be processed solely to provide an effective response and address the requests made by the user, specified alongside the option, service, form, or data collection system used by the controller.

6. Legal basis for data processing

TYPE OF DATA	LEGAL BASIS
Data for user registration	The legal basis for processing is based on the necessity of processing the data to execute the terms governing the use of the website, as registration is only possible if the data is processed. If the data comes from a social network, the consent given for the transfer on that network is the basis legitimizing the processing. (Art. 6.1 a) and b) GDPR)
Data for the development, fulfillment, and execution of the sales or service contract contracted with Us on the website	The processing of your data is necessary for the execution of the sales contract that binds us with the Customer. (Art. 6.1 b) GDPR) The legal basis for processing such data will vary, with some processing related to the purchase process being activated by the Customer's consent (e.g., storage of payment data), while other data may be processed based on our legitimate interest (e.g., conducting checks to prevent possible fraud). (Art. 6.1 f GDPR)
To attend to requests made by the Customer and/or user through the "Customer Service" channel	The legal basis for processing is based on the necessity of processing for the execution of the contract or the provision of services that bind us to the user or on the user's own consent. (Art. 6.1 b) GDPR) If the processing occurs due to the exercise of the rights of the data subjects, or with claims related to products or services of the controller, the legal basis will be compliance with legal obligations on our part. (Art. 6.1 c) GDPR) If the processing occurs regarding the management of incidents related to the purchased product, the processing will be necessary for the execution of the sales contract.
Marketing and Newsletter	The legal basis for processing is based on the user's consent. (Art. 6.1 a) GDPR) It legitimizes the possibility of showing personalized information to users and the legitimate interest to carry out profiling with the information we have about users. (Art. 6.1 f) GDPR).
Data for the development, fulfillment, and execution of the sales or service contract contracted with Us in the store	Contract execution, in relation to the sale of products. (Article 6.1.b of the GDPR)
Video surveillance	Legitimate interest of the data controller (Article 6.1.f of the GDPR)
Resumes	Consent of the data subject (art. 6.1.a GDPR) when submitting your resume and the application of pre-contractual measures (art. 6.1.b) GDPR) if considered for a vacancy.
Collaboration with administration and third parties	Based on compliance with a legal obligation. (Art. 6.1 c) GDPR)
Whistleblowing channel	Compliance with the legal obligations applicable to the data controller (art. 6.1c) GDPR), regarding the duty to have a whistleblowing channel and in accordance with articles 24 and 8 of LO 3/2018 on Data Protection and Guarantee of Digital Rights and article 30.2 of Law 2/2023.

7. Data retention period

As a general rule, we store your personal data as long as necessary to fulfill the purpose for which it was collected, and according to the legal basis for its processing in accordance with applicable law. We will keep your personal information while there is a contractual and/or commercial relationship with you, or while you do not exercise your right to deletion or restriction of the processing of your data. In these cases, we will keep the information properly blocked, without using it, as long as it may be necessary for the exercise or defense of claims or if any type of judicial, legal, or contractual liability may arise from its processing, which must be addressed and for which its processing is necessary.

The retention period of personal data will vary depending on the purposes for which they are being processed, according to the following:

TYPE OF DATA	RETENTION PERIOD
Data for user registration	We will process your data as long as you remain a user, that is, until you unsubscribe.
Data for the development, fulfillment, and execution of the sales or service contract contracted with Us on the website	We will process your data as long as necessary to manage the purchased products, including possible changes, returns, complaints, or claims regarding the purchased product.
To attend to requests made by the Customer and/or user through the "Customer Service" channel	We will process your data as long as necessary to attend to the request made.
Marketing	We will process your data until you unsubscribe from our Newsletter or revoke your consent to receive commercial actions.
Data for the development, fulfillment, and execution of the sales or service contract contracted with Us in the store	During the commercial relationship, deletion request, and the legally required deadlines for tax matters
Data collected for the Loyalty Program	Data related to loyalty cards will be kept as long as the program remains active, unless deletion is requested, except for legal reasons.
Video surveillance	Maximum period of 30 days, except for security reasons.
Resumes	They will be kept for a maximum of 1 year from receipt, after which they will be deleted, unless the candidate renews their consent or is hired.
Whistleblowing channel	The data will be retained for the time necessary to decide whether to initiate an investigation into the reported facts. In any case, if three (3) months have passed since receiving the complaint without any investigation actions being initiated, the data will be deleted, except when it is necessary to keep them to provide evidence of the system's operation. In no case will the retention of communications and internal investigations exceed ten years.

8. Recipients

As a general rule, we do not transfer or disclose data to third parties, except those legally required, necessary for the management of purchase and shipment of products (logistics and transport companies), or those providing us with technological services (storage and processing of information, security services) with whom we have signed the corresponding data processing agreements. However, if necessary, such data transfers or disclosures will be informed to the data subject through the informed consent clauses contained in the different personal data collection methods.

9. Origin

As a general rule, personal data is always collected directly from the data subject; however, in certain exceptions, data may be collected through third parties, entities, or services other than the data subject. In this regard, this will be communicated to the data subject through the informed consent clauses contained in the different data collection methods and within a reasonable time frame, once the data is obtained, and no later than one month.

10. Browsing data

Regarding browsing data that may be processed through the website, if data subject to regulations is collected, it is recommended to consult the Cookie Policy published on our website.

11. Minors

If you are underage, please do not attempt to register as a user of our websites, applications, or products. If we discover that we have accidentally obtained personal information from a minor, we will delete that information as soon as possible.

12. Rights of data subjects

Data protection regulations grant a series of rights to data subjects or data owners, users of this website, users of our social media profiles, and the companies bound by this policy,
These rights available to the data subjects are as follows:

Right of access: the right to obtain information about whether your own data is being processed, the purpose of the processing being carried out, the categories of data involved, the recipients or categories of recipients, the retention period, and the source of such data.
Right to rectification: the right to obtain correction of inaccurate or incomplete personal data.
Right to deletion: the right to obtain deletion of data in the following cases:
- When the data is no longer necessary for the purpose for which it was collected
- When the data controller withdraws consent
- When the data subject objects to the processing
- When they must be deleted in compliance with a legal obligation
- When the data was obtained under an information society service based on the provisions of Article 8, section 1 of the European Data Protection Regulation.
Right to object: the right to object to a specific processing based on the data subject's consent. Therefore, they have the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to restriction: the right to obtain restriction of data processing when any of the following applies:
- When the data subject challenges the accuracy of the personal data, during a period that allows the company to verify their accuracy.
- When the processing is unlawful and the data subject objects to the deletion of the data.
- When the company no longer needs the data for the purposes for which they were collected, but the data subject needs them for the formulation, exercise, or defense of claims.
- When the data subject has objected to the processing while it is verified whether the legitimate grounds of the company override those of the data subject.
Right to data portability: the right to obtain the data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller when:
- The processing is based on consent
- The processing is carried out by automated means
Right to file a complaint with the competent supervisory authority.

Interested parties may exercise the indicated rights by contacting HABITUS GLOBAL RETAIL, S.L.U in writing, sent to the following email address (DPD): contact@muymucho.es, indicating in the Subject line the right they wish to exercise, or to the postal address Carrera de Sant Esteve 29, 08173, Sant Cugat del Vallès, Barcelona, Spain. You can also file a complaint with the competent supervisory authority by contacting the AEPD: C/ Jorge Juan, 6. 28001 - Madrid.