Privacy policy.

1. Who we are

Viva Grafix is a graphic design and print studio based in Tenerife, Spain ("Viva Grafix", "we", "us", "our"). For the purposes of the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and Spain's Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales (LOPDGDD), Viva Grafix is the data controller for any personal data you provide via this website (vivagrafix.com) or our client portal (portal.vivagrafix.com).

• Studio name: Viva Grafix
• Location: Tenerife, Islas Canarias, Spain
• Email: [email protected]

2. What data we collect

We collect only the data you choose to give us. Specifically:

Contact form (vivagrafix.com/contact)

• Your name
• Email address
• Company name (optional)
• Project type, budget range, timeline (optional)
• Free-text message you write us
• Approximate country (derived from IP for spam protection — not stored long-term)

Client portal (portal.vivagrafix.com)

If we set up a portal account for you as part of an engagement, we store:

• Your email address (used as your login)
• Optional profile fields you choose to fill — full name, company, phone, avatar
• Project-related records — project titles, milestones, invoices, files, messages — created by us in the course of working with you
• Authentication metadata — sign-in timestamps, IP addresses for the most recent sessions (handled by Supabase Auth, our authentication provider)

What we do NOT collect

• No analytics tracking, no third-party advertising trackers, no Google Analytics
• No cookies for marketing or behavioural profiling
• No social-media pixels (Facebook, LinkedIn, etc.)

3. Why we collect it — legal basis

Under GDPR Article 6, we process your personal data on the following legal bases:

• Consent (Art. 6.1.a) — when you submit the contact form, you consent to us using your details to reply to your enquiry.
• Contractual necessity (Art. 6.1.b) — once we begin working together, we process your data to deliver the design / print services you've engaged us for.
• Legitimate interests (Art. 6.1.f) — limited use, e.g. spam protection on the contact form, ensuring portal accounts are secure.
• Legal obligation (Art. 6.1.c) — invoice / accounting records are kept as required by Spanish tax law (typically 6 years).

4. Third parties & data processors

We use the following third-party services to operate the website and portal. Each is a data processor acting on our instructions, bound by GDPR-compliant data processing agreements:

• Cloudflare, Inc. (USA / EU) — hosting (Cloudflare Pages), DNS, and CDN. Cloudflare may temporarily process your IP address for routing and security. Privacy: cloudflare.com/privacypolicy
• Supabase, Inc. (USA, EU data residency) — client portal authentication and database. Stores portal account data and project records. Privacy: supabase.com/privacy
• Resend, Inc. (USA / EU) — transactional email delivery (magic-link login emails, contact form notifications). Privacy: resend.com/legal/privacy-policy
• Microsoft 365 (Microsoft Ireland) — business email for [email protected] correspondence. Privacy: privacy.microsoft.com

Some of these providers are based in or transfer data to the United States. They participate in the EU–US Data Privacy Framework or use Standard Contractual Clauses to ensure adequate protection.

We do not sell, rent, or share your data with anyone for marketing purposes — full stop.

5. How long we keep your data

• Contact form submissions — kept in our email inbox for as long as is reasonable for the conversation. Deleted on request.
• Active portal accounts — kept while the engagement is active.
• Closed engagements — portal access removed; project archive kept for 12 months unless deletion requested.
• Invoices & tax records — kept for 6 years as required by Spanish tax law (Ley General Tributaria).

6. Your rights

Under GDPR and LOPDGDD, you have the right to:

• Access a copy of the personal data we hold about you (Art. 15)
• Rectify inaccurate or incomplete data (Art. 16)
• Erase your data ("right to be forgotten") (Art. 17), subject to legal-retention obligations
• Restrict processing in certain circumstances (Art. 18)
• Data portability — receive your data in a structured, machine-readable format (Art. 20)
• Object to processing based on legitimate interests (Art. 21)
• Withdraw consent at any time without affecting prior lawful processing
• Lodge a complaint with the Spanish data protection authority — Agencia Española de Protección de Datos (AEPD), aepd.es

To exercise any of these rights, email us at [email protected] with the subject line "Data request". We aim to respond within 30 days.

7. Cookies & similar tech

This site uses cookies only where strictly necessary for the service to function. We do not use any analytics, advertising, or third-party tracking cookies.

• vivagrafix.com (marketing) — no cookies are set by our code. Cloudflare may set short-lived security cookies (e.g. __cf_bm) for bot protection.
• portal.vivagrafix.com (client portal) — sets a session cookie / localStorage entry to keep you logged in (managed by Supabase Auth). This is strictly necessary for the portal to work and is exempt from cookie-consent requirements under EU law.

You can clear or block cookies via your browser settings; doing so for the portal will sign you out.

8. How to contact us

Questions about this policy, or want to make a data request? Email us:

[email protected]

We aim to reply within one working day. For formal data-protection requests, please use the subject line "Data request" and we'll respond within the GDPR-mandated 30 days.

9. Changes to this policy

We may update this policy from time to time — for example if we change service providers or add new features. We'll update the "Last updated" date at the top, and for material changes we'll notify portal account holders by email. The current version is always at this URL.