Privacy Policy and Data Protection (GDPR)

LUDICO operates a digital marketplace platform that connects people with workshop experiences in Spain.

Until LUDICO is formally incorporated, responsibility lies with:

• Holder: Joana Maria Martins Ramos
• NIE/DNI: Y8363573M
• Address: Rambla del Poblenou 187
• E-mail: [email to be defined]

2.1 Information you provide

For Users:

• Name, email, phone, billing address, and profile preferences.
• Payment information (processed securely and encrypted by Stripe. LUDICO does not store credit card numbers).
• Communication data (messages, comments, support requests).

For Partners:

• Workshop descriptions, prices, and availability schedules.
• Bank account details for payment transfers.
• Business registration information (VAT/NIF number).
• Photographs, videos, and promotional materials.
• Identity verification documents.
• Professional credentials and teaching experience.
• Teaching certifications or qualifications.

2.2 Information collected automatically

Technical data:

• IP address, cookies, and geolocation (via Mapbox, with authorization).

2.3 Payment processors

• Card data processed in a tokenized and secure manner by Stripe.
• Transaction verification and fraud prevention data.

We process your data based on Contract Performance (booking management), Legitimate Interest (security and site improvement), and Consent (marketing and newsletters).

Data is used to validate bookings, manage credit balances, send service notifications via Resend, and comply with tax obligations before the Spanish Hacienda.

We do not sell data. We share only what is strictly necessary with:

• Infrastructure: Vercel and Supabase.
• Payments: Stripe Connect.
• Geolocation: Mapbox.
• Partners: only the data needed for the workshop attendance list.

Some of our providers (Stripe, Google) may process data outside the EEA. We guarantee that these transfers comply with the Standard Contractual Clauses approved by the European Commission.

In Spain, you have the right to Access, Rectification, Cancellation (Erasure), and Objection. You can exercise these rights by sending an email to [email to be defined]. We will respond within 30 days.

We may request verification of your identity for security reasons.

7.1 Data Subject Rights (ARCO Rights)

File a complaint with the Spanish Data Protection Authority:

• Agencia Española de Protección de Datos (AEPD)
• Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
• Website: www.aepd.es

We keep your information only for the time necessary:

• Account data: kept while the account is active.
• Financial records: kept for 7 years (Spanish tax requirement).
• Analytics data: maximum 2 years.

We implement SSL/TLS encryption protocols, firewalls, and automatic backups on Supabase to protect the integrity of your data.

We use cookies and similar technologies to improve your experience. For detailed information about:

• Types of cookies we use.
• How to manage cookie preferences.
• Third-party cookies.
• Opt-out options.

Check our Cookies Policy: [link].

Quick summary

• Essential cookies: required for platform functionality (cannot be disabled).
• Analytics cookies: help us improve the platform (can be disabled).
• Marketing cookies: personalize ads and content (can be disabled).

You can manage your preferences through the cookie banner or the footer link.

11.1 Types of communication

Transactional (you cannot opt out):

• Booking confirmations and receipts.
• Workshop reminders.
• Payment notifications.
• Account security alerts.

Marketing (Opt-In required):

• Newsletter with featured workshops.
• Personalized recommendations.
• Special offers and discounts.
• Announcements of new Partners.
• Blog posts and content.

11.2 How we use your preferences

Email Marketing (Resend):

• Tracking of email opens and clicks.
• Content personalization based on interests.
• Segmentation by location and preferences.
• Measurement of campaign effectiveness.

11.3 How to unsubscribe

Multiple options:

• Click “Unsubscribe” in any marketing email.
• Account settings > Email preferences.

12.1 Age requirements

Our policy:

• LUDICO is not intended for children under 16 years of age.
• We do not intentionally collect data from children under 16.
• Parents may book activities for their children using the parent's account.

If you are under 16:

• You must have parental authorization to use LUDICO.
• Your parent/guardian must create and manage the account.
• Workshop registrations must be carried out by parents/guardians.

12.2 Parental responsibility

If your child uses LUDICO:

• You are responsible for their use of the platform.
• You must supervise their participation in the workshop.
• Contact us if your child has provided information without consent.

If we discover use by minors:

• We will delete the account and data immediately.
• We will notify the registered email address.
• We will not process further data.

Contact us if you believe we have inadvertently collected data from a child under 16.

13.1 External websites

Our platform may contain links to:

• Personal websites of Partners.
• Social media profiles.
• Payment processor websites.

We are not responsible for:

• The privacy practices of these third parties.
• The content of external websites.
• The security of external services.
• Data collection by third parties.

Recommendation: review the privacy policy of any external site before providing information.

13.2 Social media integration

When you link social networks:

• We receive basic profile information (name, email, photo).
• You control what information social platforms share with us.

Social sharing:

• When you share activities on social networks, the privacy policy of that platform applies.

In general, we avoid collecting sensitive personal data, but we may receive it:

Health data:

• Dietary restrictions (allergies, vegetarian/vegan).
• Accessibility needs (wheelchair access, hearing/visual assistance).
• Medical conditions (only if voluntarily shared for safety reasons).

We may use algorithms to suggest workshops based on your interests, but never to make decisions that affect your legal rights without human supervision.

16.1 Partner-specific data processing

• Professional experience and credentials.
• Workshop content and materials.
• Pricing and availability.
• Student bookings and attendance.
• Payment and tax information (NIF/VAT).
• Performance metrics (rankings, evaluation scores, booking rates).

16.2 Commission and payments

Financial processing:

• We calculate the platform commission of 10% on bookings.
• Partners receive 90% of the booking value (87.59% after payment fees).
• Payments made by bank transfer.
• Tax documentation generated annually.
• Transaction history available in the Partner dashboard.

16.3 Partner responsibilities

You are responsible for:

• Protection of user data received through bookings.
• Complying with the GDPR when handling user information.
• Not using user data for unauthorized purposes.
• Maintaining the confidentiality of user information.
• Deleting user data when no longer needed.

16.4 Partner reviews and ratings

Public information:

• User reviews of activities are public.
• Average ratings are shown on the profile.
• Review history is retained indefinitely (for platform trust).

You cannot:

• Delete negative reviews (unless they violate the Terms of Service).

You can:

• Report reviews that violate our guidelines.

If a security breach occurs that compromises personal data, we will notify the AEPD and the affected users within 72 hours.

You have the right to file a complaint with the Spanish Data Protection Authority:

• Agencia Española de Protección de Datos (AEPD)
• Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
• Website: www.aepd.es

When to contact the AEPD:

• If we do not respond to your request within 30 days.
• If you are not satisfied with our response.
• If you believe we are not complying with the GDPR.
• For general questions about data protection.