Privacy Policy

Last updated: July 8, 2026

This Privacy Policy explains how personal data is collected and processed through the website https://tuplestrategy.com (the “Website”) and in connection with our business development activities. It is drafted in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), Spanish Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (“LOPDGDD”), and Spanish Law 34/2002 (LSSI-CE).

1. Data Controller

  • Controller: Marina Larskaia, self-employed professional (autónoma), operating under the trade name Tuple Strategy
  • Tax ID (NIF): ESZ1712586B
  • Address: Barcelona, Spain
  • Email for privacy matters: solutions@tuplestrategy.com

We have not appointed a Data Protection Officer, as our processing activities do not meet the thresholds of Article 37 GDPR or Article 34 LOPDGDD. You can direct all privacy inquiries to the email above.

2. What Data We Collect, Why, and on What Legal Basis

2.1. Contact form and email inquiries

When you contact us through the form on our Contact Us page (powered by Contact Form 7) or by email, we collect the data you provide: typically your name, email address, company, and the content of your message.

  • Purpose: to respond to your inquiry and, where relevant, to take steps toward a potential business engagement.
  • Legal basis: Article 6(1)(b) GDPR (steps prior to entering into a contract, at your request) and Article 6(1)(f) GDPR (our legitimate interest in responding to business communications addressed to us).
  • Retention: for the duration of our exchange and up to 24 months after our last contact, unless a business relationship is established (in which case data is kept for the duration of that relationship and any legally required periods thereafter, up to 6 years for accounting and tax records under Spanish law).

Messages submitted through the contact form are delivered to our email inbox. The form is protected against automated abuse by Cloudflare Turnstile (see Section 4).

2.2. Business-to-business outreach (prospecting)

As part of our business development activity, we contact professionals and companies in the jewelry, fashion, and beauty industries who may be interested in our services. For this purpose we process limited business contact data of company representatives: name, business email address, job title, company name, and publicly available professional information. This data is obtained from publicly accessible professional sources (such as company websites and professional networks) or from business databases. We use the Smartlead platform to manage and send this correspondence.

  • Purpose: to send relevant, non-automated-decision business proposals to professionals whose role suggests a legitimate professional interest in our services.
  • Legal basis: Article 6(1)(f) GDPR — our legitimate interest in direct marketing to businesses (Recital 47 GDPR expressly recognizes direct marketing as a possible legitimate interest), balanced against the limited, professional nature of the data processed.
  • Your rights: every outreach email we send identifies us and includes a simple way to object (opt out). If you object, we stop contacting you and add your address to a suppression list (kept solely to make sure we honor your objection — Article 21 GDPR). You may also object at any time by writing to solutions@tuplestrategy.com.
  • Source of data (Article 14 GDPR): where we did not obtain your data from you directly, this section, together with the first email we send you, serves as the information notice required by Article 14 GDPR.
  • Retention: prospect data is kept while it remains relevant to the purpose above and is deleted or suppressed upon objection.

2.3. Technical and security data

Our hosting provider and our security plugin (Wordfence) automatically process technical data such as IP addresses, browser and device information, requested URLs, and timestamps, in server logs and security logs.

  • Purpose: operating the Website, preventing attacks, fraud, and abuse (firewall, rate limiting, blocking of malicious traffic).
  • Legal basis: Article 6(1)(f) GDPR — our legitimate interest in keeping the Website secure and available.
  • Retention: security and server logs are kept for short rolling periods (typically up to 30 days) unless needed to investigate a specific incident.

2.4. Analytics

With your consent, we use Google Analytics 4 to understand how visitors use the Website (pages visited, approximate location at city level, device type, traffic source). IP anonymization features of Google Analytics 4 are used, and we do not use analytics data to identify individual visitors.

  • Purpose: audience measurement and improvement of our content and services.
  • Legal basis: Article 6(1)(a) GDPR — consent, given through our cookie banner (CookieYes). You can withdraw consent at any time via “Cookie Settings” in the footer.
  • Retention: analytics identifiers and cookie lifetimes are described in our Cookie Policy; Google Analytics event data is retained for 14 months.

2.5. Cookies

Details of all cookies and similar technologies, including how to accept, reject, or withdraw consent, are set out in our Cookie Policy.

3. What We Do NOT Do

  • We do not sell personal data.
  • We do not use personal data for automated decision-making or profiling producing legal or similarly significant effects (Article 22 GDPR).
  • We do not knowingly collect data from anyone under 14 years of age (the age of digital consent in Spain under Article 7 LOPDGDD). This Website is directed at business professionals.
  • We do not process special categories of personal data (Article 9 GDPR) through this Website.

4. Recipients and Processors

We share personal data only with service providers (processors) who help us operate, and only to the extent necessary:

  • DreamHost, LLC (USA) — website and email hosting.
  • Google Ireland Ltd / Google LLC (Ireland/USA) — Google Analytics 4 (only with your consent).
  • Cloudflare, Inc. (USA) — Turnstile anti-bot verification on the contact form; Cloudflare processes limited technical data (such as IP address and browser signals) to distinguish humans from bots.
  • CookieYes Ltd (UK) — cookie consent management (stores your consent choices).
  • Smartlead (USA) — sending and managing business outreach email (Section 2.2 only).

These providers act under data processing agreements consistent with Article 28 GDPR. We may also disclose data where required by law, court order, or competent authority, or to establish, exercise, or defend legal claims.

5. International Data Transfers

Some of the providers above are located in the United States or process data there. Transfers are protected by one or both of the following safeguards: certification under the EU-U.S. Data Privacy Framework, and/or the European Commission’s Standard Contractual Clauses (Article 46(2)(c) GDPR), supplemented where appropriate by additional technical measures. You can request more information about the safeguards applicable to a specific transfer at solutions@tuplestrategy.com.

6. Data Security

We apply technical and organizational measures appropriate to the risk, including: HTTPS/TLS encryption for all Website traffic, a web application firewall and malware scanning (Wordfence), restricted administrative access with strong authentication, minimization of the data we collect in the first place, and reputable providers with their own certified security programs. No system is absolutely secure; if a personal data breach occurs that risks your rights and freedoms, we will notify the competent authority and, where required, affected individuals, in accordance with Articles 33 and 34 GDPR.

7. Your Rights

Under the GDPR and LOPDGDD you have the right to:

  • Access your personal data (Article 15);
  • Rectify inaccurate or incomplete data (Article 16);
  • Erase your data (Article 17);
  • Restrict processing (Article 18);
  • Data portability (Article 20);
  • Object to processing based on legitimate interest, including direct marketing at any time and without justification (Article 21);
  • Withdraw consent at any time, without affecting prior processing (Article 7(3)).

To exercise these rights, email solutions@tuplestrategy.com with the subject line “Data Protection Request,” describing the right you wish to exercise. We may ask you to verify your identity by reasonable means. We will respond within 1 month, extendable by 2 further months for complex requests (with notice to you). Exercising these rights is free of charge.

If you believe your rights have been violated, you may lodge a complaint with the Spanish supervisory authority: Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, Spain — www.aepd.es. We would appreciate the chance to address your concern first, but you are not required to contact us before complaining to the AEPD.

8. Third-Party Websites

This Website contains links to external websites (including our social media profiles on Instagram, LinkedIn, and Pinterest). We are not responsible for the privacy practices of those sites; please review their own policies.

9. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or in the law. The current version, with its “Last updated” date, is always available on this page. Material changes will be highlighted on the Website for a reasonable period.

10. Contact

Marina Larskaia — Tuple Strategy Barcelona, Spain solutions@tuplestrategy.com