Privacy Policy

Last updated: 29 Sep 2025

This Privacy Policy explains how Boho Creativa (“we”, “us”, “our”) collects, uses, and protects personal data when you visit our website, contact us, or collaborate with us on exhibitions, events, and creative services.

We are established in Spain and process personal data in accordance with the EU GDPR and Spain’s LOPDGDD.

1) Data Controller

Boho Creativa

Email: deformagestion@gmail.com

Address: C.C San Agustín — Calle las Dalias, 12 (Spain)

For any questions or to exercise your rights, contact us at deformagestion@gmail.com.

2) What data we collect

We only collect data that is necessary and relevant:

Website usage & logs: IP address (short-lived), device/browser info, pages viewed, referrers, cookie/consent choices, security logs.

Contact & enquiries: name, email, optional phone/company, and your message.

Newsletter (optional): name, email, preferences.

Projects, quotes & events: contact details, legally required billing data, briefs and materials you provide.

Media uploads/portfolio (optional): images, captions, credits, and any metadata supplied.

Admin/CMS accounts (internal): credentials, roles, activity logs (for security/audit).

We do not intentionally collect special category data. Please avoid sending sensitive information unless strictly necessary.

3) Purposes and legal bases (GDPR Art. 6)

Respond to enquiries, prepare proposals, deliver projects and events

Legal basis: Contract and steps prior to contract (Art. 6(1)(b)).

Send newsletters, event invites, or promotions you opted into

Legal basis: Consent (Art. 6(1)(a)) — you can withdraw at any time.

Run and protect the website (security, debugging, fraud prevention)

Legal basis: Legitimate interests (Art. 6(1)(f)).

Privacy-friendly analytics and performance measurement

Legal basis: Legitimate interests (Art. 6(1)(f)) or Consent (Art. 6(1)(a)), depending on your cookie choices.

Comply with legal obligations (invoicing, tax, accounting)

Legal basis: Legal obligation (Art. 6(1)(c)).

You may object to processing based on legitimate interests at any time (see §8).

4) Cookies & similar technologies

We use:

Strictly necessary cookies (security, session, consent records), and

Optional cookies (e.g., analytics/marketing) set only with your consent.

You can change or withdraw consent at any time via Cookie Settings. See also our Cookie Policy for details.

5) How long we keep data

Enquiries: up to 12 months after the last contact if no project starts.

Client/project materials: 5–10 years (contractual/defence needs).

Invoices & accounting: 6–10 years (legal obligation).

Newsletter data: until you unsubscribe or withdraw consent.

Security logs: typically ≤ 90 days, unless needed for investigation.

6) Who processes your data (processors)

We use trusted service providers under written data-processing agreements and our instructions, for example:

Infrastructure/storage: cloud providers (e.g., AWS S3 in EU regions where feasible).

Email delivery: transactional email providers (e.g., Amazon SES).

CMS/Database & hosting: professional platforms managed by us (e.g., Payload CMS / Postgres / managed hosting).

Collaboration & files: professional tools (e.g., office suites, project management, design platforms).

We do not sell your personal data.

7) International data transfers

Some providers may process data outside the EEA. Where transfers occur, we apply appropriate safeguards (e.g., Standard Contractual Clauses, EU adequacy decisions, or EU-hosted regions). Details are available upon request.

8) Your rights

Under the GDPR you have the right to:

Access your data and obtain a copy

Rectify inaccurate or incomplete data

Erase your data (“right to be forgotten”)

Restrict processing in certain cases

Object to processing based on legitimate interests or for direct marketing

Data portability where applicable

Withdraw consent at any time (processing before withdrawal remains lawful)

To exercise your rights, email deformagestion@gmail.com. We may need to verify your identity.

Supervisory authority (Spain):

Agencia Española de Protección de Datos (AEPD) — www.aepd.es — C/Jorge Juan, 6, 28001 Madrid.

You have the right to lodge a complaint with the AEPD or your local authority.

9) Security

We apply appropriate technical and organisational measures (encryption in transit, access controls, least-privilege access, monitoring, and backups) to protect personal data. No method is 100% secure, but we work to reduce risks of unauthorised access, disclosure, alteration, or loss.

10) Children

Our website and services are not directed to children under 16. If you believe a child has provided personal data, contact us and we will delete it.

11) Third-party links & social media

Our site may link to external websites or embed third-party content. Those services operate under their own privacy policies, and we are not responsible for their practices.

12) Changes to this Policy

We may update this Policy to reflect legal, technical, or business changes. If changes are material, we will provide a clear notice on the website. The “Last updated” date shows the latest version.