Privacy Policy

1. Data controller

The website https://www.lightingdiy.com (the “Website”) is operated by GRUPO ILUMINABLE S.L., a company incorporated under the laws of Spain, with registered office at Av. Roma 101, entresuelo 2ª escalera derecha, 08021 Barcelona, Spain, VAT number ESB66730482.

Contact email for data protection: support@lightingdiy.com
Phone: +34 672 134 000

GRUPO ILUMINABLE S.L. acts as the Data Controller for the personal data processed through the Website, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and applicable EU and Spanish data protection laws.

2. Personal data we process

We may process the following categories of personal data:

  • Identification data: name, surname, postal address, country, VAT number where applicable.
  • Contact details: email address, phone number.
  • Account data: login details, encrypted password, order history, professional account information where relevant.
  • Order and billing data: products purchased, amounts, billing address, tax details.
  • Payment data: information processed by third-party payment providers (card processors, PayPal, Bizum, Scalapay, Google Pay, etc.). We only receive limited information necessary to confirm payment status; full card data are never stored by LIGHTING DIY.
  • Communications: messages sent via contact forms, email or customer service channels.
  • Usage and technical data: IP address, device identifiers, logs, browsing data, cookies and similar technologies.

In general, personal data are obtained directly from you (for example, when creating an account or placing an order) or generated by your use of the Website (for example, through cookies or server logs). In some cases, certain data may be verified or enriched using information from payment providers or carriers (for fraud prevention and delivery purposes).

3. Purposes and legal bases

We process your personal data for the following purposes and on the following legal bases:

  • Order management and contract performance:
    Processing orders, arranging shipment and delivery, handling returns, issuing invoices and managing payments.
    Legal basis: performance of a contract to which you are a party.
  • Customer support:
    Responding to requests for information, complaints, product queries and after-sales support.
    Legal basis: performance of a contract and our legitimate interest in providing a good level of customer service.
  • Compliance with legal obligations:
    Accounting, tax, consumer protection and other mandatory obligations (for example, retention of invoices and documentation).
    Legal basis: compliance with legal obligations under EU and national laws.
  • Marketing communications:
    Sending newsletters and offers about our products and services, based on your preferences.
    Legal basis: your consent (for example, when you subscribe to the newsletter) or, where permitted by law, our legitimate interest in keeping existing customers informed about similar products or services. You may unsubscribe at any time using the link in each email or by contacting us.
  • Professional accounts:
    Verification of professional activity and management of special discounts and commercial conditions for professionals, distributors and shops.
    Legal basis: performance of a contract and our legitimate interest in preventing misuse of professional conditions.
  • Fraud prevention and security:
    Verification of payment transactions, detection and prevention of fraudulent or abusive use of the Website, protection of our IT systems and our business.
    Legal basis: our legitimate interest in protecting our activity, our customers and our systems.
  • Statistics and service improvement:
    Analysis of Website usage (for example, most visited pages, navigation flows) to improve layout, navigation, performance and user experience.
    Legal basis: our legitimate interest in improving our services and, in the case of non-essential cookies or similar technologies, your consent.

4. Recipients of personal data

Your personal data may be shared with:

  • Logistics and courier companies responsible for delivering orders.
  • Payment service providers (card processors, PayPal, Bizum, Scalapay, Google Pay, etc.), which process data in order to handle payments and refunds. These providers generally act as independent data controllers for the payment processing they perform.
  • IT and hosting providers, email delivery platforms, analytics services and similar technical service providers.
  • Professional advisers (lawyers, accountants, tax advisers) when reasonably necessary for legal, tax or compliance purposes.
  • Public authorities or courts when required by law, by a valid legal request, or for the defence of our rights and legitimate interests.

We do not sell your personal data to third parties.

5. International data transfers

Some service providers may be located outside the European Economic Area (EEA) or may process data from locations outside the EEA. In such cases, we will ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the European Commission, and/or
  • an adequacy decision by the European Commission recognising that the country offers an adequate level of data protection.

Where required, we will also assess any additional technical or organisational measures necessary to ensure an essentially equivalent level of protection to that guaranteed in the EU.

6. Data retention periods

We retain personal data only for as long as is necessary to fulfil the purposes described above and to comply with legal obligations. In particular:

  • Customer account and order data: for the duration of the contractual relationship and for the statutory limitation periods for legal or tax claims.
  • Billing and tax data: for the period required by applicable tax and accounting laws.
  • Marketing data: until you withdraw your consent or object to such processing, and for a limited period thereafter to record your opt-out.
  • Technical logs and security data: for a reasonable period necessary to ensure the security and proper operation of the Website, usually a few months unless a security incident requires longer retention.

7. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: to obtain information about whether we process your data and, if so, to access that data.
  • Right to rectification: to request the correction of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”): to request deletion of your data in the cases provided for by law.
  • Right to restriction of processing: to request restriction of processing in certain circumstances.
  • Right to data portability: to receive your data in a structured, commonly used and machine-readable format and to transmit it to another controller, where technically feasible.
  • Right to object: to object at any time, on grounds relating to your particular situation, to processing based on legitimate interests, and in particular to processing for direct marketing purposes (including profiling related to such marketing).
  • Right to withdraw consent: where processing is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

You can exercise your rights by contacting us at support@lightingdiy.com, clearly indicating your request and providing proof of identity where necessary.

You also have the right to lodge a complaint with a supervisory authority, in particular the Spanish Data Protection Agency (Agencia Española de Protección de Datos) or the data protection authority of your EU country of residence.

8. Cookies

The Website uses cookies and similar technologies. Strictly necessary cookies are used to ensure the proper functioning of the Website (for example, to manage the shopping cart or maintain sessions).

Other cookies (such as analytics or marketing cookies) are only used with your consent, which is collected via the cookie banner or preference management tool. You can change your preferences at any time through the cookie settings available on the Website or by adjusting your browser settings.

More detailed information about the cookies we use and their purposes is available in our Cookie Policy.

9. Data security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account the state of the art, the nature of the data and the risks involved in processing.

10. Changes to this policy

We may update this Privacy Policy from time to time, for example to reflect changes in our processing activities, in the services we offer or in applicable laws. The latest version will always be available on the Website and will apply from the date of publication.

We recommend that you review this Privacy Policy periodically to stay informed about how we process your personal data.