Privacy Policy

Last updated: April 25, 2026

The short version. We only collect the data we need to make MuebleLab work (your email, a hashed password and the projects you design). We don't sell it, we don't profile you for ads, and you can ask us to delete everything at any time by emailing {EMAIL_CONTACTO}.

1. Who is the controller

The data controller is {EMPRESA}, tax ID {NIF}, registered at {DOMICILIO}. For any privacy-related question, write to {EMAIL_CONTACTO}.

2. What we collect

Account data: username, email, bcrypt-hashed password.
Usage data: the furniture projects you save, board and hardware selections, exports performed.
Billing data (only if you subscribe): tax name, address, VAT/tax ID. Card details are handled by Stripe directly — we never store them.
Technical data: IP address, browser, access timestamps, kept in logs for up to 90 days for abuse prevention.

3. What we use it for

Letting you sign in and keep your designs across sessions.
Processing your subscription, issuing invoices, providing support.
Notifying you of important changes to the Service.
Detecting and preventing abuse (mass account creation, scraping, attacks).

4. Legal basis

Performance of contract — for everything related to your account and subscription.
Legal obligation — for invoicing and tax compliance.
Legitimate interest — for security logs and service integrity.

5. Who else sees your data

We work with the following data processors. All comply with GDPR and only process your data for the services we engage them for:

Stripe Payments Europe Ltd. — payment gateway (Ireland; data may transfer to the US under Standard Contractual Clauses).
{HOSTING} — web servers hosting the application and database.
{EMAIL_PROVIDER} — transactional emails (verification, password reset, invoices).
Google Ireland Ltd. — advertising on public pages (Google AdSense). May use cookies to serve ads; data may transfer to the US under Standard Contractual Clauses.
Cloudflare, Inc. — anonymous, cookieless visit analytics (Cloudflare Web Analytics) that does not identify individuals.

6. How long we keep your data

Account data and projects: as long as your account is active. If you ask to delete it, we remove it within 30 days.
Invoices and accounting: 6 years, as required by Spanish tax law.
Technical logs: 90 days.

7. Your rights

As an EU resident, you can:

Access the data we hold about you.
Rectify it if it's wrong.
Erase it ("right to be forgotten").
Restrict or object to processing.
Port your data in standard JSON format.
Lodge a complaint with the Spanish Data Protection Agency (aepd.es) if you feel we breach your rights.

To exercise any of them, send an email to {EMAIL_CONTACTO}. We answer within 30 days.

8. Cookies and local storage

We use:

One session cookie (PHP) to keep you logged in while you browse.
localStorage in your browser to save preferences and unsaved drafts.
Anonymous analytics (Cloudflare Web Analytics): no cookies, no personal identification.
Advertising cookies (Google AdSense) on public content pages, to serve ads. These do require your consent: we ask permission via a consent message before enabling advertising, and you can decline or change your choice at any time.

The session cookie and localStorage are technically necessary and don't require prior consent. You can read how Google uses advertising data in Google's policies.

9. Changes to this policy

If we change anything important (new processors, additional purposes), we email you at least 15 days before the change takes effect.