Lapsula, SL (VAT: ESB19784248) ("Lapsula") takes the protection of your personal data very seriously.
This privacy notice provides information on which data is collected by Lapsula through the online platform
accessible under the domain lapsula.com ("online platform") and how we process and use this data.
This privacy notice is subject to changes to account for ongoing improvements to our online presence and the
implementation of new technologies to enhance our services.
We reserve the right to make changes to this privacy notice.
We recommend consulting this privacy notice on a regular basis to account for any changes.
1. Information on the collection of personal data
This privacy notice provides information on the collection of personal data when you visit our website.
Personal data comprises all information that can be used to personally identify you, e.g. name, address, email
addresses, user behaviour.
The data controller for this website pursuant to Art. 4(7) GDPR is:
When you contact us by email or using a contact form, we will store the data you disclose (your email address,
name, phone number, etc.) to answer your query.
The legal basis for this is Art. 6(1)(f) GDPR (our legitimate interest in responding to your request).
Data collected for this purpose shall be erased as soon as storage is no longer required, or we shall restrict
the processing thereof in the case of statutory retention obligations (e.g. under tax or commercial law).
If we commission third-party services for the provision of individual features on our website or would like to
use your data for advertising purposes, we shall notify you in advance and, where required by law, obtain your
consent.
In this case, we would like to point out that you will still be able to use our services as usual even if you do
not consent to the use of your data for other purposes.
We only process your data for the purpose it was collected and based on the applicable legal basis (notably Art.
6(1)(a), (b), or (f) GDPR, see also Section 8 below).
We would be happy to provide you with more information on your rights in this regard at any time.
2. Your rights
You are entitled to the following rights regarding your personal data stored by us:
Right to information (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR)
Right to restrict data processing (Art. 18 GDPR)
Right to object to processing (Art. 21 GDPR)
Right to data portability (Art. 20 GDPR)
You also reserve the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR) in
relation to the processing of your personal data carried out by us.
3. Collection of personal data when you visit our website
Informational Use In the case of purely informational use of our website—i.e. if you do not register or otherwise
transmit information to us—we shall only collect the personal data that is transmitted to our server by your
browser.
If you wish to view our website, we collect the following data, which is technically required to display our
website and ensure the stability and security thereof (Art. 6(1)(f) GDPR):
IP address
Date and time of the visit
Time difference to Greenwich Mean Time (GMT)
Content of the request (specific pages)
Access status/HTTP status code
Data volume transmitted per visit
Website from which the request originated
Browser type and version
Operating system and the corresponding user interface
Language and version of the browser software
Cookies In addition to the data stipulated above, cookies will also be saved on your device when you visit our
website.
Cookies are small text files that are allocated to your browser and saved on your hard drive, which enables the
website that sets the cookie (us, in this case) to receive certain information.
Cookies are not able to execute programs or transfer viruses to your computer.
Their purpose is to make the website as user-friendly and effective as possible.
Transient cookies (e.g. session cookies) are automatically erased when you close your browser.
These store a session ID, which is used to assign various requests made during one session to your browser.
This enables the future recognition of your device when you return to the website.
Session cookies are deleted when you log out or close your browser.
Persistent cookies are automatically erased after a defined period, which varies from cookie to cookie.
You can erase cookies in the security settings of your browser at any time.
You can configure your browser settings to your preferences and, for example, block third-party cookies or all
cookies.
We would like to note that blocking cookies may prevent the proper functioning of certain features on this
website.
If you create an account, we may use cookies to identify you in subsequent visits.
Otherwise, you would need to log in again upon each visit.
The use of cookies for analytics or marketing (if any) is based on your consent under Art. 6(1)(a) GDPR.
You can withdraw your consent at any time via our cookie banner or by adjusting your browser settings.
4. Third parties we use on our website
Below, we describe the third-party tools and integrations that may be used on our website.
Whenever we process or allow the processing of personal data via these tools, it is either:
based on your consent (Art. 6(1)(a) GDPR),
required for contract performance or pre-contractual measures (Art. 6(1)(b) GDPR),
or carried out in pursuit of our legitimate interests (Art. 6(1)(f) GDPR) in providing and optimizing our
services.
We only integrate these third-party tools and services in compliance with the applicable data protection rules.
Below, we detail what types of data each provider may collect, how the data is used, shared, or transferred, and
the relevant legal bases under the GDPR.
Alphabet Inc. (Google Cloud, Google Calendar, Google Meet)
Data Types Collected: Contact details (e.g., name, email address), calendar details, usage
data (e.g., IP address, device/browser information), and metadata. If you use our Google Calendar
integration while logged into your Google account, certain data may be associated with that account.
Purpose and Usage: We rely on Google Cloud for IT and cloud services (including hosting),
and use Google Calendar and Google Meet for scheduling integrations. This enables us to provide reliable
infrastructure, streamline appointment bookings, and facilitate virtual meetings.
How We Share, Transfer, or Disclose Google User Data:
We do not sell, rent, transfer or disclose or otherwise disclose your Google user data to third parties for purposes
beyond those necessary to provide our services or to comply with applicable laws.
Where sharing with third parties is necessary (e.g., hosting or synchronization purposes), such
sharing is strictly limited to service providers under contractual obligations to process the data
only on our behalf and in accordance with our instructions.
We do not transfer or disclose your Google user data for marketing or advertising purposes. Any data
shared with Google itself is governed by Google’s own privacy policies (Google’s
Privacy Policy).
Should international transfers of your Google user data occur (e.g., if Google’s servers are located
outside your country of residence), we rely on appropriate safeguards such as Standard Contractual
Clauses, in line with the GDPR.
If the URL to this Privacy Policy changes, we will update our Google OAuth consent screen
configuration in the Cloud Console accordingly. Otherwise, we will directly respond to the relevant
email notification from the OAuth Verification team once any required updates are complete.
Legal Basis: Art. 6(1)(b) GDPR if the data processing is necessary for the performance of
our contract with you (e.g., scheduling appointments), Art. 6(1)(f) GDPR (legitimate interest in providing
stable services and a user-friendly platform), or Art. 6(1)(a) GDPR (consent) if analytics or certain
optional integrations require explicit permission.
Supabase Inc.
Data Types Collected: Database records, user identifiers, usage logs (depending on the
function used, e.g., if you create an account or submit forms).
Purpose and Usage: Supabase provides managed database and backend services, allowing us to
store user account information, form submissions, and other data necessary to operate our platform.
Sharing and Transfer: We do not sell, transfer or disclose your data. Data may be transferred to Supabase or its
subprocessors for hosting and database management. Transfers may involve servers outside the EEA, with
Supabase implementing adequate safeguards to ensure compliance with GDPR (e.g., Standard Contractual
Clauses).
Legal Basis: Depending on the function, Art. 6(1)(b) GDPR (contract performance) or Art.
6(1)(f) GDPR (legitimate interest in secure and efficient database management). In certain cases, your
consent (Art. 6(1)(a) GDPR) may apply (e.g., if you opt in to specific features that store or process
additional data).
Vercel Inc.
Data Types Collected: Website deployment and usage data, such as request logs (IP address,
time of access, etc.).
Purpose and Usage: Vercel provides hosting infrastructure and front-end deployment
services, helping us deliver our web application quickly and reliably.
Sharing and Transfer: We do not sell, transfer or otherwise disclose your personal data beyond what
is needed for hosting and deployment. Data may be transferred to Vercel’s infrastructure, potentially
outside your country of residence, subject to GDPR-appropriate safeguards.
Legal Basis: Typically Art. 6(1)(f) GDPR (legitimate interest in providing stable,
performant hosting). If hosting is essential to fulfilling a contract with you (e.g., providing the platform
features you signed up for), Art. 6(1)(b) GDPR may also apply.
Cloudflare Inc.
Data Types Collected: IP addresses, security-related data (e.g., to detect malicious
traffic), and limited request logs.
Purpose and Usage: Cloudflare acts as a Content Delivery Network (CDN) and provides
security features (e.g., DDoS protection). This ensures fast loading times and protection against threats.
Sharing and Transfer: We share traffic information with Cloudflare to enable these CDN and
security services. We do not sell, transfer or disclose your data. Cloudflare may process data in different regions; however, it
implements safeguards like Standard Contractual Clauses to comply with GDPR.
Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring website security and
performance).
Stripe Inc.
Data Types Collected: Payment details (e.g., credit card token), billing information (e.g.,
name, address), and transaction metadata.
Purpose and Usage: Stripe enables secure payment processing for subscriptions or one-time
purchases, managing billing cycles and payment confirmations.
Sharing and Transfer: We do not sell, transfer or disclose your payment data. Payment information is securely
transmitted to Stripe for processing, which may involve global transfers to banking partners. Stripe and its
subprocessors follow PCI-DSS and GDPR compliance measures.
Legal Basis: Art. 6(1)(b) GDPR (fulfilment of payment obligations under contract). Where
financial regulations apply, Art. 6(1)(c) GDPR (legal obligations) may also be relevant.
Odoo SA
Data Types Collected: Billing details, invoicing records, and other financial information
required for issuing invoices.
Purpose and Usage: We use Odoo to manage billing and invoicing. Your data is processed to
generate and manage invoices and related financial documents.
Sharing and Transfer: We do not sell, transfer or disclose your personal data. Certain data may be stored on
Odoo’s servers or its subprocessors, potentially located outside your jurisdiction, under GDPR-approved
safeguards.
Legal Basis: Art. 6(1)(b) GDPR (contractual performance) and Art. 6(1)(c) GDPR (compliance
with accounting and tax obligations).
tawk.to Inc. / Alaio Inc. (Bitrix24)
Data Types Collected: Chat transcripts, contact information (e.g., name, email), and any
additional details you voluntarily provide via chat.
Purpose and Usage: These customer service tools enable real-time support and user inquiry
management.
Sharing and Transfer: We do not sell, transfer or disclose your chat data. It is stored with tawk.to or Bitrix24
and may be transferred internationally, with contractual and technical safeguards ensuring GDPR compliance.
Legal Basis: Art. 6(1)(b) GDPR (to respond to customer requests under a contract) or Art.
6(1)(f) GDPR (legitimate interest in providing efficient support).
MailerLite Inc.
Data Types Collected: Email addresses, names (if provided), and newsletter usage data
(e.g., open rates, link clicks).
Purpose and Usage: MailerLite handles our newsletter services and email marketing, sending
updates and offers to subscribers.
Sharing and Transfer: We do not sell, transfer or disclose your email data. It is shared with MailerLite solely
to facilitate email creation, delivery, and analytics. Data may be processed on servers outside the EEA,
subject to appropriate contractual clauses or equivalent safeguards.
Legal Basis: Art. 6(1)(a) GDPR (consent) for receiving newsletters and related analytics.
Meta Platforms Inc. (WhatsApp Integration)
Data Types Collected:
Phone numbers, message content, technical data (e.g., device information, timestamps), and any additional details you choose to share via WhatsApp. If you are logged into your WhatsApp account, certain data (e.g., your profile name or photo) may also be visible and linked to that account.
Purpose and Usage:
We integrate WhatsApp to facilitate efficient customer communication and support, allowing you to inquire about our services, receive timely updates, and address any questions or issues. Where necessary, we may also send transactional information (e.g., confirmation messages regarding a booking or order).
Sharing and Transfer:
We do not sell, transfer, or otherwise disclose your WhatsApp data to any unrelated third parties. Message content, phone numbers, and other relevant data are transmitted through WhatsApp’s servers, which may be located globally. Meta may process and store this data under its own privacy policy. We only share or transfer your data as needed to:
Provide the requested communication or service (e.g., responding to your inquiries via WhatsApp).
Comply with applicable laws or valid legal requests (e.g., a court order).
In all cases, we require that any third party (including Meta) receiving such data upholds equivalent levels of protection and only uses the data for the specific purposes requested. You may choose to avoid such data sharing by contacting us through an alternative communication channel (e.g., email).
International Data Transfers:
WhatsApp may route data through servers outside the European Economic Area (EEA). Where this occurs, such transfers are governed by appropriate safeguards (e.g., Standard Contractual Clauses) in accordance with the GDPR. We encourage you to review WhatsApp’s Privacy Policy to understand how Meta manages your data.
Legal Basis:
We rely on:
Art. 6(1)(b) GDPR (performance of a contract or steps taken at your request prior to entering into a contract) if WhatsApp is used to facilitate or finalize bookings, orders, or customer service inquiries tied to a contractual relationship.
Art. 6(1)(f) GDPR (our legitimate interest in providing effective customer communication) when you voluntarily opt to contact us through WhatsApp for information or support.
You may withdraw consent to communicate via WhatsApp at any time or choose a different communication channel, without affecting your access to our services.
Twilio Inc. / Celerity Systems (Pty) Ltd.
Data Types Collected: Phone numbers, SMS message content, delivery/receipt metadata.
Purpose and Usage: These providers power SMS gateway services for notifications, two-factor
authentication, and other verification needs.
Sharing and Transfer: We do not sell, transfer or disclose your phone number or SMS content. Data is transmitted
to Twilio or Celerity Systems solely to deliver SMS messages. They may route data globally, under
GDPR-approved mechanisms for cross-border transfers.
Legal Basis: Art. 6(1)(b) GDPR (contract performance) if the SMS is necessary for a service
you requested, or Art. 6(1)(f) GDPR (legitimate interest in secure and timely notifications).
Zoom Communications Inc.
Data Types Collected: Audio/video streams, names, email addresses, and any other personal
data you share during video conferences (e.g., chat messages).
Purpose and Usage: Zoom is used for video conferencing and virtual appointments, supporting
remote communication and collaboration.
Sharing and Transfer: We do not sell, transfer or disclose your meeting or conference data. It is shared with
Zoom solely to establish and maintain the session. Zoom may store or process data on servers located
worldwide, but implements security measures and contractual provisions to ensure GDPR compliance.
Legal Basis: Art. 6(1)(b) GDPR if the video conference is necessary for fulfilling a
contract (e.g., scheduled session) or Art. 6(1)(f) GDPR (legitimate interest in providing remote
communication).
Zapier Inc.
Data Types Collected:
Relevant data from integrated services (e.g., form submissions, contact details, or other information you provide) depending on the automated workflows set up.
Purpose and Usage:
Zapier automates workflows between multiple applications (for example, syncing form submissions to a CRM or sending you notifications) to streamline data flows and reduce manual handling.
Sharing and Transfer:
We do not sell, transfer, or otherwise share your data with unrelated third parties. Data may transit through or be stored on Zapier’s servers, which could be located outside the European Economic Area (EEA). Where international transfers occur, Zapier implements contractual and technical safeguards (such as Standard Contractual Clauses) to ensure compliance with GDPR.
Legal Basis:
Art. 6(1)(f) GDPR (our legitimate interest in efficient process automation). If an automated workflow is necessary for the performance of a contract with you (e.g., processing your order data), Art. 6(1)(b) GDPR may also apply.
5. Social Media Presence
Lapsula maintains a presence on social media networks or platforms (e.g. Facebook, Instagram, LinkedIn) to
communicate with potential and current customers and provide information about our services.
If you visit our official page on such platforms, the operators of the social networks process personal data
under their own responsibility.
We may receive statistical data (e.g. via "Page Insights") regarding the use of our page.
These statistics may contain aggregated demographic and interaction data.
Such data is typically anonymized to us, and we process it based on our legitimate interest (Art. 6(1)(f) GDPR)
in evaluating the reach and effectiveness of our social media presence.
For details on how social network providers handle personal data (including any profiling activity), please refer
to the privacy policies of the respective platform operators.
You may also assert your data subject rights directly with these operators.
6. Using the Booking Platform (Registration and Account Management)
Our website features an online booking platform.
As a user, you may register for an account or book specific services.
When you do so, we collect only the data necessary for processing your booking or account setup (e.g. name, email
address, payment details, booking preferences).
Data Storage: We store such data on secure servers.
If you have an account, you may review, edit, or request deletion of your account data.
Where we are legally obliged to retain certain data (e.g. for tax or bookkeeping reasons), we will restrict its
processing instead of deleting it.
Log Data: When you use our booking platform, log files may be stored temporarily for IT security and error
analysis. These logs are regularly erased or anonymized unless a longer retention is necessary for evidence
purposes (Art. 6(1)(f) GDPR).
7. Data Protection for Bookings and Other Transactions
If you make a booking or transaction through lapsula.com, we process your personal data (e.g., contact details,
payment data, booking details) in order to perform our contractual obligations (Art. 6(1)(b) GDPR).
We also maintain records to satisfy legal obligations (Art. 6(1)(c) GDPR), such as tax and commercial laws, which
may require retaining transaction data for certain statutory periods.
If the contractual relationship is concluded or if you withdraw from it, your data will be erased or restricted
unless further retention is required by law or legitimate interests (Art. 6(1)(f) GDPR) exist, such as the
defense of legal claims.
8. General terms: Legal basis
Whenever we obtain consent for a specific purpose of processing, Art. 6(1)(a) GDPR is the legal basis.
If the processing of personal data is necessary for the performance of a contract to which you are a party, such
as for billing or providing our booking services, Art. 6(1)(b) GDPR is the basis.
This also applies to pre-contractual measures, for example, responding to your inquiries regarding our services.
If we are subject to a legal obligation requiring the processing of personal data (e.g., retention obligations
under tax law), the basis is Art. 6(1)(c) GDPR.
Processing may also be based on Art. 6(1)(d) GDPR if it is necessary to protect your vital interests or those of
another natural person (rare emergency scenarios).
Processing may take place on the basis of Art. 6(1)(f) GDPR if it is necessary for the purposes of legitimate
interests pursued by us or by a third party, except where these interests are overridden by your fundamental
rights and freedoms.
9. Newsletter
If you provide your consent (Art. 6(1)(a) GDPR), you can subscribe to our newsletter to receive information about
our latest offers and services.
The services and offers we promote in the newsletter are mentioned in the consent form.
We use a triple opt-in process: after you register, we send you an email asking you to subscribe to a plan.
If you do not confirm within a reasonable time, we will send you a reminder;
if no answer is given your data is blocked and automatically erased after one month.
The only mandatory information to receive the newsletter is your email address.
Providing additional information (e.g., your name) is optional and serves to address you personally.
You can withdraw your consent to receive the newsletter at any time and unsubscribe.
To do so, click on the link in every newsletter email or send an email to [email protected].
We analyze your user behaviour in relation to our newsletters (e.g., opens, link clicks) in pseudonymized form.
The legal basis for this analysis is also Art. 6(1)(a) GDPR (consent).
You may opt out of tracking by unsubscribing from the newsletter.
10. Social media plugins
We may use social media plugins (e.g., from Instagram, Twitter, LinkedIn, YouTube) on our website.
We use the "double-click solution," meaning that your personal data is not transferred to the plugin providers
until you click the plugin button.
Once activated, the plugin provider receives the information that you have accessed the corresponding page on our
website.
In addition, the data mentioned in Section 3 of this notice is transmitted to them.
This occurs regardless of whether you have an account with the plugin provider or are logged in.
If you are logged into your account with the plugin provider, the data we collect will be directly associated
with your existing account.
If you click the activated button and link to the page, for example, the plugin provider will also store this
information in your user account and share it publicly with your contacts, depending on your account settings.
We do not have any influence on the data collected or the processing and are not aware of the full extent of data
collection, the purpose of processing, or the storage periods.
For more information, please refer to the privacy notices of the respective plugin providers.
We offer these plugins to allow you to interact with social networks and other users, which helps us improve our
platform.
The legal basis for the use of such plugins is typically Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR
(legitimate interest in offering an interactive website).
Further Information and Contact
We retain personal data only for as long as it is necessary for the relevant purpose or if we are legally obliged
to do so.
Afterwards, we erase or anonymize the data in accordance with statutory provisions.
If you have any questions or concerns about this privacy notice, or would like to exercise your data subject
rights, please contact us at: