Privacy Policy

Last Updated: 2025-02-13

Lapsula, SL (VAT: ESB19784248) ("Lapsula") takes the protection of your personal data very seriously.

This privacy notice provides information on which data is collected by Lapsula through the online platform accessible under the domain lapsula.com ("online platform") and how we process and use this data.

This privacy notice is subject to changes to account for ongoing improvements to our online presence and the implementation of new technologies to enhance our services.

We reserve the right to make changes to this privacy notice.

We recommend consulting this privacy notice on a regular basis to account for any changes.

1. Information on the collection of personal data

This privacy notice provides information on the collection of personal data when you visit our website.

Personal data comprises all information that can be used to personally identify you, e.g. name, address, email addresses, user behaviour.

The data controller for this website pursuant to Art. 4(7) GDPR is:

Lapsula, SL
VAT: ESB19784248
Barcelona, Spain
Email: [email protected]

When you contact us by email or using a contact form, we will store the data you disclose (your email address, name, phone number, etc.) to answer your query.

The legal basis for this is Art. 6(1)(f) GDPR (our legitimate interest in responding to your request).

Data collected for this purpose shall be erased as soon as storage is no longer required, or we shall restrict the processing thereof in the case of statutory retention obligations (e.g. under tax or commercial law).

If we commission third-party services for the provision of individual features on our website or would like to use your data for advertising purposes, we shall notify you in advance and, where required by law, obtain your consent.

In this case, we would like to point out that you will still be able to use our services as usual even if you do not consent to the use of your data for other purposes.

We only process your data for the purpose it was collected and based on the applicable legal basis (notably Art. 6(1)(a), (b), or (f) GDPR, see also Section 8 below).

We would be happy to provide you with more information on your rights in this regard at any time.

2. Your rights

You are entitled to the following rights regarding your personal data stored by us:

  • Right to information (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR)
  • Right to restrict data processing (Art. 18 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to data portability (Art. 20 GDPR)

You also reserve the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR) in relation to the processing of your personal data carried out by us.

3. Collection of personal data when you visit our website

Informational Use In the case of purely informational use of our website—i.e. if you do not register or otherwise transmit information to us—we shall only collect the personal data that is transmitted to our server by your browser.

If you wish to view our website, we collect the following data, which is technically required to display our website and ensure the stability and security thereof (Art. 6(1)(f) GDPR):

  • IP address
  • Date and time of the visit
  • Time difference to Greenwich Mean Time (GMT)
  • Content of the request (specific pages)
  • Access status/HTTP status code
  • Data volume transmitted per visit
  • Website from which the request originated
  • Browser type and version
  • Operating system and the corresponding user interface
  • Language and version of the browser software

Cookies In addition to the data stipulated above, cookies will also be saved on your device when you visit our website.

Cookies are small text files that are allocated to your browser and saved on your hard drive, which enables the website that sets the cookie (us, in this case) to receive certain information.

Cookies are not able to execute programs or transfer viruses to your computer.

Their purpose is to make the website as user-friendly and effective as possible.

Transient cookies (e.g. session cookies) are automatically erased when you close your browser.

These store a session ID, which is used to assign various requests made during one session to your browser.

This enables the future recognition of your device when you return to the website.

Session cookies are deleted when you log out or close your browser.

Persistent cookies are automatically erased after a defined period, which varies from cookie to cookie.

You can erase cookies in the security settings of your browser at any time.

You can configure your browser settings to your preferences and, for example, block third-party cookies or all cookies.

We would like to note that blocking cookies may prevent the proper functioning of certain features on this website.

If you create an account, we may use cookies to identify you in subsequent visits.

Otherwise, you would need to log in again upon each visit.

The use of cookies for analytics or marketing (if any) is based on your consent under Art. 6(1)(a) GDPR.

You can withdraw your consent at any time via our cookie banner or by adjusting your browser settings.

4. Third parties we use on our website

Below, we describe the third-party tools and integrations that may be used on our website.

Whenever we process or allow the processing of personal data via these tools, it is either:

  • based on your consent (Art. 6(1)(a) GDPR),
  • required for contract performance or pre-contractual measures (Art. 6(1)(b) GDPR),
  • or carried out in pursuit of our legitimate interests (Art. 6(1)(f) GDPR) in providing and optimizing our services.

We only integrate these third-party tools and services in compliance with the applicable data protection rules. Below, we detail what types of data each provider may collect, how the data is used, shared, or transferred, and the relevant legal bases under the GDPR.

Alphabet Inc. (Google Cloud, Google Calendar, Google Meet)

  • Data Types Collected: Contact details (e.g., name, email address), calendar details, usage data (e.g., IP address, device/browser information), and metadata. If you use our Google Calendar integration while logged into your Google account, certain data may be associated with that account.
  • Purpose and Usage: We rely on Google Cloud for IT and cloud services (including hosting), and use Google Calendar and Google Meet for scheduling integrations. This enables us to provide reliable infrastructure, streamline appointment bookings, and facilitate virtual meetings.
  • How We Share, Transfer, or Disclose Google User Data:
    • We do not sell, rent, transfer or disclose or otherwise disclose your Google user data to third parties for purposes beyond those necessary to provide our services or to comply with applicable laws.
    • Where sharing with third parties is necessary (e.g., hosting or synchronization purposes), such sharing is strictly limited to service providers under contractual obligations to process the data only on our behalf and in accordance with our instructions.
    • We do not transfer or disclose your Google user data for marketing or advertising purposes. Any data shared with Google itself is governed by Google's own privacy policies (Google's Privacy Policy).
    • Should international transfers of your Google user data occur (e.g., if Google's servers are located outside your country of residence), we rely on appropriate safeguards such as Standard Contractual Clauses, in line with the GDPR.
    • If the URL to this Privacy Policy changes, we will update our Google OAuth consent screen configuration in the Cloud Console accordingly. Otherwise, we will directly respond to the relevant email notification from the OAuth Verification team once any required updates are complete.
  • Legal Basis: Art. 6(1)(b) GDPR if the data processing is necessary for the performance of our contract with you (e.g., scheduling appointments), Art. 6(1)(f) GDPR (legitimate interest in providing stable services and a user-friendly platform), or Art. 6(1)(a) GDPR (consent) if analytics or certain optional integrations require explicit permission.

Supabase Inc.

  • Data Types Collected: Database records, user identifiers, usage logs (depending on the function used, e.g., if you create an account or submit forms).
  • Purpose and Usage: Supabase provides managed database and backend services, allowing us to store user account information, form submissions, and other data necessary to operate our platform.
  • Sharing and Transfer: We do not sell, transfer or disclose your data. Data may be transferred to Supabase or its subprocessors for hosting and database management. Transfers may involve servers outside the EEA, with Supabase implementing adequate safeguards to ensure compliance with GDPR (e.g., Standard Contractual Clauses).
  • Legal Basis: Depending on the function, Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (legitimate interest in secure and efficient database management). In certain cases, your consent (Art. 6(1)(a) GDPR) may apply (e.g., if you opt in to specific features that store or process additional data).

Vercel Inc.

  • Data Types Collected: Website deployment and usage data, such as request logs (IP address, time of access, etc.).
  • Purpose and Usage: Vercel provides hosting infrastructure and front-end deployment services, helping us deliver our web application quickly and reliably.
  • Sharing and Transfer: We do not sell, transfer or otherwise disclose your personal data beyond what is needed for hosting and deployment. Data may be transferred to Vercel's infrastructure, potentially outside your country of residence, subject to GDPR-appropriate safeguards.
  • Legal Basis: Typically Art. 6(1)(f) GDPR (legitimate interest in providing stable, performant hosting). If hosting is essential to fulfilling a contract with you (e.g., providing the platform features you signed up for), Art. 6(1)(b) GDPR may also apply.

Cloudflare Inc.

  • Data Types Collected: IP addresses, security-related data (e.g., to detect malicious traffic), and limited request logs.
  • Purpose and Usage: Cloudflare acts as a Content Delivery Network (CDN) and provides security features (e.g., DDoS protection). This ensures fast loading times and protection against threats.
  • Sharing and Transfer: We share traffic information with Cloudflare to enable these CDN and security services. We do not sell, transfer or disclose your data. Cloudflare may process data in different regions; however, it implements safeguards like Standard Contractual Clauses to comply with GDPR.
  • Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring website security and performance).

Stripe Inc.

  • Data Types Collected: Payment details (e.g., credit card token), billing information (e.g., name, address), and transaction metadata.
  • Purpose and Usage: Stripe enables secure payment processing for subscriptions or one-time purchases, managing billing cycles and payment confirmations.
  • Sharing and Transfer: We do not sell, transfer or disclose your payment data. Payment information is securely transmitted to Stripe for processing, which may involve global transfers to banking partners. Stripe and its subprocessors follow PCI-DSS and GDPR compliance measures.
  • Legal Basis: Art. 6(1)(b) GDPR (fulfilment of payment obligations under contract). Where financial regulations apply, Art. 6(1)(c) GDPR (legal obligations) may also be relevant.

Odoo SA

  • Data Types Collected: Billing details, invoicing records, and other financial information required for issuing invoices.
  • Purpose and Usage: We use Odoo to manage billing and invoicing. Your data is processed to generate and manage invoices and related financial documents.
  • Sharing and Transfer: We do not sell, transfer or disclose your personal data. Certain data may be stored on Odoo's servers or its subprocessors, potentially located outside your jurisdiction, under GDPR-approved safeguards.
  • Legal Basis: Art. 6(1)(b) GDPR (contractual performance) and Art. 6(1)(c) GDPR (compliance with accounting and tax obligations).

tawk.to Inc. / Alaio Inc. (Bitrix24)

  • Data Types Collected: Chat transcripts, contact information (e.g., name, email), and any additional details you voluntarily provide via chat.
  • Purpose and Usage: These customer service tools enable real-time support and user inquiry management.
  • Sharing and Transfer: We do not sell, transfer or disclose your chat data. It is stored with tawk.to or Bitrix24 and may be transferred internationally, with contractual and technical safeguards ensuring GDPR compliance.
  • Legal Basis: Art. 6(1)(b) GDPR (to respond to customer requests under a contract) or Art. 6(1)(f) GDPR (legitimate interest in providing efficient support).

MailerLite Inc.

  • Data Types Collected: Email addresses, names (if provided), and newsletter usage data (e.g., open rates, link clicks).
  • Purpose and Usage: MailerLite handles our newsletter services and email marketing, sending updates and offers to subscribers.
  • Sharing and Transfer: We do not sell, transfer or disclose your email data. It is shared with MailerLite solely to facilitate email creation, delivery, and analytics. Data may be processed on servers outside the EEA, subject to appropriate contractual clauses or equivalent safeguards.
  • Legal Basis: Art. 6(1)(a) GDPR (consent) for receiving newsletters and related analytics.

Meta Platforms Inc. (WhatsApp Integration)

  • Data Types Collected:
    Phone numbers, message content, technical data (e.g., device information, timestamps), and any additional details you choose to share via WhatsApp. If you are logged into your WhatsApp account, certain data (e.g., your profile name or photo) may also be visible and linked to that account.
  • Purpose and Usage:
    We integrate WhatsApp to facilitate efficient customer communication and support, allowing you to inquire about our services, receive timely updates, and address any questions or issues. Where necessary, we may also send transactional information (e.g., confirmation messages regarding a booking or order).
  • Sharing and Transfer:
    We do not sell, transfer, or otherwise disclose your WhatsApp data to any unrelated third parties. Message content, phone numbers, and other relevant data are transmitted through WhatsApp's servers, which may be located globally. Meta may process and store this data under its own privacy policy. We only share or transfer your data as needed to:
    • Provide the requested communication or service (e.g., responding to your inquiries via WhatsApp).
    • Comply with applicable laws or valid legal requests (e.g., a court order).
    In all cases, we require that any third party (including Meta) receiving such data upholds equivalent levels of protection and only uses the data for the specific purposes requested. You may choose to avoid such data sharing by contacting us through an alternative communication channel (e.g., email).
  • International Data Transfers:
    WhatsApp may route data through servers outside the European Economic Area (EEA). Where this occurs, such transfers are governed by appropriate safeguards (e.g., Standard Contractual Clauses) in accordance with the GDPR. We encourage you to review WhatsApp's Privacy Policy to understand how Meta manages your data.
  • Legal Basis:
    We rely on:
    • Art. 6(1)(b) GDPR (performance of a contract or steps taken at your request prior to entering into a contract) if WhatsApp is used to facilitate or finalize bookings, orders, or customer service inquiries tied to a contractual relationship.
    • Art. 6(1)(f) GDPR (our legitimate interest in providing effective customer communication) when you voluntarily opt to contact us through WhatsApp for information or support.
    You may withdraw consent to communicate via WhatsApp at any time or choose a different communication channel, without affecting your access to our services.

Twilio Inc. / Celerity Systems (Pty) Ltd.

  • Data Types Collected: Phone numbers, SMS message content, delivery/receipt metadata.
  • Purpose and Usage: These providers power SMS gateway services for notifications, two-factor authentication, and other verification needs.
  • Sharing and Transfer: We do not sell, transfer or disclose your phone number or SMS content. Data is transmitted to Twilio or Celerity Systems solely to deliver SMS messages. They may route data globally, under GDPR-approved mechanisms for cross-border transfers.
  • Legal Basis: Art. 6(1)(b) GDPR (contract performance) if the SMS is necessary for a service you requested, or Art. 6(1)(f) GDPR (legitimate interest in secure and timely notifications).

Zoom Communications Inc.

  • Data Types Collected: Audio/video streams, names, email addresses, and any other personal data you share during video conferences (e.g., chat messages).
  • Purpose and Usage: Zoom is used for video conferencing and virtual appointments, supporting remote communication and collaboration.
  • Sharing and Transfer: We do not sell, transfer or disclose your meeting or conference data. It is shared with Zoom solely to establish and maintain the session. Zoom may store or process data on servers located worldwide, but implements security measures and contractual provisions to ensure GDPR compliance.
  • Legal Basis: Art. 6(1)(b) GDPR if the video conference is necessary for fulfilling a contract (e.g., scheduled session) or Art. 6(1)(f) GDPR (legitimate interest in providing remote communication).

Zapier Inc.

  • Data Types Collected: Relevant data from integrated services (e.g., form submissions, contact details, or other information you provide) depending on the automated workflows set up.
  • Purpose and Usage: Zapier automates workflows between multiple applications (for example, syncing form submissions to a CRM or sending you notifications) to streamline data flows and reduce manual handling.
  • Sharing and Transfer: We do not sell, transfer, or otherwise share your data with unrelated third parties. Data may transit through or be stored on Zapier's servers, which could be located outside the European Economic Area (EEA). Where international transfers occur, Zapier implements contractual and technical safeguards (such as Standard Contractual Clauses) to ensure compliance with GDPR.
  • Legal Basis: Art. 6(1)(f) GDPR (our legitimate interest in efficient process automation). If an automated workflow is necessary for the performance of a contract with you (e.g., processing your order data), Art. 6(1)(b) GDPR may also apply.

5. Social Media Presence

Lapsula maintains a presence on social media networks or platforms (e.g. Facebook, Instagram, LinkedIn) to communicate with potential and current customers and provide information about our services.

If you visit our official page on such platforms, the operators of the social networks process personal data under their own responsibility.

We may receive statistical data (e.g. via "Page Insights") regarding the use of our page.

These statistics may contain aggregated demographic and interaction data.

Such data is typically anonymized to us, and we process it based on our legitimate interest (Art. 6(1)(f) GDPR) in evaluating the reach and effectiveness of our social media presence.

For details on how social network providers handle personal data (including any profiling activity), please refer to the privacy policies of the respective platform operators.

You may also assert your data subject rights directly with these operators.

6. Using the Booking Platform (Registration and Account Management)

Our website features an online booking platform.

As a user, you may register for an account or book specific services.

When you do so, we collect only the data necessary for processing your booking or account setup (e.g. name, email address, payment details, booking preferences).

Data Storage: We store such data on secure servers.

If you have an account, you may review, edit, or request deletion of your account data.

Where we are legally obliged to retain certain data (e.g. for tax or bookkeeping reasons), we will restrict its processing instead of deleting it.

Log Data: When you use our booking platform, log files may be stored temporarily for IT security and error analysis. These logs are regularly erased or anonymized unless a longer retention is necessary for evidence purposes (Art. 6(1)(f) GDPR).

7. Data Protection for Bookings and Other Transactions

If you make a booking or transaction through lapsula.com, we process your personal data (e.g., contact details, payment data, booking details) in order to perform our contractual obligations (Art. 6(1)(b) GDPR).

We also maintain records to satisfy legal obligations (Art. 6(1)(c) GDPR), such as tax and commercial laws, which may require retaining transaction data for certain statutory periods.

If the contractual relationship is concluded or if you withdraw from it, your data will be erased or restricted unless further retention is required by law or legitimate interests (Art. 6(1)(f) GDPR) exist, such as the defense of legal claims.

8. General terms: Legal basis

Whenever we obtain consent for a specific purpose of processing, Art. 6(1)(a) GDPR is the legal basis.

If the processing of personal data is necessary for the performance of a contract to which you are a party, such as for billing or providing our booking services, Art. 6(1)(b) GDPR is the basis.

This also applies to pre-contractual measures, for example, responding to your inquiries regarding our services.

If we are subject to a legal obligation requiring the processing of personal data (e.g., retention obligations under tax law), the basis is Art. 6(1)(c) GDPR.

Processing may also be based on Art. 6(1)(d) GDPR if it is necessary to protect your vital interests or those of another natural person (rare emergency scenarios).

Processing may take place on the basis of Art. 6(1)(f) GDPR if it is necessary for the purposes of legitimate interests pursued by us or by a third party, except where these interests are overridden by your fundamental rights and freedoms.

9. Newsletter

If you provide your consent (Art. 6(1)(a) GDPR), you can subscribe to our newsletter to receive information about our latest offers and services.

The services and offers we promote in the newsletter are mentioned in the consent form.

We use a triple opt-in process: after you register, we send you an email asking you to subscribe to a plan.

If you do not confirm within a reasonable time, we will send you a reminder;

if no answer is given your data is blocked and automatically erased after one month.

The only mandatory information to receive the newsletter is your email address.

Providing additional information (e.g., your name) is optional and serves to address you personally.

You can withdraw your consent to receive the newsletter at any time and unsubscribe.

To do so, click on the link in every newsletter email or send an email to [email protected].

We analyze your user behaviour in relation to our newsletters (e.g., opens, link clicks) in pseudonymized form.

The legal basis for this analysis is also Art. 6(1)(a) GDPR (consent).

You may opt out of tracking by unsubscribing from the newsletter.

10. Social media plugins

We may use social media plugins (e.g., from Instagram, Twitter, LinkedIn, YouTube) on our website.

We use the "double-click solution," meaning that your personal data is not transferred to the plugin providers until you click the plugin button.

Once activated, the plugin provider receives the information that you have accessed the corresponding page on our website.

In addition, the data mentioned in Section 3 of this notice is transmitted to them.

This occurs regardless of whether you have an account with the plugin provider or are logged in.

If you are logged into your account with the plugin provider, the data we collect will be directly associated with your existing account.

If you click the activated button and link to the page, for example, the plugin provider will also store this information in your user account and share it publicly with your contacts, depending on your account settings.

We do not have any influence on the data collected or the processing and are not aware of the full extent of data collection, the purpose of processing, or the storage periods.

For more information, please refer to the privacy notices of the respective plugin providers.

We offer these plugins to allow you to interact with social networks and other users, which helps us improve our platform.

The legal basis for the use of such plugins is typically Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest in offering an interactive website).

Further Information and Contact

We retain personal data only for as long as it is necessary for the relevant purpose or if we are legally obliged to do so.

Afterwards, we erase or anonymize the data in accordance with statutory provisions.

If you have any questions or concerns about this privacy notice, or would like to exercise your data subject rights, please contact us at:

Lapsula, SL
VAT: ESB19784248
Barcelona, Spain
Email: [email protected]

We will address your inquiry promptly, in compliance with the GDPR and other applicable data protection regulations.