Skip to content
CoreDevStructure Engineering studio · Barcelona
EN ES
Brief us →

Updated · June 12, 2026

Privacy policy

This policy is published under the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD). It is written to be read — not signed under duress.

1. Data controller

CoreDevStructure SL · Spanish NIF B-67248953 · Carrer del Camp, 74, 08022 Barcelona, Spain. For any data-related question: support@coredevstructure.com.

2. What we collect

  • Brief intake form: first and last name, email, phone (optional), company (optional), country, engagement type, indicative budget, free-text message.
  • Checkout: first and last name, email, phone, country. Card details never reach our servers — they are entered directly into Stripe.
  • Strictly necessary cookies: PHP session ID (CDSSESSID), language preference (cds_locale), cookie choice (cds_cookie_consent stored in localStorage).
  • Server logs: IP address, user agent, and requested URL, retained for 14 days for abuse detection.

3. Lawful bases & purposes

  • Performance of a contract (Art. 6(1)(b) GDPR): taking your order, invoicing, and delivering the service.
  • Legal obligation (Art. 6(1)(c) GDPR): 6-year accounting retention under the Spanish Code of Commerce, and invoice issuance under the Spanish Invoicing Regulation.
  • Legitimate interest (Art. 6(1)(f) GDPR): site security, fraud prevention, responding to your brief before any contract is signed.
  • Consent (Art. 6(1)(a) GDPR): brief form submission after you tick the consent box; you can withdraw at any time.

4. Retention

Checkout data and invoices: 6 years from last activity, mandated by the Spanish Code of Commerce. Briefs that did not become an engagement: 24 months from last contact, unless you ask us to delete sooner. Server logs: 14 days.

5. Processors

We share data only with the providers strictly necessary to run the service:

  • Stripe Payments Europe Ltd (Ireland) — payment processing. Card data does not reach our servers.
  • Hetzner Online GmbH (Germany) — website hosting.
  • Postmark / ActiveCampaign or equivalent (EU / USA under Standard Contractual Clauses) — transactional email delivery.
  • Google Fonts — web font delivery. When a font is served from Google, its CDN may log your browser IP.

6. International transfers

Where a processor handles data outside the EEA, the transfer is covered by an adequacy decision or, failing that, by Standard Contractual Clauses approved by the European Commission, with additional technical measures where required.

7. Your rights

You may exercise the rights of access, rectification, erasure, objection, restriction, and portability at any time by writing to support@coredevstructure.com. We answer within 30 days. If you believe we have not handled your request well, you may lodge a complaint with the Spanish Data Protection Agency (aepd.es), the relevant supervisory authority.

8. Changes

If we update this policy materially, we note the date at the top of the page. When a change introduces new purposes, we email you before applying it to prior data.