Privacy Policy

Last updated: May 2026

This Privacy Policy describes how Orange Wave S.L., trading as Organic Blank (hereinafter "Organic Blank", "we", or "the Company"), collects, uses, and protects the personal data of users and customers who interact with our website, products, and services.

This document has been drafted in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

1. Data Controller

The controller of your personal data is:

  • Company name: Orange Wave S.L.

  • Tax ID (CIF): B16708976

  • Registered office: Plaza Urquinaona 10, 08010, Barcelona, Spain

  • Email: info@organicblank.com

  • Website: www.organicblank.com

We have not appointed a Data Protection Officer (DPO), as none of the cases set out in Article 37 GDPR apply. For any privacy-related queries, please contact us at the email address above.

2. Personal Data We Collect

We process the following categories of personal data:

Identification and contact data

  • First name and surname

  • Shipping and billing address

  • Email address

  • Phone number

Professional data (B2B clients)

  • Company name, VAT number, position or role

  • Tax address

Transaction and order data

  • Order history

  • Purchased products

  • Payment-related data (processed securely by third parties; we do not store full card details)

Communication data

  • Emails and exchanged messages

  • WhatsApp messages

  • Customer service interactions

Browsing and device data

  • IP address

  • Browser and device type

  • Cookies and usage data

  • Interactions with our website

3. Purposes of Processing and Legal Bases

We process your personal data for the following purposes, each with its corresponding legal basis:

Purpose | Legal basis
Processing your orders, shipments, and returns | Contract performance (Art. 6.1.b GDPR)
Payment and invoicing management | Contract performance and legal obligation
Compliance with accounting, tax, and commercial obligations | Legal obligation (Art. 6.1.c GDPR)
Customer service and responding to inquiries | Contract performance or legitimate interest
Sending quotes and commercial communications to existing B2B clients | Legitimate interest (Art. 6.1.f GDPR)
Sending commercial communications (newsletter, offers) to individuals | Consent (Art. 6.1.a GDPR)
Statistical analysis and website improvement via analytical cookies | Consent
Personalized advertising and remarketing | Consent
Fraud prevention and website security | Legitimate interest

4. Recipients and Data Sharing

In order to provide our services, we share data with the following third parties, who act as data processors under contracts that guarantee the protection of your data:

Platform and infrastructure

  • Shopify Inc. (eCommerce platform)

Payment processors

  • Stripe

  • PayPal

  • Klarna

  • Google Pay

  • Revolut

Email marketing

  • Mailchimp (current provider). We may migrate to other platforms such as Klaviyo in the future, in which case this policy will be updated.

Analytics and digital advertising

  • Google Analytics (web analytics)

  • Google Ads (advertising and remarketing)

Logistics and shipping

  • Carriers and courier companies we work with for the delivery of your orders. The specific carrier may vary per shipment based on available conditions, as we use logistics comparators to optimize delivery times and costs. All operate under confidentiality agreements and process your data exclusively for order delivery.

Communication

  • Meta Platforms Ireland Ltd. (when contacting us via WhatsApp)

Public authorities

  • When required by law (Tax Authorities, Law Enforcement, Courts, etc.)

We do not sell your personal data to third parties under any circumstances.

5. International Data Transfers

Some of our service providers are based in or process data outside the European Economic Area (EEA), mainly in the United States. This includes:

  • Shopify Inc. (Canada / U.S.)

  • Google LLC (U.S.)

  • Meta Platforms Inc. (U.S.)

  • Stripe, Inc. (U.S.)

  • Mailchimp / Intuit Inc. (U.S.)

These transfers take place under the safeguards provided by the GDPR:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.

  • EU-U.S. Data Privacy Framework (when the provider is certified under this framework).

  • Additional technical and organizational measures such as encryption and pseudonymization where appropriate.

6. Data Retention Periods

We retain your data for the following periods:

Type of data | Period
Customer and order data | Up to 6 years (accounting and tax obligations)
B2B contacts without purchase | Up to 24 months or until deletion is requested
Newsletter subscriptions | As long as consent is maintained
Email/WhatsApp communications | Duration of the business relationship + applicable legal periods
Browsing data and cookies | As per the Cookie Policy

Once these periods have elapsed, data will be deleted or, where applicable, blocked in accordance with Article 32 LOPDGDD.

7. Your Data Protection Rights

As a data subject, you may exercise the following rights at any time:

  • Access: obtain confirmation of whether we process your data and, where applicable, access it.

  • Rectification: request the correction of inaccurate data.

  • Erasure ("right to be forgotten"): request the deletion of your data when no longer necessary.

  • Restriction of processing: request that we limit the use of your data in certain cases.

  • Objection: object to the processing of your data on grounds relating to your particular situation.

  • Portability: receive your data in a structured format or request its transfer to another controller.

  • Withdraw consent: at any time, without affecting the lawfulness of prior processing.

  • Not be subject to automated decisions producing significant legal effects.

To exercise these rights, send us an email at info@organicblank.com indicating the right you wish to exercise and attaching a copy of your ID or equivalent document proving your identity. We will respond within a maximum period of one month.

If you believe the processing of your data does not comply with applicable regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):

  • Website: www.aepd.es

  • Address: C/ Jorge Juan, 6. 28001 Madrid, Spain

  • Phone: +34 901 100 099 / +34 912 663 517

8. Commercial Communications

We may send you commercial communications in the following cases:

  • Existing B2B clients: regarding products or services similar to those already contracted, based on legitimate interest (Art. 21.2 of the Spanish LSSI).

  • Other recipients: only with your express consent (newsletter subscription, opt-in checkbox in a form, etc.).

In all cases, you can unsubscribe easily and free of charge via the link included in each communication or by emailing us at info@organicblank.com.

9. WhatsApp Communications

If you choose to contact us via WhatsApp, please note that:

  • Your data will also be processed by Meta Platforms Ireland Ltd. and, where applicable, Meta Platforms Inc. (U.S.).

  • This may involve international transfers of data to the U.S.

  • WhatsApp's and Meta's privacy policies will additionally apply.

  • We use this channel solely for order management and customer service, not for unsolicited commercial communications.

10. Cookies

We use first-party and third-party cookies to ensure the operation of the website, analyze its use, and display personalized advertising. For detailed information on the cookies we use, their purposes, and how to manage them, please consult our Cookie Policy, accessible from the website footer.

You can accept, reject, or configure cookie use at any time from our cookie management panel.

11. Minors

Our services are aimed at individuals over 14 years of age (the minimum age of consent in Spain pursuant to Article 7 LOPDGDD). For B2B clients, services are aimed exclusively at adults with legal capacity to act on behalf of the relevant company.

If we detect that we have collected data from a minor under 14 without the consent of their parents or legal guardians, we will proceed to delete it immediately.

12. Data Security

We apply appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or destruction. These measures include, among others:

  • SSL/TLS encryption in communications with our website.

  • Access control to information through credentials and authentication.

  • Staff training in data protection.

  • Selection of providers with equivalent security guarantees.

  • Backups and continuity plans.

In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the Spanish Data Protection Agency within a maximum of 72 hours, as well as affected individuals when legally required, in accordance with Articles 33 and 34 of the GDPR.

13. Changes to the Privacy Policy

We may update this Privacy Policy to reflect legal, technical, or operational changes. The most recent version will always be available on our website, clearly indicating the date of the latest update. Where changes are substantial, we will notify you through our usual communication channels.

14. Applicable Law and Jurisdiction

This Privacy Policy is governed by Spanish and European data protection law. Any dispute will be submitted to the courts of Barcelona, without prejudice to the jurisdiction that may correspond to consumers under applicable law.