Privacy Policy

Last updated: March 2026

1. Identity of the Data Controller

The data controller responsible for the processing of personal data collected through this website (kosmetikon.io) is:

Kosmetikon 2006 SL (registered in El Perelló, Tarragona, Spain) is a related operational and commercial entity. It is not the data controller for this website. Kosmetikon S.L. (Andorra) is the sole data controller for all personal data processed through kosmetikon.io.

2. Applicable Law & Global Scope

The processing of personal data through this website is governed by a layered framework of applicable laws, reflecting the international nature of KosmetikOn's user base:

Primary Framework — Andorra

The primary applicable law is Llei 29/2021, del 28 d'octubre, qualificada de protecció de dades personals (LQPD) and its implementing regulations (Decret 391/2022). The Principality of Andorra has been granted EU adequacy status under Commission Decision 2010/625/EU, meaning that personal data flows from the EU/EEA to Andorra are treated as equivalent to intra-EU transfers.

EU/EEA Users

Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation — GDPR) applies to users located in the European Union or European Economic Area. KosmetikOn processes the personal data of EU/EEA users in compliance with the GDPR.

Global Acknowledgement

KosmetikOn serves users worldwide. We apply the principles of LQPD/GDPR as a global baseline and additionally acknowledge the following jurisdictional frameworks:

• United States — California: The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to California residents. We do not sell personal data. We do not share personal data for cross-context behavioural advertising. California residents may exercise their rights as described in Section 6.
• United Kingdom: UK GDPR (retained post-Brexit under the Data Protection Act 2018) applies to users located in the United Kingdom. The UK Information Commissioner's Office (ICO) is the relevant supervisory authority.
• Canada: We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) for Canadian users.
• Australia: We respect the Australian Privacy Principles under the Privacy Act 1988 (Cth) for Australian users.
• Mexico: We acknowledge the rights of Mexican users under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP).
• Other jurisdictions: We apply the principles of LQPD/GDPR as a global baseline regardless of user location. Users from any country may contact us to exercise their data rights.

We do not sell personal data to any third party, in any jurisdiction, under any circumstances.

3. What Personal Data We Collect and Why

This website is a static informational site. We do not operate a backend database for user accounts or form submissions. The following describes all personal data that may be collected in connection with this website:

3.1 Demo Booking Data (via Calendly)

• Data: Name, email address, and scheduling preference data provided when booking a demo call via Calendly.
• Purpose: To schedule and conduct product demonstration calls.
• Legal basis (GDPR/LQPD): Pre-contractual steps at the request of the data subject and legitimate interest (Article 6(1)(b) and Article 6(1)(f) GDPR).
• Retention: Duration of the business relationship, plus 3 years thereafter.
• Note: Calendly, Inc. acts as a data processor. Calendly's own privacy policy governs their handling of this data (see Section 4).

3.2 Email Correspondence

• Data: Email address and message content when a user contacts us via a mailto link.
• Purpose: To respond to enquiries.
• Legal basis (GDPR/LQPD): Legitimate interest (Article 6(1)(f) GDPR).
• Retention: 2 years from the date of last contact.

3.3 Server Log Data

• Data: IP address, browser type, operating system, referring URL, pages visited, and timestamp. This data is collected automatically by the web hosting provider as part of normal hosting operations.
• Purpose: Security monitoring, performance monitoring, and abuse prevention.
• Legal basis (GDPR/LQPD): Legitimate interest (Article 6(1)(f) GDPR).
• Retention: 90 days.

3.4 Analytics Data

We do not currently use tracking analytics tools (such as Google Analytics, Plausible, or similar services) on this website. Should analytics be introduced in the future, this policy will be updated accordingly and, where required by applicable law, user consent will be obtained before any tracking commences.

4. Third-Party Processors

We engage the following third-party data processors in connection with the operation of this website:

4.1 Calendly, Inc. (USA)

Calendly provides scheduling and booking management services. When a user books a demo via the link on this website, Calendly collects and processes name, email address, and scheduling data. Calendly is subject to Standard Contractual Clauses for EU personal data transfers under Article 46 GDPR. For details, please refer to Calendly's Privacy Policy.

4.2 Hosting Provider

This website is hosted on a third-party hosting platform. The hosting provider collects standard server log data (IP address, browser, timestamp) as part of normal infrastructure operations. Server log data is subject to the hosting provider's data processing agreement.

5. International Data Transfers

Personal data may be transferred to the United States via Calendly, Inc. Such transfers are conducted under appropriate safeguards, specifically Standard Contractual Clauses (SCCs) pursuant to Article 46 GDPR.

Data transfers from the EU/EEA to Andorra (Kosmetikon S.L.) require no additional safeguards, as Andorra has been granted EU adequacy status under Commission Decision 2010/625/EU.

6. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any of these rights, contact us at info@kosmetikon.io. We will respond within 30 days.

EU/EEA, UK, and Andorra Users (GDPR / UK GDPR / LQPD)

• Right of access — to know what personal data we hold about you (Article 15 GDPR / Article 15 LQPD).
• Right to rectification — to have inaccurate data corrected (Article 16 GDPR).
• Right to erasure — to have your personal data deleted ("right to be forgotten") (Article 17 GDPR).
• Right to restriction of processing — to request that we limit how we use your data (Article 18 GDPR).
• Right to data portability — to receive your data in a structured, machine-readable format (Article 20 GDPR).
• Right to object — to object to processing based on legitimate interest (Article 21 GDPR).
• Rights related to automated decision-making — this website does not use automated decision-making or profiling (Article 22 GDPR).
• Right to withdraw consent — where consent is the legal basis for processing, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
• Right to lodge a complaint — with the competent supervisory authority (see Section 7).

California Residents (CCPA / CPRA)

• Right to know what categories and specific pieces of personal information we have collected about you.
• Right to delete personal information we have collected from you, subject to certain exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information — we do not sell or share personal information for cross-context behavioural advertising.
• Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.

To submit a CCPA/CPRA request: info@kosmetikon.io.

Canadian Users (PIPEDA)

• Right to access personal information held about you.
• Right to challenge accuracy and request correction.
• Right to withdraw consent (subject to legal or contractual restrictions).

Australian Users (Privacy Act 1988)

• Right to access and correct personal information we hold about you.
• Right to complain to the Office of the Australian Information Commissioner (OAIC) if you are unsatisfied with our response.

Mexican Users (LFPDPPP)

Mexican users have ARCO rights: Acceso, Rectificación, Cancelación, Oposición (Access, Rectification, Cancellation, Opposition). To exercise these rights: info@kosmetikon.io.

All Other Users

We apply GDPR/LQPD principles as our global baseline. Any user from any country may contact us at info@kosmetikon.io to request access to, correction of, or deletion of any personal data we hold about them. We will respond within 30 days.

7. Supervisory Authorities

We encourage you to contact us first at info@kosmetikon.io to resolve any concern before escalating to a supervisory authority.

8. Cookies

This website uses only strictly necessary cookies required for basic functionality. We do not currently use analytics or tracking cookies. For full details, including how to manage cookie preferences, please see our Cookie Policy.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices or applicable law. The "Last updated" date at the top of this page will be revised accordingly. We encourage you to review this policy periodically. Where changes are material, we will take reasonable steps to bring them to your attention.