Privacy Policy and Cookies

Last updated: May 2026

1. Data controller

Controller: Todolux Ingeniería S.L.
Tax ID (CIF/NIF): B72946189
Address: C/ Campus, 24. 30100, Murcia. Spain
Email: legal@todo-lux.com
Data Protection Officer: Not appointed (not mandatory under Art. 37 GDPR).

2. Personal data we collect

Depending on the user's interaction with the Platform, we may collect the following data:

2.1. Data provided by the user

Account registration: first name, last name, email address, password (encrypted), user type (manufacturer, professional, distributor).
Professional profile: company, position, phone number, address, country.
Contact forms: name, email address, message.

2.2. Data obtained from third parties

Google sign-in (OAuth): name, email address, profile picture, and Google identifier. Only data that the user expressly authorizes through the Google consent process is accessed.

2.3. Automatically collected data

Technical data: IP address, browser type, operating system, screen resolution, preferred language.
Browsing data: pages visited, time spent, actions performed on the Platform.
Monitoring data: application performance metrics collected by a third-party performance monitoring service to ensure service stability and performance.

3. Purpose of data processing

We process personal data for the following purposes:

Purpose	Legal basis (GDPR)
Management of user registration and account	Art. 6.1.b — Performance of a contract
Provision of Platform services	Art. 6.1.b — Performance of a contract
Responding to inquiries and requests	Art. 6.1.b — Performance of a contract
Identity verification via reCAPTCHA	Art. 6.1.f — Legitimate interest (security)
Performance monitoring and improvement	Art. 6.1.f — Legitimate interest (service quality)
Compliance with legal obligations	Art. 6.1.c — Legal obligation

4. Data recipients

Personal data may be disclosed to:

Google LLC (reCAPTCHA v3): for security verification on forms. Google may collect hardware and software data, such as device and application data. Collected data is used to improve reCAPTCHA and for general security purposes. Google Privacy Policy.
Google LLC (OAuth / social sign-in): when the user chooses to sign in with Google. Google Privacy Policy.
Infrastructure and hosting providers: for hosting the Platform and its services.
Third-party performance monitoring services: currently Laravel Nightwatch, used to detect errors, degradations and technical service metrics.
Competent authorities: when required by law.

No international data transfers outside the European Economic Area are made, except to providers that have adequate safeguards under the GDPR (standard contractual clauses, adequacy decisions, or certified privacy frameworks).

5. Data retention

Personal data will be retained for the time necessary to fulfill the purpose for which it was collected:

Account data: while the account remains active and for the applicable legal period after cancellation.
Contact data: for the time necessary to address the inquiry, plus the legal limitation period.
Browsing and technical data: maximum 26 months.
Performance monitoring data: according to the third-party service retention configuration.

6. User rights

In accordance with the GDPR and the Spanish LOPDGDD, the user may exercise the following rights:

Access: know what personal data is being processed.
Rectification: correct inaccurate or incomplete data.
Erasure: request the deletion of data when it is no longer necessary.
Objection: object to data processing under certain circumstances.
Restriction: request the restriction of data processing.
Portability: receive data in a structured, commonly used format.

To exercise these rights, send an email to legal@todo-lux.com indicating the right you wish to exercise and attaching a copy of your identity document.

If you believe your rights have not been properly addressed, you may file a complaint with the Spanish Data Protection Agency (www.aepd.es).

7. Security

Todolux Ingeniería S.L. has adopted appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:

Encryption of passwords and sensitive data.
Encrypted communications via HTTPS/TLS.
Session tokens with httpOnly and SameSite protection.
Security verification via Google reCAPTCHA v3.

8. Cookie Policy

8.1. What are cookies?

Cookies are small text files stored on the user's device when visiting a website. They allow the site to remember information about the visit, such as the preferred language and other settings.

8.2. Cookies used on the Platform

Cookie	Type	Duration	Purpose
`todolux_session`	Technical (necessary)	120 minutes	User session management. Required for the Platform to function.
`locale`	Technical (necessary)	1 year	Stores the user's language preference (Spanish/English).
`XSRF-TOKEN`	Technical (necessary)	Session	Protection against cross-site request forgery (CSRF) attacks.
`remember_web_*`	Technical (functional)	5 years	Keeps the user signed in if they select "Remember me".
Google reCAPTCHA cookies	Third-party	Variable	Google reCAPTCHA may set cookies for security verification. See the Google Cookie Policy.

8.3. Legal basis

Technical and necessary cookies are installed based on the controller's legitimate interest (Art. 6.1.f GDPR) and are exempt from the consent requirement under Article 22.2 of the LSSI-CE, as they are strictly necessary for the provision of the service.

Google reCAPTCHA cookies are used based on the legitimate interest of security (Art. 6.1.f GDPR).

8.4. Managing cookies

You can configure your browser to reject cookies or to alert you when a website attempts to install them. Below are links to the cookie settings of the main browsers:

Please note that disabling technical cookies may affect the proper functioning of the Platform.

9. Changes

Todolux Ingeniería S.L. reserves the right to modify this policy to adapt it to legislative developments or changes to the Platform. Any changes will be published on this page with the updated date.