Privacy Policy
Last updated: 18 April 2026
This Privacy Policy describes how FORGELAB DIGITAL PRODUCTS, S.L. (hereinafter, "FORGELAB", "the Company", "I", or "us") collects, uses, stores, and protects the personal data of visitors, clients, and users (hereinafter, "User" or "you") of the website forgelab.studio and the professional services offered through it (hereinafter, "the Service").
This policy is drafted in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (General Data Protection Regulation, GDPR), Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE).
1. Data Controller
The entity responsible for the processing of your personal data is:
- Company name: FORGELAB DIGITAL PRODUCTS, S.L.
- NIF (Tax ID): B56945764
- Registered office: Calle Amor de Dios, 1, 3-2, 29012, Malaga, Spain
- Email: [email protected]
- Website: forgelab.studio
2. Data We Collect
FORGELAB collects and processes the minimum amount of personal data necessary to provide the Service.
2.1. Contact & correspondence data
When you contact me through the website, I may collect:
- Name and email address — to identify you and respond to your inquiry.
- Company or project information — only if you voluntarily provide it.
- Message content — to understand your need and evaluate potential fit.
2.2. Account data (admin/editor access)
- Username and email address — used for authentication and account recovery.
- Password — stored exclusively in hashed form using the bcrypt algorithm. FORGELAB never stores plain-text passwords.
2.3. Analytics data (conditional on consent)
The website uses Google Analytics 4 with IP anonymization. No data is sent to Google until you explicitly accept analytics cookies. If you accept, GA4 may collect anonymized IP, device type, browser, OS, pages visited, session duration, referrer. No cross-site tracking, no advertising features, no remarketing.
2.4. Technical data
- IP address: Processed temporarily for rate limiting and abuse prevention. Not stored permanently.
2.5. Data we do NOT collect
- Payment information (the website does not process payments).
- Location data beyond what is inherent in an IP address during rate limiting.
- Data from social media accounts.
- Biometric or health data, or special categories under Article 9 GDPR.
3. Legal Basis for Processing
- Consent (Art. 6.1.a GDPR): for analytics data, given via the cookie banner. Withdrawable at any time.
- Pre-contractual and contractual steps (Art. 6.1.b GDPR): for contact data necessary to respond to your inquiry.
- Legitimate interest (Art. 6.1.f GDPR): for temporary IP processing for rate limiting and security.
4. Purpose of Data Processing
- To respond to your inquiries and evaluate potential collaboration.
- To deliver contracted services.
- To authenticate administrator access to the blog management system.
- To understand, in aggregate, how visitors use the website (only with consent).
- To prevent abuse and maintain the security of the Service.
- To comply with applicable legal obligations.
FORGELAB does not process your data for profiling, automated decision-making, advertising, or any other purpose.
5. Data Sharing and Third-Party Transfers
FORGELAB does not sell, rent, trade, or share your personal data with third parties for their own purposes. Limited disclosure occurs only to:
- Infrastructure providers (data processors under Art. 28 GDPR).
- Analytics provider (Google LLC) if you consent. IP anonymization is enabled.
- AI providers (OpenAI) for blog content processing only. Visitor personal data is never sent.
- Legal obligations: if required by law or governmental request.
6. International Data Transfers
Where data is processed outside the EEA, FORGELAB ensures Standard Contractual Clauses (SCCs) approved by the European Commission, in compliance with Chapter V GDPR.
7. Data Storage and Security
- Database: MongoDB, restricted to authorized application processes.
- Password security: bcrypt hashing. No plain-text storage.
- Authentication: httpOnly JWT cookies.
- Transport security: HTTPS (TLS) end-to-end.
- Access control: production access restricted to authorized personnel.
- Input validation: all user inputs sanitized.
8. Data Retention
- Contact data: retained while the inquiry or engagement is active, plus the period legally required (typically 6 years in Spain).
- Administrator account data: while the account exists. Deleted on request.
- Analytics data: retained by GA4 for a maximum of 14 months.
- IP addresses: in memory only for rate limiting.
9. Your Rights
Under the GDPR (Articles 15-22) and the LOPDGDD, you have the rights of access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent.
To exercise any of these rights:
- Email [email protected] with subject "Data Rights Request", providing enough information to verify your identity.
- Or write to: FORGELAB DIGITAL PRODUCTS, S.L., Calle Amor de Dios, 1, 3-2, 29012, Malaga, Spain.
FORGELAB will respond within one (1) month per Art. 12.3 GDPR, extendable by two (2) further months when necessary.
10. Right to Lodge a Complaint
If you believe your data is being processed unlawfully, you may lodge a complaint with the Spanish Data Protection Agency (AEPD):
- Website: www.aepd.es
- Postal address: C/ Jorge Juan, 6, 28001, Madrid, Spain
11. Cookies
The website uses one essential authentication cookie and, conditional on your consent, Google Analytics 4 cookies. See the Cookie Policy.
12. Data Protection of Minors
The Service is not directed at children under 16. Contact [email protected] if you believe a minor has provided data.
13. Changes to This Privacy Policy
FORGELAB reserves the right to modify this Privacy Policy. Updates are posted with a refreshed "Last updated" date.
14. Contact