Privacy Policy

Last updated: 18 April 2026

This Privacy Policy describes how FORGELAB DIGITAL PRODUCTS, S.L. (hereinafter, "FORGELAB", "the Company", "I", or "us") collects, uses, stores, and protects the personal data of visitors, clients, and users (hereinafter, "User" or "you") of the website forgelab.studio and the professional services offered through it (hereinafter, "the Service").

This policy is drafted in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (General Data Protection Regulation, GDPR), Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE).

1. Data Controller

The entity responsible for the processing of your personal data is:

  • Company name: FORGELAB DIGITAL PRODUCTS, S.L.
  • NIF (Tax ID): B56945764
  • Registered office: Calle Amor de Dios, 1, 3-2, 29012, Malaga, Spain
  • Email: [email protected]
  • Website: forgelab.studio

2. Data We Collect

FORGELAB collects and processes the minimum amount of personal data necessary to provide the Service. The categories of data collected are as follows:

2.1. Contact & correspondence data

When you contact me through the website (email, form, or any other direct channel), I may collect:

  • Name and email address — to identify you and respond to your inquiry.
  • Company or project information — only if you voluntarily provide it to frame your inquiry.
  • Message content — to understand your need and evaluate potential fit.

2.2. Account data (admin/editor access)

Where authorized personnel access the blog management area, the following data is collected:

  • Username and email address — used for authentication and account recovery.
  • Password — stored exclusively in hashed form using the bcrypt algorithm. FORGELAB never stores, accesses, or has the ability to retrieve your plain-text password.

2.3. Analytics data (conditional on consent)

The website uses Google Analytics 4 (GA4) with IP anonymization enabled. No data is collected or sent to Google until you explicitly accept analytics cookies via the cookie consent banner. If you reject, GA4 remains in "denied" state and collects nothing. If you accept, GA4 may collect:

  • Anonymized IP address, device type, browser, and operating system.
  • Pages visited, session duration, referrer.
  • No cross-site tracking, no advertising features, no remarketing.

2.4. Technical data

  • IP address: Processed temporarily for rate limiting and abuse prevention (e.g., on login and form submissions). Not stored permanently and not associated with User accounts.

2.5. Data we do NOT collect

  • Payment information (the website does not process payments).
  • Location data beyond what is inherent in an IP address during rate limiting.
  • Data from social media accounts.
  • Biometric data, health data, or any special categories of personal data as defined in Article 9 GDPR.

3. Legal Basis for Processing

In accordance with Article 6 of the GDPR, the legal bases for processing your personal data are:

  • Consent (Art. 6.1.a GDPR): Processing of analytics data is based on your explicit consent given via the cookie banner. You may withdraw this consent at any time.
  • Pre-contractual and contractual steps (Art. 6.1.b GDPR): Processing of contact data is necessary to respond to your inquiry and to take steps at your request prior to entering into a contract.
  • Legitimate interest (Art. 6.1.f GDPR): Temporary processing of IP addresses for rate limiting and abuse prevention is based on FORGELAB's legitimate interest in maintaining the security of the Service.

4. Purpose of Data Processing

Your personal data is processed exclusively for the following purposes:

  • To respond to your inquiries and evaluate potential collaboration.
  • To deliver contracted services (once a contract exists).
  • To authenticate and manage administrator access to the blog management system.
  • To understand, in aggregate, how visitors use the website (only with consent).
  • To prevent abuse and maintain the security of the Service.
  • To comply with applicable legal obligations.

FORGELAB does not process your data for profiling, automated decision-making, advertising, or any purpose other than those listed above.

5. Data Sharing and Third-Party Transfers

FORGELAB does not sell, rent, trade, or otherwise share your personal data with third parties for their own purposes. Your data may be disclosed only in the following limited circumstances:

  • Infrastructure providers: Data is stored on servers provided by the hosting provider. These providers act as data processors under contractual instructions and are bound by data processing agreements in compliance with Article 28 GDPR.
  • Analytics provider (Google LLC): If you consent to analytics cookies, aggregated and anonymized usage data is sent to Google Analytics 4. Google acts as a data processor. IP anonymization is enabled.
  • AI providers (OpenAI): The internal blog management system may send blog post content to OpenAI for translation, correction, and image-generation purposes. Personal data of website visitors is never sent to AI providers.
  • Legal obligations: Data may be disclosed if required by law, regulation, legal process, or governmental request.

6. International Data Transfers

Your data may be processed on servers located outside the European Economic Area (EEA), depending on the hosting and analytics providers' infrastructure. In such cases, FORGELAB ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, in compliance with Chapter V of the GDPR.

7. Data Storage and Security

  • Database: MongoDB, with access restricted to authorized application processes only.
  • Password security: All passwords are hashed using the bcrypt algorithm before storage. Plain-text passwords are never stored or logged.
  • Authentication: Administrator sessions are managed through httpOnly JWT cookies, which cannot be accessed by client-side JavaScript.
  • Transport security: All data transmitted between your browser and the servers is encrypted using HTTPS (TLS).
  • Access control: Access to production databases and servers is restricted to authorized FORGELAB personnel only.
  • Input validation: All user inputs are validated and sanitized to prevent injection attacks.

8. Data Retention

  • Contact data: Retained while the inquiry or the resulting engagement is active, and for the duration legally required to comply with tax and commercial obligations (typically 6 years in Spain).
  • Administrator account data: Retained for as long as the account exists. Deleted on request.
  • Analytics data: Retained by Google Analytics 4 for a maximum of 14 months, per the configured retention policy.
  • IP addresses: Processed in memory for rate limiting only. Not stored permanently.

9. Your Rights

In accordance with the GDPR (Articles 15-22) and the LOPDGDD, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7.3 GDPR)

To exercise any of these rights, you may:

  • Send an email to [email protected] with the subject "Data Rights Request", specifying the right you wish to exercise and providing sufficient information to verify your identity.
  • Send a written request to: FORGELAB DIGITAL PRODUCTS, S.L., Calle Amor de Dios, 1, 3-2, 29012, Malaga, Spain.

FORGELAB will respond to your request within one (1) month of receipt, as required by Article 12.3 GDPR. This period may be extended by two (2) further months where necessary.

10. Right to Lodge a Complaint

If you believe that the processing of your personal data violates the GDPR or applicable Spanish data protection legislation, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD):

  • Website: www.aepd.es
  • Postal address: C/ Jorge Juan, 6, 28001, Madrid, Spain

11. Cookies

The website uses one essential authentication cookie and, conditional on your consent, Google Analytics 4 cookies. For complete information about cookies, see the Cookie Policy.

12. Data Protection of Minors

The Service is not directed at children under the age of 16. FORGELAB does not knowingly collect personal data from individuals under 16. If you believe a minor has provided personal data, contact [email protected].

13. Changes to This Privacy Policy

FORGELAB reserves the right to modify this Privacy Policy at any time. Changes will be posted on this page with an updated "Last updated" date.

14. Contact

  • Email: [email protected]
  • Postal address: FORGELAB DIGITAL PRODUCTS, S.L., Calle Amor de Dios, 1, 3-2, 29012, Malaga, Spain
  • Website: forgelab.studio