Privacy Policy, Cookie Policy & Legal Notice

Last updated: April 6, 2026

BodaLab - A product of Estrategias Madrigal Marketing S.L.

Effective Date: April 6, 2026



1. Data Controller Identification

The data controller responsible for the processing of your personal data is:

  • Company Name: Estrategias Madrigal Marketing S.L.
  • Legal Form: Sociedad Limitada (Spanish Limited Liability Company)
  • Registered Address: Calle Concepcion Arenal 95, Entresuelo 2A, 03201 Elche, Alicante, Spain
  • Tax Identification Number (CIF): B75398545
  • Email: [email protected]
  • Website: https://bodalab.app / https://app.bodalab.app

For the purposes of the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and all other applicable data protection laws, Estrategias Madrigal Marketing S.L. (hereinafter "BodaLab," "we," "us," or "our") is the data controller with respect to your personal data when you use our platform, visit our website, or otherwise interact with our services.

When you, as a wedding professional, enter data about your own clients (wedding couples, guests, vendors) into BodaLab, we act as a Data Processor on your behalf. You remain the Data Controller for that client data. Our obligations as a Data Processor are governed by our Data Processing Agreement, which forms part of our Terms of Service.


2. Information We Collect

We collect and process the following categories of personal data:

2.1 Information You Provide Directly

(a) Account Registration Information

When you create a BodaLab account, we collect:

  • Full name
  • Email address
  • Password (stored in hashed form; we never store plaintext passwords)
  • Phone number (optional)
  • Business name and business type
  • Business address
  • Country and language preference
  • Tax identification number (for invoicing features)
  • Professional role or job title

(b) Profile and Business Information

When you set up and use your BodaLab workspace, you may provide:

  • Business logo and brand assets
  • Business description and service offerings
  • Social media links
  • Website URL
  • Preferred currency and payment terms
  • Custom branding and template preferences
  • Professional certifications or memberships

(c) Payment and Billing Information

When you subscribe to a paid plan, we collect:

  • Billing name and billing address
  • Payment card details (processed and stored exclusively by Stripe; we do not store full card numbers on our servers)
  • Transaction history and invoice records
  • Subscription plan and billing cycle
  • VAT/tax identification number (where applicable)

(d) Communications

When you contact us or use our communication features, we collect:

  • Email correspondence with our support team
  • In-app support requests and messages
  • Feedback, feature requests, and survey responses
  • WhatsApp integration messages sent through the platform (message content, timestamps, recipient information)

2.2 Information Collected Automatically

When you access or use BodaLab, we automatically collect:

(a) Device and Technical Information

  • Device type (desktop, tablet, mobile)
  • Operating system and version
  • Browser type and version
  • Screen resolution
  • Device identifiers
  • Language and locale settings

(b) Usage and Log Information

  • IP address
  • Date and time of access
  • Pages and features accessed
  • Click patterns and navigation paths
  • Session duration and frequency of use
  • Referring URL and exit pages
  • Feature usage patterns (which modules you use, how frequently)
  • Error logs and performance data

(c) Cookie and Tracking Data

  • Session identifiers
  • Authentication tokens
  • User preferences stored in cookies
  • Analytics data (where consent is provided; see Section 11)

2.3 Information from Third Parties

We may receive personal data from the following third-party sources:

  • Stripe: Payment confirmation, subscription status, billing events, and fraud prevention signals.
  • Supabase Authentication: If you authenticate using a magic link or other supported authentication flow, Supabase may provide us with your email address and authentication tokens.
  • Public Sources: If you have a publicly available business website or social media profile, we may use that information to improve our understanding of our user base in aggregate.

2.4 Client Data You Enter (Data Processor Role)

As a wedding professional using BodaLab, you may input data about your own clients into the platform. This data may include, but is not limited to:

  • Names, email addresses, and phone numbers of wedding couples
  • Guest lists with names, contact details, dietary requirements, attendance status, and seating assignments
  • Contract details, including signatures collected via our e-signature feature
  • Invoice and payment records for your clients
  • Wedding timeline details and event schedules
  • Photos, videos, and other media uploaded to galleries
  • Form responses from your clients or their guests
  • Vendor contact information and service details
  • Notes, tags, and custom fields you create

Important: With respect to this client data, you (the wedding professional) are the Data Controller, and BodaLab acts as a Data Processor. You are responsible for obtaining all necessary consents and legal bases for collecting and processing your clients' personal data. We process this data solely on your instructions and in accordance with our Data Processing Agreement. We do not use your client data for our own purposes, sell it, or share it with third parties except as strictly necessary to provide the BodaLab service to you.


3. How We Use Your Information

We process your personal data for the following purposes, each mapped to its corresponding legal basis under Article 6 of the GDPR:

Purpose | Legal Basis (GDPR Art. 6)
To create, maintain, and manage your account | Performance of a contract (Art. 6(1)(b))
To provide and operate the BodaLab platform and its features | Performance of a contract (Art. 6(1)(b))
To process payments, manage subscriptions, and issue invoices | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))
To send transactional emails (account verification, password resets, subscription confirmations, billing receipts) | Performance of a contract (Art. 6(1)(b))
To provide customer support and respond to inquiries | Performance of a contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f))
To send product updates, feature announcements, and service notifications | Legitimate interest (Art. 6(1)(f)) - keeping you informed about the service you use
To send marketing communications (newsletters, promotional offers, tips for wedding professionals) | Consent (Art. 6(1)(a)) - you may withdraw consent at any time
To analyze usage patterns and improve our platform | Legitimate interest (Art. 6(1)(f)) - improving and optimizing our service
To run analytics via Google Analytics | Consent (Art. 6(1)(a)) - only with your prior consent via our cookie banner
To serve targeted advertising via Meta Pixel | Consent (Art. 6(1)(a)) - only with your prior consent via our cookie banner
To detect, prevent, and address technical issues, fraud, and security threats | Legitimate interest (Art. 6(1)(f)) - protecting our platform and users
To comply with legal and regulatory obligations (tax records, fraud prevention, law enforcement requests) | Legal obligation (Art. 6(1)(c))
To enforce our Terms of Service and protect our legal rights | Legitimate interest (Art. 6(1)(f))
To aggregate and anonymize data for statistical analysis and business intelligence | Legitimate interest (Art. 6(1)(f)) - anonymized data is no longer personal data

Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request a copy of our legitimate interest assessments by contacting us at [email protected].

Where we rely on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.


4. How We Share Your Information

We do not sell your personal data. We share your personal data only with the following categories of service providers, each of which is bound by contractual obligations to protect your data:

4.1 Supabase (Database Hosting and Authentication)

  • Provider: Supabase, Inc.
  • Data Shared: Account data, authentication credentials, all platform data stored in our PostgreSQL database (encrypted at rest and in transit)
  • Purpose: Database hosting, user authentication, real-time data synchronization, and serverless edge functions
  • Data Location: European Union (EU region)
  • Transfer Mechanism: Data remains within the EU; no international transfer required for primary database operations
  • Safeguards: SOC 2 Type II certified; data encrypted at rest (AES-256) and in transit (TLS 1.2+); row-level security enforced at the database level

4.2 Stripe (Payment Processing)

  • Provider: Stripe, Inc. / Stripe Payments Europe, Ltd.
  • Data Shared: Billing name, billing address, payment card details, transaction amounts, subscription plan information, email address, IP address
  • Purpose: Processing subscription payments, managing billing, issuing receipts, fraud detection
  • Data Location: United States and European Union (Stripe maintains infrastructure in both regions)
  • Transfer Mechanism: EU-US Data Privacy Framework (Stripe is a certified participant); Standard Contractual Clauses (SCCs) as a supplementary measure
  • Safeguards: PCI DSS Level 1 certified; SOC 1 and SOC 2 reports; full card numbers are never transmitted to or stored on BodaLab servers

4.3 Resend (Transactional Email)

  • Provider: Resend, Inc.
  • Data Shared: Recipient email addresses, email subject lines, email body content (for transactional messages such as password resets, billing receipts, e-signature requests, and form notifications)
  • Purpose: Delivering transactional and system-generated emails on behalf of BodaLab
  • Data Location: United States
  • Transfer Mechanism: Standard Contractual Clauses (SCCs); Data Processing Agreement in place
  • Safeguards: TLS encryption for email transmission; data retained only as long as necessary for delivery and logging

4.4 Backblaze B2 (File Storage)

  • Provider: Backblaze, Inc.
  • Data Shared: Files uploaded by users, including photos, videos, documents, contracts, and other media stored in galleries or attached to records; file metadata (file name, size, upload timestamp, MIME type)
  • Purpose: Secure, durable storage of user-uploaded files; serving files via CDN for gallery sharing and document access
  • Data Location: United States
  • Transfer Mechanism: Standard Contractual Clauses (SCCs); Data Processing Agreement in place
  • Safeguards: Server-side encryption (SSE-B2); TLS encryption in transit; files are accessible only through authenticated, time-limited URLs or authorized CDN endpoints

4.5 Cloudflare (CDN, Edge Workers, Security)

  • Provider: Cloudflare, Inc.
  • Data Shared: IP addresses, HTTP request headers, request URLs, request bodies (for API calls routed through Cloudflare Workers), cached static assets, file content served via CDN (cdn.bodalab.es)
  • Purpose: Content delivery network for static assets and uploaded files; edge compute (Cloudflare Workers) for file upload processing, PDF generation, email dispatch, file download handling, and scheduled cleanup tasks; DDoS protection and web application firewall (WAF)
  • Data Location: Global edge network (data is processed at the edge node nearest to the user; origin data is stored in the EU and US)
  • Transfer Mechanism: EU-US Data Privacy Framework (Cloudflare is a certified participant); Standard Contractual Clauses (SCCs)
  • Safeguards: SOC 2 Type II; ISO 27001; TLS 1.3 encryption; data processed transiently at edge nodes and not persistently stored beyond caching duration

4.6 Sentry (Error Monitoring)

  • Provider: Functional Software, Inc. (Sentry)
  • Data Shared: Error stack traces, browser and device metadata, IP addresses (anonymized), user identifiers (anonymized or pseudonymized), breadcrumb events leading to errors
  • Purpose: Real-time error tracking, performance monitoring, and debugging to maintain platform stability
  • Data Location: United States
  • Transfer Mechanism: Standard Contractual Clauses (SCCs); Data Processing Agreement in place
  • Safeguards: SOC 2 Type II; data scrubbing rules applied to strip sensitive information from error reports before transmission; IP addresses anonymized; personal data minimization enforced

4.7 Google Analytics (Optional, Consent-Based)

  • Provider: Google LLC / Google Ireland Limited
  • Data Shared: Pseudonymized usage data, page views, session data, device and browser information, approximate geographic location (derived from IP, with IP anonymization enabled), referral sources
  • Purpose: Understanding how users interact with our website and platform to improve user experience and inform product decisions
  • Data Location: United States and European Union (Google Analytics 4 with EU data residency settings where available)
  • Transfer Mechanism: EU-US Data Privacy Framework (Google LLC is a certified participant); Standard Contractual Clauses (SCCs)
  • Safeguards: IP anonymization enabled; data retention set to 14 months; no cross-site tracking; consent obtained via cookie banner before any tracking scripts are loaded
  • Consent: Google Analytics cookies are only activated if you provide explicit consent through our cookie consent banner. You may withdraw consent at any time.

4.8 Meta Pixel (Optional, Consent-Based)

  • Provider: Meta Platforms, Inc. / Meta Platforms Ireland Limited
  • Data Shared: Pseudonymized browsing data, page views, conversion events (e.g., sign-up, subscription), device and browser information, IP address
  • Purpose: Measuring the effectiveness of our advertising campaigns on Meta platforms (Facebook, Instagram); creating custom and lookalike audiences for targeted advertising
  • Data Location: United States and European Union
  • Transfer Mechanism: EU-US Data Privacy Framework (Meta Platforms, Inc. is a certified participant); Standard Contractual Clauses (SCCs)
  • Safeguards: Consent obtained via cookie banner before the pixel is loaded; limited data processing enabled; Conversions API used where possible to reduce reliance on browser cookies
  • Consent: Meta Pixel is only activated if you provide explicit consent through our cookie consent banner. You may withdraw consent at any time.

4.9 Other Disclosures

We may also disclose your personal data in the following limited circumstances:

  • Legal Requirements: If required to do so by law, regulation, court order, subpoena, or other legal process.
  • Protection of Rights: To protect the rights, property, or safety of BodaLab, our users, or the public.
  • Business Transfers: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, in which case personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your data.
  • With Your Consent: For any purpose not described above, we will seek your explicit consent before sharing your data.

5. International Data Transfers

BodaLab is operated by a company established in Spain (EU). However, some of our service providers are located outside the European Economic Area (EEA). We ensure that all international transfers of personal data comply with applicable data protection laws.

5.1 EU/EEA to United Kingdom

The European Commission has issued an adequacy decision for the United Kingdom (Commission Implementing Decision (EU) 2021/1772), confirming that the UK provides an adequate level of data protection. Personal data may therefore flow freely from the EU/EEA to the UK without the need for additional safeguards. We monitor the status of this adequacy decision on an ongoing basis.

5.2 EU/EEA to United States

For transfers of personal data from the EU/EEA to the United States, we rely on the following mechanisms:

(a) EU-US Data Privacy Framework (DPF)

Where our US-based service providers are certified participants in the EU-US Data Privacy Framework (as designated by the European Commission's adequacy decision of July 10, 2023), we rely on this framework as the primary transfer mechanism. As of the date of this policy, the following providers are DPF-certified: Stripe, Cloudflare, Google, and Meta.

(b) Standard Contractual Clauses (SCCs)

For US-based providers that are not DPF-certified, or as a supplementary safeguard alongside the DPF, we enter into the European Commission's Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914. We use SCCs with the following providers: Resend, Backblaze, and Sentry.

(c) Supplementary Measures

In addition to the above, we implement appropriate supplementary measures as recommended by the European Data Protection Board (EDPB), including:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
  • Access controls limiting data access to authorized personnel only
  • Contractual commitments from providers to challenge government access requests where legally permissible
  • Regular assessments of the legal framework in the recipient country

5.3 UK to Other Countries

For transfers of personal data from the UK to countries outside the UK, we rely on:

  • UK Adequacy Regulations: Where the UK Secretary of State has made adequacy regulations for the recipient country (including EEA member states).
  • UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, as approved by the ICO.
  • UK Extension to the EU-US Data Privacy Framework: For transfers to DPF-certified US organizations.

5.4 Your Right to Information

You have the right to obtain a copy of the safeguards we have put in place for international data transfers. To request this information, contact us at [email protected].


6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following table outlines our retention periods by data category:

Data Category | Retention Period | Justification
Account registration data (name, email, password hash) | Duration of your account plus 30 days after account deletion | Necessary for service provision; 30-day grace period for account recovery
Profile and business information | Duration of your account plus 30 days after account deletion | Necessary for service provision
Payment and billing records (invoices, transaction history) | 7 years after the transaction date | Required by Spanish tax law (Ley General Tributaria) and EU VAT regulations
Subscription and plan data | Duration of your account plus 7 years for financial records | Contractual necessity and legal obligation
Client data you enter (wedding client records, guest lists, contracts, galleries) | Duration of your account; deleted within 30 days of account deletion or upon your earlier request | Processed as Data Processor on your instruction
Uploaded files (photos, videos, documents, contracts) | Duration of your account; deleted within 30 days of account deletion or upon your earlier request | Processed as Data Processor on your instruction
E-signature records (signed contracts, audit trails) | Duration of your account plus 7 years | Legal obligation; evidentiary value of signed contracts
Transactional email logs | 12 months from the date of sending | Legitimate interest in service monitoring and troubleshooting
Customer support correspondence | 3 years from the date of the last communication | Legitimate interest in maintaining service quality and resolving recurring issues
Server and access logs (IP addresses, request logs) | 12 months from the date of creation | Legitimate interest in security monitoring; legal obligation for certain logs
Error monitoring data (Sentry) | 90 days from the date of the error event | Legitimate interest in maintaining platform stability
Analytics data (Google Analytics) | 14 months (configured in Google Analytics settings) | Consent-based; data automatically purged by Google after the retention period
Cookie consent records | 3 years from the date of consent | Legal obligation to demonstrate valid consent
Marketing consent records | Duration of consent plus 3 years after withdrawal | Legal obligation to demonstrate valid consent and honor withdrawal

Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymized. Anonymized data may be retained indefinitely for statistical and analytical purposes, as it no longer constitutes personal data.

If you request deletion of your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., billing records for tax compliance).


7. Your Rights

7.1 If You Are in the EU/EEA (GDPR Rights)

Under the General Data Protection Regulation (Regulation (EU) 2016/679), you have the following rights with respect to your personal data:

(a) Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data together with information about the purposes of processing, the categories of data concerned, the recipients to whom data has been disclosed, the retention periods, and your rights. We will provide this information free of charge within one month of your request.

(b) Right to Rectification (Article 16)

You have the right to obtain the correction of inaccurate personal data and the completion of incomplete personal data. You can update most of your account information directly through the BodaLab platform settings. For data you cannot update yourself, contact us.

(c) Right to Erasure ("Right to Be Forgotten") (Article 17)

You have the right to request the deletion of your personal data where: (i) the data is no longer necessary for the purpose for which it was collected; (ii) you withdraw consent and no other legal basis applies; (iii) you object to processing and there are no overriding legitimate grounds; (iv) the data has been unlawfully processed; or (v) deletion is required to comply with a legal obligation. This right is not absolute and may be limited where retention is necessary for compliance with legal obligations, the establishment, exercise, or defense of legal claims, or reasons of public interest.

(d) Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data where: (i) you contest the accuracy of the data (for the period needed to verify accuracy); (ii) the processing is unlawful and you prefer restriction over erasure; (iii) we no longer need the data but you require it for legal claims; or (iv) you have objected to processing pending verification of whether our legitimate grounds override yours.

(e) Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV) and to transmit that data to another controller without hindrance, where: (i) the processing is based on consent or a contract; and (ii) the processing is carried out by automated means.

(f) Right to Object (Article 21)

You have the right to object, on grounds relating to your particular situation, to processing of your personal data based on legitimate interest (Article 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. You have an absolute right to object to processing for direct marketing purposes at any time.

(g) Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. BodaLab does not currently engage in solely automated decision-making that produces legal or similarly significant effects.

(h) Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You may withdraw consent by: (i) adjusting your cookie preferences via our cookie consent banner; (ii) unsubscribing from marketing emails via the link in each email; or (iii) contacting us at [email protected].

(i) Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. As BodaLab is established in Spain, our lead supervisory authority is the:

Agencia Espanola de Proteccion de Datos (AEPD)

  • Website: https://www.aepd.es
  • Address: C/ Jorge Juan 6, 28001 Madrid, Spain
  • Phone: +34 901 100 099

You may also lodge a complaint with the supervisory authority in your EU/EEA member state of residence or place of work.

How to Exercise Your Rights:

To exercise any of the above rights, please contact us at:

  • Email: [email protected]
  • Subject Line: "Data Subject Rights Request - [Your Right]"
  • Postal Mail: Estrategias Madrigal Marketing S.L., Calle Concepcion Arenal 95, Entresuelo 2A, 03201 Elche, Alicante, Spain

We will respond to your request within one month of receipt. This period may be extended by two additional months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

We may request additional information to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

7.2 If You Are in the United Kingdom (UK GDPR Rights)

If you are located in the United Kingdom, you have equivalent rights under the UK General Data Protection Regulation (UK GDPR, as retained under the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018). These rights mirror those described in Section 7.1 above. Please refer to Section 10 of this policy for further details on UK-specific provisions.

7.3 If You Are in the United States

If you are located in the United States, your rights depend on the state in which you reside. Please refer to:

  • Section 8 for comprehensive details on your rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
  • Section 9 for information on your rights under the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and other state privacy laws.

8. Your California Privacy Rights (CCPA)

This section applies to you if you are a California resident. It is provided pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA," Cal. Civ. Code Section 1798.100 et seq.).

Under the CCPA, "personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

8.1 Categories of Personal Information Collected in the Last 12 Months

The following table describes the categories of personal information we have collected from consumers in the preceding twelve (12) months, the sources of that information, and the business or commercial purposes for which it was collected:

CCPA Category | Examples of Data Collected | Sources | Business Purpose
A. Identifiers | Real name, email address, account name, IP address, unique personal identifier, online identifier | Directly from you; automatically collected | Providing the service; account management; security; customer support
B. Personal information categories listed in Cal. Civ. Code Section 1798.80(e) | Name, address, telephone number, financial information (billing details processed via Stripe) | Directly from you | Providing the service; payment processing; billing
C. Protected classification characteristics under California or federal law | None intentionally collected | N/A | N/A
D. Commercial information | Records of subscriptions purchased, subscription history, payment history, services used | Directly from you; generated from your use of the service | Providing the service; billing; improving the service
E. Biometric information | None collected | N/A | N/A
F. Internet or other similar network activity | Browsing history on our platform, search history within the app, information regarding interaction with our website and application, clickstream data | Automatically collected | Improving the service; analytics (with consent); security
G. Geolocation data | Approximate location derived from IP address (city/region level) | Automatically collected | Service customization; security; analytics (with consent)
H. Sensory data | Photos and videos uploaded to galleries (uploaded by you, as a wedding professional, on behalf of your clients) | Directly from you | Providing the gallery and file storage features of the service
I. Professional or employment-related information | Business name, business type, professional role, job title | Directly from you | Providing the service; customizing the experience
J. Non-public education information | None collected | N/A | N/A
K. Inferences drawn from other personal information | User preferences, feature usage patterns, likelihood of subscription renewal | Generated internally from your use of the service | Improving the service; personalizing the experience
L. Sensitive personal information | Account login credentials (email and password); precise geolocation is NOT collected; financial account details are processed only by Stripe | Directly from you | Providing the service; authentication; payment processing

8.2 Categories of Sources of Personal Information

We collect personal information from the following categories of sources:

  1. Directly from you when you create an account, subscribe to a plan, enter data into the platform, upload files, contact support, or otherwise interact with BodaLab.
  2. Automatically when you access or use our website or platform, through cookies, log files, and similar technologies.
  3. From service providers such as Stripe (payment confirmation data) and Supabase (authentication events).
  4. From publicly available sources such as your business website or public social media profiles (only for aggregate market understanding, not individual profiling).

8.3 Business and Commercial Purposes for Collection

We collect and use personal information for the following business and commercial purposes:

  1. Providing and maintaining the BodaLab platform, including account registration, authentication, and all core features (CRM, invoicing, contracts, galleries, guest management, calendar, automation, forms, timelines, vendor directory, WhatsApp integration).
  2. Processing payments and managing subscriptions through Stripe.
  3. Communicating with you, including transactional emails, customer support, service notifications, and (with your consent) marketing communications.
  4. Improving and optimizing our service, including analyzing usage patterns, conducting A/B tests, and developing new features.
  5. Ensuring security and preventing fraud, including monitoring for suspicious activity, enforcing our Terms of Service, and protecting against unauthorized access.
  6. Complying with legal obligations, including tax reporting, responding to lawful government requests, and maintaining required records.
  7. Advertising and marketing (with your consent), including measuring the effectiveness of our advertising campaigns.

8.4 We Do Not Sell Your Personal Information

BodaLab does not sell your personal information. We have not sold personal information in the preceding twelve (12) months, and we do not have plans to sell personal information in the future.

For the avoidance of doubt, we do not:

  • Sell personal information to data brokers, advertisers, or any other third parties.
  • Share personal information for cross-context behavioral advertising without your explicit, opt-in consent.
  • Use or disclose sensitive personal information for purposes other than those permitted under CCPA Section 1798.121.

If we use consent-based cookies (Google Analytics, Meta Pixel), these are activated only with your prior, explicit opt-in consent and are not considered "sales" under the CCPA. You may opt out of these cookies at any time through our cookie consent banner.

8.5 We Do Not Share Your Personal Information for Cross-Context Behavioral Advertising

As amended by the CPRA, the CCPA defines "sharing" as making personal information available to a third party for cross-context behavioral advertising purposes. BodaLab does not "share" your personal information for cross-context behavioral advertising, except where you have provided explicit opt-in consent (e.g., by consenting to Meta Pixel via our cookie banner). You may withdraw this consent at any time.

8.6 Your CCPA Rights

As a California resident, you have the following rights under the CCPA:

(a) Right to Know (Right to Access)

You have the right to request that we disclose to you:

  • The categories of personal information we have collected about you.
  • The categories of sources from which the personal information was collected.
  • The business or commercial purpose for collecting or selling personal information.
  • The categories of third parties with whom we share personal information.
  • The specific pieces of personal information we have collected about you.

You may make a verifiable request to know up to two (2) times in a twelve (12) month period.

(b) Right to Delete

You have the right to request that we delete personal information we have collected from you, subject to certain exceptions. We may deny your deletion request if retaining the information is necessary for us or our service providers to:

  • Complete a transaction for which the personal information was collected.
  • Provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship.
  • Perform a contract between us and you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible.
  • Debug to identify and repair errors that impair existing functionality.
  • Exercise free speech or another right provided by law.
  • Comply with the California Electronic Communications Privacy Act.
  • Engage in public or peer-reviewed scientific, historical, or statistical research.
  • Enable solely internal uses reasonably aligned with your expectations.
  • Comply with a legal obligation.
  • Otherwise use the personal information internally in a lawful manner compatible with the context in which you provided it.

(c) Right to Correct

You have the right to request that we correct inaccurate personal information that we maintain about you, taking into account the nature of the personal information and the purposes of the processing.

(d) Right to Opt-Out of Sale or Sharing

You have the right to opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioral advertising. As stated above, BodaLab does not sell personal information and does not share personal information for cross-context behavioral advertising without your consent.

(e) Right to Limit Use and Disclosure of Sensitive Personal Information

You have the right to limit our use and disclosure of your sensitive personal information to uses that are necessary to perform the services reasonably expected by you. BodaLab only uses sensitive personal information (account login credentials) for the purpose of providing the service and does not use it for any additional, non-essential purposes.

(f) Right to Non-Discrimination

You have the right not to receive discriminatory treatment for exercising any of your CCPA rights. We will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services.
  • Provide you with a different level or quality of goods or services.
  • Suggest that you will receive a different price or rate or a different level or quality of goods or services.

8.7 How to Exercise Your CCPA Rights

To exercise your rights under the CCPA, you may submit a verifiable consumer request to us by:

Please include in your request:

  • Your full name
  • Your email address associated with your BodaLab account
  • The specific right(s) you wish to exercise
  • Sufficient information for us to verify your identity

Response Time: We will acknowledge receipt of your request within ten (10) business days and provide a substantive response within forty-five (45) calendar days of receiving your verifiable request. If we require additional time (up to an additional 45 days), we will inform you in writing of the reason and the extension period.

Cost: There is no charge for processing your request, unless it is manifestly unfounded or excessive.

8.8 Verification Process

To protect your privacy and security, we must verify your identity before fulfilling your request. Our verification process may include:

  1. Account holders: We will verify your identity by confirming your email address and matching it to an existing BodaLab account. We may ask you to confirm additional account details (e.g., the date you created your account, your subscription plan, or your business name).
  2. Non-account holders: If you do not have a BodaLab account, we will verify your identity by requesting that you provide at least two (2) pieces of personal information that we can match against our records. If we cannot verify your identity to a reasonable degree of certainty, we will explain why and inform you of your options.
  3. Requests for specific pieces of personal information: For requests to know specific pieces of personal information, we apply a higher standard of verification and may require you to provide a signed declaration under penalty of perjury confirming your identity.

We will not fulfill a request if we cannot verify your identity or authority to make the request.

8.9 Authorized Agents

You may designate an authorized agent to submit a request on your behalf. To do so:

  1. The authorized agent must provide a written authorization signed by you or a power of attorney.
  2. We may still require you to verify your own identity directly with us, unless the agent provides a valid power of attorney under California Probate Code Sections 4000-4465.

To designate an authorized agent, contact us at [email protected] with the subject line "CCPA Authorized Agent Request."

8.10 Financial Incentives

BodaLab does not offer financial incentives, price differences, or service differences in exchange for the retention or sale of personal information.

8.11 Metrics

In accordance with CCPA regulations, BodaLab will compile and disclose metrics regarding consumer requests received in the prior calendar year upon request. These metrics include the number of requests to know, requests to delete, and requests to opt out received, complied with (in whole or in part), and denied, along with the median response time.


9. Additional US State Privacy Rights

9.1 Virginia Consumer Data Protection Act (VCDPA)

If you are a Virginia resident, effective January 1, 2023, you have the following rights under the VCDPA (Va. Code Section 59.1-575 et seq.):

  • Right to Access: You may confirm whether we are processing your personal data and access that data.
  • Right to Correct: You may correct inaccuracies in your personal data.
  • Right to Delete: You may request deletion of personal data you have provided or that we have obtained about you.
  • Right to Data Portability: You may obtain a copy of your personal data in a portable, readily usable format.
  • Right to Opt Out: You may opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise your rights, contact us at [email protected]. We will respond within 45 days. You may appeal our decision by contacting us with the subject line "VCDPA Appeal." If your appeal is denied, you may contact the Virginia Attorney General at https://www.oag.state.va.us.

9.2 Colorado Privacy Act (CPA)

If you are a Colorado resident, effective July 1, 2023, you have similar rights under the Colorado Privacy Act (C.R.S. Section 6-1-1301 et seq.), including the rights to access, correct, delete, obtain a portable copy of your data, and opt out of targeted advertising, the sale of personal data, and profiling. To exercise your rights, contact us at [email protected]. We will respond within 45 days. You may appeal our decision; if your appeal is denied, you may contact the Colorado Attorney General at https://coag.gov.

9.3 Connecticut Data Privacy Act (CTDPA)

If you are a Connecticut resident, effective July 1, 2023, you have similar rights under the Connecticut Data Privacy Act (Conn. Gen. Stat. Section 42-515 et seq.), including the rights to access, correct, delete, obtain a portable copy of your data, and opt out of targeted advertising, the sale of personal data, and profiling. To exercise your rights, contact us at [email protected]. We will respond within 45 days. You may appeal our decision; if your appeal is denied, you may contact the Connecticut Attorney General at https://portal.ct.gov/AG.

9.4 Other US State Privacy Laws

If you reside in another US state that has enacted comprehensive consumer privacy legislation (including but not limited to Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Rhode Island, and Kentucky), we will honor your data privacy rights as required by applicable law. To exercise any rights available to you, contact us at [email protected].


10. UK GDPR — Supplemental Provisions

This section provides supplemental information for individuals located in the United Kingdom, in addition to the rights described in Section 7 of this policy.

10.1 Applicable Law

If you are located in the United Kingdom, the processing of your personal data is governed by the UK General Data Protection Regulation (UK GDPR), which is the retained EU GDPR as incorporated into UK domestic law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, read together with the Data Protection Act 2018 (DPA 2018).

10.2 Legal Bases for Processing

The legal bases for processing your personal data are the same as those described in Section 3 of this policy. Under the UK GDPR, these legal bases are set out in Article 6 of the UK GDPR, which mirrors Article 6 of the EU GDPR.

10.3 Your Rights Under the UK GDPR

You have the same rights under the UK GDPR as those described in Section 7.1 of this policy (right of access, right to rectification, right to erasure, right to restriction, right to data portability, right to object, right not to be subject to automated decision-making, and right to withdraw consent). These rights are exercisable under Articles 15 through 22 of the UK GDPR and Part 3 of the DPA 2018.

10.4 International Transfers from the UK

For transfers of personal data from the UK to countries outside the UK:

  • UK to EU/EEA: The UK has recognized the EU/EEA as providing an adequate level of data protection under the UK GDPR adequacy regulations. No additional safeguards are required.
  • UK to US: We rely on the UK Extension to the EU-US Data Privacy Framework for transfers to DPF-certified US organizations. For other US transfers, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the ICO.

10.5 Supervisory Authority

If you are located in the United Kingdom, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)

  • Website: https://ico.org.uk
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
  • Phone: +44 (0)303 123 1113
  • Live Chat: Available on the ICO website

You may also contact the ICO for guidance on exercising your data protection rights.

10.6 Representative in the UK

As BodaLab is established in the EU and offers services to individuals in the UK, we will appoint a UK representative as required under Article 27 of the UK GDPR if and when this obligation applies. Details of our UK representative, if appointed, will be published on this page.

10.7 How to Exercise Your UK GDPR Rights

To exercise your rights under the UK GDPR, please contact us at:

  • Email: [email protected] (subject line: "UK GDPR Rights Request")
  • Postal Mail: Estrategias Madrigal Marketing S.L., Calle Concepcion Arenal 95, Entresuelo 2A, 03201 Elche, Alicante, Spain

We will respond to your request within one month of receipt. This period may be extended by two additional months where necessary, and we will inform you of any extension within one month.


11. Cookies and Tracking Technologies

11.1 What Are Cookies?

Cookies are small text files that are stored on your device (computer, tablet, or mobile phone) when you visit a website. Cookies are widely used to make websites work, work more efficiently, and provide reporting information. We also use similar technologies such as local storage, session storage, and pixel tags.

11.2 Categories of Cookies We Use

(a) Strictly Necessary Cookies (Essential)

These cookies are essential for the operation of BodaLab and cannot be disabled. They include:

| Cookie Name | Purpose | Duration | Provider |
|---|---|---|---|
| Session cookie | Maintains your authenticated session | Session (expires on browser close) or up to 7 days | BodaLab (Supabase Auth) |
| CSRF token | Prevents cross-site request forgery attacks | Session | BodaLab |
| Cookie consent preferences | Stores your cookie consent choices | 12 months | BodaLab |
| Language/locale preference | Remembers your selected language | 12 months | BodaLab |
| Security cookies | Fraud detection and platform security | Session to 30 days | Cloudflare |

Legal basis: Strictly necessary cookies do not require consent under the ePrivacy Directive (Directive 2002/58/EC) or the UK Privacy and Electronic Communications Regulations (PECR), as they are essential for the provision of the service you have requested.

(b) Analytics Cookies (Consent Required)

These cookies help us understand how visitors interact with our website and platform by collecting and reporting information. They are only activated with your prior, explicit consent.

| Cookie Name | Purpose | Duration | Provider |
|---|---|---|---|
| _ga | Distinguishes unique users for Google Analytics | 2 years | Google |
| _ga_[ID] | Maintains session state for Google Analytics 4 | 2 years | Google |

Legal basis: Consent (GDPR Art. 6(1)(a)). These cookies are not loaded until you provide consent via our cookie consent banner.

(c) Marketing Cookies (Consent Required)

These cookies are used to measure the effectiveness of our advertising campaigns and may be used to deliver relevant advertisements to you. They are only activated with your prior, explicit consent.

| Cookie Name | Purpose | Duration | Provider |
|---|---|---|---|
| _fbp | Identifies browsers for Meta advertising attribution | 3 months | Meta |
| _fbc | Stores click identifiers from Meta ads | 3 months | Meta |

Legal basis: Consent (GDPR Art. 6(1)(a)). These cookies are not loaded until you provide consent via our cookie consent banner.

11.3 How to Manage Cookies

You can manage your cookie preferences in the following ways:

  1. Cookie Consent Banner: When you first visit BodaLab, you will see a cookie consent banner allowing you to accept or reject non-essential cookies. You can change your preferences at any time by clicking the "Cookie Settings" link in the footer of our website.
  2. Browser Settings: Most web browsers allow you to control cookies through their settings. You can set your browser to block or delete cookies, although this may affect the functionality of BodaLab. Instructions for managing cookies in common browsers:
    • Chrome: Settings > Privacy and Security > Cookies and other site data
    • Firefox: Settings > Privacy & Security > Cookies and Site Data
    • Safari: Preferences > Privacy > Manage Website Data
    • Edge: Settings > Cookies and site permissions
  3. Opt-Out Links:
  4. Do Not Track (DNT): Some browsers offer a "Do Not Track" signal. There is currently no industry-wide standard for how websites should respond to DNT signals. BodaLab does not currently respond to DNT signals, but we honor your cookie consent preferences as described above.


13. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

13.1 Technical Measures

  • Encryption in Transit: All data transmitted between your device and BodaLab is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at Rest: All data stored in our database (Supabase/PostgreSQL) is encrypted at rest using AES-256 encryption. Files stored in Backblaze B2 are encrypted at rest using server-side encryption (SSE-B2).
  • Password Security: User passwords are hashed using bcrypt with a high cost factor. We never store plaintext passwords.
  • Access Controls: Database access is governed by Row-Level Security (RLS) policies, ensuring strict multi-tenant data isolation. Each user can only access data belonging to their own workspace.
  • Authentication: Secure session management via Supabase Auth, with token-based authentication and automatic session expiry.
  • Infrastructure Security: Our infrastructure providers (Supabase, Cloudflare, Stripe) maintain SOC 2 Type II certifications and/or ISO 27001 certifications.
  • Web Application Firewall (WAF): Cloudflare WAF protects against common web application attacks, including SQL injection, cross-site scripting (XSS), and DDoS attacks.
  • Monitoring: Continuous error monitoring via Sentry; access logging for audit trails.

13.2 Organizational Measures

  • Principle of Least Privilege: Access to personal data is restricted to authorized personnel who need it to perform their duties.
  • Vendor Due Diligence: All third-party service providers are vetted for their security practices and are bound by Data Processing Agreements.
  • Incident Response: We maintain an incident response plan for detecting, investigating, and responding to personal data breaches. In the event of a breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform you without undue delay, as required by Article 33 and Article 34 of the GDPR.
  • Regular Review: We periodically review and update our security measures to address new threats and vulnerabilities.

13.3 Your Role in Security

While we take extensive measures to protect your data, security is a shared responsibility. We encourage you to:

  • Use a strong, unique password for your BodaLab account.
  • Keep your login credentials confidential and do not share them with unauthorized individuals.
  • Log out of your account when using shared devices.
  • Notify us immediately at [email protected] if you suspect unauthorized access to your account.

14. Children's Privacy

BodaLab is a business-to-business SaaS platform designed for wedding professionals. Our service is not directed at, marketed to, or intended for use by individuals under the age of eighteen (18).

We do not knowingly collect personal information from children under the age of 18. If we become aware that we have collected personal information from a child under 18, we will take immediate steps to delete that information.

If you are a parent or guardian and believe that your child has provided personal information to BodaLab, please contact us at [email protected], and we will promptly delete the information.

For the purposes of the US Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under the age of 13.


15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, changes in applicable law, or for other operational, legal, or regulatory reasons.

15.1 Notification of Changes

  • Material Changes: If we make material changes to this Privacy Policy (e.g., changes to the categories of personal data we collect, new purposes for processing, new third-party recipients, or changes to your rights), we will notify you by: (i) posting a prominent notice on our website; (ii) sending an email notification to the address associated with your account; and (iii) updating the "Last Updated" date at the top of this policy. We will provide at least thirty (30) days' advance notice before material changes take effect.
  • Non-Material Changes: For non-material changes (e.g., typographical corrections, formatting updates), we will update this page and the "Last Updated" date without additional notice.

15.2 Your Continued Use

Your continued use of BodaLab after the effective date of any changes to this Privacy Policy constitutes your acknowledgment of the changes. If you do not agree with the updated policy, you should discontinue your use of BodaLab and delete your account.

15.3 Prior Versions

We will maintain an archive of prior versions of this Privacy Policy. You may request a copy of any prior version by contacting us at [email protected].


16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your rights, please contact us:

Estrategias Madrigal Marketing S.L.

  • Email: [email protected]
  • Postal Address: Calle Concepcion Arenal 95, Entresuelo 2A, 03201 Elche, Alicante, Spain
  • CIF: B75398545

16.1 Supervisory Authorities

If you are not satisfied with our response to your inquiry or complaint, you have the right to lodge a complaint with the relevant supervisory authority:

European Union / Spain:

Agencia Espanola de Proteccion de Datos (AEPD)

If you reside in another EU/EEA member state, you may also contact your local supervisory authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

United Kingdom:

Information Commissioner's Office (ICO)

United States / California:

Office of the California Attorney General




This document was last updated on April 6, 2026.