Privacy policy.
Last updated 14 May 2026. This policy applies to https://velvetgriddesign.com and the engagements run by Velvetgriddesign Estudio S.L. (the "studio") from its registered address at P.º de la Marina Española, 15, 51001 Ceuta, Spain.
1 · Who we are.
This site is operated by Velvetgriddesign Estudio S.L., a private limited company registered in Spain, tax identifier ESB-87654321, with a registered address at P.º de la Marina Española, 15, 51001 Ceuta, Spain. For any privacy questions you can email studio@velvetgriddesign.com or write by post to the address above.
2 · The short version.
We collect what you send us through the contact form, what you provide when you book an engagement, and what is required for the technical operation of this website. We use that information to do the work you have asked us to do, to invoice you for it, and to comply with our legal obligations. We do not sell your data. We do not run analytics, ad networks, or tracking pixels on this site. We use a single technical cookie to remember whether you have accepted or declined the cookie banner.
3 · What we collect, why, and on what legal basis.
Contact form submissions. When you submit the contact form, we collect your first and last name, email address, optionally a phone number, optionally your company and country, optionally a budget range, and the message you wrote. Legal basis: legitimate interest under Article 6(1)(f) GDPR — namely, our interest in being able to respond to inbound enquiries. We retain submissions for twenty-four months, then delete them.
Checkout details. When you book an engagement through the pricing pages, we collect your first and last name, email address, phone number, and country, plus the engagement you have selected. Legal basis: performance of a contract under Article 6(1)(b) GDPR. Payment is processed by Stripe Payments Europe, Ltd.; we never see, store, or have access to your card details. Stripe is a separate data controller for the payment data it processes — see stripe.com/privacy.
Invoicing. When we issue an invoice we collect your billing name, billing address, VAT number where applicable, and the engagement details. Legal basis: legal obligation under Article 6(1)(c) GDPR (Spanish accounting and tax law). Retention period: ten years, as required by Spanish accounting law (Código de Comercio, Art. 30).
Working files during an engagement. During an active engagement we will receive, store, and process whatever materials you send us — brand documents, copy, photography, internal context. Legal basis: performance of a contract. We retain those files for the duration of the engagement plus twelve months, then delete them unless you ask us to keep them for longer.
Technical operation of the website. Our hosting provider stores standard web-server access logs (IP address, request URL, timestamp, user agent) for fourteen days for security and abuse-prevention purposes. Legal basis: legitimate interest. We do not run client-side analytics or advertising trackers.
4 · Cookies and similar technologies.
We use one cookie. It is named vg-cookie-consent, it is stored in your browser via localStorage, and its only purpose is to remember whether you have accepted or declined the cookie banner so that we do not show it to you again on the next page load. It does not transmit any data back to our servers. You can read more on the cookie policy page.
5 · Who we share data with.
The processors who handle data on our behalf, and the purpose for each: Stripe Payments Europe, Ltd. (payment processing), our hosting provider (web hosting, log retention for fourteen days), our email provider (transmission of contact-form submissions and engagement correspondence), and our accounting software (invoice and bookkeeping records). We have data processing agreements in place with each of these providers. We do not sell or rent personal data to any third party, ever.
6 · International transfers.
Most of our processors are based in the European Economic Area. Stripe processes some data in the United States under the EU–US Data Privacy Framework and standard contractual clauses. Where personal data is transferred outside the EEA, we rely on the safeguards published by the European Commission.
7 · Your rights under GDPR.
You have the right to: access the personal data we hold on you, ask us to correct anything that is wrong, ask us to erase it (subject to our legal obligations to retain invoicing records for ten years), restrict our processing of it, object to processing based on legitimate interest, and request portability of data you have given us. You can also withdraw any consent you have given at any time, without affecting the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, write to studio@velvetgriddesign.com. We respond to all requests within one month. If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) at aepd.es, or with the supervisory authority of the EU member state where you live or work.
8 · Security.
We use HTTPS across the entire site, including for the contact form. Working files during an engagement are stored on encrypted disks. Access to client data inside the studio is limited to the three senior designers and the producer, all of whom have signed confidentiality terms in their employment contracts. We do not have a CMS, an admin panel, or a public-facing database; the surface area for compromise is small by design.
9 · Children.
This is a B2B service for organisations and professional clients. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have inadvertently collected such data, please write and we will delete it immediately.
10 · Updates to this policy.
If we materially change how we handle personal data, we will update this page and update the "Last updated" date at the top. We will also notify any clients on active engagements by email when there is a material change. Minor changes — clarifications, typo fixes — happen without notice and are reflected in the version date above.