Data protection
Privacy policy
Effective from 25 April 2026. Last updated: 25 April 2026.
At Marc & Structures (www.marcandstructures.com) we process personal data in line with Regulation (EU) 2016/679 (GDPR) and applicable Spanish data-protection law. This notice explains how, in plain language.
1. Data controller
Identity: the Marc & Structures web project, controller for data collected through this site.
Contact for rights and privacy queries: marc@marcandstructures.com.
We do not publish a Data Protection Officer (DPO) contact unless one becomes mandatory or is appointed voluntarily.
2. Purposes, legal bases, and data
Processing depends on the activity. Where the site states no economic activity, typical bases are consent (e.g. newsletter checkbox, voluntary chat or bot use) and legitimate interests (e.g. answering a message you send, site security, aggregated metrics where permitted). If pre-contractual or contractual steps arise later, bases such as “performance of a contract” or “pre-contractual measures” may also apply.
| Activity | Typical data | Purpose | Legal bases (indicative) |
|---|---|---|---|
| Contact or request forms | Name, email, company, phone (if provided), message content, technical submission data, attachments you choose to upload | Handle your request, reply, organise related information | Consent and/or legitimate interests; pre-contractual measures if applicable |
| Transactional email (e.g. via Resend) | Email address, delivery metadata, content needed to notify you | Send communications related to your request | Consent and/or legitimate interests; pre-contractual measures if applicable |
| CRM / workflow in Odoo or similar | Data originating from the form or flow (contact, notes, possible appointments) | Track the request and organise information | Consent and/or legitimate interests; pre-contractual measures if applicable |
| Appointment booking (link to app.marcandstructures.com or other subdomain) | Name, email, time slot, data the calendar collects, technical logs | Manage a booking or informational call | Consent and/or legitimate interests; pre-contractual measures if applicable |
| WhatsApp and Telegram bots | Platform user identifier, phone number (WhatsApp), profile name if visible, message content needed to book or confirm | Schedule, change, or remind appointments; automated scheduling-related messages | Consent when starting or continuing the chat and/or legitimate interests, depending on design |
| AI consultation assistant (e.g. OpenAI) | Text you type, files you upload if enabled, session identifiers, usage metadata | Provide informational answers | Consent (voluntary use) and/or legitimate interest in service improvement, depending on setup |
| Microsoft Clarity (behaviour analytics) | Identifiers in cookies or similar technologies, interaction logs (e.g. heatmaps as described by the vendor) | Understand site usage and improve experience | Consent (recommended in the EEA). See section 8 if no cookie banner is deployed yet |
| Newsletter | Email address; preferences if collected | Send content if you subscribe | Explicit consent. If the form is not yet wired to a provider, no mailings occur until a proper basis and tooling exist |
| Browsing, security, hosting (e.g. Cloudflare Pages/Workers) | IP address, date/time, browser type, technical logs | Deliver the site, mitigate abuse (DDoS, bots), technical statistics | Legitimate interests and/or technical necessity |
3. Retention
We keep data as long as needed for each purpose: while we handle your request, for applicable limitation periods if relevant, or until you withdraw consent where consent is the basis. Technical logs are kept for limited periods unless a longer retention is legally required. Specific criteria may be updated in this policy.
4. Recipients and processors
To run the site we may use providers that process data on our behalf, including:
- Cloudflare, Inc. (infrastructure, CDN, Workers/Pages): Privacy policy
- Odoo or another CRM/scheduling stack on app.marcandstructures.com: see the policy of the operator hosting the instance
- Resend (email delivery): Privacy
- OpenAI (models / Assistants API): Privacy
- Microsoft (Clarity): Microsoft privacy, Clarity
- Meta Platforms (WhatsApp): WhatsApp privacy
- Telegram: Privacy
We do not sell your personal data. We may disclose information if required by law or to defend legal rights before authorities or courts.
5. International transfers
Some providers may process data outside the European Economic Area (e.g. the United States). Where required, we rely on GDPR safeguards (e.g. EU Commission Standard Contractual Clauses or other recognised mechanisms). You may request more detail at marc@marcandstructures.com.
6. Your rights
You may exercise access, rectification, erasure, restriction, objection, and where applicable data portability, and withdraw consent at any time, by emailing marc@marcandstructures.com. We may ask for reasonable identity verification. You may also lodge a complaint with a supervisory authority; in Spain, the Agencia Española de Protección de Datos (AEPD): www.aepd.es.
Step-by-step instructions to request data deletion (including forms, bookings, bots, and the AI assistant): Data deletion instructions. Spanish version: Instrucciones de borrado de datos.
7. Children
The site is not directed at children under 14 (or the age required in your jurisdiction). If you are a parent or guardian and believe we collected a child’s data, contact us for deletion.
8. Cookies, Clarity, and a consent banner (recommended)
This site may load Microsoft Clarity or other tools that use cookies or similar technologies. In the EEA, cookie and privacy rules typically require clear information and, for non-essential / intrusive analytics, prior consent unless a legal exception applies.
Practical recommendation: implement a cookie banner or modal that lets users accept or reject analytics before loading Clarity, and store the choice. Until that is deployed, the site operator bears the risk of misalignment with regulator expectations. This policy describes intended use to support transparency.
9. Automated decisions
Bots and the AI assistant may generate automatic replies. We do not make decisions that significantly affect you with legal or similar effects based solely on automated processing within the meaning of GDPR Article 22, unless a different flow is introduced and clearly disclosed.
10. Security
We apply reasonable technical and organisational measures (e.g. encrypted connections where supported, access controls, API keys via server-side proxies). No system is perfectly secure; report suspected incidents to the contact address.
11. Changes
We will post updates on this page and adjust the “effective from” date. Please review periodically.
12. Informational text
This document is not a substitute for legal advice. If you expand processing (advertising, profiling, etc.) or begin economic activity, update this policy and consent mechanisms as needed.
Website terms of use · Data deletion · marc@marcandstructures.com