1. Data Controller
In accordance with EU Regulation 2016/679 (GDPR) and applicable Spanish data protection law (LOPDGDD), the data controller for personal data collected through guardianweb.es and the Guardian Web application is:
| Field | Details |
|---|---|
| Name | Sergio González Gil |
| Tax ID | 48532109Q |
| Address | Calle Diagonal, 30, Elche - Alicante, 03206 Spain |
| Email | privacy@guardianweb.es |
| Website | https://guardianweb.es |
2. Personal Data We Process
2.1 Registered user data (as data controller)
- Identification and contact: name or pseudonym, email address, password (stored as bcrypt hash, never in plain text).
- Service usage data: registered websites, API keys, configuration preferences, language preference, last access.
- Subscription data: plan, start/end dates, payment reference (LemonSqueezy order number). We do not store credit card data.
- Technical session data: IP address at login (for security and fraud prevention), panel access logs.
- Communications: messages sent through the support ticket system.
2.2 Data processed as data processor (on behalf of the customer)
When a customer installs gw-shield.php on their website, Guardian Web processes on behalf of the customer:
- IP addresses of visitors to the customer's protected site.
- HTTP request metadata: user-agent, requested URL, response code, timestamp.
- Attack logs and malicious access attempts detected by the shield.
- Country-level geolocation data (derived from IP, no city or address precision).
In this case, the customer is the data controller and Guardian Web acts as processor under GDPR Article 28.
2.3 Website navigation data
- Language preference (functional cookie gw_lang, 30-day duration).
- Technical navigation data processed by the guardianweb.es security shield (IP, user-agent, suspicious activity).
3. Processing Purposes and Legal Basis
| Purpose | Data processed | Legal basis (GDPR Art. 6) |
|---|---|---|
| Service provision and account management | Identification, service usage, configuration | Art. 6.1.b — Contract performance |
| Payment and subscription management | Subscription data, payment reference | Art. 6.1.b — Contract performance |
| Service security and fraud prevention | Login IP, session logs | Art. 6.1.f — Legitimate interest |
| Customer site protection (shield) | Visitor IPs, attack logs | Art. 6.1.b — Contract performance (as processor) |
| Technical support | Email, ticket messages | Art. 6.1.b — Contract performance |
| Legal compliance | Billing data, logs | Art. 6.1.c — Legal obligation |
| Service improvement (aggregated, anonymised) | Aggregated usage statistics | Art. 6.1.f — Legitimate interest |
We do not conduct direct marketing without prior consent, nor do we share data with third parties for advertising purposes.
4. Data Retention
| Data category | Retention period |
|---|---|
| Active account data | While the account is active |
| Cancelled account data | 3 years from cancellation |
| Billing and payment data | 5 years (commercial law) / 4 years (tax law) |
| Shield activity logs (visitor IPs) | By plan: 7 days (Free), 30 days (Basic), 90 days (Pro) |
| Support tickets | 2 years from ticket closure |
| Panel access logs (user IP) | 90 days |
5. Recipients and International Transfers
5.1 Service providers (data processors)
| Provider | Function | Country | Safeguards |
|---|---|---|---|
| LemonSqueezy | Payment processing and subscription management | USA | EU Standard Contractual Clauses. Privacy policy |
| AbuseIPDB | IP reputation lookup (visitor IP only) | USA | Minimal data transfer. Privacy policy |
| Telegram | Security alerts (only if user activates it) | UAE / EU | Optional configuration. Privacy policy |
| Hosting provider | Server infrastructure | Spain | Data processing agreement available on request |
5.2 International transfers
When data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards under GDPR Article 46, primarily through Standard Contractual Clauses approved by the European Commission.
5.3 What we do NOT do
- We do not sell or rent personal data to third parties.
- We do not share data with third parties for advertising or marketing purposes.
- We do not share data with authorities except as required by law.
6. Your Rights
Under the GDPR, you have the following rights:
- Access (Art. 15): obtain confirmation of whether we process your data and a copy of it.
- Rectification (Art. 16): correct inaccurate or incomplete data.
- Erasure / "right to be forgotten" (Art. 17): request deletion of your data when it is no longer necessary.
- Restriction of processing (Art. 18): request suspension of processing in certain circumstances.
- Data portability (Art. 20): receive your data in a structured, machine-readable format.
- Objection (Art. 21): object to processing based on our legitimate interest.
- No automated decisions (Art. 22): Guardian Web does not make decisions based solely on automated processing.
To exercise your rights, email privacy@guardianweb.es with your name, account email, and the right you wish to exercise. We will respond within 30 days.
6.1 Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. In Spain, that is the Agencia Española de Protección de Datos (AEPD): www.aepd.es. You may also contact the supervisory authority in your country of residence.
7. Data Security
Guardian Web implements appropriate technical and organisational measures, including: bcrypt password hashing, HTTPS/TLS encryption, role-based access control, login rate limiting, and HttpOnly/Secure/SameSite session cookies. In the event of a personal data breach posing a high risk to your rights, we will notify you in accordance with GDPR Article 34.
8. Minors
Guardian Web is not directed at persons under 14 years of age. If we become aware that we have collected data from a minor without verified parental consent, we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy periodically. For material changes, we will notify you by email at least 15 days in advance.
10. Data Protection Contact
For privacy-related queries, requests, or complaints:
Guardian Web Privacy
Email: privacy@guardianweb.es
Web: https://guardianweb.es