1. Data Controller
In accordance with EU Regulation 2016/679 (GDPR) and applicable Spanish data protection law (LOPDGDD), the data controller for personal data collected through guardianweb.es and the Guardian Web application is:
| Field | Details |
|---|---|
| Name / Company | [TO COMPLETE: Full name or company name] |
| Tax ID (NIF/CIF) | 48532109Q |
| Registered address | Calle Diagonal, 30, Elche - Alicante, 03206 España |
| Email | privacidad@guardianweb.es |
| Website | https://guardianweb.es |
2. Personal Data We Process
2.1 Registered user data (as data controller)
- Identification and contact: name or username, email address, password (stored as bcrypt hash — never in plain text).
- Service usage data: registered websites, generated API keys, configuration preferences, language preference, last login.
- Subscription data: plan, subscription start/end dates, payment reference (LemonSqueezy order ID). We do not store credit card data — payments are processed entirely by LemonSqueezy.
- Session technical data: IP address on login (for security and fraud prevention), panel access logs.
- Communications: messages sent through the support ticket system.
2.2 Data processed as data processor (on behalf of the customer)
When a customer installs gw-shield.php on their website, Guardian Web processes on behalf of the customer:
- IP addresses of visitors to the customer's protected site.
- HTTP request metadata: user-agent, requested URL, response code, timestamp.
- Attack logs and detected malicious access attempts.
- Country-level geolocation (derived from IP — no city or street precision).
In this case, the customer is the data controller and Guardian Web acts as processor under GDPR Article 28. Customers must inform their own users in their privacy policy about the use of Guardian Web as a security tool.
2.3 Website navigation data
- Language preference (functional cookie gw_lang, 30-day duration).
- Technical browsing data processed by the Guardian Web security shield (IP, user-agent, suspicious activity).
3. Processing Purposes and Legal Basis
| Purpose | Data processed | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Service delivery and account management | Identification, service usage, configuration | Art. 6(1)(b) — Contract performance |
| Payment and subscription management | Subscription data, payment reference | Art. 6(1)(b) — Contract performance |
| Service security and fraud prevention | Login IP, session logs | Art. 6(1)(f) — Legitimate interest |
| Protecting customer websites (shield) | Visitor IPs, attack logs | Art. 6(1)(b) — Contract performance (as processor) |
| Technical support | Email, ticket messages | Art. 6(1)(b) — Contract performance |
| Legal compliance | Billing data, logs | Art. 6(1)(c) — Legal obligation |
| Service improvement (aggregated, anonymised) | Aggregated usage statistics | Art. 6(1)(f) — Legitimate interest |
We do not conduct direct marketing without prior consent, nor do we share data with third parties for advertising purposes.
4. Data Retention
| Data category | Retention period |
|---|---|
| Active account data | While the account is active |
| Cancelled account data | 3 years from cancellation (contractual obligations and claims) |
| Billing and payment data | 5 years (Spanish commercial law) / 4 years for tax purposes |
| Shield activity logs (visitor IPs) | By plan: 7 days (Free), 30 days (Basic), 90 days (Pro). Users may delete them earlier from the panel. |
| Support tickets | 2 years from ticket closure |
| Panel access logs (user IP) | 90 days |
5. Recipients and International Transfers
5.1 Service providers (data processors)
| Provider | Function | Country | Safeguards |
|---|---|---|---|
| LemonSqueezy (Lemon Squeezy LLC) | Payment processing and subscription management | USA | EU Standard Contractual Clauses (SCCs). Privacy policy |
| AbuseIPDB (Marathon Studios Inc.) | IP reputation check (only visitor public IP — no user personal data) | USA | Minimal data transfer (public IP only). Privacy policy |
| Telegram (Telegram FZ LLC) | Security alerts (only if activated and configured by the user) | UAE / EU | Optional user configuration. Privacy policy |
| Hosting provider: Gestión de Activos Tecnológicos, S.L. (MasBaratoImposible.com) | Server infrastructure | Spain | Request a Data Processing Agreement (DPA) at info@g-a-t.es |
5.2 International transfers
When data is transferred to third parties outside the European Economic Area (EEA), we ensure appropriate safeguards under GDPR Article 46, primarily through Standard Contractual Clauses approved by the European Commission.
5.3 What we do NOT do
- We do not sell or rent personal data to third parties.
- We do not share data with third parties for advertising or marketing purposes.
- We do not share data with authorities except as required by law.
6. Your Rights
Under the GDPR, you have the following rights:
- Access (Art. 15): obtain confirmation of whether we process your data and a copy.
- Rectification (Art. 16): correct inaccurate or incomplete data (many fields are editable directly in your panel).
- Erasure / 'right to be forgotten' (Art. 17): request deletion of your data when no longer needed, unless we have a legal obligation to retain it.
- Restriction (Art. 18): request suspension of processing in certain circumstances.
- Portability (Art. 20): receive your data in a structured, machine-readable format.
- Objection (Art. 21): object to processing based on our legitimate interest.
- No automated decision-making (Art. 22): Guardian Web does not make legally significant decisions based solely on automated processing.
To exercise your rights, email privacy@guardianweb.es with your name, account email, and the right you wish to exercise. We will respond within 30 days (extendable to 60 days for complex requests, with prior notice).
You may also delete your account directly from the control panel, which will trigger data deletion according to the timelines in Section 4.
6.1 Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. In Spain, that is the Agencia Española de Protección de Datos (AEPD): www.aepd.es. You may also contact the supervisory authority in your country of residence.
7. Data Security
Guardian Web implements appropriate technical and organisational measures, including: bcrypt password hashing, HTTPS/TLS encryption, role-based access control, login rate limiting, and HttpOnly/Secure/SameSite session cookies. In the event of a personal data breach posing a high risk to your rights, we will notify you in accordance with GDPR Article 34.
8. Minors
Guardian Web is not directed at persons under 14 years of age. If we become aware that we have collected data from a minor without verified parental consent, we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy periodically. We will publish the updated version on this page with a new date. For material changes, we will notify you by email at least 15 days in advance.
10. Data Protection Contact
For privacy-related queries, requests, or complaints, please contact:
Guardian Web Privacy
Email: privacy@guardianweb.es