Privacy policy
Last updated: 2026-05-07. This policy describes how Luba Media S.L. ("we", "us") processes personal data on mediabuyer.site, in compliance with Regulation (EU) 2016/679 (GDPR / RGPD), the Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and Directive 2002/58/EC (ePrivacy) as transposed in Spain by the Ley de Servicios de la Sociedad de la Información (LSSI-CE) art. 22.2.
1. Data controller
The data controller for personal data processed on this site is Luba Media S.L. ("Luba Media"), a limited-liability company incorporated in Spain.
- Email (privacy): privacy@luba.media
- Email (general): info@luba.media
- Postal address: available on request for service of legal notices.
We have not appointed a Data Protection Officer (DPO) because we do not meet the thresholds in Art. 37 GDPR. The operator (mediabuyer staff at Luba Media S.L.) is the responsible contact for all privacy matters.
2. Categories of personal data we process
- Account data (when you sign in): Google OAuth profile fields — email, full name, profile picture URL, stable Google subject ID. Legal basis: Art. 6(1)(b) GDPR (performance of a contract / your account).
- Contact-form submissions: name, email, subject, message, IP address (for abuse prevention), submission timestamp. Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest in handling correspondence).
- Analytics and measurement data (only with your consent under LSSI-CE art. 22.2): pseudonymous identifiers, page URL, referrer, screen size, approximate location derived from IP, user-agent. Legal basis: Art. 6(1)(a) GDPR (consent).
- Server logs: IP address, request path, user-agent, response status, timestamp. Retained for security and abuse-prevention purposes. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in network and information security, as recognised by Recital 49 GDPR).
We do not knowingly process special categories of personal data (Art. 9 GDPR) such as health, political opinions, religious beliefs, or biometric data.
3. Purposes of processing
- To provide and secure the website and your account.
- To respond to messages you send through the contact form.
- With your consent, to measure traffic and improve the product via aggregated analytics.
- To comply with legal obligations (e.g. fiscal record-keeping under Spanish law, response to lawful authority requests).
4. Cookies and similar technologies
Strictly necessary cookies are set without prior consent under the exemption in LSSI-CE art. 22.2 second paragraph. All other cookies and similar trackers (analytics, performance, marketing) are loaded only after you grant consent through our cookie banner. You can withdraw consent at any time by reopening the banner from the footer.
The full list of cookies, their purposes, providers, and retention periods is on the dedicated cookie policy page, as required by the guidance of the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD) "Guía sobre el uso de las cookies" (last revised by AEPD 2023).
4a. Advertising — Google AdSense
We display advertising served by Google AdSense, a service provided by Google LLC and Google Ireland Ltd. As an AdSense publisher under account pub-6043961736091377, we and Google use cookies and similar identifiers to serve, measure, and improve the relevance of the ads you see, and to combat fraud and abuse on the ad platform.
- Personalised vs non-personalised ads. If you grant advertising consent through our cookie banner, Google may serve personalised ads based on your prior interests and activity across sites that participate in the Google ad ecosystem. If you decline advertising consent, only non-personalised, contextual ads are served (no advertising cookies are set or read).
- Data Google may process for AdSense: IP address (for approximate location and fraud prevention), user-agent and device fingerprinting signals, the page URL and referrer, cookies such as __gads, __gpi, and NID set on the google.com/doubleclick.net domains, and ad-interaction events (impressions, clicks, viewability). The Google Tag also reads consent state from our cookie banner via Google Consent Mode v2.
- Third-party vendors. Google AdSense may, with your consent, use a long list of certified third-party ad-tech vendors for measurement and attribution. The current vendor list is published by Google at support.google.com/admanager/answer/9012903.
- How to opt out. You can disable personalised advertising at any time via Google’s Ad Settings, withdraw consent from the cookie banner on this site, or use the cross-industry opt-out tools at youronlinechoices.eu (EU) and aboutads.info/choices (US).
- Google’s privacy policy applies to Google’s processing as an independent controller for advertising: policies.google.com/technologies/ads and policies.google.com/privacy.
We do not pass any personal data we collect on this site (account email, contact-form payload) to Google for ad targeting. Google’s advertising data flows are independent of our first-party data flows.
5. Third-party processors and recipients
We share personal data with the following processors strictly to provide the service. Each acts under a written data-processing agreement (DPA) compliant with Art. 28 GDPR.
| Processor | Purpose | Data categories | Location / transfer mechanism |
|---|---|---|---|
| Google LLC / Google Ireland Ltd. | OAuth sign-in; Google Analytics 4 (with consent) | Account data; pseudonymous analytics identifiers | EU/US — EU-US Data Privacy Framework (Commission decision 2023/1795) plus Standard Contractual Clauses |
| Microsoft Ireland Operations Ltd. (Clarity) | Heatmaps and session recordings (with consent) | Pseudonymous interaction data | EU/US — DPF + SCCs |
| Cloudflare, Inc. | CDN, DDoS protection, bot mitigation | IP address, request metadata | EU/US — DPF + SCCs; EU data centres preferred |
| Vercel Inc. | Application hosting and edge delivery | IP address, server logs, request metadata | EU/US — DPF + SCCs |
| Resend, Inc. | Transactional email for contact-form submissions | Form payload (name, email, message) | US — DPF + SCCs |
| Stripe Payments Europe Ltd. | Billing and payment processing (paid tiers only) | Billing identifiers, payment metadata | EU; sub-processors per Stripe DPA |
Where personal data is transferred outside the European Economic Area, we rely on (in order of preference): an adequacy decision of the European Commission, the EU-US Data Privacy Framework, or the European Commission’s Standard Contractual Clauses (Decision 2021/914) accompanied by a transfer impact assessment.
6. Retention periods
- Account data: kept while the account is active and for 12 months after deletion request, then erased except where retention is required by law.
- Contact submissions: kept for up to 24 months after the inquiry is closed.
- Analytics: GA4 user-property retention set to 14 months (the lowest available); Microsoft Clarity retention is controlled by Microsoft and is up to 13 months.
- Server logs: 30 days at the edge, 90 days in cold archive for security investigations.
- Billing: invoices retained for 6 years as required by Spanish commercial law (Código de Comercio art. 30) and tax law (Ley General Tributaria art. 66).
7. Your rights as a data subject
Under Articles 15–22 GDPR and Title III LOPDGDD you have:
- The right of access (Art. 15).
- The right to rectification (Art. 16).
- The right to erasure ("right to be forgotten", Art. 17).
- The right to restriction of processing (Art. 18).
- The right to data portability (Art. 20).
- The right to object to processing based on legitimate interest, including profiling (Art. 21).
- The right not to be subject to a decision based solely on automated processing that produces legal effects (Art. 22). We do not carry out such automated decision-making.
- The right to withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7(3)).
- The rights to digital testament and access by heirs as provided in LOPDGDD arts. 3 and 96.
To exercise these rights, email privacy@luba.media. We will acknowledge within 72 hours and respond substantively within one month, extendable by two further months for complex requests as permitted by Art. 12(3) GDPR. We may ask for proof of identity if we have reasonable doubt about who is making the request.
8. Right to lodge a complaint
You may lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD) at www.aepd.es, C/ Jorge Juan, 6, 28001 Madrid, Spain — or with your local supervisory authority in your EEA country of residence. Before filing a complaint with the AEPD, the LOPDGDD encourages you to contact the controller first; we treat such contacts as priority.
9. Children
The service is not directed to children under 14 (the threshold for valid consent in Spain under LOPDGDD art. 7). We do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact us so we can delete it.
10. Security
We apply technical and organisational measures appropriate to the risk under Art. 32 GDPR, including TLS in transit, encryption at rest at our hosting providers, role-based access control to admin surfaces, and quarterly review of access logs. No system is perfectly secure; in the event of a personal data breach likely to result in a risk to your rights and freedoms we will notify the AEPD within 72 hours and you without undue delay (Arts. 33–34 GDPR).
10a. Your California privacy rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA / CPRA, Cal. Civ. Code §§ 1798.100–1798.199.100) gives you the following rights with respect to your personal information:
- Right to know what categories and specific pieces of personal information we have collected, the sources, the business or commercial purpose, and the categories of third parties to whom it has been disclosed (§ 1798.100, § 1798.110, § 1798.115).
- Right to delete personal information we have collected about you, subject to statutory exceptions (§ 1798.105).
- Right to correct inaccurate personal information (§ 1798.106).
- Right to opt out of sale or sharing of your personal information for cross-context behavioral advertising (§ 1798.120, § 1798.135). See Do Not Sell or Share My Personal Information.
- Right to limit use of sensitive personal information (§ 1798.121). We do not use sensitive personal information to infer characteristics about you.
- Right to data portability — receive your personal information in a portable, machine-readable format (§ 1798.100(d)).
- Right to non-discrimination for exercising any of these rights (§ 1798.125).
Global Privacy Control. We honor the Global Privacy Control (GPC) browser signal as a valid opt-out of sale and sharing under § 1798.135(b) and the California AG’s implementing regulations.
Sale vs. sharing. We do not sell personal information for monetary consideration. However, personalized advertising — once Google AdSense personalized ads are active — may qualify as “sharing” under CPRA § 1798.140(ah) because cross-context behavioral advertising signals are passed to ad-tech vendors. You may opt out at any time on /do-not-sell, by sending a GPC signal from your browser, or by declining advertising consent in our cookie banner.
How to submit a request. California residents (or authorized agents acting on their behalf) may submit verifiable consumer requests by emailing privacy@luba.media with the subject line “California rights request”. We will respond within 45 days, extendable by an additional 45 days where reasonably necessary (§ 1798.130(a)(2)). We may need to verify your identity before fulfilling the request.
Authorized agent. You may designate an authorized agent to submit requests on your behalf. We will require written authorization and verification of your identity per § 1798.135(c).
11. Changes to this policy
We will post material changes here and update the "Last updated" date at the top. For significant changes affecting your rights we will additionally notify you by email (if we have one for you) or through a banner.
12. Related pages
- Cookie policy — full list of cookies and trackers.
- Do Not Sell or Share My Personal Information — California opt-out.
- DSA point of contact — EU Digital Services Act.
- Terms of service — rules for using the site.
- DMCA / takedown — copyright procedure.
- Editorial standards — how content is produced and corrected.