Privacy policy
Last updated: March 2026
⚠ Important notice: This document is a general-purpose template provided for informational purposes only. It does not constitute legal advice or a substitute for professional consultation. STUDIOSMIT, S.L. recommends that this document be reviewed and adapted with the assistance of a qualified lawyer or Data Protection Officer (DPO) before final publication, in order to ensure its suitability for the company's specific circumstances and applicable regulations.
1. Data controller
- Legal entity: STUDIOSMIT, S.L.
- Trading name: Stand-Out
- Tax ID (NIF): B65855520
- Registered address: C/ Amigó, 70, 08021 Barcelona, Spain
- Phone: +34 930 311 066
- Privacy contact email: info@stand-out.es
- Data Protection Officer (DPO): STUDIOSMIT, S.L. has not appointed a Data Protection Officer, as it does not meet the criteria set out in Article 37 GDPR.
2. Categories of personal data processed
Depending on the purpose of processing, STUDIOSMIT, S.L. may collect and process the following categories of personal data:
- Identity data: first name, surname(s), company name, professional role.
- Contact data: email address, phone number, postal address (where applicable).
- Professional data: company, industry sector, information about fairs or events of interest, stand number, estimated budget.
- Browsing data: IP address (anonymised where technically feasible), browser type, pages visited, time spent on the site, traffic source. These data are collected primarily via cookies and web analytics tools, subject to prior user consent.
- Communications content: messages sent through the contact form, enquiry emails or quotation requests.
- Account data: where a user or exhibitor account is created, the data necessary to manage the account (username, hashed password, preferences).
No special categories of personal data are collected or processed (as defined in Article 9 GDPR), including data relating to health, racial or ethnic origin, religious beliefs, political opinions, sexual orientation or similar.
3. Purposes, legal bases and retention periods
The table below sets out the purposes for which personal data are processed, together with the applicable legal basis under Article 6 of the General Data Protection Regulation (GDPR, EU 2016/679) and Spanish Organic Law 3/2018 (LOPDGDD):
| Purpose | Data processed | Legal basis (Art. 6 GDPR) | Retention period |
|---|---|---|---|
| Handling and responding to enquiries submitted via the contact form or email | Name, company, email, phone (optional), message content | Consent of the data subject (Art. 6.1.a) or legitimate interest of the controller (Art. 6.1.f) | 3 years from the last communication, unless rights are exercised |
| Preparation and submission of quotations and commercial proposals | Contact and company data, project or event details | Pre-contractual measures at the request of the data subject (Art. 6.1.b) | 5 years from the proposal or last commercial interaction |
| Contract performance and service delivery | Full client/exhibitor data, project details, contract documentation | Performance of a contract (Art. 6.1.b) | 10 years after contract completion (accounting, tax and commercial obligations) |
| Management of registered user and exhibitor accounts | Name, email, hashed password, account preferences, project history | Performance of a contract / consent (Art. 6.1.a and 6.1.b) | While the account is active + 3 years after deregistration |
| Newsletter and commercial communications (direct marketing) | Email address, name (optional) | Explicit consent of the data subject (Art. 6.1.a); consent may be withdrawn at any time | Until consent is withdrawn or unsubscription is requested |
| Web analytics and website improvement | Anonymised IP, browsing behaviour, pages visited, session duration | Consent (Art. 6.1.a) or legitimate interest (Art. 6.1.f) where data are sufficiently anonymised | 26 months (Google Analytics 4 default configuration) |
| Digital advertising and remarketing | Marketing cookie identifiers, browsing and interaction data | Explicit consent of the data subject (Art. 6.1.a) | Per the lifetime of each cookie (see Cookie Policy) |
| Compliance with legal obligations | Data strictly necessary in each case | Legal obligation (Art. 6.1.c) | As required by applicable law in each case |
4. Recipients and international data transfers
Personal data are not disclosed to third parties for their own commercial purposes. However, STUDIOSMIT, S.L. works with service providers who, acting as data processors (Art. 28 GDPR), have access to personal data to the extent necessary to provide their services. These processors are bound by a data processing agreement and the obligations set out in the GDPR.
Certain processors and service providers may involve international transfers of data to countries outside the European Economic Area (EEA):
| Provider | Service | Country / Entity | Transfer safeguard |
|---|---|---|---|
| Google LLC | Google Analytics 4 (web analytics), Google Ads (advertising) | USA | EU-US Data Privacy Framework (adopted July 2023) and Standard Contractual Clauses (SCCs) |
| Meta Platforms Ireland Ltd. | Meta Pixel (advertising and remarketing on Facebook/Instagram) | Ireland (EEA) / USA | EU data controller: Meta Platforms Ireland Ltd. Transfers to USA: SCCs approved by the European Commission |
| LinkedIn Ireland Unlimited Company | LinkedIn Insight Tag (advertising and analytics on LinkedIn) | Ireland (EEA) / USA | EU data controller: LinkedIn Ireland. Transfers to USA: SCCs and EU-US Data Privacy Framework |
| Hostinger International Ltd. | Website hosting | Lithuania (EEA) | Transfer within the European Economic Area. No additional safeguards required. |
In all cases, STUDIOSMIT, S.L. ensures that international data transfers are made with appropriate safeguards as set out in Chapter V of the GDPR. Further information on applicable safeguards is available on request at info@stand-out.es.
Regarding post-Brexit transfers: the United Kingdom has been granted adequacy status by the European Commission (Adequacy Decision of 28 June 2021, valid until 27 June 2025 and subject to renewal). STUDIOSMIT, S.L. will keep the safeguards applicable to any transfer to the UK updated as required.
5. Data subjects' rights
Under the GDPR and LOPDGDD, any person whose personal data are processed by STUDIOSMIT, S.L. has the right to exercise the following rights:
- Right of access (Art. 15 GDPR): to know what personal data we process about you, for what purposes and for how long.
- Right to rectification (Art. 16 GDPR): to correct inaccurate, incorrect or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17 GDPR): to request deletion of your data when, among other reasons, they are no longer necessary for the purposes for which they were collected.
- Right to restriction of processing (Art. 18 GDPR): to request the suspension of processing of your data in certain circumstances provided for in the GDPR.
- Right to data portability (Art. 20 GDPR): to receive your data in a structured, commonly used and machine-readable format and to transmit them to another controller.
- Right to object (Art. 21 GDPR): to object at any time to the processing of your data for legitimate interest purposes or direct marketing.
- Rights in relation to automated decision-making (Art. 22 GDPR): not to be subject to decisions based solely on automated processing that produce significant legal effects.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, send a written request to info@stand-out.es or by post to C/ Amigó, 70, 08021 Barcelona, Spain, clearly indicating the right you wish to exercise and enclosing a copy of your passport, national ID or other valid identification document. We will respond to your request within one month of receipt, extendable to three months in cases of particular complexity.
If you consider that the processing of your personal data infringes applicable regulations, you have the right to lodge a complaint with the competent supervisory authority. In Spain, the supervisory authority is the Agencia Española de Protección de Datos (AEPD), accessible at www.aepd.es. Users residing in other EU Member States may also contact the supervisory authority in their country of habitual residence.
6. Data Protection Officer (DPO)
STUDIOSMIT, S.L. is not required to appoint a Data Protection Officer under the criteria set out in Article 37 GDPR. However, the company remains committed to compliance with data protection regulations and welcomes any related queries at info@stand-out.es.
7. Data security
STUDIOSMIT, S.L. implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These include, among others: encrypted communications (HTTPS/TLS), access controls on systems, secure password management, regular backups and staff training on data protection.
In the event of a personal data breach that may pose a risk to the rights and freedoms of natural persons, STUDIOSMIT, S.L. will notify the AEPD within 72 hours of becoming aware of it, and, where appropriate, will communicate the breach to the affected data subjects.
8. Minors
The Website services are aimed at businesses and professionals. Personal data of persons under the age of 14 are not intentionally collected. If STUDIOSMIT, S.L. becomes aware that data of a minor have been collected without the consent of their legal guardian, such data will be deleted immediately. If you are a parent or legal guardian and are aware that a minor has provided their data through the Website, please notify us at info@stand-out.es.
9. Changes to this privacy policy
STUDIOSMIT, S.L. reserves the right to update this privacy policy to reflect legislative changes, court rulings or guidance from the AEPD or other supervisory authorities. Any significant changes will be notified to users by updating the date shown at the beginning of this document and, where appropriate, by means of a notice on the Website or by email to registered users.