This Privacy Policy explains how personal data is processed when you use ONVBA.ES in accordance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights (LOPDGDD), and other applicable Spanish and European rules.
For the identity of the website owner and general terms of use, see our Legal Notice. For cookies and similar technologies, see our Cookie Policy.
1. Data controller
The data controller responsible for processing described in this policy is:
- Controller: [FULL NAME]
- Tax ID (NIF/NIE): [NIF/NIE]
- Address: [ADDRESS]
- Email: info@onvba.es
ONVBA.ES is operated as a personal, non-profit project. The controller does not charge users for access to the platform and does not receive revenue from listings or transactions between users.
2. Scope
This policy applies to personal data processed through the website onvba.es and its related features, including registration, profiles, shops, service bookings, restaurant reservations, equipment rental, messaging, notifications, and technical operation of the platform.
When you interact with another user (for example a seller or service provider), that user may also process your data as a separate controller for their own purposes (fulfilling an order, providing a service, customer support). Their practices are governed by their own obligations and, where published, their own information.
3. Categories of personal data we process
3.1 Account and profile data
When you create an account or update your profile, we may process:
- email address and email verification status;
- username, public profile slug, and optional unique user ID;
- password (stored in hashed form, never in plain text);
- first name and last name (if provided);
- phone number and phone verification status (if provided);
- account role (client or business);
- profile avatar and derived thumbnails;
- optional business name and business description;
- display and catalogue preferences (tabs, feed message, currency, and similar settings).
3.2 Social login (Google / Facebook)
If you sign in with Google or Facebook, we receive information from the provider you choose (typically email address and basic profile data needed to create or link your account). The provider processes data under its own privacy policy before data reaches us.
3.3 Business and public listing data
If you use a business account, we may also process content you publish, such as shop names and descriptions, product or service listings, prices, images, addresses, map coordinates, restaurant or venue details, rental items, and availability information visible to other users.
3.4 Transactions and bookings
Depending on the features you use, we may process:
- Shop orders: buyer and seller identifiers, customer name, phone, email, order contents, status, comments, and timestamps;
- Service bookings: service and provider details, appointment times, status, customer comments, and optional visit address for home services;
- Equipment rental: rental period, selected items and options, pricing snapshot, contract text accepted, payment method selection, status, and related comments;
- Restaurant table bookings: reservation date and time, party size, table assignment, customer name and email, and reservation status;
- Guest bookings created by a business user on behalf of a third party: guest name, phone, and/or email where entered.
This information is used to operate the platform and is typically visible to the parties involved in the transaction (for example the seller or provider).
3.5 Messages, chats, and notifications
We may process messages and comments linked to orders, bookings, rentals, or table reservations, as well as in-app notifications (title, link, read status) sent to your account. If you enable web push notifications, we store browser push subscription data (endpoint and cryptographic keys) and related technical metadata such as user agent.
3.6 Workers and team access (business accounts)
Business account owners may invite workers to a shared workspace. In that context we may process invitation email addresses, role assignments, membership status, and audit logs related to team access.
3.7 Business verification
For certain business features (such as public catalogue visibility or phone verification), we may process phone numbers and records related to verification requests and their review status.
3.8 Technical data, logs, and cookies
We automatically process technical data necessary to run the website, such as session identifiers, security tokens, language preference, server and security logs (which may include IP address, browser type, and request timestamps), and information described in our Cookie Policy (including localStorage used to remember cookie consent).
With your consent, we use Google Analytics to collect aggregated usage statistics. Registration forms may use Google reCAPTCHA to reduce spam.
4. Purposes and legal bases
We process personal data for the following purposes and on the following legal bases under Article 6 GDPR:
- Providing the platform and your account (registration, login, profile, publishing listings, bookings, orders, notifications): performance of a contract or steps at your request (Art. 6(1)(b)); where applicable, legitimate interest in operating a functional platform (Art. 6(1)(f)).
- Security, fraud prevention, and abuse protection (including reCAPTCHA, session management, rate limiting): legitimate interest (Art. 6(1)(f)); in some cases legal obligation (Art. 6(1)(c)).
- Transactional communications (for example booking or order confirmations by email): performance of contract or legitimate interest (Art. 6(1)(b) / (f)).
- Web push notifications (only if you opt in): consent (Art. 6(1)(a)).
- Analytics cookies (Google Analytics, only after you accept in the cookie banner): consent (Art. 6(1)(a)).
- Compliance with law where required: legal obligation (Art. 6(1)(c)).
We do not use your data for automated decision-making that produces legal or similarly significant effects solely by automated means.
5. Who receives your data
Personal data may be shared with:
- Other users when necessary for a feature (for example a seller receiving your contact details for an order you place, or a provider seeing your booking information);
- Service providers that help us operate the website (hosting, email delivery, infrastructure), under appropriate confidentiality and data processing arrangements where required;
- Google (social login, reCAPTCHA, and Analytics if consented) and Meta / Facebook (social login), each under their own terms and privacy policies;
- Map and content delivery services when you load maps or external assets (for example tile or geocoding providers); your browser may send technical data to those providers;
- Public authorities when we are legally required to do so.
We do not sell your personal data.
6. International transfers
Some third-party providers (notably Google and Meta) may process data outside the European Economic Area. Where required, such transfers rely on appropriate safeguards recognised under GDPR (for example Standard Contractual Clauses or adequacy decisions). You can read more in the providers' privacy documentation.
7. Retention
We keep personal data only as long as necessary for the purposes above:
- Account data: while your account is active and for a reasonable period afterwards if needed for security, dispute resolution, or legal obligations;
- Transaction and booking records: for the life of the relevant record and as needed for operation of the feature and legal compliance;
- Notifications and logs: for limited periods appropriate to their purpose (security, troubleshooting, or unread notification display);
- Cookie / analytics data: as stated in the Cookie Policy.
When data is no longer needed, we delete or anonymise it where feasible.
8. Your rights
Under GDPR and LOPDGDD, you have the right to:
- Access your personal data;
- Rectify inaccurate or incomplete data (many fields can be updated in your account settings);
- Erase your data in certain circumstances (you may also request account deletion via your account settings or by emailing us);
- Restrict processing in certain cases;
- Object to processing based on legitimate interests;
- Data portability for data you provided, where applicable;
- Withdraw consent at any time for processing based on consent (for example analytics cookies or push notifications), without affecting prior lawful processing;
- Lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.
To exercise your rights, contact info@onvba.es. We may need to verify your identity before responding.
9. Children
ONVBA.ES is not directed at children. You must be at least 14 years old to create an account, in line with Spanish rules on information society services. If you believe we have collected data from a child without appropriate authority, please contact us so we can take appropriate action.
10. Security
We apply appropriate technical and organisational measures to protect personal data, including access controls, encrypted connections (HTTPS), hashed passwords, and restricted administrative access. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
11. Changes to this policy
We may update this Privacy Policy when our practices or legal requirements change. The current version will always be published on this page with an updated date. We encourage you to review it periodically.
12. Contact
For any question about this Privacy Policy or your personal data:
Last updated: June 2026