Legal

Privacy Policy

This policy explains how Evocultiva.org collects, uses, and protects your personal data when you use our website and services.

Last updated: March 2026

Your rights at a glance: Under the EU General Data Protection Regulation (GDPR), you have the right to access, correct, delete, restrict, or export your personal data at any time. To exercise any of these rights, contact us via the Contact page.

Data Controller: Evocultiva.org, based in Navarra, Spain.

Evocultiva.org operates a website and marketplace platform (AlimentaMapa) that connects buyers with local farmers. When you use our services, we act as the data controller for your personal information.

For any privacy-related questions or requests, please contact us via our Contact page. We aim to respond within 5 working days.

We collect the following categories of personal data depending on how you use the platform:

CategoryExamplesWhen collected
Account data Name, email address, password (hashed), profile photo When you register an account
Farm data Farm name, location, GPS coordinates, phone number, product listings, photos When you register a farm on AlimentaMapa
Transaction data Order details, amounts, product IDs, fulfilment status When you place or receive an order
Shipping data Delivery address, recipient name, phone number When you request delivery
Communications Messages sent via the contact form or dispute system When you contact us or raise a dispute
Usage data Pages visited, filters applied, browser type, IP address Automatically when you use the Site
Payment data Payment confirmation, transaction ID When a payment is processed (card details handled by Stripe — never stored by us)

We do not collect sensitive data such as health information, racial or ethnic origin, political opinions, or biometric data.

We use your personal data only for the purposes for which it was collected:

  • To operate your account — creating and managing your user or farm profile.
  • To process transactions — facilitating orders, payments, and fulfilment between buyers and farmers.
  • To provide customer support — responding to enquiries, disputes, and complaints.
  • To display your farm on AlimentaMapa — showing your farm location, products, and profile to potential buyers.
  • To send service communications — order confirmations, dispute updates, and important platform notices. We do not send marketing emails without your explicit consent.
  • To improve the platform — analysing usage patterns to improve performance and user experience (using anonymised or aggregated data where possible).
  • To comply with legal obligations — retaining records as required by Spanish and EU law.

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

Under GDPR, we must have a lawful basis for processing your personal data. Our bases are:

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the services you've signed up for, including running your account, processing orders, and operating AlimentaMapa.
  • Legitimate interests (Art. 6(1)(f)) — improving the platform, preventing fraud, and maintaining security, where these interests are not overridden by your rights.
  • Legal obligation (Art. 6(1)(c)) — retaining transaction records and complying with applicable Spanish and EU law.
  • Consent (Art. 6(1)(a)) — for any optional marketing communications, if and when we introduce them. You can withdraw consent at any time.
We never sell your personal data. We only share it where strictly necessary to operate the platform.
  • Stripe — our payment processor. Card details and payment data are handled entirely by Stripe and are never stored on our servers. Stripe's privacy policy is available at stripe.com/privacy.
  • Farmers (sellers) — when you place an order, the relevant farmer receives your name, delivery address, and order details necessary to fulfil it. They are bound by these Terms and by GDPR to use that data only for fulfilment purposes.
  • Shippo — our shipping rates provider, where delivery is offered. Shippo may receive your delivery address to calculate rates. Shippo's privacy policy is available at goshippo.com/privacy.
  • Hosting and infrastructure providers — our web hosting provider processes data on our behalf under a Data Processing Agreement (DPA) in compliance with GDPR.
  • Law enforcement or regulatory authorities — where we are legally required to disclose data, for example in response to a court order or regulatory investigation.

All third parties we work with are required to handle your data securely and in accordance with GDPR.

We use cookies and similar technologies to operate the Site. The cookies we use are:

CookiePurposeType
Session cookie Keeps you logged in and maintains your cart during a visit Strictly necessary
CSRF token Security token to prevent cross-site request forgery attacks Strictly necessary
Language preference Remembers your chosen language (EN/ES) across visits Functional (localStorage)
Stripe cookies Set by Stripe during payment processing for fraud prevention Third-party / necessary for payments

We do not currently use advertising cookies, tracking pixels, or third-party analytics cookies (such as Google Analytics). If this changes, we will update this policy and ask for your consent where required.

You can control cookies through your browser settings. Disabling strictly necessary cookies may affect Site functionality.

  • Account data — retained for as long as your account is active, plus up to 12 months after deletion to allow for dispute resolution.
  • Transaction and order data — retained for 7 years to comply with Spanish tax and commercial record-keeping obligations.
  • Dispute and communication records — retained for 3 years after a dispute is resolved.
  • Usage and log data — retained for up to 12 months, then deleted or anonymised.

When retention periods expire, data is securely deleted or anonymised so it can no longer identify you.

As a data subject under GDPR, you have the following rights:

  • Right of access — request a copy of all personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion of your data, subject to legal retention requirements.
  • Right to restriction — request that we limit how we process your data in certain circumstances.
  • Right to data portability — request your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, please contact us via the Contact page. We will respond within 30 days as required by GDPR. We may need to verify your identity before processing a request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at aepd.es.

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

  • HTTPS encryption for all data transmitted between your browser and our servers.
  • Passwords stored as secure hashes — we never store plaintext passwords.
  • Payment data handled entirely by Stripe's PCI-DSS compliant infrastructure.
  • Access to user data restricted to authorised personnel only.
  • Regular security reviews and software updates.

No method of transmission over the internet is 100% secure. In the unlikely event of a data breach that is likely to result in a risk to your rights, we will notify you and the relevant supervisory authority as required by GDPR (within 72 hours of becoming aware).

Your data is primarily stored and processed within the European Economic Area (EEA). Where we use third-party services (such as Stripe) that may process data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.

Evocultiva.org is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data without appropriate parental consent, we will delete it promptly.

If you believe a child under 16 has registered on our platform, please contact us immediately via the Contact page.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page.

For significant changes that affect how we use your data, we will notify registered users by email or via a prominent notice on the Site before the changes take effect.

We encourage you to review this policy periodically. Continued use of the Site after changes are posted constitutes acceptance of the updated policy.

For any privacy-related questions, requests, or concerns, please contact us via the Contact page or write to:

Evocultiva.org
Navarra, Spain

We aim to respond to all privacy requests within 30 days.

If you are unhappy with our response or believe we are processing your data unlawfully, you have the right to complain to the Spanish Data Protection Authority:

Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
www.aepd.es