PRIVACY POLICY
1. Identity of the Data Controller
This Privacy Policy applies to the digital services and platform operated by:
Estudio Cactus Media S.L.
Rda. Circunvalación 188, Castellón de la Plana, Spain
CIF: B12962957
 Email: support@stowlog.com
Depending on the type of data and activity, Estudio Cactus Media S.L. ("Stowlog", "we", "our", or "us") may act as either:
- a Data Controller, for account registration, authentication, security, analytics, marketing, and communication; or
 - a Data Processor, on behalf of each Facility that uses the Stowlog Platform to manage its own users and operational data.
 
2. Scope of Application
This Policy applies to:
- Users of the Stowlog App (mobile, web, or desktop),
 - Users of the Stowlog Admin Dashboard,
 - Visitors to the Stowlog website (www.stowlog.com),
 - Potential customers or contacts who interact with Stowlog through demos, email, or contact forms, and
 - Suppliers and service providers with whom Stowlog maintains business relationships.
 
Each Facility that operates within Stowlog may define its own data collection requirements (e.g., ID photo, driver's license, or passport number). Stowlog processes that data on behalf of the Facility but does not determine its content or purpose.
3. Categories of Data Processed
A. Data Controlled by Stowlog (as Data Controller)
Collected when Users register, authenticate, or interact with the Platform at a general level:
- Identification data (name, email, phone number).
 - Account credentials and authentication data.
 - Device and usage data (IP, browser, access logs).
 - Technical cookies and analytics data (for service improvement).
 - Contact data submitted through forms, demos, or newsletters.
 - Supplier data for billing, contracts, and compliance.
 - Optional geolocation data (when Facilities enable location-based modules).
 
B. Data Processed on Behalf of Facilities (as Data Processor)
Collected only when the User selects or interacts with a Facility:
- Custom data fields defined by that Facility (e.g., ID, driver's license, photo, training certificate).
 - Activity data within modules (check-ins, safety forms, visit logs, etc.).
 - Communication records between Users and Facility Admins.
 
Each Facility decides:
- which data to collect,
 - why it is required, and
 - how long it is retained.
 
Stowlog stores and secures this data but does not use it for any purpose other than providing the contracted service.
4. Purpose and Legal Basis of Processing
| Purpose | Legal Basis | Controller |
|---|---|---|
| Account creation, authentication, and user management | Contract performance (Art. 6.1(b) GDPR) | Estudio Cactus | 
| Platform maintenance, analytics, and security | Legitimate interest (Art. 6.1(f)) | Estudio Cactus | 
| Marketing and contact management | Consent or legitimate interest (Art. 6.1(a)/(f)) | Estudio Cactus | 
| Supplier management and billing | Legal and contractual obligations (Art. 6.1(b)/(c)) | Estudio Cactus | 
| Facility-specific data collection and processing | Execution of contract between Facility and User | Facility (Stowlog acts as Processor) | 
| Legal compliance and safety record retention | Legal obligation or legitimate interest (Art. 6.1(c)/(f)) | Facility / Estudio Cactus | 
5. Data Retention, Deletion, and Pseudonymization
5.1 General Retention
- Stowlog retains account and login data as long as the user maintains an active account.
 - Prospect or contact data will be kept while commercial relations remain active or until consent is withdrawn.
 - Supplier and administrative data will be stored for the legally required retention period.
 
5.2 Account Deletion Requests
When a user requests the deletion of their account:
- Stowlog permanently deletes or anonymizes all personal data it directly controls (e.g., name, email, phone, credentials).
 - The deletion of the Stowlog account does not automatically delete Facility-related operational data, since this information belongs to the Facility that collected it.
 
5.3 Dual Retention Model for Facility Records
- Each Facility is the Data Controller for data collected during user interactions (e.g., safety courses, visitor check-ins, contractor validations).
 - These records may be retained by the Facility under legal or compliance obligations, even after a user's account is deleted.
 - Upon deletion, Stowlog will pseudonymize the user identifiers within Facility records — replacing the user's name, email, or ID with an anonymized internal reference (e.g., "Deleted User" or "User #A12F").
 - The Facility can still view the operational record (e.g., "Safety Induction completed by Deleted User on March 10, 2025"), but the personal identity is no longer visible or recoverable within Stowlog.
 - Stowlog does not control the retention or deletion of data collected by Facilities. Each Facility defines its own data retention policy as an independent Data Controller.
 
5.4 Facility Notification and Autonomy
- When a user deletion request is processed, Stowlog notifies all Facilities associated with that user's account. Facilities may then choose to:
   - retain the pseudonymized records for legal or audit purposes, or
   - further anonymize or delete them according to their own data policies.
 
- Stowlog never shares deleted user data; this notification is purely operational, ensuring Facilities are aware that user identifiers have been removed.
 
5.5 Legal Basis for Retention
This process complies with Article 17(3) GDPR, which permits retention or pseudonymization when:
- Data is required for compliance with a legal obligation; or
 - Retention is necessary for the establishment, exercise, or defense of legal claims; or
 - The Facility has a legitimate interest in maintaining audit or safety compliance records.
 
All deletion and pseudonymization actions are logged for audit and accountability purposes.
6. Data Sharing and Recipients
Stowlog does not sell or rent personal data. Data may be shared only with:
- Facilities that users interact with,
 - Technical service providers (hosting, infrastructure, email, analytics, support),
 - Authorities or courts if legally required,
 - Financial institutions and tax authorities when required for accounting or compliance, and
 - Suppliers or subcontractors performing activities on behalf of Stowlog under data processing agreements.
 
All data is hosted in MongoDB Atlas (AWS) data centers located within the European Union or in countries with adequate data protection guarantees under GDPR.
7. Processor Obligations (Article 28 GDPR)
When acting as a Data Processor, Stowlog shall:
- Process personal data only under documented instructions from the Facility.
 - Ensure that persons authorized to process data are bound by confidentiality.
 - Implement technical and organizational measures required under Article 32 GDPR.
 - Keep records of processing activities and assist the Facility in fulfilling GDPR obligations.
 - Notify the Facility of any personal data breach without undue delay.
 - Not engage any sub-processors without prior authorization from the Facility.
 - Upon termination of services, delete or return all personal data as instructed by the Facility.
 - Pseudonymize or anonymize personal data when deletion is requested but legal or compliance grounds require retention.
 
8. Rights of Data Subjects
Users may exercise the following rights under GDPR:
- Access to their personal data.
 - Rectification of inaccurate data.
 - Deletion ("right to be forgotten").
 - Limitation or objection to processing.
 - Portability of their data.
 - Withdrawal of consent at any time (without affecting prior lawful processing).
 
How to exercise your rights:
- If your data was provided directly to Stowlog (e.g., for your account, contact form, or marketing communications): contact support@stowlog.com.
 - If your data was collected by a Facility (e.g., license, passport, photo): contact that Facility directly, as it is the Data Controller for that information.
 
Stowlog will assist Facilities in responding to such requests when necessary.
9. Data Security
Stowlog applies security measures consistent with ISO 27001 certification and industry standards, including:
- Encrypted data transmission (HTTPS / TLS 1.2+).
 - Role-based access controls.
 - Redundant cloud hosting and continuous backups.
 - Logging and monitoring for unauthorized access.
 - Regular audits and employee confidentiality obligations.
 
In the event of a data breach, Stowlog will notify affected parties and relevant authorities in compliance with GDPR Articles 33–34.
10. Cookies and Analytics
Stowlog uses necessary and analytical cookies to ensure functionality and improve user experience.
Details about cookie types and preferences are available in the Cookies Policy at https://stowlog.com/legal/cookies.
11. Relationship with Facilities
Each Facility operating within Stowlog is an independent organization that controls its own data. When you provide data through Facility forms or modules:
- The Facility acts as Data Controller,
 - Stowlog acts as Data Processor,
 - Stowlog stores and secures the data but cannot alter or delete it without the Facility's instruction.
 
Facilities may have their own privacy notices — we recommend reviewing them for more details on their specific use of your data.
12. Source of Data
Personal data may be obtained directly from users, through Facility interactions, or via automated logs and cookies generated by use of the Platform. Optional geolocation data is only collected if the Facility enables it and the user consents.
13. Minors
The Stowlog Platform is intended for professional use only and is not directed at minors under 18 years old. If Stowlog becomes aware of accidental registration by a minor, the account will be deleted.
14. Updates to this Policy
Stowlog may update this Policy periodically to reflect legal, technical, or business changes. All updates will be published at https://stowlog.com/legal/privacy. Continued use of the Platform implies acceptance of the revised version.
15. Contact and Supervisory Authority
For questions or complaints regarding data protection, contact: support@stowlog.com
If you are not satisfied with our response, you may file a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.
Estudio Cactus Media S.L.
Rda. Circunvalación 188, Castellón de la Plana, Spain
www.stowlog.com