Privacy policy
Effective Date: April 2026
Welcome to ATEN Skincare ("we", "us", or "our"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your personal information when you use our service through our website. We comply with the General Data Protection Regulation (GDPR) and applicable Spanish data protection laws.
1. Data Protection Roles (GDPR)
ATEN Skincare assumes the primary role of Data Controller for customer and user data.
- Data Controller: ATEN Skincare, operated by Cher H. D. Stickells
- Address: Lepant 270, Bajos, 08013, Barcelona, Spain
- CIF/NIF: ESX3413483F
2. Purposes and Legal Basis for Processing
We process your data for the following purposes, based on the corresponding legal grounds:
| Purposes of Processing | Legal Basis |
| --- | --- |
| Contractual Relationship: Management of product sales, payment processing, and order fulfilment (shipping). | Performance of a Contract (Art. 6.1.b of the GDPR). |
| Marketing: Sending commercial communications, updates, and promotional content. | Consent (Art. 6.1.a of the GDPR) or Legitimate Interest (if you are an active client) (Art. 6.1.f of the GDPR). |
| Service Improvement: Improving and personalising the service. | Legitimate Interest (Art. 6.1.f of the GDPR). |
| Legal Compliance: Fulfilling statutory and fiscal requirements. | Legal Obligation (Art. 6.1.c of the GDPR). |
3. Data Processor Role and Contractual Obligation
Brands and logistics suppliers act as Data Processors concerning the data strictly necessary for product shipping (name, address, telephone). This consideration also applies to any third party who accesses or hosts personal data due to service provision to ATEN Skincare.
- Contractual Obligation: We formalise a Data Processing Agreement (DPA) with each brand or logistics provider, as required by Article 28 of the GDPR. This contract specifies the object, duration, purpose (only shipping/fulfilment), the type of data treated, and the security obligations.
- Principle of Minimisation: We only transfer the indispensable data necessary for order management and shipping.
4. Key Third-Party Processors
We do not sell your data. Your information is shared with the following key service providers, all bound by Data Processing Agreements (DPAs):
- Fulfilment & E-commerce:
  - SIA Cosmetics Nord: Processes data for product manufacturing and shipping.
  - Shopify: E-commerce platform that hosts our website and manages core transactional data.
- Marketing & Advertising:
  - Klaviyo: Processes data for email marketing communications.
  - Meta (Facebook, Instagram, WhatsApp): Used for advertising and enabling direct product purchases on their platforms.
  - Google Ads (including Google and YouTube), Meta Ads (Facebook, Instagram, and WhatsApp), and TikTok Ads: Used for advertising, remarketing, and measuring campaign performance. These platforms may use cookies, pixels, and similar tracking technologies to collect information about your interactions with our website and ads.
    In some cases, these platforms may enable direct interactions or purchases within their own environments (such as shopping features on social media platforms). Where applicable, your data may be processed by these platforms in accordance with their own privacy policies.
- Google Analytics: Used to analyse website traffic, user behaviour, and improve our services and marketing effectiveness.
- Technical Services: Technical service providers (e.g., hosting, email).
We also share data with public authorities only when legally required to do so.
5. What Personal Data We Collect
We collect the following user data:
- Identification and Contact data: Name and surname, email, phone number, and country.
- Transaction and Shipping data: Payment details, purchase history, and delivery address (for order fulfilment).
- Usage data: Website interactions.
- Technical data: IP address, device info, browser type.
- Single Sign-On: When you choose to log in using a Single Sign-On (SSO) provider (such as Google or Facebook), we may receive certain personal data from that provider to facilitate your authentication and account creation. This data may include your name, email address, unique user identifier and profile information, depending on the permissions you grant.
  We only collect and process the information necessary to authenticate your identity and provide access to our services. We do not receive or store your SSO account passwords. The data shared with us is subject to your privacy settings with the SSO provider and we encourage you to review those settings to understand how your information is managed.
  By using SSO to access our website, you authorize us to process the data provided by the third-party authentication service in accordance with this Privacy Policy.
6. Minimum Age
In accordance with the General Data Protection Regulation and applicable Spanish data protection laws, including the LOPDGDD, we only knowingly collect and process personal data from individuals who are at least 14 years old.
If we become aware that personal data has been collected from a person under 14, we will take appropriate steps to delete such data without undue delay.
To make a purchase on our website, you must be at least 18 years old. If you are under 18, you may only use our services with the involvement and consent of a parent or legal guardian. For more information, please refer to our Terms and Conditions.
7. How Long We Keep Your Data (Data Retention Policy)
We only keep your data for as long as necessary for the purposes explained above:
- Account data: Kept until you delete your account or request removal.
- Profile data (e.g., preference data): Stored for up to 2 years after your last activity.
- Legal/administrative records: Retained as required by Spanish law.
You may request deletion of your data at any time (see section 8).
8. Your Rights Under GDPR
You have the right to:
- Access your personal data.
- Correct any inaccurate information.
- Delete your data (right to be forgotten).
- Restrict or object to processing.
- Data portability – Request your data in a common format.
- Withdraw consent at any time.
To exercise your rights, contact us at (Email). You can also file a complaint with the Spanish Data Protection Authority (AEPD): www.aepd.es.
9. Data Breach Notification
If a data breach occurs that may affect your rights or freedoms, you will be informed without undue delay, in compliance with Articles 33 and 34 of the GDPR. We will also notify the relevant data protection authority as required.
10. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Secure encrypted storage.
- Role-based access controls.
- Regular audits and backups.
11. Changes to This Policy
We may update this Privacy Policy. If we make important changes, we will notify you via email.
12. Contact Us
If you have questions about this Privacy Policy or want to exercise your rights, contact us:
- Email: hello@atenskincare.com
- Phone: (+34) 607221173
- Address: Lepant 270, Bajos, 08013, Barcelona, Spain