Privacy Policy
Last updated: February 2026
1. Data Controller
The data controller responsible for your personal data is:
- Company: Semental S.L.
- Trading as: Red Stallion
- Place of registration: Spain
- Company number: 26054442
- Contact email: [email protected]
This privacy policy explains how we collect, use, store, and protect your personal data when you visit our website, use our services, or purchase our products. It applies to all pages of the website at red-stallion.com, including the online shop, and is provided in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), and the Spanish Ley Orgánica 3/2018 (LOPDGDD).
2. What Personal Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide Directly
- Order information: name, email address, phone number, shipping address (street, city, province, postal code), billing address
- Age verification data: date of birth (used to verify you are 18 or older, as required by Spanish law)
- Contact form submissions: name, email address, and message content
- Communication preferences: whether you opt in to marketing communications
- Ambassador programme data: referral codes used at checkout
2.2 Data Collected Automatically
- Technical data: IP address (hashed for age verification logging), browser type and version, device type, operating system
- Usage data: pages visited, time spent on pages, referring URL (limited by our Referrer-Policy header)
- Client-side storage: shopping cart contents (stored in your browser's localStorage), age verification status (stored in your browser's sessionStorage for the current session only), cookie consent preferences
2.3 Data We Do Not Collect
We do not collect or have access to your payment card details. All payment processing is handled directly by Stripe (see Section 6 below). Your card number, expiry date, and CVV are transmitted directly from your browser to Stripe's PCI DSS-compliant infrastructure and are never sent to or stored on our servers.
3. Lawful Basis for Processing
Under GDPR Article 6, we process your personal data only where we have a valid lawful basis. The table below sets out the lawful basis for each processing activity:
| Processing Activity | Lawful Basis | GDPR Article |
|---|---|---|
| Processing your order (name, email, address, phone) | Performance of a contract | Art. 6(1)(b) |
| Age verification (date of birth, IP hash) | Legal obligation | Art. 6(1)(c) |
| Sending transactional emails (order confirmation, shipping updates) | Performance of a contract | Art. 6(1)(b) |
| Marketing communications (if you opt in) | Consent | Art. 6(1)(a) |
| Analytics (when enabled, with your consent) | Consent | Art. 6(1)(a) |
| Responding to contact form enquiries | Legitimate interest | Art. 6(1)(f) |
| Recording cookie consent preferences | Legitimate interest (accountability) | Art. 6(1)(f) |
| Fraud prevention and security monitoring | Legitimate interest | Art. 6(1)(f) |
| Retaining order records for tax compliance | Legal obligation | Art. 6(1)(c) |
| Live chat support (Voiceflow widget) | Legitimate interest | Art. 6(1)(f) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest (see Section 8).
4. Age Verification
Our products are tobacco-free nicotine pouches intended for adults aged 18 years or older only. Under Spanish law (Ley 28/2005, as amended, and Royal Decree 579/2017), we are required to take reasonable measures to verify the age of purchasers.
Our age verification measures include:
- Age gate: Before accessing the shop, you must confirm your date of birth. This is checked client-side and the verified status (not your actual date of birth) is stored in your browser's sessionStorage for the current session only.
- Checkout verification: Your date of birth is collected again at checkout and validated server-side before your order is processed.
- Audit logging: Age verification events are logged with hashed IP addresses for regulatory compliance. We do not store your full IP address.
The lawful basis for age verification processing is legal obligation (GDPR Art. 6(1)(c)) under Spanish nicotine product regulations.
5. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are:
| Data Category | Retention Period | Justification |
|---|---|---|
| Order data (customer PII, order details) | 6 years from order date | Spanish tax law (Ley General Tributaria) requires 4 years; Spanish Código de Comercio requires 6 years |
| Age verification logs | 5 years from verification date | Regulatory audit trail for nicotine product sales |
| Contact form submissions | 2 years from submission | Legitimate interest in customer service and dispute resolution |
| Cookie consent records | Until consent is withdrawn or policy version changes | GDPR accountability principle (Art. 5(2)) |
| Shopping cart (localStorage) | Persistent until cleared by you | Client-side only, under your control |
| Age verification status (sessionStorage) | Until you close your browser | Session-scoped, automatically cleared |
| Chat conversations (Voiceflow) | Subject to Voiceflow's retention policy | See Voiceflow's privacy policy (Section 6) |
When the retention period expires, or if you request erasure (see Section 8), we will either delete your data or anonymise it so that it can no longer identify you. Where we are required by law to retain certain records (e.g., for tax compliance), we will anonymise your identifying information while preserving the financial record.
6. Third-Party Data Processors
We share your personal data with the following third-party service providers, who process it on our behalf and under our instructions. Each processor is bound by a Data Processing Agreement (DPA) that requires them to protect your data in accordance with GDPR:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Cloudflare, Inc. | Website hosting, CDN, DNS, DDoS protection, edge computing | IP addresses, request metadata, page URLs | Global (US-headquartered) |
| Stripe, Inc. | Payment processing (PCI DSS Level 1 certified) | Name, email, billing/shipping address, payment card data (sent directly from your browser to Stripe) | US / Ireland (EU processing) |
| Mailgun Technologies, Inc. | Transactional email delivery (order confirmations, shipping updates) | Customer email address and name | EU (api.eu.mailgun.net) |
| Voiceflow, Inc. | Live chat support widget | Chat messages, IP address, session metadata | US / Canada |
We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.
7. International Data Transfers
Some of our third-party processors (see Section 6) are headquartered outside the European Economic Area (EEA). When your personal data is transferred to a country outside the EEA, we ensure that appropriate safeguards are in place, as required by GDPR Articles 44-49:
- Cloudflare: Processes data through its global network under EU Standard Contractual Clauses (SCCs) approved by the European Commission.
- Stripe: Operates EU data processing through its Irish entity (Stripe Payments Europe, Ltd.) and maintains EU Standard Contractual Clauses for any data transferred to the US.
- Mailgun: Processes data through its EU endpoint (api.eu.mailgun.net) under EU Standard Contractual Clauses.
- Voiceflow: Processes data under applicable data transfer mechanisms. Chat conversations may be processed in the US or Canada.
EU position: Semental S.L. is registered in Spain, an EU Member State. Data processed within the EU/EEA does not require additional safeguards under GDPR.
8. Your Rights as a Data Subject
Under GDPR, you have the following rights regarding your personal data. These rights apply unconditionally to all users of our website, regardless of your country of residence:
8.1 Right of Access (Art. 15)
You have the right to request a copy of the personal data we hold about you. We will provide this in a structured, commonly used, machine-readable format within 30 days of your request.
8.2 Right to Rectification (Art. 16)
You have the right to request correction of any inaccurate personal data we hold about you, or to have incomplete data completed.
8.3 Right to Erasure (Art. 17)
You have the right to request deletion of your personal data. We will comply unless we are legally required to retain the data (for example, order records retained for tax compliance under Spanish law). In such cases, we will anonymise your identifying information (name, email, street address) while preserving the financial record for the legally required retention period.
8.4 Right to Restriction of Processing (Art. 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have challenged.
8.5 Right to Data Portability (Art. 20)
Where we process your data on the basis of consent or contract performance, you have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) and to transmit it to another controller.
8.6 Right to Object (Art. 21)
You have the right to object to processing of your personal data that is based on our legitimate interest. Upon objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
8.7 Right Not to Be Subject to Automated Decision-Making (Art. 22)
We do not make any decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Age verification involves a straightforward date-of-birth calculation, not profiling.
8.8 Right to Withdraw Consent (Art. 7(3))
Where we process your data based on consent (e.g., marketing communications, analytics), you can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days (Art. 12(3)). If your request is complex or we receive a large number of requests, we may extend this by a further 60 days, in which case we will inform you within the initial 30-day period.
We will verify your identity before processing your request, to protect against unauthorised disclosure of personal data.
9. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes your rights under GDPR, you have the right to lodge a complaint with a supervisory authority:
- Agencia Española de Protección de Datos (AEPD) -- as the supervisory authority for Semental S.L.'s jurisdiction of registration and where our customers reside. Website: www.aepd.es
We encourage you to contact us first at [email protected] so that we can try to resolve your concern directly.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, as required by GDPR Article 32. These measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (enforced via HSTS with preload)
- Content Security Policy: Strict CSP headers on all pages to prevent cross-site scripting (XSS) attacks
- DDoS protection: Cloudflare's global network provides always-on DDoS mitigation
- Payment security: Payment card data is handled exclusively by Stripe (PCI DSS Level 1) and never touches our servers
- Access control: Administrative access to systems is restricted by the principle of least privilege with multi-factor authentication
- IP address hashing: Where IP addresses are logged (age verification), they are stored as cryptographic hashes, not in plain text
While no system can guarantee absolute security, we continuously review and improve our security measures.
11. Cookies and Local Storage
Our website uses cookies, localStorage, and sessionStorage. For detailed information about each storage item we use -- including its name, purpose, provider, and duration -- please see our Cookie Policy.
In summary:
- Essential storage: Shopping cart contents, age verification status, and cookie consent preferences. These are necessary for the website to function and do not require your consent under the ePrivacy Directive.
- Analytics cookies: If enabled and with your consent only, used to understand how visitors interact with the website.
- Marketing cookies: If enabled and with your consent only, used for targeted advertising.
You can manage your cookie preferences at any time using the cookie settings button on our website, or by clearing your browser's storage.
12. Children and Minors
Our products and website are intended exclusively for adults aged 18 years or older. We do not knowingly collect personal data from anyone under 18. If you are under 18, you must not use this website or provide any personal information.
If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe that a minor has provided us with personal data, please contact us at [email protected].
13. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or third-party processors. The "Last updated" date at the top of this page indicates when the most recent revision was published.
For material changes that affect how we process your personal data, we will make reasonable efforts to notify you (for example, by displaying a notice on the website). Where a change affects processing based on your consent, we will seek renewed consent where required.
14. Contact
For questions about this privacy policy, to exercise your data subject rights, or to raise any privacy concern, contact us at:
- Email: [email protected]
- Company: Semental S.L., Spain (Company No. 26054442)
Red Stallion is a trading name of Semental S.L., registered in Spain (Company No. 26054442). You must be 18 or older to use this website. This policy is governed by the General Data Protection Regulation (EU) 2016/679.