LEGAL

Privacy policy.

Notice under Regulation (EU) 2016/679 (GDPR). Initial draft, to be reviewed by legal counsel before production publication.

Preliminary version. This policy is a technical draft written by the development team, not a signed legal document. Before going live it must be reviewed by legal counsel (lawyer or DPO).

1. Data controller

Reeb Labs — legal entity in formation (REEB LABS, S.L. — Barcelona, ES, registration in progress 2026).

Controller email: founder@reeblabs.com.

2. Data we collect

2.1 Data you actively provide

If you fill out the contact form: name, email, optional company name, intent (request category), message text. This data is sent to our form provider (Plunk, EU-hosted) and forwarded to the founder’s email address.

2.2 Data collected automatically (analytics)

We use Plausible Analytics (EU-hosted, cookieless service). Plausible collects aggregate, anonymous metrics: pages visited, country (national level), browser and device, traffic source. No cookies are used, no persistent unique identifiers, no cross-site tracking.

2.3 Technical cookies

We use only strictly necessary technical session cookies (e.g. Cloudflare security preferences). We do not use profiling or marketing cookies.

  • Contact form: to respond to your request. Legal basis: pre-contractual measures (Art. 6.1.b GDPR) or consent (Art. 6.1.a) for informational requests.
  • Aggregate analytics: to understand site usage. Legal basis: legitimate interest (Art. 6.1.f) — analysis is anonymous and does not profile individuals.
  • Technical cookies: for site operation. Legal basis: necessity (Art. 6.1.b/f), exempt from consent under the ePrivacy Directive.

4. How long we keep it

  • Form messages: 24 months from last contact, then automatic deletion unless an active conversation or contractual relationship is in place.
  • Analytics data: indefinite aggregates (already anonymous); no personal data stored.

5. Who we share it with

  • Plunk (EU-hosted email & form provider) — handles form messages. DPA available.
  • Plausible (EU-hosted analytics) — aggregate metrics. DPA available.
  • Cloudflare (CDN + DNS + email routing) — traffic and email routing. Cloudflare operates under EU SCC and Data Privacy Framework.

We don’t share personal data with other third parties. We don’t sell data to anyone.

6. Transfers outside the EU

The providers above operate primarily in the EU. For Cloudflare, where extra-EU transfer occurs, Standard Contractual Clauses (SCC) issued by the European Commission and adherence to the EU-US Data Privacy Framework are in place.

7. Your rights (Art. 15-22 GDPR)

You have the right to:

  • Access your data (Art. 15).
  • Rectification if inaccurate (Art. 16).
  • Erasure (“right to be forgotten”, Art. 17).
  • Restriction of processing (Art. 18).
  • Data portability (Art. 20).
  • Object to processing (Art. 21).
  • Withdraw consent at any time, where processing is based on consent (Art. 7.3).
  • Lodge a complaint with the supervisory authority (Garante Privacy IT — garanteprivacy.it; AEPD ES — aepd.es).

To exercise these rights, write to founder@reeblabs.com. We reply within 30 days.

8. Security

Data is transmitted exclusively over HTTPS. Emails are forwarded via Cloudflare Email Routing to a Proton Mail account (E2E encrypted). Plunk and Plausible operate under standard security certifications (ISO 27001 / SOC 2 — available upon request).

9. Changes to this notice

We update this page when our processing practices change. The date of the last modification is at the top of the page.