
PRIVACY POLICY

www.thebox.show  |  shop.thebox.show

Privacy is a priority for TheBox Characters & Creatures, SL. This policy details our practices regarding the processing of personal data, including what information we collect, how we use it, and how we protect it. It applies to all users who access our website and online shop. We recommend reading this document carefully.

1. Data Controller

In accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD), the data controller is:

Company Name: TheBox Characters & Creatures, SL
NIF: B22445977
Address: Carrer del Parc, 3 - entlo. 1A - 08002 Barcelona (España)
Email: info@thebox.show
Website(s): www.thebox.show | shop.thebox.show

2. Privacy Principles

TheBox Characters & Creatures, SL applies the following fundamental principles in all data processing activities:

  • Lawfulness, fairness and transparency: Data is processed legally, fairly, and in a transparent manner.
  • Purpose limitation: Data is collected for specified, explicit and legitimate purposes only.
  • Data minimisation: Only data that is strictly necessary for the stated purpose is collected.
  • Accuracy: Personal data is kept accurate and up to date.
  • Storage limitation: Data is retained only for as long as necessary to fulfil the purpose for which it was collected.
  • Integrity and confidentiality: Appropriate technical and organisational security measures are applied to prevent unauthorised access, loss or destruction of data.

3. What Data We Collect

Depending on how you interact with our website and shop, we may collect the following categories of personal data:

3.1 Purchase and Account Data

  • Full name, billing and delivery address
  • Email address and telephone number
  • Order history and purchase details
  • Payment information (processed securely by third-party payment providers; we do not store card data)
  • Account login credentials (username and hashed password)

3.2 Contact and Communication Data

  • Name and email address submitted via contact forms
  • Content of messages or enquiries sent to us

3.3 Technical and Browsing Data

  • IP address and device identifiers
  • Browser type and version
  • Pages visited, time spent, and navigation behaviour
  • Cookie identifiers (see our Cookie Policy for full details)

3.4 Newsletter and Marketing Data

  • Email address and communication preferences (only if you have opted in)

4. Purposes and Legal Basis for Processing

We process your personal data for the following purposes, each grounded in a specific legal basis:

| Purpose | Data Processed | Legal Basis | Retention Period |
|---|---|---|---|
| Processing and fulfilling orders | Name, address, email, phone, order details, payment info | Contract performance (Art. 6(1)(b) GDPR) | Duration of the contractual relationship + legal retention periods (min. 5 years for tax/accounting) |
| Customer account management | Name, email, login credentials, order history | Contract performance (Art. 6(1)(b) GDPR) | Until account deletion requested, or 3 years of inactivity |
| Responding to enquiries and support | Name, email, message content | Consent / Legitimate interest (Art. 6(1)(a)(f) GDPR) | Until resolved + 1 year |
| Sending order confirmation and transactional emails | Email, name, order details | Contract performance (Art. 6(1)(b) GDPR) | Duration of the transaction + legal minimum |
| Newsletter and marketing communications | Email address, preferences | Consent (Art. 6(1)(a) GDPR) | Until consent is withdrawn |
| Website analytics and improvement | IP address, browsing behaviour, cookie data | Consent (Art. 6(1)(a) GDPR) | Per cookie policy (typically 2 years) |
| Compliance with legal obligations (tax, accounting, fraud prevention) | Order and billing data | Legal obligation (Art. 6(1)(c) GDPR) | Minimum 5 years (Spanish commercial and tax law) |
| Fraud prevention and security | IP address, order patterns, device data | Legitimate interest (Art. 6(1)(f) GDPR) | Duration of investigation + legal requirement |

5. Data Recipients and Third-Party Sharing

We do not sell or commercially transfer your personal data to third parties. However, we may share data with the following categories of recipients where strictly necessary:

  • Payment processors (e.g. Stripe, PayPal): to process purchases securely. These providers act as independent data controllers under their own privacy policies.
  • Hosting and e-commerce providers (e.g. WooCommerce, WordPress hosting): to operate the website and store order data.
  • Shipping and logistics providers: to fulfil and deliver physical product orders.
  • Email service providers: to send transactional and marketing emails (only where consent has been given).
  • Analytics providers (e.g. Google Analytics): to analyse website traffic. Data may be anonymised or pseudonymised.
  • Tax and accounting advisors: where required to fulfil legal obligations.
  • Public authorities: where required by law or court order.

All third-party providers are bound by data processing agreements and are required to process data only in accordance with our instructions and applicable data protection law.

6. International Data Transfers

Some of our service providers (such as Google Analytics) are located in or transfer data to countries outside the European Economic Area (EEA), including the United States. All such transfers are carried out under appropriate safeguards, specifically Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an equivalent level of data protection.

For further information on the safeguards in place, please contact us at info@thebox.show.

7. Data Retention

Personal data will be retained for as long as the relationship between the user and TheBox Characters & Creatures, SL is active, or for as long as necessary to fulfil the purpose for which it was collected, as indicated in the processing table in Section 4.

In particular:

  • Order and billing data is retained for a minimum of 5 years in compliance with Spanish commercial and tax law (Código de Comercio, Ley General Tributaria).
  • Data processed on the basis of consent will be retained until that consent is withdrawn.
  • Technical and browsing data (cookies) will be retained for the periods indicated in our Cookie Policy.

Once the retention period expires, personal data will be securely deleted or anonymised using appropriate technical measures.

8. Your Rights

As a data subject, you have the following rights under GDPR and LOPDGDD. To exercise any of these rights, please contact us at info@thebox.show, attaching a copy of your national ID or equivalent document:

  • Right of access: To obtain confirmation of whether we are processing your data and, if so, to receive a copy.
  • Right to rectification: To request correction of inaccurate or incomplete data.
  • Right to erasure (“Right to be forgotten”): To request deletion of your personal data, where there is no legal obligation to retain it.
  • Right to restriction: To request that we temporarily suspend processing of your data.
  • Right to data portability: To receive your data in a structured, commonly used and machine-readable format.
  • Right to object: To object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

We will respond to all requests within one month. In complex cases, this may be extended by a further two months, of which you will be notified.

You also have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD) at www.aepd.es, or with the supervisory authority of your country of residence within the EU.

9. Security Measures

TheBox Characters & Creatures, SL implements appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include:

  • SSL/TLS encryption for all data transmitted through the website
  • Secure, encrypted storage of passwords
  • Access controls limiting data access to authorised personnel only
  • Regular security updates and monitoring

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours and affected users without undue delay, in accordance with Article 33 GDPR.

10. Minors

Our website and services are not directed at children under the age of 14. We do not knowingly collect personal data from children under 14. If you believe a minor has provided us with personal data without parental consent, please contact us at info@thebox.show and we will delete such data promptly.

Users between the ages of 14 and 18 should inform their parents or guardians before providing personal data through this website.

11. Third-Party Links

This website may contain links to third-party websites. TheBox Characters & Creatures, SL is not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit.

12. Updates to This Privacy Policy

This Privacy Policy may be updated from time to time to reflect changes in legislation, our data processing practices, or the services we offer. When significant changes are made, we will notify users via a prominent notice on the website. The date of the last update is shown below.
Continued use of the website after any update constitutes acceptance of the revised policy. We recommend checking this page periodically.

For any questions regarding this Privacy Policy, please contact us at info@thebox.show.

Last updated: March 2026

‍


Last updated: June 2026

‍
