Privacy policy
1. Data Controller
In accordance with Article 13 of EU Regulation 2016/679 (hereinafter, 'GDPR') and Spanish Organic Law 3/2018 (LOPDGDD), the User is informed that the controller of personal data collected through https://simufy.com is:
| Company name | SAPRO TRADING, S.L. («SIMUFY») |
| Tax ID | B67553040 |
| Registered address | Ctra. BV-2131 Km. 7,2, 08787 Orpí, Barcelona, España |
| Commercial Registry | Barcelona, tomo 47166, folio 110, hoja 543317 |
| General email | info@simufy.com |
| Privacy email | privacidad@simufy.com |
| Phone | +34 93 131 06 62 |
| Data Protection Officer | SIMUFY has not appointed a DPO, as the mandatory conditions of GDPR art. 37 and Spanish LOPDGDD art. 34 do not apply. Privacy enquiries: privacidad@simufy.com |
2. Business Group
SAPRO TRADING, S.L. forms part of a business group for the purposes of GDPR art. 4.19. In accordance with GDPR Recital 48, SIMUFY may share personal data with group companies for internal administrative purposes (centralised corporate services, accounting, treasury, audit, shared IT infrastructure, fraud prevention), relying on the group's legitimate interest (GDPR art. 6.1.f). Such sharing is governed by intra-group agreements compliant with GDPR arts. 26 and 28.
SIMUFY will not use the User's personal data for direct marketing by other group companies operating in different sectors, unless the User has given specific and express consent. The User may object to intra-group data sharing at any time via privacidad@simufy.com.
3. Purposes, Legal Bases and Retention Periods
SIMUFY processes personal data for the following purposes:
| Purpose | Legal basis | Retention period |
|---|---|---|
| Online sales management, delivery, invoicing and contract fulfilment. | GDPR art. 6.1.b — Contract performance. GDPR art. 6.1.c — Legal obligations (tax, accounting). |
Duration of contract + 6 years (Spanish commercial law) + blocking until limitation periods expire. |
| Professional customer (B2B) and commercial relationship management. | GDPR art. 6.1.b — Contract performance. GDPR art. 6.1.f — Legitimate interest. |
Duration + 6 years + blocking until applicable contractual limitation periods expire. |
| Pre-order management: agreed ETA tracking and status communications. | GDPR art. 6.1.b — Contract performance. | During pre-order validity + contractual limitation periods. |
| Customer service, after-sales, incidents, complaints and claims. | GDPR art. 6.1.b — Contract performance. GDPR art. 6.1.c — Legal obligations. GDPR art. 6.1.f — Legitimate interest. |
5 years after case closure. |
| Warranty management, repairs and official Fanatec OOW service. | GDPR art. 6.1.b — Contract performance. GDPR art. 6.1.c — Legal obligations. |
During applicable warranty period + 5 years thereafter. |
| Returns and withdrawal processing, with application of the depreciation policy. | GDPR art. 6.1.b and 6.1.c. GDPR art. 6.1.f — Legitimate interest in fraud prevention. |
1 year (photo/video documentation) or 5 years if a claim arises. |
| Sending commercial communications (newsletters, offers, news) about motorsport and driving simulation hardware and software. | GDPR art. 6.1.a — Consent. Spanish LSSI art. 21.2 — Existing customers for similar products. |
Until consent is withdrawn or 24 months of inactivity. |
| Personalised online advertising and retargeting via third-party pixels (Meta, Google, TikTok, Pinterest). | GDPR art. 6.1.a — Specific consent via cookie banner. | Maximum 13 months (advertising cookies). |
| Web analytics and user experience optimisation. | GDPR art. 6.1.a — Specific consent (analytics cookies). | Maximum 13 months. |
| User account management and access security. | GDPR art. 6.1.b — Contract performance. | Until deletion requested or account cancelled due to inactivity. |
| Fraud prevention, transaction verification and business asset protection. | GDPR art. 6.1.f — Legitimate interest (Recital 47 GDPR). | 5 years after case closure. |
| Financing intermediation (Klarna, Aplazame) at the User's request. | GDPR art. 6.1.b — Contract performance at User's request. | During operation validity and subsequent legal periods. |
| Commercial appointment bookings (Calendly) and pre-sales assistance. | GDPR art. 6.1.b — Pre-contractual measures. | Up to 12 months after appointment or conversion to customer record. |
| Defence against claims, judicial or administrative proceedings. | GDPR art. 6.1.f — Legitimate interest. | Until final resolution + applicable limitation periods. |
4. Categories of Personal Data Processed
Depending on the purpose, SIMUFY may process the following categories:
- Identification data: name, surname(s), national ID where legally required.
- Contact data: email address, phone number, delivery and billing address.
- Professional data (B2B customers): company, role, company tax ID, professional contact details.
- Transactional data: order history, products purchased, amounts, dates, payment methods used.
- Financial data: strictly necessary banking data (bank account for transfers, last 4 digits of card). Full card data is processed directly by payment gateways (Shopify Payments, Stripe, PayPal) without SIMUFY having access. Credit scoring for deferred payments is carried out by the financial institution as an independent controller.
- Account data: username, password (stored as a hash), preferences.
- Browsing and technical data: IP address, device ID, browser, operating system, cookies, Website behaviour.
- Interaction data: opens and clicks on commercial communications, interactions with advertisements.
- Communications content: emails, tickets, chats and other correspondence with customer service.
- Images and, where applicable, videos from return deliveries, for content verification purposes.
SIMUFY does not routinely process special categories of personal data (GDPR art. 9). If such data is provided incidentally, it will be processed with a specific legal basis and enhanced security measures.
5. Data Sources
Personal data is usually provided directly by the User through the Website (registration, checkout, newsletter, contact forms, appointment bookings) or in subsequent communications. Some professional contact data may be obtained from publicly accessible sources (LinkedIn, corporate websites) solely for B2B prospecting, in accordance with GDPR Recital 47.
6. Recipients and Data Processors
To provide its services, SIMUFY shares personal data with the following recipients, with whom it has signed data processing agreements under GDPR art. 28:
| Recipient / Processor | Purpose | Location |
|---|---|---|
| Shopify Inc. | E-commerce platform and Website management. | USA (DPF) |
| Odoo S.A. / Eticco | Internal ERP/CRM system. | Belgium / Spain (EU) |
| Shopify Payments / Stripe / PayPal | Payment gateways. Full payment data is processed directly by these gateways; SIMUFY has no access to complete card data. | USA / Ireland (DPF / SCCs) |
| Klarna Bank AB | Deferred payment intermediation at the User's request. SIMUFY acts as an independent controller for the data it transmits for this intermediation. | Sweden (EU) |
| Aplazame, S.L. | Deferred payment intermediation at the User's request. SIMUFY acts as an independent controller for the data it transmits. | Spain (EU) |
| GLS, UPS, DHL, SEUR and international carriers | Delivery of purchased products. | Spain / EU / international depending on destination |
| Google Ireland Ltd. / Google LLC | Web analytics (Google Analytics), advertising (Google Ads), infrastructure (Gmail / Workspace). | Ireland / USA (DPF) |
| Meta Platforms Ireland Ltd. | Online advertising and tracking pixel (Facebook/Instagram). | Ireland / USA (DPF) |
| TikTok Technology Ltd. | Online advertising and tracking pixel. International transfer covered by SCCs (TikTok is not signed up to the EU-US DPF and is under specific EDPB supervision). | Ireland / Singapore / USA (SCCs) |
| Pinterest Europe Ltd. | Online advertising and tracking pixel. | Ireland / USA (DPF) |
| Email marketing provider (name available on request at privacidad@simufy.com) | Newsletter delivery, marketing automations and abandoned cart recovery. | USA (DPF) |
| Calendly Inc. | Online commercial appointment booking. | USA (DPF / SCCs) |
| Manufacturers and distributed brands (Fanatec, Simucube, Simagic, Moza, Trak Racer and others) | Warranty management, repairs and official service. | EU / international depending on manufacturer |
| External accounting and tax advisors | Compliance with accounting, tax and commercial obligations. | Spain (EU) |
| Vilvaq group companies | Internal corporate services covered by GDPR Recital 48. | Spain (EU) |
| Competent authorities and public administrations | Compliance with legal obligations (tax authority, social security, law enforcement where applicable). | Spain (EU) |
SIMUFY does not share personal data with parties other than those listed above, except where required by law or with the explicit consent of the data subject.
7. International Data Transfers
Some recipients have their headquarters or infrastructure outside the European Economic Area (EEA), particularly in the United States. Such transfers are legitimised under GDPR Chapter V mechanisms:
- EU-US Data Privacy Framework (DPF): European Commission adequacy decision of 10 July 2023, applicable to participating organisations (including Shopify, Google, Meta, Calendly, among others).
- Standard Contractual Clauses (SCCs): approved by the European Commission under Decision (EU) 2021/914, applicable when the entity is not signed up to the DPF. In particular, transfers to TikTok Technology Ltd. rely exclusively on SCCs, as TikTok is not signed up to the EU-US DPF and is under specific supervision by the European Data Protection Board.
- Other appropriate safeguards under GDPR arts. 46 and 49.
The User may request detailed information about the transfer mechanism applicable to each recipient by contacting privacidad@simufy.com.
8. Automated Decision-Making and Profiling
SIMUFY uses tools that involve profiling or automated decisions in the following cases:
- Marketing segmentation and personalised online advertising based on browsing and behavioural data. This does not produce significant legal effects. It is based on consent given through the cookie banner.
- Automated fraud detection in the purchase process (Shopify Fraud Protect). High-risk orders are reviewed manually by SIMUFY staff before any decision is taken, ensuring human intervention in all cases.
- Credit scoring carried out by Klarna and Aplazame when the User requests deferred payment. The scoring is performed by the financial institution as an independent controller. SIMUFY acts as an independent controller for the data it transmits to these entities for the intermediation requested by the User; the User may exercise their rights against SIMUFY regarding such transmission, and directly against the financial institution regarding the scoring. The User has the right to obtain human intervention and to contest the decision with the financial institution.
9. User Rights
The User may exercise the following rights at any time under the GDPR and LOPDGDD:
- Access: obtain confirmation of whether SIMUFY is processing personal data and access to such data.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure ('right to be forgotten'): request deletion when data is no longer necessary, consent is withdrawn or other grounds under GDPR art. 17 apply.
- Restriction of processing: request that processing be restricted in the cases set out in GDPR art. 18.
- Data portability: receive data in a structured, commonly used format or request its transfer to another controller.
- Objection: object to processing based on legitimate interest or to processing for direct marketing purposes.
- Withdrawal of consent: revoke consent at any time without retroactive effect.
- Not to be subject to solely automated decisions: right under GDPR art. 22, including the right to human intervention.
- Lodge a complaint with the AEPD: submit a complaint to the Spanish Data Protection Authority.
10. How to Exercise Your Rights
Rights may be exercised by emailing privacidad@simufy.com or by post to SAPRO TRADING, S.L. — Privacy — Ctra. BV-2131 Km. 7,2, 08787 Orpí, Barcelona, Spain. Exercise is free of charge, except for manifestly unfounded or excessive requests (GDPR art. 12.5). SIMUFY will respond within one (1) month, extendable by up to two (2) further months in complex cases (GDPR art. 12.3).
11. Complaint to the AEPD
If the User believes their rights have not been properly addressed, they may lodge a complaint with the Spanish Data Protection Authority (AEPD):
- Postal address: C/ Jorge Juan, 6, 28001 Madrid
- Phone: 900 293 183
- Electronic office: https://sedeagpd.gob.es/sede-electronica-web/
- Website: https://www.aepd.es
12. Security Measures
SIMUFY applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with GDPR art. 32, including:
- Encryption in transit (HTTPS/TLS) for all Website communications.
- Encryption at rest for systems holding sensitive data.
- Role-based access controls and least-privilege principle.
- Two-factor authentication for administrative access.
- Regular, encrypted and verified backups.
- Critical activity logging.
- Regular staff training on data access.
In the event of a personal data breach that may pose a high risk to Users' rights, SIMUFY will notify the AEPD within 72 hours and, where applicable, inform affected Users (GDPR arts. 33 and 34).
13. Minors
The Website's services are intended for adults (18+). SIMUFY does not knowingly collect personal data from children under 14. If a minor aged 14–17 has provided data without their legal guardian's authorisation, the guardian may contact privacidad@simufy.com to request immediate deletion.
14. Cookies
The use of cookies and equivalent technologies is governed by the Cookie Policy.
15. Updates to this Privacy Policy
SIMUFY may amend this Privacy Policy to reflect legislative or jurisprudential developments, operational changes or AEPD recommendations. Substantial amendments affecting Users' rights will be communicated to registered Users by email at least 15 days before taking effect.
16. Applicable Law
This Privacy Policy is governed by Spanish law and applicable EU law, in particular the GDPR and the LOPDGDD. Disputes relating to the processing of personal data shall be subject to the courts of the Consumer User's place of domicile, or, for non-consumer Users, the courts of Barcelona, Spain.
Last updated: 1 May 2026. Version 3.0.