PRIVACY POLICY
Gamusi – Nevenon Group, S.L.
Last updated: April 2026

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. DATA CONTROLLER

In compliance with Regulation (EU) 2016/679 of the European Parliament and of the
Council, of April 27, 2016 (GDPR), and Organic Law 3/2018, of December 5,
on Personal Data Protection and guarantee of digital rights
(LOPDGDD), we inform you that the data controller for your personal data is:

Owner:         Nevenon Group, S.L.
Tax ID (CIF):  B02820926
Trade name:    Gamusi
Address:       C/ Comarca dels Ports, 24 – 46880 Bocairent – Valencia – Spain
Phone:         +34 611 50 62 44
Email:         clientes@gamusi.com

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

2. DATA WE COLLECT AND HOW WE OBTAIN IT

We collect personal data through the following channels:

2.1. Registration form or customer account
   - First name and surname
   - Email address
   - Password (stored in encrypted form)
   - Contact phone number (optional)

2.2. Purchase process
   - First name and surname of the buyer and/or recipient
   - Shipping and billing address
   - Contact phone number
   - Email address
   - Payment details (processed directly by the payment gateway;
     Gamusi does not store bank card details)

2.3. Contact form
   - Name
   - Email
   - Phone (if voluntarily provided)
   - Message content

2.4. Subscription to commercial communications (newsletter)
   - Email
   - Name (if voluntarily provided)

2.5. Website browsing
   - IP address and connection data
   - Pages visited, time spent, and browsing behavior
     (through cookies; see Cookie Policy)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

3. PURPOSES OF PROCESSING AND LEGAL BASIS

PURPOSE                             LEGAL BASIS                             RETENTION PERIOD
────────────────────────────────────────────────────────────────────────────────────────────────────────
Order management and contractual    Contract performance                    5 years from the last
relationship (purchase, shipping,   (Art. 6.1.b GDPR)                       purchase (tax and
returns, invoicing)                                                         commercial obligations)

Customer account management         Contract performance                    Until the user
                                    (Art. 6.1.b GDPR)                       requests deletion

Customer service and management     Legitimate interest of the controller   3 years from the last
of inquiries and complaints         (Art. 6.1.f GDPR)                       communication

Sending commercial communications   Consent of the data subject             Until consent is
(newsletter, offers, news)          (Art. 6.1.a GDPR)                       withdrawn

Statistical analysis and website    Legitimate interest of the controller   12 months (aggregated/
improvement                         (Art. 6.1.f GDPR)                       anonymized data)

Fraud prevention and platform       Legitimate interest of the controller   During the investigation
security                            (Art. 6.1.f GDPR)                       and, where applicable, the
                                                                            applicable legal term

Compliance with legal obligations   Legal obligation                        According to the regulations
(tax, accounting, commercial)       (Art. 6.1.c GDPR)                       applicable in each case
                                                                            (min. 5 fiscal years)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

4. RECIPIENTS AND DATA TRANSFERS

Your data will not be sold or transferred to third parties for commercial purposes.
However, for the proper provision of the service, your data may be
communicated to the following providers acting as data processors:

- Shopify International Ltd.: e-commerce platform
  (store hosting, order and payment processing).
  International transfer covered by standard contractual clauses.

- Payment gateways (Stripe, PayPal, or other active ones at the time of
  purchase): for secure payment processing. These providers apply
  their own privacy policies and PCI-DSS standards.

- Transport and logistics companies: for managing shipping and delivery
  of the order (name, delivery address, and contact phone number).

- Email marketing providers (e.g., Klaviyo, Mailchimp): only
  if you have given consent to receive commercial communications.

- Google LLC: analytics tools (Google Analytics) and infrastructure.
  International transfer covered by standard contractual clauses.

- Public Administrations and competent authorities: when required
  by legal obligation (Tax Agency, Courts, etc.).

All data processors have signed the confidentiality and data protection
agreements required by the GDPR.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

5. INTERNATIONAL DATA TRANSFERS

Some of our providers (Shopify, Google, Stripe, etc.) are
located or process data outside the European Economic Area (EEA).
Such transfers are carried out under adequate safeguards in accordance with
Article 46 of the GDPR, mainly through:

- Standard contractual clauses approved by the European Commission.
- Adequacy decisions of the European Commission where applicable.

You can request more information about these safeguards by writing to
clientes@gamusi.com.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

6. COMMERCIAL COMMUNICATIONS

If you have given your consent to receive commercial communications,
we will send you information about new products, offers, promotions,
and news from Gamusi.

You can revoke this consent at any time free of charge and
without needing to provide justification:

- By clicking on the "Unsubscribe" or "Cancel subscription" link
  found at the bottom of each commercial email.
- By sending an email to clientes@gamusi.com indicating your wish to unsubscribe
  from commercial communications.

The withdrawal of consent does not affect the lawfulness of processing
carried out prior to withdrawal.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

7. RIGHTS OF DATA SUBJECTS

Under the GDPR and LOPDGDD, you have the right to:

- Access: know what personal data of yours we process.
- Rectification: request the correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request the deletion of your data
  when, among other reasons, they are no longer necessary for the purposes for
  which they were collected.
- Objection: object to the processing of your data in certain
  circumstances, especially when based on legitimate interest or for
  direct marketing purposes.
- Restriction of processing: request that the processing
  of your data be restricted in certain cases.
- Data portability: receive your data in a structured, commonly used,
  and machine-readable format, and transmit them to another controller.
- Withdrawal of consent: at any time, without affecting
  the lawfulness of prior processing.
- Lodge a complaint with the AEPD: if you believe that the processing of your data
  is not compliant with regulations, you can lodge a complaint with the
  Spanish Data Protection Agency (www.aepd.es).

To exercise any of these rights, you can contact:

  Nevenon Group, S.L. – Gamusi
  C/ Comarca dels Ports, 24 – 46880 Bocairent – Valencia – Spain
  clientes@gamusi.com

We will respond within a maximum period of one month from the receipt of your
request, extendable by two additional months in cases of particular
complexity. To verify your identity, we may request supporting documentation.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

8. MINORS

The Gamusi website is not intended for children under 14 years of age. We do not knowingly
collect personal data from children under that age. If you become aware
that a minor has provided us with data without parental consent,
please notify us at clientes@gamusi.com so that we can proceed with its immediate deletion.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

9. DATA SECURITY

Nevenon Group, S.L. applies appropriate technical and organizational measures to
ensure a level of security adequate to the risk, in accordance with Article 32
of the GDPR. These include:

- Encryption of communications using the HTTPS (TLS) protocol.
- Restricted access to data by authorized personnel.
- Use of certified providers with recognized security standards
  (PCI-DSS for payments, SOC 2 for cloud infrastructure).
- Periodic review of implemented security measures.

However, no Internet transmission system is completely secure.
In the event of a security breach affecting your rights
and freedoms, we will notify you within the legally established timeframe.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

10. COOKIES

The website uses its own and third-party cookies. For detailed information
on the types of cookies used, their purpose, and how to
manage them, please consult our Cookie Policy, available in the footer
of the website.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

11. MODIFICATIONS TO THIS POLICY

Nevenon Group, S.L. reserves the right to update this Privacy Policy
to adapt it to legislative, jurisprudential,
technological, or business changes. When changes are significant, we will
communicate them through a prominent notice on the website or, if we have
your email address, through a direct message.

The "Last updated" date at the header of this
document indicates when the most recent review was performed.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

12. APPLICABLE LAW AND JURISDICTION

This Privacy Policy is governed by Spanish and European law
on data protection. For any dispute
arising from its interpretation or application, the parties submit to the
Courts of Valencia, without prejudice to the user's right
to resort to the Spanish Data Protection Agency.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━