Legal notice, privacy & cookies
Template document: fill in your details (in brackets) and have it reviewed by a professional before selling.
Legal Notice
1. General information and website owner
In compliance with the information duty set out in Article 10 of Spanish Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI-CE), the following identifying details of the owner of this website are made available to the user:
- Owner: [FULL NAME OR COMPANY NAME] (hereinafter, “PITBOX” or “the Owner”)
- Tax ID (NIF/CIF): [NIF/CIF]
- Registered address: [FULL REGISTERED ADDRESS]
- Telephone: [TELEPHONE]
- Contact e-mail: pitbox.garaje@gmail.com
- Website: [DOMAIN TO BE DEFINED]
- Commercial Registry details: [REGISTRY DETAILS if applicable: Commercial Registry of [PROVINCE], Volume [ ], Sheet [ ], Page [ ], Entry [ ]]
- Codes of conduct: the Owner is not bound by any specific code of conduct, unless otherwise stated on this page.
2. Purpose
This Legal Notice governs access to, navigation of and use of the website owned by PITBOX, as well as the liabilities arising from the use of its contents.
PITBOX is an online shop dedicated to the sale of sim racing button boxes, handcrafted and made to order, including bespoke units configured by the customer through a 3D configurator. The activity is directed at customers located in Spain (including the Canary Islands, Ceuta and Melilla) and in the rest of the European Union.
Browsing the website confers the status of user and implies full and unreserved acceptance of all provisions contained in this Legal Notice. Users who do not agree with its content must refrain from using the site.
3. Conditions of use
The user undertakes to make appropriate and lawful use of the website and its contents, in accordance with applicable law, this Legal Notice, public morality and public order. In particular, the user agrees:
- Not to use the contents for unlawful purposes or effects, or in a manner harmful to the rights or interests of third parties.
- Not to cause damage to the physical or logical systems of the Owner, its suppliers or third parties (for example, by introducing viruses or malicious software).
- Not to introduce or disseminate content that infringes fundamental rights or public order.
- To provide truthful and up-to-date information in forms and purchase processes.
The Owner may temporarily suspend access to the website without prior notice for maintenance, updating or improvement operations.
4. Intellectual and industrial property
All website content — including, by way of example and not limitation, texts, photographs, graphics, images, icons, designs, 3D models, the configurator interface, software, trade names, trademarks, logos and distinctive signs — is the property of the Owner or of third parties who have authorised its use, and is protected by national and international intellectual and industrial property law.
The reproduction, distribution, public communication, transformation or any other form of exploitation, in whole or in part, of the website content without the prior written authorisation of the Owner is expressly prohibited. The “PITBOX” trademark and the designs of the button boxes are owned by PITBOX. Access to the site grants the user no ownership right over the contents.
5. Disclaimer and limitation of liability
The Owner shall in no case be liable for damages of any nature that may arise from:
- The lack of availability, continuity or accessibility of the website.
- The existence of errors, interruptions, viruses or harmful elements, despite having adopted reasonable technical measures to prevent them.
- The unlawful, negligent or fraudulent use of the site by users, or of the information they provide.
Product images and renders are for guidance only; as these are handcrafted products, slight variations from the final unit may occur. The specific commercial conditions (prices, taxes, manufacturing and delivery times, withdrawal and warranty) are set out in the General Terms and Conditions of Sale, which complement this Legal Notice.
6. Links
The website may contain links to third-party pages. The Owner exercises no control over such sites and assumes no responsibility for their content, policies or practices. The inclusion of these links does not imply approval, association or recommendation of the linked sites. If the user detects that a link leads to unlawful content, please report it to pitbox.garaje@gmail.com.
Likewise, anyone wishing to establish a link to this site must refrain from reproducing the content, creating confusion about ownership or making false or inaccurate statements about PITBOX.
7. Applicable law and jurisdiction
This Legal Notice is governed by Spanish law. For the resolution of any dispute arising from access to or use of the website, the parties submit to the courts and tribunals that are competent under applicable law. Where the user acts as a consumer, the jurisdiction of their place of residence shall apply, without any waiver of the rights recognised to them by consumer protection law.
In consumer matters, please note that the European Online Dispute Resolution (ODR) platform, created by Regulation (EU) No 524/2013, ceased to be operational on 20 July 2025 following its repeal by Regulation (EU) 2024/3228, and therefore can no longer be used. Instead, the consumer may use the accredited alternative dispute resolution (ADR) bodies and the other channels described in the General Terms and Conditions of Sale.
Privacy Policy
At PITBOX we are committed to protecting your privacy and to processing your personal data lawfully, fairly and transparently, in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD).
1. Data controller
- Controller: [FULL NAME OR COMPANY NAME]
- Tax ID (NIF/CIF): [NIF/CIF]
- Address: [FULL REGISTERED ADDRESS]
- Telephone: [TELEPHONE]
- E-mail: pitbox.garaje@gmail.com
PITBOX is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. For any question relating to the protection of your data, you may use the contact channel indicated (pitbox.garaje@gmail.com).
2. Data we process, purposes and legal basis
We process the following categories of data, for the purposes and on the legal bases set out below. We do not process special categories of data (Article 9 GDPR), such as health, ideological or biometric data.
2.1. Order management and performance of the purchase
- Data: full name, e-mail, telephone, shipping address (address, postcode, city, province, country) and order data (products, bespoke configuration, amount, tax zone).
- Purpose: to process, manufacture, manage and ship your order, and to handle the contractual relationship, after-sales service and incidents.
- Legal basis: performance of a contract to which you are party, or pre-contractual measures taken at your request (Art. 6.1.b GDPR).
2.2. Payment data
- Data: payment data is processed directly through an external payment gateway (for example, [GATEWAY TO BE DEFINED, e.g. Stripe]). PITBOX does not store the full card number or the CVC; it only keeps, where applicable, the card brand and the last four digits as a transaction reference.
- Purpose: to process payment and prevent fraud.
- Legal basis: performance of the contract (Art. 6.1.b GDPR) and compliance with legal obligations (Art. 6.1.c GDPR).
2.3. Tax and accounting obligations
- Data: identifying and billing data.
- Purpose: issuing invoices and complying with tax, accounting and commercial obligations.
- Legal basis: compliance with a legal obligation (Art. 6.1.c GDPR).
2.4. Handling enquiries and communications
- Data: name, e-mail and content of the enquiry.
- Purpose: to respond to requests for information sent to pitbox.garaje@gmail.com or via forms.
- Legal basis: the data subject’s consent (Art. 6.1.a GDPR) or the legitimate interest in handling your enquiry (Art. 6.1.f GDPR).
2.5. Newsletter (commercial bulletin)
- Data: e-mail address.
- Purpose: to send you news, new series, offers and commercial communications about PITBOX.
- Legal basis: express and revocable consent (Art. 6.1.a GDPR), in connection with Article 21 of the LSSI regarding the sending of commercial communications by electronic means. You may withdraw your consent at any time, without retroactive effect, via the unsubscribe link in each mailing or by writing to pitbox.garaje@gmail.com. Withdrawal of consent does not affect the lawfulness of prior processing.
2.6. Approximate geolocation by IP (functional processing)
When you visit our website, we infer your approximate country or region from your IP address for two strictly functional purposes: (a) to preselect the interface language (Spanish or English) and (b) to preselect the country and calculate the applicable taxes and shipping costs during checkout.
- How it works: detection is carried out primarily at the edge of the Cloudflare network (using the request.cf information), so your IP is not disclosed to third parties. As a fallback, when that information is unavailable, external geolocation services (ipapi.co or ipwho.is) are used.
- What we store: we do not store your IP address to build profiles or for advertising tracking. Alongside the order we only keep the detected country, tax zone and language, as these are necessary for correct processing and invoicing.
- Legal basis: legitimate interest (Art. 6.1.f GDPR) in offering a tailored experience and correctly calculating taxes and shipping. We have carried out the corresponding balancing test and concluded that this processing has minimal impact on your privacy; you can always override the automatic detection manually via the language selector and country selection at checkout, and exercise your right to object.
2.7. Security and fraud prevention
- Data: technical browsing and transaction data.
- Purpose: to ensure the security of the site and prevent fraudulent use.
- Legal basis: legitimate interest (Art. 6.1.f GDPR).
3. Retention periods
We will keep your data for the following periods:
- Order and billing data: for the duration of the contractual relationship and thereafter for the statutory limitation periods of tax, accounting and commercial obligations (generally up to 6 years under Art. 30 of the Commercial Code, and 4 years for tax purposes under Art. 66 of the General Tax Law), as well as for the limitation periods of actions arising from the contract.
- Newsletter data: until you revoke your consent or unsubscribe.
- Enquiries and communications: for the time needed to handle them and thereafter until any liabilities are time-barred.
- Geolocation data associated with the order (country/tax zone/language): for the same period as the corresponding order.
Once those periods have elapsed, the data will be deleted or duly blocked and anonymised.
4. Recipients and processors
To provide our services we rely on suppliers acting as data processors, with whom we have signed (or will sign) the corresponding contracts under Art. 28 GDPR. These suppliers process data only on our instructions. The main ones are:
- Supabase — database and storage of orders. Servers that may be located outside the EU / in the USA.
- Cloudflare — hosting, content delivery network and edge geolocation. Provider with global infrastructure.
- Google (Places API) — address autocomplete (OPTIONAL, only if this feature is enabled). Google Ireland Ltd. / Google LLC.
- Transactional e-mail provider — sending order confirmations and communications. [TO BE DEFINED].
- Payment gateway — processing of payments. [TO BE DEFINED, e.g. Stripe].
In addition, your data may be disclosed to:
- Transport and logistics companies, for the delivery of orders.
- Public authorities and bodies (for example, the Tax Agency, or customs for shipments to the Canary Islands, Ceuta and Melilla), where there is a legal obligation.
- Financial institutions, for payment management.
No other transfer of data takes place except where legally required.
5. International data transfers
Some of our suppliers (for example, Supabase, Cloudflare, Google or the payment gateway) may process data on servers located outside the European Economic Area, including in the United States.
In these cases, we ensure that such transfers are carried out with the appropriate safeguards required by Chapter V of the GDPR (Arts. 44 to 49), in particular through:
- Standard Contractual Clauses (SCC) approved by the European Commission (Art. 46.2.c GDPR), and/or
- the supplier’s adherence to the EU-US Data Privacy Framework, where applicable, and/or
- adequacy decisions of the European Commission (Art. 45 GDPR).
You may request a copy of the safeguards applied or additional information by writing to pitbox.garaje@gmail.com.
6. Your rights
You may exercise, free of charge, the following rights recognised in Articles 15 to 22 GDPR:
- Access: to know what data we process.
- Rectification: to correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”): to request the deletion of your data.
- Objection: to object to processing, especially processing based on legitimate interest (including geolocation).
- Restriction of processing: to request that the use of your data be restricted.
- Portability: to receive your data in a structured, commonly used format.
- Withdrawal of consent: for consent-based processing (for example, the newsletter), at any time and without retroactive effect.
- Not to be subject to automated decisions: we do not carry out automated decision-making or profiling that produces legal effects or significantly affects you.
How to exercise them? Write to pitbox.garaje@gmail.com, or by post to the Controller’s address indicated in section 1, stating the right you wish to exercise and attaching, where necessary to verify your identity, a copy of an identity document. We will respond within a maximum of one month from receipt of the request.
Complaint to the supervisory authority. If you consider that we have not processed your data in accordance with the law, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan, 6, 28001 Madrid, or through its electronic office: www.aepd.es (Art. 77 GDPR), without prejudice to bringing legal action (Art. 79 GDPR).
7. Data security and accuracy
We have adopted appropriate technical and organisational measures to ensure the security of your data and prevent its alteration, loss, unauthorised processing or access. The user guarantees the truthfulness and accuracy of the data provided and undertakes to keep it up to date.
8. Minors
Our services are aimed at adults. We do not knowingly collect data from minors under 14 years of age. If we detect otherwise, we will delete it.
9. Changes to the Privacy Policy
PITBOX may amend this Policy to adapt it to legislative developments or changes in its services. Changes will be published on this same page, indicating the date of the last update.
Last updated: [PUBLICATION DATE]
Cookies and Local Storage Policy
1. Introduction
This page explains how PITBOX uses storage technologies on your device. We want to be clear: we do not use advertising, tracking or third-party analytics cookies. We only use strictly functional local storage, necessary for the operation of the shop and to remember your preferences.
2. What we do NOT use
This website does not use:
- Advertising or marketing cookies.
- Tracking cookies or behavioural profiling cookies.
- Third-party analytics or statistics cookies that identify the user.
- Advertising networks or third-party cookies for commercial purposes.
For this reason, since these are exclusively technologies exempt from the consent requirement (Art. 22.2 LSSI-CE, as they are strictly necessary to provide the service requested by the user), we do not display a cookie acceptance banner: there is no advertising, analytics or tracking processing to consent to.
3. What we DO use: functional local storage (localStorage)
We use the browser’s local storage (localStorage), a technology that stores information only on your own device and is not automatically transmitted to our servers or to third parties. We use it for the following strictly necessary purposes:
- Language preference — to remember whether you prefer to browse in Spanish or English (functional).
- Shopping cart — to keep the products and configurations you have added while browsing or between visits (functional).
This information is necessary for the website to work correctly and to give you a continuous experience. Without it, the cart could not retain your products and your language could not be remembered. In line with the AEPD’s Guide on the use of cookies, this storage is treated like cookies but, being strictly necessary, is exempt from the prior consent requirement.
4. Functional geolocation by IP
To preselect the language and correctly calculate taxes and shipping costs, we approximately infer your country or region from your IP address. This detection is carried out primarily at the edge of the Cloudflare network (so your IP is not shared with third parties) and, as a fallback, through the external services ipapi.co or ipwho.is.
This is functional processing: we do not store your IP to build profiles or for advertising purposes, and you can always override the automatic detection via the language selector and manual country selection during checkout. You can find more details in section 2.6 of our Privacy Policy.
5. How to manage or delete local storage
You can delete the information stored in localStorage at any time from your browser settings (usually under “Privacy and security” → “Clear browsing data” → “Site data” or “Local storage”). Please note that if you delete it, the contents of your cart and your language preference will be lost, and the website may not work as expected.
You can find out how to do this in the main browsers:
- Google Chrome: Settings → Privacy and security → Clear browsing data.
- Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data.
- Safari: Preferences → Privacy → Manage Website Data.
- Microsoft Edge: Settings → Privacy, search and services → Clear browsing data.
6. Changes to this Policy
PITBOX may update this Cookies and Local Storage Policy if it adds new features or the law changes. If, in future, third-party analytics, advertising or tracking cookies or technologies are added, a consent system will first be enabled (a banner with accept and reject options that are equally easy to use, and a category-based settings panel). Any change will be published on this same page.
Last updated: [PUBLICATION DATE]
For any questions about this policy, write to us at pitbox.garaje@gmail.com.