Privacy policy

Last updated: 15th March 2026

This Privacy Policy explains how Todologo S.L., trading under the brand XXL Lashes, collects, uses, stores, shares, and protects personal data when you visit www.xxllashes.com, place an order, contact us, subscribe to marketing, create an account, leave a review, or otherwise interact with us.

We aim to process personal data lawfully, fairly, and transparently in accordance with the General Data Protection Regulation (GDPR) and applicable Spanish data protection law, including Ley Orgánica 3/2018.

1. Data controller

The controller responsible for the processing of your personal data is:

Todologo S.L.
Calle Jaen 8
29680 Estepona (Málaga)
Spain
Email: info@xxllashes.com
Phone: +34 67 441 7788

Brand used on the website: XXL Lashes

For privacy-related questions or to exercise your data protection rights, you can contact our Privacy Contact at:

info@xxllashes.com

2. What personal data we may collect

Depending on how you interact with us, we may collect and process the following categories of personal data:

A. Identity and contact data

  • name

  • billing address

  • shipping address

  • email address

  • telephone number

  • company name

  • VAT / tax number where applicable

B. Account and customer profile data

  • login or account details

  • order history

  • saved preferences

  • wishlist, back-in-stock, or loyalty-related data where used

C. Transaction and payment data

  • order details

  • products purchased

  • payment status

  • payment method

  • transaction identifiers

We do not normally store full card details ourselves. Card payments are generally processed through payment service providers.

D. Communications data

  • emails

  • contact form messages

  • support requests

  • chat messages

  • WhatsApp or SMS communications where used

  • phone call-related notes where needed for customer service

E. Marketing and engagement data

  • newsletter subscription status

  • SMS marketing preferences

  • campaign interaction data

  • email opens and clicks where your chosen marketing tools track these

  • review submissions

  • influencer or wholesale application data

  • training or booking data

F. Technical and usage data

  • IP address

  • browser type

  • device type

  • approximate location derived from IP

  • cookie identifiers

  • page views

  • browsing behaviour on the website

  • referral information

  • interactions with ads or campaigns

G. Fraud prevention and security data

  • device and transaction signals

  • order-risk indicators

  • verification data

  • records of suspicious activity or chargeback-related events

3. How we collect personal data

We may collect personal data:

  • directly from you when you place an order, create an account, contact us, sign up for marketing, leave a review, submit an application, or otherwise communicate with us,

  • automatically through cookies, pixels, tags, logs, and similar technologies when you browse our website, subject to your cookie choices where required,

  • from service providers that help us process orders, payments, deliveries, analytics, fraud checks, or marketing,

  • from advertising and social media platforms where you interact with our ads or content,

  • and from publicly available or third-party sources where relevant and lawful.

4. Purposes of processing and legal bases

Under the GDPR, personal data must be processed on a valid legal basis, such as performance of a contract, compliance with a legal obligation, legitimate interests, or consent.

We may process personal data for the following purposes:

A. To process and fulfil orders

This includes:

  • taking and confirming orders,

  • processing payments,

  • arranging shipment and delivery,

  • issuing invoices,

  • handling returns, refunds, exchanges, and subscription orders,

  • providing customer service in relation to purchases.

Legal basis: performance of a contract; compliance with legal obligations where applicable.

B. To communicate with you

This includes:

  • sending order confirmations, dispatch updates, tracking information, invoices, subscription notices, service messages, and support responses.

Legal basis: performance of a contract; legitimate interests in customer service and business administration.

C. To manage customer accounts

This includes:

  • creating and administering accounts,

  • enabling login,

  • storing preferences,

  • facilitating faster checkout,

  • showing order history where available.

Legal basis: performance of a contract; legitimate interests in providing account functionality.

D. To send marketing communications

This includes:

  • newsletters,

  • promotional emails,

  • SMS marketing,

  • product updates,

  • reminders,

  • offers and campaigns,

  • and, where applicable, remarketing audiences.

Legal basis: consent where required by law; in some cases legitimate interests where permitted by law and subject to your right to object. You can unsubscribe or withdraw consent at any time.

E. To display reviews, testimonials, and user-generated content

This includes:

  • collecting and displaying reviews,

  • sending review requests after purchase,

  • moderating or responding to reviews where needed.

Legal basis: legitimate interests in gathering customer feedback and promoting our products; consent where required for specific uses.

F. To improve our website, products, services, and marketing

This includes:

  • analysing website traffic,

  • measuring campaign performance,

  • understanding customer behaviour,

  • testing website features,

  • improving navigation, performance, and content,

  • and building audiences for advertising.

Legal basis: consent where required for analytics or advertising cookies and similar technologies; legitimate interests for basic service improvement and internal analytics where lawful and appropriately configured.

G. To detect fraud, misuse, and unlawful activity

This includes:

  • fraud screening,

  • order-risk review,

  • chargeback prevention,

  • suspicious transaction checks,

  • account abuse prevention,

  • and website or system security measures.

Legal basis: legitimate interests in protecting our business, customers, website, and payment environment; compliance with legal obligations where applicable.

H. To comply with legal, tax, accounting, and regulatory obligations

This includes:

  • keeping transaction records,

  • responding to lawful requests,

  • complying with tax and accounting requirements,

  • handling legal claims and evidence preservation.

Legal basis: compliance with legal obligations; legitimate interests in defending legal claims.

I. To handle applications, wholesale requests, influencer enquiries, bookings, and training-related requests

Legal basis: steps prior to entering into a contract; performance of a contract; legitimate interests in evaluating requests and managing business relationships.

5. Cookies, pixels, and similar technologies

We use cookies and similar technologies on our website. These may include:

  • strictly necessary cookies,

  • preference cookies,

  • analytics cookies,

  • marketing or advertising cookies.

We also use tools connected to platforms such as Google, Meta, and other service providers for analytics, campaign measurement, and remarketing, subject to your consent where required.

You can manage your preferences through our cookie banner or cookie settings tool. For more detailed information, please see our Cookie Policy.

Under GDPR and Spanish guidance, users must be informed about cookie use and, for non-essential technologies, consent is generally required before those technologies are set or read, except where a legal exemption applies.

6. Providers and recipients of personal data

We may share personal data with trusted third parties where necessary for the purposes described above. Depending on the context, these parties may act as our processors, service providers, or independent controllers.

These may include:

  • Shopify and Shopify-related services for website hosting, checkout, order management, messaging, and ecommerce operations

  • Shopify Payments and other payment providers

  • PayPal

  • Klarna

  • Google Analytics

  • Google Ads

  • Meta Pixel / Meta advertising services

  • TikTok Pixel / TikTok advertising services

  • Judge.me

  • shipping carriers and shipping apps

  • ERP and order-management providers

  • email and communication service providers

  • SimpleVAT

  • IT, security, legal, tax, and professional advisers where needed

We may also disclose personal data:

  • where required by law,

  • to courts, regulators, tax authorities, law enforcement, or other public authorities where legally required,

  • in connection with a merger, acquisition, restructuring, or sale of assets,

  • or where necessary to establish, exercise, or defend legal claims.

7. International data transfers

Some of the providers we use may process personal data outside the European Economic Area (EEA), including in the United States or other countries.

Where personal data is transferred outside the EEA, we aim to use a lawful transfer mechanism under the GDPR, which may include:

  • an adequacy decision adopted by the European Commission under Article 45 GDPR,

  • the EU-U.S. Data Privacy Framework where the recipient participates in it,

  • or the European Commission’s Standard Contractual Clauses and, where required, supplementary measures under Article 46 GDPR.

Because our provider setup may evolve over time, the exact transfer mechanism can vary depending on the provider and service used.

8. How long we keep personal data

The GDPR requires that personal data be kept no longer than necessary for the purposes for which it was collected, while also allowing retention where needed for legal obligations or legal claims.

We generally retain personal data according to the following criteria:

  • Order and invoice data: for as long as necessary to perform the contract and afterwards for the period required by applicable tax, accounting, commercial, and legal obligations

  • Customer account data: while the account remains active and for a reasonable period afterwards, unless deletion is requested and retention is not otherwise required

  • Marketing data: until you unsubscribe, withdraw consent, object, or the data is no longer needed for the marketing purpose

  • Support and correspondence data: for as long as needed to handle the enquiry and for a reasonable period afterwards where needed for follow-up, records, or legal claims

  • Review, application, and enquiry data: for as long as needed to manage the request, relationship, or publication purpose

  • Technical, analytics, and cookie-related data: according to the relevant cookie duration, platform settings, legal requirements, and our internal review cycles

  • Fraud prevention and security data: for as long as reasonably necessary to investigate, prevent, evidence, or defend against fraud, abuse, or legal claims

Where possible, we may delete, anonymise, or aggregate data once it is no longer needed.

9. Whether you must provide personal data

Some personal data is necessary for us to:

  • process orders,

  • take payment,

  • deliver products,

  • provide customer support,

  • or comply with legal obligations.

If you do not provide the required data, we may not be able to process your order, provide certain services, or respond effectively to your request.

Providing data for marketing or non-essential cookies is generally voluntary.

10. Automated decision-making and profiling

We may use automated tools to help detect fraud, assess transaction risk, personalise marketing, measure campaign performance, or tailor website experiences.

However, we do not ordinarily make decisions that produce legal or similarly significant effects solely by automated means without appropriate human involvement.

For example, suspicious orders may be flagged by automated fraud tools and then reviewed manually before a final decision is made.

11. Your rights

Under the GDPR, individuals may have the right to:

  • access their personal data,

  • rectify inaccurate or incomplete data,

  • request erasure,

  • request restriction of processing,

  • object to certain processing,

  • receive data portability where applicable,

  • withdraw consent at any time where processing is based on consent,

  • and lodge a complaint with a supervisory authority.

If you want to exercise your rights, please contact us at:

info@xxllashes.com

We may ask you to verify your identity before responding to your request.

If you are in Spain, you also have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) if you believe your personal data has been processed unlawfully.

12. Marketing choices

You can opt out of marketing emails by clicking the unsubscribe link in the email or by contacting us.

If you receive SMS marketing from us, you can opt out using the method provided in the message or by contacting us.

Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

13. Data security

We take reasonable technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

No system can be guaranteed to be completely secure, but we aim to use appropriate safeguards proportionate to the nature of the data and the risks involved, as required by the GDPR.

14. Third-party websites and services

Our website may contain links to third-party websites, plugins, social media features, or external services.

We are not responsible for the privacy practices, content, or security of third-party websites or services. We encourage you to read their privacy notices separately.

15. Children

Our website and products are not specifically directed at children.

We do not knowingly collect personal data from children in violation of applicable law. If you believe that a child has provided us with personal data unlawfully, please contact us so that we can review and, where appropriate, delete the data.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes.

The latest version will always be published on our website with the updated effective date.

17. Contact

If you have any questions about this Privacy Policy or about how we process personal data, please contact:

Todologo S.L. / XXL Lashes
Calle Jaen 8
29680 Estepona (Málaga)
Spain
Email: info@xxllashes.com
Phone: +34 67 441 7788