Privacy Policy
Version 1.0.0 · effective 2026-05-02
This Privacy Policy explains how Ruslan Moskalenko, doing business under the trade name Webmaster Ramos (the "Controller"), processes personal data collected through the website https://webmaster-ramos.com (the "Website") and the services offered through it. This policy is published in compliance with Regulation (EU) 2016/679 (GDPR), the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and the Spanish Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE).
1. Data controller
- Controller: Ruslan Moskalenko (Webmaster Ramos)
- NIE: Y6786650P
- Business address: Avenida Maisonnave 41, 3ºB, 03003 Alicante, Spain
- Contact email for privacy matters: contact@webmaster-ramos.com
- Data Protection Officer: not designated. Under Article 37 GDPR the appointment of a DPO is not mandatory for the Controller's current processing activities.
2. Categories of personal data processed
2.1. Identification and contact data — name, email address, country of residence, optional company name and VAT number, optional postal address for invoicing.
2.2. Account data — encrypted password (bcrypt hash), account preferences, language, locale, timezone.
2.3. Order and billing data — order identifiers, products purchased, prices, invoices, payment receipts, refund records.
2.4. Payment data — last four digits of the payment card, card brand, payment-provider transaction identifiers. Full card numbers are processed by the payment service provider and never reach the Controller.
2.5. Repository access data — public keys associated with repository tokens, token labels, last-used timestamp, originating IP address of recent access logs.
2.6. Support data — content of support tickets and replies, attachments, ticket category, ticket status.
2.7. Audit and content interaction data — submitted reviews and comments, audit submissions and their outputs, free-tier audit input data (e.g. URLs scanned, technical signals), session events relevant to security or fraud prevention.
2.8. Technical data — IP address, browser user-agent, referrer, URL accessed, response code, response timing, language preference, and cookie identifiers as described in the Cookie Policy.
2.9. Communication data — content of emails and contact-form messages exchanged with the Controller, including any data the Customer voluntarily provides in such communications.
The Controller does not process special categories of personal data under Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation).
3. Purposes of processing and legal bases
For each purpose, the table below indicates the legal basis under Article 6 GDPR.
| Purpose | Legal basis |
|---|---|
| Operate the account and provide the service requested | Art. 6(1)(b) — contract |
| Process orders, issue invoices, comply with bookkeeping obligations | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation |
| Provide customer support | Art. 6(1)(b) — contract |
| Send transactional emails (order confirmations, password reset, security alerts) | Art. 6(1)(b) — contract |
| Send commercial communications about similar products and services to existing customers | Art. 6(1)(f) — legitimate interest, with opt-out at any time (LSSI-CE Art. 21.2) |
| Send commercial communications based on opt-in (newsletters, promotional offers) | Art. 6(1)(a) — consent |
| Operate analytics on the Website | Art. 6(1)(a) — consent |
| Detect, prevent, and investigate fraud, abuse, security incidents, breaches of these Terms or the Software License Agreement, sanctions-list matches, and licence-circumvention attempts | Art. 6(1)(f) — legitimate interest |
| Maintain security logs (rate limits, failed logins, audit trails, IP reputation signals) | Art. 6(1)(f) — legitimate interest |
| Carry out internal product improvement, evaluation, and quality assurance using aggregated or pseudonymised data | Art. 6(1)(f) — legitimate interest |
| Comply with legal, tax, accounting, and regulatory obligations | Art. 6(1)(c) — legal obligation |
| Establish, exercise, or defend legal claims, including by retaining data necessary for the duration of the relevant limitation period | Art. 6(1)(f) — legitimate interest |
| Prepare and execute aggregated, anonymised research and statistics, and publish such statistics in commercial materials | Art. 6(1)(f) — legitimate interest |
| Transfer personal data in connection with a merger, acquisition, sale of business, or analogous transaction | Art. 6(1)(f) — legitimate interest |
4. Recipients and processors
4.1. The Controller relies on third-party service providers acting as data processors under Article 28 GDPR. Each processor is bound by a data-processing agreement and processes personal data only on documented instructions from the Controller. Current processors:
| Processor | Role | Location of processing |
|---|---|---|
| Hetzner Online GmbH | Hosting (servers, databases, backups) | Germany (EU) |
| Cloudflare, Inc. | Content delivery, DDoS protection, edge caching | Global edge; EU-US Data Privacy Framework |
| Stripe Payments Europe Ltd | Payment processing | Ireland (EU); US transfers under EU-US Data Privacy Framework or Standard Contractual Clauses |
| DuoCircle LLC / SMTP provider | Outbound transactional and commercial email | United States; transfers under EU-US Data Privacy Framework or Standard Contractual Clauses |
| GitHub, Inc. | OAuth login provider when chosen by the Customer | United States; transfers under EU-US Data Privacy Framework or Standard Contractual Clauses |
| Google LLC | OAuth login provider when chosen by the Customer | United States; transfers under EU-US Data Privacy Framework or Standard Contractual Clauses |
4.2. Personal data may also be disclosed to:
(a) public authorities and courts, where required by law, court order, or regulatory request;
(b) auditors, accountants, lawyers, and other professional advisers of the Controller, bound by professional duties of confidentiality;
(c) any potential acquirer of the Controller's business, in the event of a sale or transfer of part or all of the business, in which case the acquirer becomes the new controller and is bound by this Privacy Policy or an equivalent successor.
4.3. The Controller does not sell personal data to third parties.
4.4. The Controller may engage new sub-processors or replace existing sub-processors at any time, including for the purpose of improving service quality, security, or cost-effectiveness. The Controller shall update the table in Section 4.1 to reflect any such change.
4.5. Where reasonably practicable, the Controller shall provide thirty (30) days advance notice of a material change in sub-processors — through publication of the updated table in this Privacy Policy, by banner on the Website, or by email to the address registered to the Customer's account. Publication of the updated table in this Privacy Policy constitutes sufficient notice for the purposes of Article 28(2) GDPR. The Customer's continued use of the service after the effective date of the change constitutes acknowledgement of the new sub-processor.
4.6. Where the Customer reasonably objects to a new sub-processor on the basis of legitimate data-protection concerns, the Customer's sole remedy is to terminate the account in accordance with the Terms of Service Section 18.
5. International transfers
5.1. Where personal data is transferred outside the European Economic Area, the Controller relies on:
(a) an adequacy decision under Article 45 GDPR (e.g. EU-US Data Privacy Framework for certified US recipients); or
(b) Standard Contractual Clauses approved by the European Commission under Article 46(2)(c) GDPR; or
(c) any other transfer mechanism allowed by Chapter V of the GDPR where appropriate.
5.2. The Customer may obtain a copy of the safeguards in place for any specific transfer by writing to contact@webmaster-ramos.com.
6. Retention periods
| Data category | Retention period |
|---|---|
| Account data (logged-in users) | While the account is active; deleted or anonymised within ninety (90) days after the Customer closes the account, save for data retained under another row of this table |
| Order and billing data | Six (6) years from the end of the fiscal year in which the order was placed (Spanish Commercial Code, Art. 30); thereafter retained as long as necessary for the establishment, exercise, or defence of a legal claim |
| Invoice data | Six (6) years from issuance for bookkeeping (Spanish Commercial Code, Art. 30) and four (4) years for tax purposes (LGT, Art. 66) |
| Payment data | Until the end of the legally required retention period for the underlying order |
| Support data | Three (3) years from the closure of the ticket, then anonymised; messages directly relating to a refund, chargeback, complaint, or potential dispute are retained for the duration of the relevant limitation period |
| Repository access logs | Twelve (12) months from the access event; logs forming part of an active fraud or abuse investigation are retained until the investigation is closed |
| Security logs (failed logins, rate-limit events, IP reputation signals) | Twelve (12) months from the event; entries linked to a confirmed abuse incident are retained for the duration of the relevant limitation period |
| Cookie consent records | Thirteen (13) months from the last interaction |
| Newsletter subscription | Until the Customer unsubscribes; suppression-list record retained indefinitely so that unsubscribed addresses are not re-contacted |
| Communication data | Three (3) years from the last interaction; communications related to a potential or actual dispute are retained for the duration of the relevant limitation period |
| Aggregated and anonymised data | Indefinitely (no longer personal data within the meaning of Article 4(1) GDPR after irreversible anonymisation) |
After the relevant retention period, personal data is deleted or anonymised, at the Controller's option, where anonymisation preserves analytical, statistical, or product-improvement value and makes it impossible — within the meaning of Recital 26 GDPR — to re-identify the Customer.
Personal data may be retained beyond the periods listed above where the Controller is required or entitled to retain it:
(a) for the establishment, exercise, or defence of a legal claim, until the relevant limitation period expires (typically five (5) years under Article 1964.2 of the Spanish Civil Code, two (2) years for consumer claims under specific TRLGDCU provisions where applicable, or six (6) years for commercial bookkeeping under Article 30 of the Spanish Commercial Code);
(b) to comply with a legal, tax, accounting, anti-money-laundering, sanctions-compliance, or other regulatory obligation;
(c) to comply with a binding court order, regulatory request, or law-enforcement request; or
(d) to enforce these Terms, the Software License Agreement, or any related contract.
7. Rights of the data subject
7.1. The Customer has the following rights under Articles 15 to 22 GDPR:
(a) Access — to obtain confirmation of whether personal data is being processed and, if so, a copy of the personal data;
(b) Rectification — to obtain correction of inaccurate personal data and completion of incomplete personal data;
(c) Erasure — to obtain deletion of personal data where one of the grounds in Article 17 GDPR applies;
(d) Restriction — to obtain restriction of processing under Article 18 GDPR;
(e) Data portability — to receive personal data in a structured, commonly used and machine-readable format and to have it transmitted to another controller, where Article 20 GDPR applies;
(f) Objection — to object to processing based on legitimate interest at any time, on grounds relating to the Customer's particular situation;
(g) Withdrawal of consent — to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(h) Not to be subject to automated decision-making — including profiling, that produces legal or similarly significant effects, as described in Article 22 GDPR. The Controller does not currently carry out such automated decision-making.
7.2. Rights may be exercised by writing to contact@webmaster-ramos.com from the email address registered with the account, or by postal mail to the registered address indicated in Section 1, including a copy of an identity document where reasonably necessary to verify identity.
7.3. The Controller responds within one (1) month of receipt of the request under Article 12(3) GDPR, with a possible extension of two further months for complex or numerous requests, subject to notifying the Customer of the extension within the initial one-month period.
7.4. Manifestly unfounded or excessive requests, including those of a repetitive character, may be charged a reasonable fee that covers the administrative cost of handling the request, or refused outright, in accordance with Article 12(5) GDPR. The Controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
7.5. The Controller may request additional information necessary to verify the identity of the requesting person under Article 12(6) GDPR, in particular where there is a reasonable doubt as to the identity of the requester or where the request relates to a third party.
7.6. The right of erasure (Article 17 GDPR) does not apply, in accordance with Article 17(3) GDPR, where the processing is necessary:
(a) for compliance with a legal obligation;
(b) for the establishment, exercise, or defence of legal claims;
(c) for archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
(d) for any other ground listed in Article 17(3) GDPR.
The Controller will explain, where applicable, which retention rule in Section 6 prevents immediate erasure and how long the data will continue to be retained.
7.7. The Customer has the right to lodge a complaint with the Spanish Data Protection Agency:
Agencia Española de Protección de Datos (AEPD) C/ Jorge Juan, 6 — 28001 Madrid https://www.aepd.es Sede electrónica: https://sedeagpd.gob.es
The Customer may also lodge a complaint with the supervisory authority of the Customer's country of habitual residence within the European Union.
8. Security
8.1. The Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk under Article 32 GDPR, including:
(a) encryption in transit (TLS) for all public connections and encryption at rest for sensitive fields where applicable;
(b) bcrypt hashing of account passwords with a cost factor of at least 12;
(c) Fernet symmetric encryption for repository token private keys;
(d) role-based access control to administrative interfaces, multi-factor authentication for staff accounts where supported, and session timeouts;
(e) rate limiting on authentication and content-modification endpoints;
(f) regular backups, with backup retention separate from production retention;
(g) security headers (Content Security Policy, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy) on every public response;
(h) staff training, secret rotation, dependency vulnerability scanning, and periodic security reviews.
8.2. In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, the Controller notifies the Spanish Data Protection Agency within seventy-two (72) hours of becoming aware of the breach (Article 33 GDPR) and notifies affected Customers without undue delay where the breach is likely to result in a high risk (Article 34 GDPR).
9. Children
The Website is not directed to children under the age of fourteen (14). The Controller does not knowingly collect personal data from children under the age of fourteen. If a parent or legal guardian becomes aware that personal data of a child under that age has been provided, they may contact the Controller at the address in Section 1 to request deletion.
10. Cookies
The use of cookies and similar technologies is described in the Cookie Policy.
11. Changes to this policy
The Controller may update this Privacy Policy. Updates are published at this URL with the previous version archived at a permanent link. Material changes are notified through the email address registered to the Customer's account where reasonably practicable.
12. Contact
For any question relating to this Privacy Policy or to exercise the rights described in Section 7, the Customer may write to contact@webmaster-ramos.com or via the contact form. Full identification of the Controller — including business address — is published in Section 1 above and at Legal Notice.
This Privacy Policy is published as version 1.0.0 with effective date indicated on the public page. Future versions, if any, will be published at the same URL with the previous version archived at a permanent link.