Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Shugert Agency ("Shugert", "we", "us") collects, uses, and protects personal data when you visit shugert.com.mx or interact with our forms. We act as the data controller for the information described below and comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP).

1. Data Controller

Shugert Agency operates from Hermosillo (Mexico), Barcelona (Spain), and New York (USA). For any privacy matter, including data subject rights requests, contact our privacy team at hello@shugert.com.mx.

2. Data We Collect

We collect only what we need to respond to you and run our business. Specifically:

Information you provide

  • Contact form: full name, email, company (optional), message, language preference.
  • Quote form: full name, email, phone (optional), company, website, current Shopify plan, monthly revenue range, requested services, scope, budget, timeline, and any message.
  • Email correspondence and any files you attach when you write to us.

Information collected automatically

  • Standard server logs (IP address, user agent, timestamp) retained briefly for security and abuse prevention.
  • Strictly necessary cookies required for the site to function and remember your language.
  • Aggregated, anonymous analytics about page views and navigation. We do not use cross-site advertising trackers.

3. Purposes and Lawful Basis

  • Respond to your enquiry and provide a quote — lawful basis: steps taken at your request prior to entering a contract (Art. 6(1)(b) GDPR).
  • Operate, secure, and improve the website — lawful basis: our legitimate interest in running a safe, performant service (Art. 6(1)(f) GDPR).
  • Send transactional emails about your project or quote — lawful basis: contract performance.
  • Comply with legal, accounting, and tax obligations — lawful basis: legal obligation (Art. 6(1)(c) GDPR).
  • Marketing communications — only with your prior, freely given consent (Art. 6(1)(a) GDPR), which you can withdraw at any time.

4. Data Retention

  • Contact submissions: up to 24 months from your last interaction, then deleted or anonymised.
  • Quote submissions: up to 36 months for commercial follow-up and audit, then deleted or anonymised.
  • Signed engagements and invoices: retained for the period required by Mexican and Spanish tax law (typically up to 10 years).
  • Server and security logs: typically 30 days.

5. Service Providers and Sub-processors

We use a small number of vetted providers that process data on our behalf under written agreements (Art. 28 GDPR):

  • Supabase (database and authentication for form submissions) — hosted on EU/US infrastructure.
  • Lovable Cloud (hosting and edge functions) — global edge network.
  • Email delivery providers used to receive your messages and reply to you.
  • Privacy-respecting analytics for aggregate usage measurement.

6. International Data Transfers

Because our team and infrastructure span Mexico, the EU, and the United States, your data may be transferred outside your country of residence. When transferring personal data from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses and apply additional safeguards (encryption in transit and at rest, access controls, and minimisation).

7. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Request erasure ("right to be forgotten").
  • Restrict or object to processing, including direct marketing.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Lodge a complaint with your local supervisory authority (e.g. AEPD in Spain, your national DPA in the EEA, the ICO in the UK, or INAI in Mexico).

To exercise any of these rights, write to hello@shugert.com.mx. We respond within 30 days and may ask for proof of identity to protect your data.

8. Security

We use TLS encryption for all traffic, role-based access controls, row-level security on our database, and least-privilege credentials for staff. No system is perfectly secure, but we work continuously to protect your information and will notify affected users and regulators of any breach within the timelines required by law.

9. Cookies

We use only strictly necessary cookies (for example, to remember your language) and aggregated analytics that do not identify you individually. We do not set advertising or cross-site tracking cookies. You can clear cookies at any time through your browser settings.

10. Children

Our services are intended for businesses. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes to our practices or the law. The "Last updated" date at the top will reflect the most recent revision. Material changes will be highlighted on the site.

12. Contact

Questions, requests, or complaints about this policy: hello@shugert.com.mx.