PRIVACY POLICY
1. Who We Are
LA BOMBA.dev is an independent software studio that builds web applications, browser extensions, and third-party platform integrations. This Privacy Policy explains how we collect, use, and protect information across all of our products and services.
Contact: hello@labomba.dev
2. What Information We Collect
2.1 Information you provide directly
- Support enquiries. When you contact us at hello@labomba.dev, we receive your email address and any information you include in your message.
2.2 Information collected automatically
- Usage data. We may collect anonymised, aggregated data about how our services are used (e.g. feature usage frequency, error rates). This data cannot be used to identify you individually.
- Error and diagnostic logs. When errors occur, our backend services may log technical identifiers (such as a platform-issued user ID) solely to diagnose the problem. See Section 7 for product-specific details.
2.3 Information we do NOT collect
- We do not collect your name, physical address, or payment details.
- We do not run advertising networks and do not collect data for ad-targeting purposes.
- We do not sell or rent your personal data to any third party.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process personal data only where we have a lawful basis to do so:
| Processing activity | Legal basis |
|---|---|
| Responding to support enquiries | Legitimate interest (responding to your request) |
| Error and diagnostic logging | Legitimate interest (maintaining service reliability) |
| Aggregated, anonymised analytics | Legitimate interest (product improvement) |
We do not process any data on the basis of consent (we do not use opt-in marketing), and we do not process special category data.
4. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve our services
- Diagnose and fix technical errors
- Respond to support requests
- Comply with legal obligations
We do not use your data for automated decision-making or profiling.
5. Data Sharing
We do not sell your personal data. We share data only in the following limited circumstances:
- Service providers. We use third-party infrastructure providers to operate our services (see Section 6). These providers act as data processors under appropriate data processing agreements.
- Legal requirements. We may disclose information if required to do so by law, court order, or to protect the rights and safety of our users.
- Business transfers. In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will provide notice before your data becomes subject to a different privacy policy.
6. Third-Party Processors
| Processor | Purpose | Privacy information |
|---|---|---|
| Cloudflare, Inc. | Backend infrastructure (Cloudflare Workers) | Cloudflare Privacy Policy — Cloudflare DPA available |
Cloudflare may process request data (including IP addresses) in the course of delivering our services. This is governed by Cloudflare's Data Processing Addendum.
7. Product-Specific Privacy Information
7.1 Music Embed (Canva App)
Music Embed is a Canva application that lets users search Spotify content and insert Spotify embed players into Canva designs. The following additional details apply:
What we process
- Canva user ID. When you use Music Embed, your Canva-issued user token is verified by our backend worker to enforce per-user rate limits and attribute error logs. We do not store this identifier beyond the lifetime of your request — it is held in memory only for the duration of processing and never written to a database or persistent store.
- Search queries. Search terms you type are transmitted to our worker, which forwards them to the Spotify Web API. We do not log or store your search queries. The Spotify API call is made using our application credentials (Client Credentials flow) — your personal Spotify account is never accessed.
- No audio. We do not stream, download, or cache any audio content. All audio playback happens inside Spotify's own embed widget, under Spotify's terms.
What we do NOT collect
- Your Spotify account details
- Your Canva design contents
- Your listening history or preferences
Spotify
Content returned by the Spotify Web API is owned by the respective rights holders and governed by Spotify's Terms of Service. Music Embed is an independent integration and is not affiliated with or endorsed by Spotify AB.
Canva
Your use of Music Embed within the Canva platform is also subject to Canva's Privacy Policy.
8. Data Retention
| Data type | Retention period |
|---|---|
| Support emails | As long as necessary to resolve your enquiry, then deleted |
| Error / diagnostic logs | Rolling 30-day window (Cloudflare Workers default) |
| Canva user ID (Music Embed) | Not retained — held in memory for request duration only |
| Search queries (Music Embed) | Not retained — never stored |
| Aggregated analytics | Indefinitely (no personal data) |
9. International Data Transfers
Our infrastructure is operated via Cloudflare, which may process data in data centres globally, including outside the EEA. Where this occurs, Cloudflare relies on Standard Contractual Clauses (SCCs) and its Data Privacy Framework certification to ensure adequate protection. You can review Cloudflare's transfer mechanisms in their Privacy Policy.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access. Request a copy of the personal data we hold about you.
- Rectification. Ask us to correct inaccurate or incomplete data.
- Erasure. Request deletion of your personal data ("right to be forgotten").
- Restriction. Ask us to restrict processing of your data in certain circumstances.
- Portability. Receive your data in a structured, machine-readable format.
- Objection. Object to processing based on legitimate interests.
- Withdraw consent. Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at hello@labomba.dev. We will respond within 30 days.
EEA/UK users: If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national data protection authority in the EU).
11. Children's Privacy
Our services are not directed to children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@labomba.dev and we will delete it promptly.
12. Security
We take reasonable technical and organisational measures to protect your data against unauthorised access, loss, or disclosure. These include encrypted transit (HTTPS/TLS) for all communications and short data retention windows for any identifiers we process.
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes, we will make reasonable efforts to notify you. Continued use of our services after changes take effect constitutes acceptance of the revised policy.
14. Contact
For any privacy-related questions, requests, or complaints:
Email: hello@labomba.dev
We aim to respond to all enquiries within 5 business days.