Privacy Policy

The purpose of this privacy policy (the "Policy") is to explain the rules governing the various processing operations that may be carried out when you use our website accessible from the URL address: https://www.apartamentostaravilla.es (the "Site").

The processing of personal data implemented from the Site is the responsibility of the data controller.

1. Data Controller and Data Protection Officer

The Institution is hereinafter referred to as the "Data Controller". The terms "we", "us" and "our" in this Privacy Policy refer to the Data Controller.

2. Scope of This Policy

As the person responsible for processing your Personal Data, we do everything in our power to protect your privacy when you visit the Site. This Policy allows you to learn more about the origin and use of your Personal Data and your browsing information processed when you visit our Site.

For the purposes of this Policy, the term "Personal Data" refers to any data that relates to you alone and allows you to be identified directly or indirectly, regardless of the Terminal you are using. The term "Terminal" refers to the physical equipment (computer, tablet, smartphone, telephone, etc.) that you use to view and navigate the Site.

The term "Regulation" refers to the regulation relating to personal data, and in particular to Regulation No. 2016/679, known as the General Data Protection Regulation, and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (Ley Orgánica 3/2018, de Protección de Datos Personales y garantía de los derechos digitales — LOPDGDD).

By using our Site, you declare that you accept the terms of this Policy in their entirety. If you do not agree with any of these terms, you are free to stop using our Site.

This Privacy Policy is updated regularly. We will notify you of any significant changes in advance through notifications on the relevant services or by email as appropriate. The Site will always display the most current version of this Privacy Policy.

3. Protection of Your Personal Data

In accordance with the Regulations, we list all processing operations in a processing register that we leave at the disposal of the competent authorities. All information you provide during your visits to the Site is confidential. This information is necessary for the purposes of their processing.

3.1. What Personal Data is Collected and Processed?

The information that may be collected and processed includes:

• Identification data and contact details: first name, last name, gender, postal address, telephone number, email address, language and country from which you interact with us, and ID documents & numbers (required by Spanish law for guest registration with the Ministerio del Interior, in accordance with Real Decreto 933/2021)
• Personal data for reservations: check-in and check-out dates, membership number, hotel, reservation number
• Personal data to fulfill legal obligations: traveller registration, including full name, sex, date & place of birth, nationality, residence address, ID document type and details (DNI, NIE, passport number, or other travel document), date of arrival and departure, and signature — as required by Real Decreto 933/2021 on the communication of guest data to the Ministerio del Interior
• Health data: allergies
• Financial and payment data: bank details (all payment transactions are encrypted by the receiving bank or accredited storage center; we do not store credit card numbers), reservation information, etc.
• Connection, geolocation (only with your consent) and navigation data
• Personal preferences: including your cookie preferences

When we ask you to enter personal data to access a feature, some data are mandatory fields since they are required to allow you access to this feature (for example, to register your reservation we need your first and last name). It is important that the personal information shared about you is correct and up to date.

We do not process any personal data that could be qualified as "sensitive" (information concerning racial or ethnic origin, political, philosophical or religious opinions, trade union membership, health or sex life) within the meaning of the Personal Data Regulations.

We undertake not to transfer your personal data to third parties unless otherwise specified below in Article 3.3.

3.2. For What Purposes Are Your Personal Data Collected and Processed?

Booking Management The processing of your data is necessary to keep you informed of your reservation status, provide reservation summaries, accept payments, etc.

Access to Customer Service We process your Personal Data as part of our customer service to answer your requests, particularly through contact forms.

Fraud Detection and Prevention We process your personal data to detect, prevent, and investigate fraudulent activities to protect both you and our business from financial crimes, unauthorized transactions, and security threats.

Improving Our Services We process your navigation and booking data for analysis and statistics, only with your consent. This data allows us to analyze how you use our Site and improve its ergonomics and quality.

Marketing As part of your subscription to our newsletter, we process your data to manage your subscription and send targeted information by email or SMS according to your preferences. We may also contact you via push notifications if you subscribe to this service.

Processing for marketing purposes requires your consent. You can unsubscribe from our communications at any time.

If you have given us your consent to receive our communications, we may use the information for:

• Sharing information on current events, products, services, offers
• Recommendations on products or services that may interest you
• Customer research to better understand your expectations

3.3. Legal Basis for Processing Your Personal Data

Contract: For booking management and customer service access. When you purchase products from our Site, we collect and process your personal data to perform the contract between us. For example, we need your postal details for delivery or bank details to process payment.

Legitimate Interest: We process your personal data to ensure network and information system security, which is our legitimate interest to protect against cyber threats and ensure service availability. We detect and prevent fraud as this can affect you. Credit card data for payment purposes (user consumption and incidentals).

Consent: For improving our services and marketing. When processing Personal Data for service improvement and prospecting purposes, the legal basis is your consent.

Legal Obligation: To comply with applicable legal obligations. When we must comply with legal obligations such as providing guest personal data to the Ministerio del Interior (in accordance with Real Decreto 933/2021) or for tax purposes.

3.4. Who Are the Recipients of Your Personal Data?

In the course of using our Site, you may receive information from third parties with whom we collaborate to offer certain services:

• Accredited financial institutions and storage centers
• Competent public authorities
• Fraud detection and prevention entities
• Service providers related to marketing, communication and advertising

Personal Data collected from the Site are mainly processed by the Data Controller's internal services. We may share your information with the above third parties for reasons including:

• Payment processing (financial institutions and accredited storage centers)
• Credit and identity verification (fraud detection and prevention entities)
• Compliance with applicable legal obligations
• Site experience optimization and service improvement (marketing, communication and advertising service providers)

We require third parties who receive your personal data to comply with personal data Regulations. These third parties may only use your personal information according to our instructions and not for their own use.

Your login and browsing data can be transferred to Google Analytics.

We may also disclose your Personal Data in response to legal authorities' injunctions.

3.5. How Long Is Your Personal Data Kept?

We will keep your data for a period determined by applicable local law following your last reservation to answer questions, complaints or maintain data necessary to meet legal, accounting or analytical requirements.

Specific retention periods under Spanish law:

• General contractual claims: The general limitation period is five (5) years from the date the obligation becomes enforceable (Art. 1964 Código Civil, as amended by Ley 42/2015).
• Commercial and accounting records: Commercial books, correspondence, documentation, and supporting documents must be retained for a minimum of six (6) years from the date of the last entry (Art. 30 Código de Comercio).
• Tax-related data: Documentation supporting tax obligations must be retained for at least four (4) years, in accordance with the Ley General Tributaria (Art. 66).
• Guest registration data: Data communicated to the Ministerio del Interior under Real Decreto 933/2021 must be retained for a minimum of three (3) years.
• Data protection infringements: The LOPDGDD establishes limitation periods of one (1) to three (3) years depending on the severity of the infringement (Art. 73–74).
• Blocking obligation: In accordance with Art. 32 LOPDGDD, when data are rectified or deleted, they must be blocked (retained but inaccessible) for the applicable limitation period before final deletion, to ensure availability to courts, public prosecutors, or competent public administrations.

We may also keep your data for research or statistical analysis after anonymization. For newsletter subscriptions, we will not contact you again if you have not opened our newsletters for more than twelve (12) months or if you withdraw consent before, as you have the right to oppose commercial communications.

Any changes to this Policy will be made on this page and notified by email for material changes.

The Data Controller may also keep your data for research or statistical analysis. As these are anonymized, no retention period is imposed by the Regulations as it is no longer possible to "re-identify" you afterwards.

3.6. Hosting Your Personal Data

Your Personal Data is hosted by Heroku Inc. The Landmark @ 1 Market St., Suite 300, San Francisco, CA, 94105, United States. The servers on which your Personal Data is stored are located in Frankfurt, Germany.

The Data Controller has implemented appropriate technical measures to maintain the security of your Personal Data.

3.7. What Are Your Rights?

3.7.1. Consent

Your consent must be given clearly and unambiguously. When you agree to fill in the Site's contact form:

• You are informed of the use that will be made of your Personal Data
• You must check a box to validate your consent
• Country-specific age thresholds:
  • Spain: Children under 14 years cannot give consent (in accordance with the LOPDGDD, Article 7)
  • Other EU member states: may vary (e.g., Portugal: 13 years; France: 15 years)

3.7.2. Other Rights

In accordance with the Regulations, you have the following rights over your Personal Data:

• Right of access: Ask if your personal data are being processed and receive a copy of the Personal Data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete Personal Data concerning you.
• Right to delete your Personal Data if one of the legal grounds is fulfilled:
  • Personal Data are no longer necessary for processing purposes
  • You have withdrawn consent on which processing is based
  • You have objected to processing through your right of objection
  • Processing of your Personal Data is unlawful
  • Your Personal Data must be deleted under legal obligation
• Right to limit processing when:
  • You dispute the accuracy of your Personal Data
  • You do not object to deletion in the context of unlawful processing, but require limitation
  • Your Personal Data are no longer used by our services but storage is necessary for legal claim recognition, exercise or defense
• Right to portability: Contact us to have your Personal Data provided to you or directly to another controller in structured, commonly used and machine-readable format.
• Right of objection: Contact us when:
  • Processing is carried out in public interest or for our legitimate interests; you may object only for reasons relating to your situation
  • Processing is carried out for commercial prospecting; you may object at any time without explanation

3.7.3. Digital Rights under the LOPDGDD

Title X of the LOPDGDD (Articles 79–97) guarantees a series of digital rights, including but not limited to:

• Right to digital education (Art. 83): The right to adequate education in the digital environment.
• Right to rectification on the Internet (Art. 85): The right to request the updating of information published on digital media when it is inaccurate, incomplete, or outdated.
• Right to update of information in digital media (Art. 86): The right to request that outdated content in online media be updated with prominent notices.
• Universal right of access to the Internet (Art. 81): The right to access the Internet regardless of economic condition, geographic location, or disability.

These rights are provided for informational purposes. For the full scope and conditions, please consult the LOPDGDD directly.

Regardless of purpose or legal basis under which we process your data, you can send us an email to benefit from your rights at: Puerto de Mazarrón

Or send us a letter to: 30860, Calle Antoñita Moreno, nº 3, Puerto de Mazarrón, Spain

Please note that we are not always able to respond positively to your request for legal reasons that we will bring to your attention after receiving your request.

You have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) — Spain's supervisory authority for data protection — at www.aepd.es, C/ Jorge Juan, 6, 28001 Madrid, Spain.

4. Security of Internet Browsing

4.1. Integrity of Your Data on the Internet

The Site has appropriate security measures to prevent loss, unauthorized use or access, modification or disclosure of your Personal Data. All personal data collected is stored on secure servers. The Data Controller has implemented procedures to manage any violation of personal data.

4.2. Malicious Uses

We recommend connecting only to secure networks, preferably private networks. Be aware of risks involved with public wifi networks.

Regardless of the Data Controller to whom you have voluntarily transmitted your Personal Data and considering the nature of the Internet network, other operators without any link to the Data Controller may collect them without your consent, particularly during Internet browsing.

We recommend installing anti-virus and anti-spyware software on your computer and updating it regularly.

4.3. Usurpation/Phishing

The Data Controller will never solicit you by email to obtain personal information. If you receive an email on behalf of the Data Controller asking you to provide sensitive personal information (bank details, private life data, etc.), please do not reply and forward this email to us so we can take necessary action.

You should only provide your account information after logging into the Site directly through your browser.