Data protection policy

1. Introduction

This Data Protection Policy (the “Policy”) explains how SeaView Apartment (“we”, “us” or “our”) collects, uses, stores, shares and otherwise processes personal data of guests, prospective guests, website visitors and other individuals who interact with our short-term rental services in Spain.

We are committed to protecting your personal data and respecting your privacy rights. This Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation, “GDPR”), the Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”), and other applicable Spanish and European Union data protection legislation.

By using our website, making a booking, or otherwise providing your personal data to us, you confirm that you have read and understood this Policy.

2. Identity and Contact Details of the Data Controller

The data controller responsible for the processing of your personal data is:

SeaView Apartment

Tourist accommodation registration numbers:

  • National short-term rental license number (SeaView Rancho A): ESFCTU00002904400011908400000000000000000000000000002 & VUT/MA/95928
  • National short-term rental license number (SeaView Monte B): ESFCTU0000290440003252320000000000000000 & VUT/MA/765753

Email: hello@seaviewapartment.eu

Telephone: +370 699 15515 / +370 698 26808

Website: https://www.seaviewapartment.eu

For any matters relating to the protection of your personal data or to exercise your rights under the GDPR, you may contact us at the email address indicated above with the subject line “Data Protection”.

3. Categories of Personal Data We Process

Depending on how you interact with us, we may collect and process the following categories of personal data:

3.1 Identification and contact data

  • Full name, surname(s) and salutation;
  • Date of birth, nationality and gender;
  • Identity document data (DNI, NIE, passport or other government-issued ID), including document type, number, issuing country and date;
  • Postal address, country of residence;
  • Email address and telephone number(s).

3.2 Booking and stay data

  • Reservation details (check-in and check-out dates, number of guests, room/apartment booked, special requests);
  • Names and identity data of accompanying guests;
  • Booking source (direct, Booking.com, Airbnb, Vrbo or other channel) and booking reference numbers;
  • Arrival and departure information, time of check-in and check-out;
  • History of previous stays and guest preferences.

3.3 Payment and financial data

  • Billing name and address;
  • Payment method, last four digits of payment card and card brand (full card data is processed directly by our payment service providers and is not stored on our systems);
  • Transaction amounts, currency, dates and invoice references.

3.4 Communication data

  • Messages, emails, chat conversations and other communications you send to us through our website, email, messaging platforms or booking channels;
  • Records of telephone calls (where applicable and only with prior notice);
  • Reviews, feedback and complaints.

3.5 Technical and online data

  • IP address, browser type and version, operating system, device identifiers;
  • Pages visited, date and time of access, referring URL;
  • Cookies and similar tracking technologies (see our separate Cookie Policy).

3.6 Special categories of data

We do not actively request special categories of personal data (such as health data, religious beliefs or data revealing racial or ethnic origin). However, you may voluntarily disclose such information to us (for example, if you indicate dietary requirements, accessibility needs or allergies). In such cases, we will process this data only to the extent necessary to provide the requested service and on the basis of your explicit consent.

4. Sources of Personal Data

We collect personal data from the following sources:

  • Directly from you, when you complete forms on our website, make a booking, send us emails or messages, or check in at our property;
  • From third-party online travel agencies and booking platforms (such as Booking.com, Airbnb, Expedia/Vrbo) when you book through them;
  • From other guests in your booking party (for example, the lead booker may provide details of accompanying guests);
  • Automatically through cookies and similar technologies when you visit our website;
  • From publicly available sources or social media platforms, where you have made information publicly available.

5. Purposes of Processing and Legal Bases

We process your personal data only when we have a valid legal basis under Article 6 of the GDPR (and, where applicable, Article 9 for special categories of data). The purposes and corresponding legal bases are described below.

5.1 Booking management and provision of accommodation services

Purpose: to manage your reservation, communicate with you before, during and after your stay, provide check-in and check-out, and deliver the contracted accommodation services.

Legal basis: performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract (Article 6(1)(b) GDPR).

5.2 Compliance with legal obligations relating to traveller registration

Purpose: to comply with our obligations under Spanish legislation applicable to tourist accommodation establishments, including the registration and communication of traveller data to the competent Spanish authorities (Ministry of the Interior, Guardia Civil or National Police), in accordance with Organic Law 4/2015 on the Protection of Public Security and its implementing regulations (including Royal Decree 933/2021, where applicable).

Legal basis: compliance with a legal obligation to which we are subject (Article 6(1)(c) GDPR).

5.3 Tax, accounting and invoicing obligations

Purpose: to issue invoices, keep accounting records and comply with tax obligations under Spanish law, including the General Tax Law (Ley 58/2003) and applicable tax regulations.

Legal basis: compliance with a legal obligation (Article 6(1)(c) GDPR).

5.4 Payment processing and fraud prevention

Purpose: to process payments, issue refunds and prevent fraudulent transactions.

Legal basis: performance of the contract (Article 6(1)(b) GDPR) and our legitimate interests in preventing fraud and securing payments (Article 6(1)(f) GDPR).

5.5 Customer service and handling of enquiries and complaints

Purpose: to respond to your questions, requests, complaints or claims.

Legal basis: performance of the contract (Article 6(1)(b) GDPR), our legitimate interest in providing a high-quality service (Article 6(1)(f) GDPR), or your consent where required.

5.6 Marketing communications

Purpose: to send you information about offers, promotions, news and other commercial communications relating to our accommodation services, by email or other electronic means.

Legal basis: your prior, freely given, specific, informed and unambiguous consent (Article 6(1)(a) GDPR), or our legitimate interest in promoting similar services to existing customers, in accordance with Article 21.2 of the Spanish Law 34/2002 on Information Society Services (LSSI-CE).

You may withdraw your consent at any time, free of charge, by clicking the “unsubscribe” link in any marketing email or by contacting us at the address given in section 2.

5.7 Improvement of our services and statistical analysis

Purpose: to analyse the use of our website and services, prepare aggregated statistics, and improve the quality of our offering.

Legal basis: our legitimate interest in understanding and improving our business (Article 6(1)(f) GDPR), and your consent for non-essential cookies.

5.8 Establishment, exercise or defence of legal claims

Purpose: to protect our rights, defend ourselves in legal proceedings or pursue legal claims.

Legal basis: our legitimate interest in protecting our legal rights (Article 6(1)(f) GDPR) and compliance with legal obligations (Article 6(1)(c) GDPR).

6. Recipients of Personal Data

We treat your personal data confidentially and disclose it only when necessary and to the following categories of recipients:

  • Spanish public authorities and law enforcement bodies (Ministry of the Interior, Guardia Civil, National Police, tax authorities, courts) where required by law;
  • Payment service providers and financial institutions that process payments on our behalf;
  • Online travel agencies and booking platforms through which the booking was made, for the purposes of fulfilling the reservation;
  • IT service providers and hosting providers that operate the infrastructure on which our business management system is hosted (located within the European Economic Area);
  • Providers of email, communication and customer support tools used to interact with guests;
  • Accountants, tax advisors, lawyers and auditors, where engaged to provide professional services;
  • Insurance companies, where necessary in connection with claims;
  • Cleaning, maintenance and other operational service providers, strictly limited to the data necessary for them to perform their services.

Where third parties process personal data on our behalf, they act as data processors and we have entered into data processing agreements with them in accordance with Article 28 of the GDPR, requiring them to apply appropriate technical and organisational measures and to process the data only in accordance with our instructions.

7. International Transfers of Personal Data

Our business management system is hosted within the European Economic Area (“EEA”) and, as a general rule, your personal data is processed within the EEA.

In limited circumstances, certain service providers (for example, communication platforms or analytics tools) may transfer personal data to countries outside the EEA. Where this occurs, we ensure that adequate safeguards are in place in accordance with Chapter V of the GDPR, such as:

  • Transfers to countries that have been recognised by the European Commission as providing an adequate level of data protection (Article 45 GDPR); or
  • Transfers based on Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46 GDPR), supplemented where necessary by additional technical and organisational measures; or
  • Other appropriate safeguards or derogations as permitted under the GDPR.

You may request a copy of the safeguards applied to a specific transfer by contacting us at the address given in section 2.

8. Retention Periods

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including any applicable legal, accounting, tax or reporting requirements. The general retention periods are as follows:

  • Booking and guest data: for the duration of the commercial relationship and for a maximum of five (5) years from the end of your last stay, in accordance with the limitation periods under the Spanish Civil Code and consumer protection legislation;
  • Traveller registration data communicated to the Spanish authorities: for the periods established by applicable security and immigration regulations (typically up to three (3) years);
  • Invoicing and accounting data: for six (6) years, in accordance with the Spanish Commercial Code (Article 30), and for the periods required by tax legislation (generally four (4) years for tax obligations);
  • Communications and customer service records: for up to three (3) years from the date of the communication, unless a longer retention period is required;
  • Marketing data: until you withdraw your consent or object to the processing;
  • Website usage data and cookies: for the periods specified in our Cookie Policy.

Once the applicable retention periods have expired, your personal data will be securely deleted or anonymised, except where retention is required by law or to defend ourselves against legal claims, in which case data will be blocked and kept solely for that purpose for the corresponding statutory limitation period.

9. Your Rights as a Data Subject

Under the GDPR and Spanish data protection legislation, you have the following rights in relation to your personal data:

9.1 Right of access (Article 15 GDPR)

You have the right to obtain confirmation as to whether or not we are processing your personal data and, if so, to access that data and receive information about the processing.

9.2 Right to rectification (Article 16 GDPR)

You have the right to request the correction of inaccurate or incomplete personal data concerning you.

9.3 Right to erasure / “right to be forgotten” (Article 17 GDPR)

You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw your consent, when you object to the processing, or in other circumstances provided for in the GDPR.

9.4 Right to restriction of processing (Article 18 GDPR)

You have the right to request the restriction of processing of your personal data in certain circumstances, for example while we verify the accuracy of the data.

9.5 Right to data portability (Article 20 GDPR)

You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit it to another controller, where the processing is based on your consent or on a contract and is carried out by automated means.

9.6 Right to object (Article 21 GDPR)

You have the right to object, on grounds relating to your particular situation, to the processing of your personal data based on our legitimate interests. You also have the unconditional right to object to the processing of your data for direct marketing purposes.

9.7 Right not to be subject to automated decision-making (Article 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. We do not currently make decisions of this nature.

9.8 Right to withdraw consent (Article 7 GDPR)

Where the processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

How to exercise your rights

You may exercise your rights free of charge by sending a written request to the email or postal address indicated in section 2 of this Policy. Your request should:

  • Clearly identify the right you wish to exercise;
  • Include your full name and a copy of an official identification document (DNI, NIE or passport) to verify your identity;
  • Specify the request and any relevant details (for example, the data you wish to access, rectify or delete);
  • Indicate an address or means of contact for the response.

We will respond to your request within one (1) month of receipt. This period may be extended by a further two (2) months where necessary, taking into account the complexity and number of requests, in which case we will inform you of the extension and the reasons for the delay.

Right to lodge a complaint

If you consider that the processing of your personal data infringes the applicable legislation, or you are not satisfied with the way we have handled your request, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, “AEPD”):

Agencia Española de Protección de Datos (AEPD)

Address: C/ Jorge Juan, 6, 28001 Madrid, Spain

Telephone: +34 901 100 099 / +34 912 663 517

Website: www.aepd.es

You also have the right to lodge a complaint with the data protection authority of the EU Member State of your habitual residence, place of work or place of the alleged infringement.

10. Security of Personal Data

We have implemented appropriate technical and organisational measures, in accordance with Article 32 of the GDPR, to ensure a level of security appropriate to the risks of the processing, including protection against unauthorised or unlawful access, accidental loss, destruction, alteration or disclosure of personal data.

Such measures include, among others:

  • Hosting of our business management system on infrastructure located within the European Economic Area, with appropriate physical and logical security controls;
  • Encryption of data in transit (TLS/HTTPS) and, where appropriate, at rest;
  • Access controls based on the principle of least privilege, with individual user accounts and strong authentication;
  • Regular backups and recovery procedures;
  • Logging and monitoring of access to personal data;
  • Confidentiality obligations imposed on personnel and service providers;
  • Periodic review and updating of security measures;
  • Procedures for the management and notification of personal data breaches in accordance with Articles 33 and 34 of the GDPR.

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the AEPD within 72 hours of becoming aware of the breach and, where the breach is likely to result in a high risk, we will also inform the affected individuals without undue delay.

11. Personal Data of Minors

Our services are directed at adults. We do not knowingly collect personal data from individuals under the age of fourteen (14) without the consent of their parents or legal guardians, in accordance with Article 7 of the LOPDGDD.

Where a booking includes minors as accompanying guests, we process their identification data only as strictly necessary to comply with our legal obligations regarding traveller registration. The data is provided to us by the responsible adult making the booking, who confirms that they are authorised to provide such data on behalf of the minor.

12. Cookies and Similar Technologies

Our website may use cookies and similar technologies to improve your browsing experience, analyse the use of the website and, where applicable, display personalised content.

Detailed information on the cookies we use, their purpose, duration and how to manage your preferences is provided in our separate Cookie Policy, available at [INSERT COOKIE POLICY URL].

13. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. The updated version will be published on our website with the new “Last updated” date. Where the changes are material, we will inform you by appropriate means (for example, by email or by means of a prominent notice on our website) before the changes take effect.

We recommend that you periodically review this Policy to stay informed about how we protect your personal data.

14. Acceptance and Consent

By providing your personal data to us through our website, by completing a reservation, by sending us communications or by otherwise interacting with us, you confirm that you have read and understood this Data Protection Policy and that you accept the processing of your personal data as described herein, on the legal bases indicated.
