Privacy Policy
At SpainHotels, we take your privacy seriously. In this policy, we explain what personal data we process when you visit the site or book accommodation, for what purpose we do so, how long we keep it, and with whom we share it.
Data controller
The data controller for your data when you browse the site and when you purchase through the HotelShop service is Waak Marketing Services, SLU (hereinafter, "SpainHotels"), with tax identification number B72978638 and registered office at Calle Pau Claris 12, 2º 2ª, 08310 Argentona (Barcelona, Spain). Registered in the Mercantile Registry of Barcelona ({{ TODO: mercantile registry }}). For any questions regarding this data, you can write to us at spainhotels.es@gmail.com. In the accommodation booking process, personal and payment data are directly processed by LiteAPI, which acts as an independent data controller together with the hotel provider; consult their privacy policy to learn about this processing.
Data we process, purposes, and legal basis
We distinguish three categories of data according to the context in which they are collected. (a) Navigation and search data: cookies, IP address, browser language, search parameters (destination, dates, number of guests), and site usage events; we process them to provide the service, ensure technical security, and, if you consent, measure audience and campaign effectiveness. (b) Accommodation booking and payment data: the payment form and booking confirmation are managed by LiteAPI through an SDK loaded on the site; SpainHotels does not receive or store card data or guest data collected in that form. LiteAPI acts as an independent data controller for this data, along with the provider hotel, in accordance with its own privacy policy. (c) Data from the purchase of hotel products and experiences through the HotelShop service: we process order data (products, amount, contact details, associated hotel) to manage the purchase; payment is processed through Stripe Payments Europe Ltd. within our own integration, and SpainHotels does not store complete card data. The legal bases are the performance of the contract and pre-contractual measures for (a) and (c), our legitimate interest in the security and operation of the service for (a), your consent for analytics and marketing cookies within (a), and applicable legal accounting and tax obligations for (c). We do not send commercial communications or newsletters.
Retention period
We retain your data for the duration of the contractual relationship and, once it has ended, for the applicable legal periods. In particular, invoices and commercial records are kept for six years as required by Article 30 of the Commercial Code and current tax regulations. Data associated with cookies are retained for the period indicated in the cookie policy or until you withdraw your consent.
Recipients, data controllers, and international transfers
In the accommodation booking flow, processing is handled by LiteAPI, which acts as an independent data controller along with the hotel provider; SpainHotels is not a recipient of the personal and payment data collected in that form. In the HotelShop service flow, order data is communicated to the product's hotel provider, and payment data is communicated to Stripe Payments Europe Ltd. as the payment processor in our proprietary integration. Additionally, we use Laravel Cloud for website hosting (infrastructure on AWS Frankfurt, within the European Union) and Google LLC for audience analysis (Google Analytics 4), campaign measurement (Google Ads), and maps (Google Maps) as data processors, subject to a contract under Article 28 of the GDPR. Stripe and Google make international transfers to the United States under the standard contractual clauses approved by the European Commission as adequate safeguards. LiteAPI and Hotelbeds (the latter based in Spain) act as booking agents with their own privacy policies and legal bases; we recommend consulting them to understand their data processing.
Your rights
You may exercise your rights of access, rectification, erasure, objection, restriction of processing, and data portability at any time, as well as withdraw your consent, by writing to us at spainhotels.es@gmail.com with a copy of a document proving your identity. If you believe that the processing does not comply with the regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) through its electronic headquarters at https://www.aepd.es.
Minor's data and modifications
We do not process data from children under fourteen years of age. If we detect that data from a minor of that age has been provided without the consent of the person exercising parental authority, we will delete it. This policy may be updated to reflect legal or service changes; we recommend consulting it periodically. When changes are significant, we will notify you through the usual service channels.