Privacy Policy
[DRAFT] Personal data processing policy for gettsleep.es. Edition 2.0.
1. General Provisions
1.1. This Privacy Policy (hereinafter the "Policy") defines the procedure for processing personal data of users of the website gettsleep.es (hereinafter the "Website") by the data controller — REST&LEISURE CONCEPT, S.L., CIF B75552901, registered office at Avenida Manuel Fraga Iribarne 141, 28055 Madrid (hereinafter the "Controller").
1.2. The Policy is developed in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) and Organic Law 3/2018 of 5 December on Personal Data Protection and digital rights guarantee (LOPDGDD).
1.3. By using the Website and placing an Order, the User confirms that they have read this Policy and consent to the processing of their personal data on the terms set forth below.
2. Data We Process
| Data Category | Specific Data | Purpose |
|---|---|---|
| Identification | First name, last name | Placing the Order, identity verification at check-in |
| Contact | Email, phone number | Sending the Voucher, invoice or receipt, and Order notifications |
| Personal (optional) | Date of birth | Birthday coupon as part of the loyalty program |
| Payment | Card type, last 4 digits (full card details are not stored) | Processing payment and refunds |
| Technical | IP address, browser type, cookies | Website operation, analytics, security |
| Order Data | Property, dates, tariff, status, booking history | Contract fulfillment, loyalty program, dispute resolution |
3. Legal Basis for Processing
3.1. Contract performance — processing of data necessary for placing and fulfilling the Order (name, contacts, Order parameters). Separate consent is not required (art. 6(1)(b) GDPR).
3.2. Consent of the data subject — processing of data for marketing communications and the loyalty program. Consent is given separately upon registration in the Personal Account. The User may withdraw consent at any time (art. 6(1)(a) GDPR).
3.3. Legal obligation — data retention for the purpose of compliance with Spanish tax and accounting legislation (art. 6(1)(c) GDPR).
4. Data Sharing
| Recipient | Data Shared | Legal Basis |
|---|---|---|
| Service Provider for the specific Order (name and details are displayed in the "Service Provider Information" pop-up at checkout) | Guest name, contact details, Order parameters | Contract performance (art. 6(1)(b) GDPR). The Service Provider is an independent data controller and bears its own responsibility for data processing after receipt. |
| Payment service provider | Bank card data (via secure gateway) | Payment processing (art. 6(1)(b) GDPR) |
| Invoicing software provider | Email for invoice or receipt delivery | Legal obligation — Spanish VAT and invoicing regulations (art. 6(1)(c) GDPR) |
| Google Analytics — Google Ireland Limited (with onward transfer to Google LLC, USA, under the EU-US Data Privacy Framework). This is the only transfer of data outside the EEA. | Pseudonymized technical data (cookie identifiers, truncated IP) | Consent (Art. 6(1)(a) GDPR) — loaded only after acceptance in the cookie banner |
The Controller does not share personal data with third parties for commercial purposes without the consent of the data subject.
5. Data Retention Periods
| Data Category | Retention Period |
|---|---|
| Order data and payment documents | In accordance with Spanish tax legislation — General Tax Law 58/2003 (DRAFT: exact period pending legal confirmation) |
| Personal data for contract performance | No less than 3 years from the date the Order is fulfilled |
| Account data | Until account deletion + 1 year |
| Marketing data (with consent) | Until consent is withdrawn or 3 years from last activity |
| Technical data (logs, cookies) | Up to 1 year |
6. Data Subject Rights
The User has the right to (arts. 15–22 GDPR):
- Request information — about the data being processed and the legal basis for processing;
- Correct — inaccurate or incomplete data (including through the Personal Account);
- Delete — your data / close your account (except where processing is required by law);
- Restrict — the processing of your data;
- Withdraw consent — for data processing that was provided voluntarily;
- File a complaint — with the Spanish Data Protection Authority (AEPD, www.aepd.es).
To exercise your rights, send a request to: t4s@gettsleep.es or by post to the Controller's registered address. Response time: 30 calendar days.
7. Data Security
7.1. The Controller applies appropriate technical and organizational measures to protect personal data in accordance with the requirements of Article 32 of the GDPR.
7.2. Payment data is transmitted through a PCI DSS-certified gateway. Full bank card details are not stored on the Controller's servers.
7.3. Access to personal data is granted only to authorized employees who are required to maintain confidentiality.
8. Cookies
8.1. The Website uses cookies to ensure functionality, analytics, and to improve the user experience.
8.2. The User may manage cookie settings in their browser. Disabling cookies may affect the operation of certain Website features.
8.3. By continuing to use the Website after being shown the cookie notice, the User consents to the use of cookies in accordance with the Cookies Policy.
9. Policy Changes
The Controller may amend this Policy without prior notice. The current version is always available at: gettsleep.es/privacy.
Data Controller
REST&LEISURE CONCEPT, S.L.
CIF: B75552901
Registered office: Avenida Manuel Fraga Iribarne 141, 28055 Madrid · Madrid Commercial Registry
Email: t4s@gettsleep.es