Privacy and Data Protection Policy
Last updated: June 2026
1. Data controller
In compliance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018, of 5 December (LOPDGDD), the user is informed that the controller of their personal data is:
- Controller: María Esteban Sánchez
- Address: Calle Julieta Orbaiceta, 78 (Urb. Bungalows Playa), Playa Honda, Murcia, 30385
- Phone: +34 696 48 99 72
- Contact email: mariaesteban92@gmail.com
2. Purposes of processing and legal basis
Your personal data will be processed for the following purposes:
- Management of bookings and accommodation contracts — Legal basis: performance of a contract (art. 6.1.b GDPR).
- Handling enquiries via the contact form — Legal basis: consent of the data subject (art. 6.1.a GDPR).
- Compliance with legal obligations (tax and traveller registration under public safety regulations) — Legal basis: legal obligation (art. 6.1.c GDPR).
- Sending commercial communications about the accommodation or similar services — Legal basis: legitimate interest or consent (art. 6.1.f and 6.1.a GDPR), revocable at any time.
3. Data processed
Depending on the purpose, the following categories of data are processed:
- Identification data: full name, ID/passport (legally required for traveller registration).
- Contact data: postal address, email, phone number.
- Booking data: arrival and departure dates, number of guests, special preferences.
- Financial data: information needed for invoicing and payment of the booking.
No special categories of data are processed (art. 9 GDPR).
4. Recipients of the data
Your data may be disclosed to:
- State Security Forces and public authorities, in compliance with traveller registration obligations.
- Tax authorities, in compliance with applicable tax obligations.
- Service providers (data processors), acting under contract and on the controller's instructions.
No international data transfers outside the European Economic Area are carried out.
5. Retention period
Data will be retained for as long as necessary to fulfil the purpose and to address possible legal liabilities:
- Contracts and bookings: 6 years (art. 30 Commercial Code).
- Tax data: 4 years (tax law).
- Traveller registration: 3 years.
- Form enquiries: until resolved; maximum 1 year if there is no contractual relationship.
6. Rights of the data subject
The user may exercise the following rights at any time:
- Access: know which of their data is being processed.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion of their data when no longer necessary.
- Restriction of processing in certain cases.
- Portability: receive their data in a structured, commonly used format.
- Objection to processing based on legitimate interest or to commercial communications.
- Withdrawal of consent, without affecting the lawfulness of prior processing.
You may exercise your rights by sending a written request, with a copy of your ID, to the postal or email address indicated in section 1.
If you believe your rights have not been respected, you may file a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.
7. Cookies
This website does not use tracking or third-party cookies for advertising purposes. Only strictly necessary technical cookies for the operation of the site may be used.
8. Security measures
Appropriate technical and organisational measures have been adopted to ensure a level of security appropriate to the risk, including the encryption of communications via the HTTPS/TLS protocol.
9. Policy updates
This Privacy Policy may be updated to adapt to regulatory changes or changes in the purposes of processing. The date of the last update is indicated at the top of the document.