Privacy Policy
Last updated: [FECHA_ACTUALIZACION]
This document has been translated into English for your convenience. In the event of any discrepancy, the Spanish version shall prevail as the legally binding document.
1. Data controller
In compliance with Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), we inform you that the data controller is:
- Controller: [NOMBRE_TITULAR]
- Tax ID (NIF/CIF): [NIF_CIF]
- Address: [DOMICILIO_FISCAL]
- Email: [EMAIL_CONTACTO]
- Phone: [TELEFONO_CONTACTO]
2. Personal data we collect
Depending on how you interact with our platform, we may collect the following data:
Account registration
- First and last name
- Email address
- Password (stored encrypted)
- Phone number (optional)
Student profile
- Date of birth
- Gender
- Country of origin
- University
- Identity document (type and number)
Booking process
- Check-in and check-out dates
- Payment data (processed by Stripe, we do not store card details)
Browsing
- IP address
- Browser and device type
- Pages visited and browsing time
- Cookies (see our Cookie Policy)
3. Purposes of data processing
We process your personal data for the following purposes:
- User management: Create and manage your account on the platform.
- Booking management: Process booking requests, payments, and related communications.
- Communications: Send notifications about booking status, payment confirmations, and essential service communications.
- Service improvement: Analyse platform usage to improve user experience.
- Legal compliance: Comply with applicable legal and tax obligations.
4. Legal basis for processing
The legal basis for processing your data is:
- Consent: By registering and accepting these conditions (Art. 6.1.a GDPR).
- Contract performance: For the provision of room rental intermediation services (Art. 6.1.b GDPR).
- Legitimate interest: For the improvement of our services and fraud prevention (Art. 6.1.f GDPR).
- Legal obligation: For compliance with tax and legal obligations (Art. 6.1.c GDPR).
5. Data recipients
Your personal data may be shared with the following third parties, acting as data processors:
- Stripe, Inc.: Card payment processing. Stripe complies with the PCI DSS standard. Stripe Privacy Policy.
- Vercel, Inc.: Website hosting. Vercel Privacy Policy.
- Cloudinary Ltd.: Image storage and management. Cloudinary Privacy Policy.
- Resend, Inc.: Transactional email delivery. Resend Privacy Policy.
No international data transfers to countries outside the European Economic Area (EEA) will be made without adequate safeguards. The above-mentioned providers operating outside the EEA have Standard Contractual Clauses approved by the European Commission or are part of the EU-US Data Privacy Framework.
6. Data retention period
Personal data will be kept for as long as necessary to fulfil the purpose for which it was collected:
- Account data: For the duration of the relationship with the user. After account deletion, data will be kept blocked for the legally required periods.
- Booking data: 5 years from the end of the contract (tax obligations).
- Billing data: 6 years (Spanish Commercial Code).
7. User rights
In accordance with the GDPR and LOPDGDD, you may exercise the following rights:
- Access: Know whether your data is being processed and obtain a copy.
- Rectification: Request the correction of inaccurate or incomplete data.
- Erasure: Request the deletion of your data when it is no longer necessary.
- Objection: Object to the processing of your data in certain circumstances.
- Restriction: Request the restriction of processing in certain cases.
- Portability: Receive your data in a structured format and transfer it to another controller.
To exercise these rights, you may contact us at [EMAIL_CONTACTO], providing your full name and a copy of your identity document.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es if you believe the processing of your data is not adequate.
8. Security measures
[NOMBRE_TITULAR] implements the necessary technical and organisational measures to ensure the security of personal data, including:
- Password encryption using secure algorithms (bcrypt).
- Encrypted communications via HTTPS/TLS.
- Payment processing delegated to Stripe (PCI DSS certified).
- Two-factor authentication (2FA) for administration accounts.
- Role-based access control.
- Audit log of system changes.
9. Policy modifications
[NOMBRE_TITULAR] reserves the right to modify this privacy policy to adapt it to legislative or jurisprudential developments. In the event of significant changes, users will be notified through the website or by email.