PRIVACY POLICY – EXTENDED INFORMATION

PRIVACY POLICY – EXTENDED INFORMATION

LAST MODIFICATION: 15/03/2025

The Privacy Policy forms part of the General Conditions governing the Website www.hiddenhotels.com together with the Cookies Policy and the Legal Notice.

HIDDEN HOTELS, reserves the right to modify or adopt this Privacy Policy at any time. Therefore, we recommend that you review it every time you access the Website. If the user has registered on the website and accesses his/her account or profile, upon accessing the same, he/she will be informed in the event that there have been substantial modifications in relation to the processing of his/her personal data.

Who is responsible for the processing of your data?

The data that is collected or that you voluntarily provide us with through the Website, whether by browsing it, as well as any data that you may provide us with in contact forms, via email or by telephone, will be collected and processed by the Data Controller, whose data is indicated below:

HIDDEN AWAY HOTELS, Tax Identification Number B57676108

C/ Echegaray, 8, 28014, Madrid.

HOTEL POSADA TERRA SANTA, C/De la Posada Terra Santa, 5, 07001, Palma de Mallorca, Illes Balears.

SUITE SAMARITANA, C/ Pes de Sa Farina, 2, 07001, Palma de Mallorca, Illes Balears.

Registered in the Mercantile Register of Palma de Mallorca, Volume 2433, Folio 106, Page 66229.

DANDA PATRIMONIO E INVERSIONES SL, Tax Identification Number B57900029

C/ Echegaray, 8, 28014, Madrid

GRAN HOTEL INGLÉS, C/ Echegaray, 8, 28014, Madrid.

Registered in the Mercantile Register of Palma de Mallorca, Volume 2478, Folio 91, Page PM-69043.

URIBEN SERVICES SL, Tax Identification Number B95817318

C/ Gravina 51, 41001, Sevilla.

HOTEL GRAVINA 51 C/ Gravina, 51, 41001, Sevilla.

Registered in the Mercantile Register of Seville, Volume 5566, Folio 199, Page BI-66816.

WANA INVERSIONES SA, Tax Identification Number A83057174

C/ Echegaray, 8,28014, Madrid.

SEDA CLUB HOTEL

Plza. De la Trinidad, 1801, Granada.

Registered in the Mercantile Register of Madrid, Volume 16743, folio 43, sheet M-285986.

HIDDEN AWAY HOTELS MANAGEMENT SL, Tax Identification Number B75297143

C/ Echegaray, 8,28014, Madrid.

CAVALTA BOUTIQUE HOTEL

C/ San Jacinto, 89, 41010, Sevilla

Registered in the Mercantile Registry of Madrid, Section 8, Page M-835176.

Contact HIDDEN HOTELS, for the protection of your personal Information

Phone: 910 56 93 54

Data Protection Delegate Contact: [email protected]

If, for any reason, you wish to contact us on any matter relating to the processing of your personal data or privacy (with our Data Protection Officer), you may do so through any of the means indicated above.

¿What data do we collect through the website?

Symply by browsing the Website HIDDEN HOTELS, will collect information relating to:

– IP address.

– Browser version.

– Operating system.

– Duration of the visit or browsing of the website.

Such information is stored by Google Analytics, so we refer to Google’s Privacy Policy, as Google collects and processes such information. http://www.google.com/intl/en/policies/privacy/

Similarly, the Website provides the utility of Google Maps, which may have access to your location, if you allow it to do so, in order to provide you with greater specificity about the distance and/or paths to our headquarters. In this regard, we refer to the Privacy Policy used by Google Maps, in order to know the use and processing of such data.

http://www.google.com/intl/en/policies/privacy/

The information we handle will not be related to a specific user and will be stored in our databases for the purpose of statistical analysis, improvements to the website, our products and/or services and to help us improve our business strategy. The data will not be communicated to third parties.

User registration on the website / Form submission

To access certain services, such as booking, it is necessary for the user to fill out a form. For this, personal data is requested in the registration form. The data is necessary and mandatory to carry out such registration. If such fields are not provided, the registration will not be carried out.

In this case, the browsing data will be associated with the user’s registration data, identifying the same user who browses the Website. In this way, the offer of products and/or services that, in our opinion, best suits the user can be personalized.

The registration data of each user will be incorporated into the databases of HIDDEN HOTELS, together with the history of operations carried out by the same and will be stored in them until the registered user account is deleted. Once such an account is deleted, this information will be removed from our database, keeping data related to transactions made for 10 years, without being accessed or altered, in order to comply with the legally effective deadlines. Data that is not linked to transactions made will be kept unless consent is withdrawn, in which case they will be immediately deleted (always considering legal deadlines).

The legal basis for the processing of your personal data is the execution of a contract between the parties. Regarding the sending of electronic communications and promotions and responding to requests for information, the legitimacy of the processing is the user’s consent.

The purposes of the data processing will be as follows:

a) Manage your access to the Website.
b) Manage the purchase of services available to you through the Website.
c) Keep you informed about the processing and status of your requests, purchases, and/or reservations.
d) Respond to your information request.
e) Manage all the utilities and/or services offered by the platform to the user.

Thus, we inform you that you may receive communications via email and/or on your phone, in order to inform you of possible incidents, errors, problems, and/or the status of your requests.

For the sending of commercial communications, the express consent of the user will be requested at the time of registration. In this regard, the user may revoke the consent given by contacting HIDDEN HOTELS, using the means indicated above. In any case, in each commercial communication, you will be given the possibility to unsubscribe from receiving them, either through a link and/or email address.

Newsletter Sending

On the Website, the option to subscribe to the Newsletter of HIDDEN HOTELS, is allowed. To do this, it is necessary to provide us with an email address to which it will be sent.

This information will be stored in a database of HIDDEN HOTELS, in which it will be registered until the interested party requests its removal or, where appropriate, it ceases to be sent by HIDDEN HOTELS.

The legal basis for the processing of this personal data is the express consent given by all those interested who subscribe to this service by checking the box provided for this purpose.

The email data will only be processed and stored for the purpose of managing the sending of the Newsletter by users who request it.

For the sending of the Newsletter, the express consent of the user will be requested at the time of registration by checking the box provided for this purpose. In this regard, the user may revoke the consent given by contacting HIDDEN HOTELS, using the means indicated above. In any case, in each communication, you will be given the possibility to unsubscribe from receiving them, either through a link and/or email address.

If you are any of the following groups, please consult the information below:

+ WEB OR EMAIL CONTACTS

What purposes will we process your personal data for?

Answer your queries, requests, or petitions.
Manage the requested service, answer your request, or process your petition.
Electronic information, related to your request.
Commercial or event information by electronic means, provided there is express authorization.

What is the legitimacy for the processing of your data?

The acceptance and consent of the interested party: In those cases where to make a request it is necessary to fill out a form and click on the send button, the completion of it will necessarily imply that you have been informed and have expressly given your consent to the content of the attached clause of said form or acceptance of the privacy policy.

All our forms have a verification checkbox with the following formula, in order to send the information: “□ I have read and accept the Privacy Policy.”

+ CUSTOMERS

What purposes will we process your personal data for?

Preparation of the budget and monitoring thereof through communications between both parties.
Electronic information, related to your request.
Commercial or event information by electronic means, provided there is express authorization.
Manage administrative, communication, and logistics services performed by the Controller.
Perform the corresponding transactions.
Invoicing and declaration of the corresponding taxes.
Control and collection management.

What is the legitimacy for the processing of your data?

The legal basis is your consent and the execution of a contract.

+ SUPPLIERS

What purposes will we process your personal data for?

Electronic information, related to your request.
Commercial or event information by electronic means, provided there is express authorization.
Manage administrative, communication, and logistics services performed by the Controller.
Invoicing.
Perform the corresponding transactions.
Invoicing and declaration of the corresponding taxes.
Control and collection management.

What is the legitimacy for the processing of your data?

The legal basis is the acceptance of a contractual relationship, or failing that your consent to contact us or offer us your products by any means.

+ SOCIAL MEDIA CONTACTS

What purposes will we process your personal data for?

Answer your queries, requests, or petitions.
Manage the requested service, answer your request, or process your petition.
Relate to you and create a community of followers.

What is the legitimacy for the processing of your data?

Acceptance of a contractual relationship in the environment of the corresponding social network, and in accordance with its Privacy policies:

Facebook http://www.facebook.com/policy.php?ref=pf

Instagram https://help.instagram.com/155833707900388

Twitter http://twitter.com/privacy

Linkedin http://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv

Whatsapp: https://www.whatsapp.com/legal/#privacy-policy

How long will we keep personal data?

We can only consult or unsubscribe your data in a restricted way by having a specific profile. We will treat them for as long as you let us follow you, be friends, or click “like,” “follow,” or similar buttons. Any rectification of your data or restriction of information or publications must be made through the configuration of your profile or user in the social network itself.

+ VIDEO SURVEILLANCE

What purposes will we process your personal data for?

Video surveillance of our facilities.
Control of our employees.
On occasion, they may be transferred to the courts and tribunals for the exercise of legitimate actions.

What is the legitimacy for the processing of your data?

The unequivocal consent of the interested party when accessing our facilities after viewing the informative sign of the video-monitored area.

+ JOB APPLICANTS

What purposes will we process your personal data for?

Organization of selection processes for hiring employees.
Schedule job interviews and evaluate your candidacy.
If you have given us your consent, we may transfer it to collaborating or related entities, with the sole purpose of helping you find a job.

What is the legitimacy for the processing of your data?

The legal basis is your unequivocal consent, by delivering your CV to us and receiving and signing information regarding the treatments we are going to carry out.

How long will we keep personal data?

The resume will be stored for a period of one year, after which, if we have not contacted you, it will be deleted.

+ HR

What purposes will we process your personal data for?

Management of the employment relationship and the worker’s file.
Carry out all those administrative, fiscal, and accounting procedures necessary to comply with our contractual obligations, obligations regarding labor, Social Security, occupational risk prevention, fiscal, and accounting regulations.
Payroll management through a financial institution.
Time control through the access control system by fingerprint/card (if applicable).
Management of the entity’s group insurance/pension plan.
Carry out training actions, both subsidized and non-subsidized training.

What is the legitimacy for the processing of your data?

The legal basis for the processing of your data is the execution of your employment contract. Compliance with the relevant legal obligations. The consent of the interested party.

Do we include personal data of third parties?

No, as a general rule, we only process the data provided by the owners. If you provide us with third-party data, you must inform and request their consent from those individuals beforehand, or otherwise exempt us from any responsibility for failing to comply with this requirement.

And what about data from minors?

We do not process data from minors under 14 years of age, so please refrain from providing them if you are under that age.

Will we make communications via electronic means?

Communications will only be made to manage your request if it is one of the contact methods you have provided to us. If we carry out commercial communications, they will have been previously and expressly authorized by you.

What security measures do we apply?

You can rest assured: We have adopted an optimal level of protection for the personal data we handle, and we have implemented all technical means and measures at our disposal, according to the state of the technology, to prevent loss, misuse, alteration, unauthorized access, and theft of personal data.

To what extent will decision-making be automated?

HIDDEN HOTELS, does not use fully automated decision-making processes to establish, develop, or terminate a contractual relationship with the user. In the event that we use such processes in a particular case, we will keep you informed and communicate your rights in this regard if required by law.

Will profiling take place?

In order to offer you products and/or services according to your interests and improve your user experience, we may create a “commercial profile” based on the information provided. However, automated decisions will not be made based on this profile.

Who will your data be communicated to?

Your data will not be transferred to third parties, except for legal obligations. Specifically, they will be communicated to the State Tax Administration Agency and to banks and financial entities for the collection of the provided service or acquired product, as well as to data processors necessary for the execution of the agreement.

In the event of a purchase or payment, if you choose any application, website, platform, bank card, or any other online service, your data will be transferred to that platform or processed in its environment, always with maximum security.

In the event that you have given us your consent for the processing of your name and images and other information related to the activities of HIDDEN HOTELS, they will be disclosed on the different social networks and website of HIDDEN HOTELS.

International transfers

If it is necessary to carry out international data transfers by HIDDEN HOTELS, it will ensure that such transfers are possible in accordance with the General Data Protection Regulation, or any other requirement established by applicable regulations. For this purpose, the company will adopt the necessary agreements to ensure a level of data protection equivalent to that provided for in European regulations.

In the event of working in a system of shared folders in applications such as Dropbox, Google Drive, Microsoft OneDrive, Amazon, Apple, HubSpot, etc., an international transfer to the United States will be made under the provisions of Article 49.c) of the General Data Protection Regulation or any other mechanism that guarantees a level of data protection equivalent to that provided for in European regulations.

What Rights do you have?

To know if we are processing your data or not.
To access your personal data.
To request the rectification of your data if it is inaccurate.
To request the deletion of your data if it is no longer necessary for the purposes for which it was collected or if you withdraw the consent given.
To request limitation of the processing of your data, in certain cases, in which case we will only keep them in accordance with current regulations.
To port your data, which will be provided to you in a structured, commonly used, or machine-readable format. If you prefer, we can send them to the new controller you designate. This is only valid in certain cases.
To file a complaint with the Spanish Data Protection Agency, if you believe that your rights have not been properly addressed.
To revoke the consent for any processing for which you have consented, at any time. If you modify any data, we appreciate your communication to keep them updated.

Would you like a form to exercise your Rights?

We have forms for exercising your rights, ask us for them by email or, if you prefer, you can use those prepared by the Spanish Data Protection Agency or third parties.
These forms must be signed electronically or accompanied by a photocopy of your ID card.
If someone represents you, you must attach a copy of their ID card, or they must sign it with their electronic signature.
The forms can be submitted in person, sent by mail or by email to the address of the Controller at the beginning of this text.

You have the right to file a complaint with the Spanish Data Protection Agency if you believe that your rights have not been properly addressed.

The maximum period for resolution by HIDDEN HOTELS, is one month, from the effective receipt of your request by us.

You have the right to revoke the consent for any processing for which you have consented at any time.

Do we use cookies?

If we use any other type of cookies than those necessary, you can consult the cookie policy in the corresponding link from the beginning of our website.

How long will we keep your personal data?

Personal data will be kept as long as you remain linked to us.
Once you unlink, the personal data processed for each purpose will be kept for the legally established periods, including the period in which a judge or court may require them according to the statute of limitations for legal actions.
The processed data will be kept until the expiration of the legal periods mentioned above, if there is a legal obligation to keep them, or if there is no legal deadline, until the data subject requests their deletion or revokes the consent given.
We will keep all information and communications related to your purchase or the provision of our service, for as long as the product or service warranties last, to attend to any possible claims.
In each treatment or type of data, we provide you with a specific period, which you can consult in the following table:

Data relating to	Document	Storage
Clients and suppliers	By way of example and without limitation, the following are some of the most significant documents. Invoices (issued by the company and drawn on the company). Contracts between traders (purchase and sale, commission, transport, provision of services, etc.) Contracts with individuals. Real estate contracts (leasing of business premises, sale, purchase, exchange, etc.) Business correspondence Bank contracts and documentation (current accounts, deposits, leasing, renting, etc.) Expense notes.	Obligation to keep documentation for at least 6 years. It is advisable to keep it depending on the case of prescription of actions. Article 30 of the Commercial Code stipulates that entrepreneurs shall keep the books, correspondence, documentation and supporting documents relating to their business for six years from the date of the last entry made in the books. However, this rule merely establishes a minimum period of time during which, in the general interest, the trader must keep the documents that have been generated in the course of his business.
	Tax relevant documents and records	Tax General Law arts. 66 to 70 4 previous financial years (years)
	Parties subject to the Prevention of Money Laundering Act, documentation accrediting compliance with AML obligations	Law 10/2010 art. 25 10 years
Humas Resources	Payrolls, TC1, TC2, etc.	10 years (Royal Legislative Decree 5/2000, of 4 August, approving the revised text of the Law on Offences and Penalties in the Social Order).
	CVs	Until the end of the selection process, and for a further 2 years unless the data subject revokes consent or requests deletion.
	Employee training	Art 5.2, Order TAS/2307/2007 4 years
	Working Time Records	Art. 34.9 Royal Legislative Decree 2/2015, approving the revised text of the Workers’ Statute Law. 4 years
	Severance pay documents. Contracts. Data on temporary workers.	RD 425/2005 apart. 3 Additional Provision 1 4 years Art. 30 of the Commercial Code establishes a minimum period of 6 years. Organic Law 7/2012 recommends keeping it for 10 years.
	Worker’s file.	Up to 5 years after leaving (Royal Legislative Decree 5/2000, of 4 August, approving the revised text of the Law on Offences and Penalties in the Social Order).
	Documentation or computer records accrediting compliance with ORP regulations.	RDL 5/2000 art. 4 5 years
Marketing	Databases or web visitors.	For the duration of treatment.
Access control and video surveillance	Visitor registration	Instruction 1/1996 AEPD 30 days
Access control and video surveillance	Video surveillance Images/sounds captured by video surveillance systems shall be cancelled within a maximum period of one month from their capture. Recordings shall be destroyed within a maximum period of one month from their capture, unless they are related to serious or very serious criminal or administrative offences in the field of public security, to an ongoing police investigation or to an open judicial or administrative procedure.	Instruction 1/2006 AEPD 30 days
Accounting	Accounting books and documents. Annual accounts Shareholders’ agreements and boards of directors, company bylaws, minutes, board of directors’ regulations and delegated committees. Financial statements, audit reports Records and documents related to grants.	Commercial Code art. 30: 6 years
Corporate Documentation	Deeds of incorporation of the company together with the articles of association, deeds of elevation of corporate resolutions, deeds of granting/renewal of powers of attorney, deeds of purchase/sale of shares, deeds of purchase/sale of assets, deeds of shares, dissolution/settlement, etc.). Books of minutes of meetings of the general meeting and the board of directors (commercial companies), register of shares, register of shareholders, register of contracts with the sole shareholder, other books. Other corporate documentation (private share purchase agreements, shareholder loans, pledges of shares, etc.)	It is recommended to keep them throughout the life of the company, from its incorporation until at least 6 years after its dissolution and liquidation. In the event that the deeds will incorporate rights or obligations for the company, it is recommended to adhere to the above-mentioned limitation periods. Obligation to keep the documentation for at least 6 years. From the last entry made in the books. They must be kept throughout the life of the company from its incorporation until at least 6 years after its dissolution and liquidation. It is recommended to keep them throughout the life of the company, from its incorporation until at least 6 years after its dissolution and liquidation.
Tax	Administration of the entity’s administration, rights and obligations relating to the payment of taxes. Administration of dividend payments and tax withholdings. All documents justifying the taxpayer’s tax actions (proof of income and expenditure), including both accounting and supporting documentation (contracts, invoices, receipts, delivery notes…) All types of tax declarations.	Obligation to keep the documentation: Minimum 4 years. Articles 66, 67 and 68 of the General Tax Law. The general limitation period for tax obligations is 4 years. With regard to tax returns, the 4-year limitation period starts to run from the day on which the voluntary tax filing period ends. In the event that there has been a subsequent action by the Administration (inspection, partial verification) or by taxpayer (corrective return, appeal) that has interrupted the limitation period, a new 4-year period starts to run from that action. However, it is advisable to keep the physical documentation, as Organic Law 7/2012 recommends keeping it for 10 years. Order EHA/962/2007 provides for the possibility of destroying invoices received on paper if a certified digitalisation process has been previously carried out to obtain electronically signed digital copies.
Health and Safety	Workers’ Medical Records/ Health data of Spa clients (treatments).	Article 17.1 of Law 41/2002 of 14 November, on patient autonomy and rights and obligations regarding clinical information and documentation. 5 years
Insurance	Insurance policies	6 years (general rule) 2 years (damage) 5 years (personal) 10 years (life)
Legal	Intellectual and Industrial Property Documents. Contracts and agreements.	5 years
	Permits, licences, certificates	6 years from the date of expiry of the permit, licence or certificate. 10 years (criminal statute of limitations)
	Confidentiality and non-competition agreements	Always the period of duration of the obligation or of confidentiality
Data protection regulations	Records and documents proving compliance with the requirements of data protection regulations (audits, reports, data processor contracts, etc.)	For the duration of data processing and thereafter for 3 years.
	Documentation accrediting that requests for the exercise of data subjects’ rights are dealt with.	For 3 years after application
	Logs/ Logs of access to information systems	2 years
	If the processing is based on the data subject’s consent, proof of consent	For the duration of data processing and thereafter 3 years
Traffic data relating to internet connections, e-mails and calls sent or received from fixed-line telephony.	User ID, IP address (source/destination), phone number, IMSI and IMEI (source/destination), date and time of communication (start/end), identification of type of service or communication used (voice, data, SMS or MMS).	Article 5 of Law 25/2007 on the retention of data relating to electronic communications and public communications networks. 1 year
Biometric data (fingerprint, facial recognition) (currently not allowed, unless legally authorised)	Biometric data are registered in the tool/software enabled for this purpose by the entity, in case of a positive Impact Assessment, within the current legal framework.	In compliance with the principle of limitation of the storage period, personal data may be processed for no longer than is necessary for the purposes of the processing, therefore, taking into account the provisions of article 34.9 of the ET, the company will keep the records for four years and they will remain at the disposal of the employees, their legal representatives and the Labour and Social Security Inspectorate. It will be the user who notifies and initiates the procedure for definitive deregistration. Building access control: 30 days, files to control access (Inst. 1/1996 AEPD) INACTIVE TRACKS: 6 MONTHS OF INACTIVITY. RECORDS: EMPLOYEES, 4 YEARS, NON-EMPLOYEES: 30 DAYS
Guests	Check-in of travellers/guests.	3 years (Ley Orgánica 4/2015 de protección de seguridad ciudadana, Orden INT/1922/2003 and in RD 933/ 2021, of 26 October (obligations of documentary registration and information of natural or legal persons carrying out accommodation activities).

File	Document	Storage
Customers	Invoices	10 years
	Forms and Coupons	15 years
	Contracts	5 years
Human Resources	Payrolls, TC1, TC2, etc.	10 years
	CV	Until the end of the selection process, and 1 more year with your consent
	Dismissal indemnity documents Contracts Data of temporary workers	4 years
	Employee file	Up to 5 years after termination
Márketing	Database or website visitors	For the duration of the treatment
Suppliers	Invoices	10 years
Suppliers	Contracts	5 years
Access control and video surveillance	Visitor list	30 days
Access control and video surveillance	Videos	30 days lockdown 3 years destruction
Accounting	Accounting books and documents Partnership agreements and board meetings, company bylaws, minutes, board regulations, and delegated committees Financial statements, audit reports Records and documents related to subsidies	6 years
Fiscal	Tax Ledger of the entity’s administration, rights and obligations related to tax payments Payment administration of dividends and tax withholdings	10 years
Fiscal	Information on intra-group pricing	18 years 8 years for intra-group transactions for pricing agreements
Safety and Health	Medical records	5 years
Environment	Information on chemical substances or substantially hazardous substances	10 years
	Documents related to environmental permits As long as the activity is carried out	3 years after closing the activity 10 years (crime prescription)
	Records on recycling or waste disposal	3 years
	Grants for cleaning operations must retain documents of rights and obligations, receipts, and payments	4 years
	Accident reports	5 years
Insurance	Insurance policies	6 years (general rule) 2 years (damages) 5 years (personal) 10 years (life)
Purchases	Record of all delivered goods or services, intra-community acquisitions, imports, and exports for VAT purposes.	5 years
Legal	Intellectual and Industrial Property Documents Contracts and agreements	5 years
	Permits, licenses, certificates	6 years from the expiration date of the permit, license, or certificate 10 years (criminal prescription)
	Confidentiality and non-competition agreements	For the duration of the obligation or confidentiality
Personal Data Protection	Personal data processing, if different from the processing notified to the AEPD	3 years