Legal Policy
The Privacy Policy forms part of the General Conditions governing the Website www.hiddenhotels.com, together with the Cookies Policy and the Legal Notice.
HIDDEN HOTELS reserves the right to modify or adapt this Privacy Policy at any time. Therefore, we recommend reviewing it each time you access the Website. If the user is registered and accesses their account or profile, they will be informed in the event of substantial changes relating to the processing of their personal data.
Who is responsible for the processing of your data?
The data collected or voluntarily provided by you through the Website, whether by browsing it or through contact forms, email, or telephone, will be collected and processed by the corresponding Data Controllers, whose details are set out below:
HIDDEN AWAY HOTELS, S.L.
VAT NUMBER: B57676108
Address: C/ Echegaray, 8, 28014, Madrid
Email Data Protection Delegate: lopd@hiddenhotels.com
Personal data will also be processed by the various companies operating the establishments of the HIDDEN HOTELS group for the purposes of managing bookings, stays and services.
In relation to marketing activities, CRM management and the sending of commercial communications, the data may be processed jointly by HIDDEN AWAY HOTELS, S.L. and CREGEST, S.L., together with the companies operating the different establishments, under a system of joint responsibility in accordance with Article 26 of the GDPR.
The purpose of this joint processing is the centralised management of clients, the sending of commercial communications and the improvement of the services offered by the HIDDEN HOTELS group as a whole.
The user can obtain more information about the entities that form part of the group and participate in the processing in this Privacy Policy.
HIDDEN AWAY HOTELS, S.L. acts as the management company of the corporate website and the content accessible on the domain www.hiddenhotels.com.
Contact details for data protection at HIDDEN HOTELS
Telephone: 910 56 93 54
Data Protection Officer contact: lopd@hiddenhotels.com
If, for any reason, you wish to contact us or our Data Protection Officer regarding any matter related to the processing of your personal data or privacy, you may do so through any of the means indicated above.
What data do we collect through the Website?
By simply browsing the website, technical data such as IP address, browser type and version, operating system, language, pages visited, duration of the visit and other browsing data may be processed.
This data will be processed by HIDDEN AWAY HOTELS, S.L. in order to guarantee the correct functioning of the website, improve the browsing experience, analyse the use of the site and optimise the content and services offered.
The legal basis for the processing shall be:
- The user's consent, in relation to the use of analytical or measurement cookies.
- The legitimate interest of the responsible party, in relation to technical cookies necessary for the operation of the website.
The use of analytical cookies, such as Google Analytics or other similar tools, shall be subject to the prior consent of the user, which may be granted, rejected or configured through the cookie settings panel.
In relation to Google Analytics, HIDDEN AWAY HOTELS, S.L. acts as data controller, while Google acts as data processor or, where appropriate, as an independent data controller in accordance with its own terms and conditions. In any case, the necessary measures have been taken to ensure an adequate level of data protection, including the formalisation of standard contractual clauses where necessary.
The website may also integrate Google Maps services or other geolocation tools. In these cases, these services will only be activated when the user expressly consents to them. The use of these services may involve the communication of data to third party providers, who will process the information in accordance with their own privacy policies.
The information obtained through these mechanisms will not be associated with identified users, unless the user provides their data through forms or other channels enabled on the website.
The data may be communicated to technology service providers who act as data processors, subject to the corresponding contractual guarantees. No data will be transferred to third parties, unless legally obliged to do so.
User registration on the Website / Submission of forms
To access certain services, such as making a reservation or registering for group programmes, the user must fill in the forms provided, providing the personal data necessary for the correct processing of the request. The fields marked as obligatory must be completed, otherwise it will not be possible to process the request or provide the corresponding service.
In these cases, the personal data provided will be processed for the purpose of managing the user's registration, processing the bookings or requests made, as well as providing the services contracted.
Additionally, and only when the user has expressly authorised it, their data may be used to send commercial communications related to HIDDEN HOTELS products, services and promotions.
The browsing data may be associated with the personal data provided when the user interacts with the website, in order to improve the user experience, analyse the use of the services and, where appropriate, personalise the content offered. In those cases where such personalisation involves profiling, it will be carried out solely on the basis of the user's consent.
Personal data will be kept for the following periods:
- Registration data and user account: as long as the account remains active.
- Data related to bookings or services: during the contractual relationship and thereafter for the applicable legal time periods.
- Data for sending commercial communications: until the user withdraws his or her consent.
- Data associated with enquiries or forms: for the time necessary to deal with the request.
After the expiry of these periods, the data will be deleted or, where appropriate, blocked for the periods prescribed by law.
The legal basis for the processing shall be:
- The execution of a contract, for the management of the registration, booking and provision of services.
- Compliance with applicable legal obligations
- The user's consent for the sending of commercial communications and, where appropriate, for profiling.
- The legitimate interest of the responsible party, to guarantee the security of the website and to improve the services offered.
The purposes of the processing shall be:
- a) Managing the user's registration and access to the website
- b) Managing the procurement of services and bookings
- c) Reporting on the status of requests, purchases or reservations made
- d) Handling requests for information
- e) Ensuring the proper functioning of the platform
Likewise, communications necessary for the correct provision of the service, such as booking confirmations, operational warnings or technical incidents may be sent, including by electronic means, as they are linked to the execution of the contract.
The sending of commercial communications will only take place when the user has given their express consent by means of the corresponding enabled box. In these cases, a double opt-in system will be implemented, whereby the user must confirm their subscription via a link sent to their e-mail address.
Users may withdraw their consent at any time, as well as unsubscribe from commercial communications through the link provided in each mailing or through the channels indicated in this Privacy Policy.
The data provided may be used centrally by the companies of the HIDDEN HOTELS group to send commercial communications, provided that the user has given his or her express consent to do so.
Booking engine (Roiback)
When the user makes a reservation through the booking engine available on the website, he/she must provide the personal data necessary for the management of the reservation.
The booking engine is provided by ROIBACK, which generally acts as a data processor in accordance with Article 28 of the GDPR, providing technological booking management services on behalf of DANDA PATRIMONIO E INVERSIONES, S.L. and/or the relevant hotel operator.
The data entered during the booking process will be communicated to the company that owns or operates the selected establishment, which will act as the data controller for the management, processing, confirmation, modification or cancellation of the booking, as well as for the provision of the contracted accommodation services.
The legal basis for the processing is the performance of a contract or the implementation of pre-contractual measures at the request of the user.
Personal data may be used to send communications necessary for the correct management of the booking, including confirmations, reminders, incidents, modifications or relevant information about the stay, including by electronic means, as they are linked to the execution of the contract.
Likewise, and only when the user has expressly authorised it, the data may be used for sending commercial communications by HIDDEN HOTELS or the corresponding establishment. In these cases, a double opt-in system will be applied to validate consent.
The data will be kept for the time necessary for the management of the reservation and the provision of the service, as well as for the legally required periods in accordance with the applicable regulations.
Within the framework of the provision of the service, the data may be communicated to technology providers acting as data processors, as well as to financial institutions for the management of payments. No data will be transferred to third parties, unless legally obliged to do so.
The user should review the specific data protection information provided during the booking process, which will identify the data controller and detail the conditions applicable to such processing.
The data may be integrated into customer management systems (CRM) used by the HIDDEN HOTELS group, in order to manage the relationship with the customer and, where appropriate, to send commercial communications, always on the basis of the user's consent.
Payment and Redsys payment gateway
To complete the booking process, the user must provide the necessary data to make the corresponding payment.
The payment service is carried out through the Redsys gateway, managed by the corresponding financial institutions. In this context, the banks and Redsys act as independent data controllers with respect to the data necessary for the execution of the financial transaction, in accordance with their own privacy policies and regulations.
DANDA PATRIMONIO E INVERSIONES, S.L. and/or the company operating the establishment do not access or store the complete details of the bank card used, but only receive confirmation of the payment made.
The legal basis for the processing of payment-related data is the execution of the accommodation contract as well as the fulfilment of statutory tax and accounting obligations.
The data provided for payment will be processed in a secure environment, in accordance with applicable industry security standards, including protocols such as PCI-DSS and strong authentication systems (SCA).
In certain cases, such as non-refundable rates, booking guarantees or possible charges associated with the stay, pre-authorisations or charges may be made in accordance with the booking conditions. Such processing shall be limited exclusively to the management of the contracted service.
The data may be communicated to financial institutions and payment service providers necessary for the correct execution of the transaction. No additional transfers will be made to third parties, unless legally obliged to do so.
Users are recommended to consult the privacy policies of the financial institutions and Redsys to learn about the specific processing of their data in the field of payment management.
Newsletter / Hidden Rewards
In the event that the website allows subscription to the Newsletter or registration for the “Hidden Rewards” loyalty programme, it will be necessary for the user to provide the personal data required in the corresponding form, including at least a valid e-mail address.
Signing up for the Newsletter and the Hidden Rewards programme will be done independently, and it is not obligatory to accept the sending of commercial communications in order to form part of the loyalty programme.
For the sending of commercial communications, the user's express consent will be required by ticking the corresponding box. Additionally, a double opt-in system will be implemented, whereby the user must confirm their subscription via a link sent to their e-mail address.
The legal basis for the processing shall be:
- The user's consent to receive commercial communications.
- The execution of a contract or the application of pre-contractual measures, in connection with the management of the Hidden Rewards programme
Personal data will be processed for the following purposes:
- Manage Newsletter subscription
- Send commercial communications, promotions and news
- Manage the registration, participation and benefits associated with the Hidden Rewards programme.
- Where appropriate, personalise the offers and benefits of the programme, only when the user has given his consent to do so.
In the event of processing based on profiling (e.g. personalisation of offers on the basis of consumption habits or preferences), this will only be carried out on the basis of the user's consent.
The data will be kept as long as the user does not request cancellation of the service, does not cancel their participation in the programme or does not withdraw their consent. Once the relationship has ended, the data will be deleted or blocked in accordance with the legally established deadlines.
The data may be processed by email marketing service providers and technology platforms associated with the loyalty programme, who will act as data processors under appropriate contractual safeguards. In case of international transfers, appropriate safeguards will apply in accordance with the GDPR.
Users may withdraw their consent at any time, as well as unsubscribe from the Newsletter or the Hidden Rewards programme through the link provided in each communication or through the channels indicated in this Privacy Policy.
Commercial communications may be carried out centrally by the HIDDEN HOTELS group, using customer management tools (CRM), and may include information from different establishments in the group, always in accordance with the consent given by the user.
__________________________________________________________________________________________________
If you belong to any of the following groups, please consult the detailed information below
+ WEB OR EMAIL CONTACTS
For what purposes will we process your personal data?
- Attend and respond to your queries, requests or petitions.
- Manage the requested service or information.
- Maintain communications related to your application, including by electronic means.
- To send you commercial communications or information about events, only if you have expressly authorised this.
What is the legal basis for processing your data?
The legal basis for the processing of your data is:
- The application of pre-contractual measures or the performance of a contract, where your request relates to the procurement of services.
- The legitimate interest of the data controller, to deal with general enquiries and to maintain the relationship derived from your request.
- The consent of the data subject, in relation to the sending of commercial communications.
In those cases in which the processing is based on consent, this will be obtained by ticking the corresponding box, which will not be pre-ticked in any case.
All forms shall have a check box with the following formula:
“I have read and accept the Privacy Policy”.
By filling in and sending the form, the user declares that he/she has been informed about the processing of his/her data in accordance with this Privacy Policy.
How long will we keep personal data?
The personal data provided through contact forms or by sending e-mails will be kept for the time necessary to deal with and manage the request made.
Once the management of the consultation has been completed, the data may be duly blocked for the duration of the statute of limitations for possible legal liabilities.
In the event that the user has authorised the sending of commercial communications, their data will be retained as long as they do not withdraw said consent.
+ CLIENTS / GUESTS / HOSPITALITY
For what purposes will we process your personal data?
Your personal data will be processed in order to manage the contractual relationship derived from the reservation and stay in the establishments of the HIDDEN HOTELS group.
Specific purposes include:
- Preparing quotations and following them up.
- Managing the reservation, including prior processing, confirmation, modification, or cancellation.
- The provision of accommodation and associated services during the stay.
- The management of communications necessary for the correct provision of the service (confirmations, reminders, incidents or relevant information about the stay), including by electronic means.
- Administrative, accounting and tax management derived from the services provided.
- The carrying out of economic transactions, collections, payments and, where appropriate, guarantees or pre-authorisations.
- Compliance with the legal obligations applicable to the hotel sector, in particular those relating to the registration of travellers and public safety regulations.
- The management of internal controls, audits, complaint handling, fraud prevention and recovery of outstanding amounts.
- Conducting satisfaction surveys and service quality evaluations.
- The sending of commercial communications, promotions or offers related to HIDDEN HOTELS, only with the express authorisation of the user.
- Likewise, the data may be used centrally by the HIDDEN HOTELS group to send commercial communications, provided that the user has given his or her express consent.
What is the legal basis for processing your data?
The legal basis for the processing of your personal data is:
- The execution of a contract or the implementation of pre-contractual measures, for the management of quotations, reservations, accommodation and associated services.
- Compliance with legal obligations in relation to tax, accounting, public safety and applicable sectorial regulations.
- The legitimate interest of the data controller, for the management of complaints, fraud prevention, debt collection and improvement of the quality of service, including the carrying out of satisfaction surveys.
- The consent of the data subject, in relation to the sending of commercial communications.
The communications necessary for the management of the reservation or provision of the service will not be considered as commercial communications, as they are based on the execution of the contract.
How long will we keep personal data?
The personal data will be kept for the time necessary for the management of the contractual relationship arising from the reservation and stay in the establishments of the HIDDEN HOTELS group.
In particular:
- Data related to bookings and accommodation services: during the contractual relationship and, subsequently, during the periods required by the applicable regulations, in particular the regulations on the registration of travellers, as well as tax and accounting obligations.
- Data associated with invoicing and payments: during the legally required tax and accounting periods.
- Data used for fraud prevention, claims or recoveries: for the time necessary for the management of such actions and the applicable statute of limitations.
- Data used for satisfaction surveys: for the time necessary to assess the quality of service, applying minimisation criteria.
In the event that the user has authorised the sending of commercial communications, their data will be retained as long as they do not withdraw said consent.
Once the aforementioned periods have expired, the data will be deleted or, where appropriate, blocked during the periods of limitation of possible legal liabilities, in accordance with the applicable regulations.
+ SUPPLIERS
For what purposes will we process your personal data?
We will process the personal data of suppliers and collaborators in order to properly manage the commercial or professional relationship that links them with the different companies of the HIDDEN HOTELS group.
Specific purposes include:
- Maintaining communications related to requests, proposals, offers, or exchanges of information necessary for the provision of services.
- Sending information by electronic means related to your request or to the existing contractual relationship.
- Sending commercial or event-related information only where express authorization exists.
- Managing administrative, communication, and logistical services necessary for the contracting, provision, and control of the supplied services or products.
- Carrying out the corresponding financial transactions, including payments, collections, and reconciliations.
- Managing invoicing, accounting, and compliance with applicable tax or fiscal obligations.
- Carrying out control procedures, internal audits, quality verification, fraud prevention, or recovery of outstanding amounts, when necessary for the proper execution of the contractual relationship.
What is the legal basis for processing your data?
The legal basis for processing supplier data is the performance of a contract or the application of pre-contractual measures related to the provision of services or supply of products. In the absence of a contractual relationship, the legal basis may derive from the data subject’s consent when they contact us through any channel. Certain processing operations linked to tax, accounting, or legal obligations are based on compliance with legal obligations. Commercial communications will be sent only where express consent exists.
How long will we keep personal data?
The personal data of suppliers and collaborators will be kept for the time necessary to manage the existing contractual or professional relationship.
In particular:
- Identification and contact data: for the duration of the contractual or commercial relationship.
- Data related to invoicing, payments and accounting: during the legally required tax and accounting deadlines.
- Data used for administrative management, audits, internal control or fraud prevention: for the time necessary for these purposes and the applicable limitation periods.
In the event that a contractual relationship is not formalised, the data will be kept for the time necessary to process the request or proposal and will subsequently be deleted, unless there is a legal obligation to keep them.
In the event that the supplier has authorised the sending of commercial communications, their data will be retained until they withdraw this consent.
Once the aforementioned periods have expired, the data will be deleted or, where appropriate, blocked during the periods of limitation of possible legal liabilities, in accordance with the applicable regulations.
+ SOCIAL MEDIA CONTACTS
For what purposes will we process your personal data?
When you interact with us through our official social media accounts, the personal data you provide or that is visible on your profile will be processed for the following purposes:
- Attend and respond to your queries, requests or petitions.
- Manage the relationship with you as a user of the social network.
- Interact with you and energise the community of followers.
- To analyse user interaction and participation for statistical purposes and to improve our services.
What is the legal basis for processing your data?
The legal basis for the processing is:
- The legitimate interest of the data controller in managing its presence on social networks and attending to the users who interact with its profiles.
- The execution of the relationship established with the user within the social network itself, in accordance with its terms of use.
In any case, the processing is carried out in accordance with the privacy policies of the corresponding social network. HIDDEN HOTELS and the social network platform may act as joint controllers in relation to certain processing operations (for example, page usage statistics), in accordance with the provisions of each platform.
How long will we keep personal data?
The personal data will be processed for as long as the user maintains a relationship with the HIDDEN HOTELS profile on the social network (for example, by following or interacting with it).
However, HIDDEN HOTELS has no direct control over the conservation of the data on the platform, so the effective deletion of the data will depend on the user's privacy settings and the policies of the corresponding social network.
In any case, HIDDEN HOTELS may delete or stop processing data that is inappropriate or excessive in the context of the interaction with its profiles.
+ VIDEO SURVEILLANCE
For what purposes will we process your personal data?
The images captured through the video surveillance systems installed in our facilities will be processed in order to guarantee the security of people, goods and facilities.
Likewise, in the field of employment, they may be used to monitor compliance with employment obligations, within the limits established by the regulations in force and respecting the rights of workers in all cases.
The images may be made available to law enforcement agencies, as well as to courts and tribunals, when necessary for the investigation of facts or the exercise of legal actions.
What is the legal basis for processing your data?
The legal basis for the processing is the legitimate interest of the controller, in accordance with Article 6.1.f) of the GDPR, in conjunction with Article 22 of Organic Law 3/2018.
In the case of labour inspection, the processing is additionally covered by the provisions of Article 20.3 of the Workers' Statute.
How long will we keep personal data?
The images will be kept for a maximum period of 30 days from their capture.
However, they may be kept for a longer period when necessary to prove the commission of acts against the integrity of persons, property or installations, or when they are to be provided in the context of police or judicial proceedings.
In such cases, the images will be blocked and made available to the competent authorities, in accordance with the applicable regulations.
+ JOB APPLICANTS
For what purposes will we process your personal data?
We will process the personal data included in your résumé or provided during the recruitment process for the following purposes:
- Organizing and managing current or future recruitment processes for hiring staff within the different companies of the HIDDEN HOTELS group.
- Evaluating your application and assessing whether your profile matches the offered position.
- Contacting you to arrange interviews or assessments related to the recruitment process.
- If you give your express consent, communicating your application to other group companies or collaborating entities, solely for the purpose of facilitating your entry into the labor market.
What is the legal basis for processing your data?
The legal basis for processing your personal data is the consent you provide by submitting your résumé or participating in recruitment processes. Certain data may also be processed in application of pre-contractual measures related to the potential execution of an employment contract.
How long will we keep personal data?
Résumés will be retained for a maximum period of one year from receipt. After this period, if no recruitment process has been initiated with you, the data will be securely deleted, unless you have expressly authorized their retention for an additional period or there is an active recruitment process requiring longer retention.
+ HR
For what purposes will we process your personal data?
We will process employees’ personal data in order to properly manage the employment relationship and the employee’s personnel file. This includes:
- Administrative, labor, and contractual management derived from the employment relationship.
- Completion of all administrative, tax, accounting, and Social Security procedures necessary to comply with legal and contractual obligations.
- Management of salary payments, remuneration, and employee benefits through the corresponding financial institution.
- Management of time control and working hours registration through the enabled systems (card, personal code, platform, employee portal, or biometric system, only where legally and technically permissible).
- Management of group insurance policies, additional coverage, or pension plans in which the employee may be included.
- Management of staff training, whether mandatory, subsidized, or non-subsidized.
- Management of actions related to occupational risk prevention, health surveillance, and regulatory compliance.
- Management of incidents, leave, absences, disciplinary actions, or any other action derived from the employment relationship.
- Conducting internal audits, quality controls, or internal procedures necessary to ensure the proper functioning of the human resources area and the group.
What is the legal basis for processing your data?
The legal bases that legitimize the processing are:
- Compliance with legal obligations applicable to the employer, including labor, Social Security, occupational risk prevention, tax, and accounting regulations (Article 6.1(c) GDPR).
- Employee consent only for processing operations not covered by the employment relationship or a legal obligation, such as certain voluntary training actions or optional social benefits (Article 6.1(a) GDPR).
- Legitimate interest of the employer, in cases such as internal controls, audits, or actions necessary for fraud prevention or proper organizational functioning (Article 6.1(f) GDPR), always within the limits provided by law.
How long will we keep personal data?
The personal data of employees will be kept for the time necessary to manage the employment relationship and, once the employment relationship has ended, for the legally required periods. In particular:
- Data derived from the employment relationship, pay slips, contributions and associated documentation: during the term of the contract and, subsequently, during the periods established by labour, Social Security, tax and accounting regulations.
- Data related to occupational risk prevention and health surveillance: during the periods required by the specific applicable regulations.
- Data linked to time control and recording of working hours: during the legally established period.
- Data relating to training, disciplinary files or internal evaluations: for the time necessary for the purpose for which they were collected and the applicable limitation periods.
Once the aforementioned periods have expired, the data will be deleted or, where appropriate, blocked during the periods of limitation of possible legal liabilities, in accordance with the applicable regulations.
Do we include personal data of third parties?
As a general rule, we only process personal data provided directly by their owners. If you provide us with data belonging to third parties, you guarantee that you have previously informed such persons of the content of this Privacy Policy and that you have obtained their consent where required, especially in cases where the applicable regulations so require. Otherwise, you shall hold HIDDEN HOTELS harmless from any liability arising from failure to comply with this requirement.
What about data relating to minors?
We do not process personal data of persons under 14 years of age. If you are under this age, you must refrain from providing us with your personal data. In the event that a minor under 14 provides us with data without authorization, we will proceed to delete it immediately as soon as we become aware of it.
Will we send communications by electronic means?
We will only send communications by electronic means when they are necessary to manage your request, reservation or any procedure related to the contracted services, and only where you have supplied said data as a contact channel.
These communications will be of an operational or informative nature and will be based on the execution of the contractual relationship or on the application of pre-contractual measures, and will therefore not be considered as commercial communications.
The sending of commercial communications by electronic means will only be carried out when the user has given their prior, express and verifiable consent, in accordance with current legislation.
However, in accordance with the provisions of article 21.2 of the LSSI-CE, commercial communications may be sent relating to products or services similar to those previously contracted, provided that there is a prior contractual relationship and the user is offered the possibility of objecting to such processing in each communication.
In all cases, the user may unsubscribe from commercial communications easily, free of charge and at any time.
What security measures do we apply?
We have adopted the technical and organizational measures necessary to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are intended to protect the personal data we process and to prevent its loss, misuse, alteration, unauthorized access, or improper disclosure. To this end, we apply access control protocols, encryption where necessary, server and communication security systems, internal data protection policies, staff training, and incident response procedures, among other measures that are adapted to the state of the art and to the nature of the processing carried out. HIDDEN HOTELS periodically reviews and updates these measures to ensure their effectiveness and adequacy to the risk.
To what extent is decision-making automated?
HIDDEN HOTELS does not use fully automated decision-making processes that produce legal effects on the user or significantly affect them in a similar way. If, in any specific processing activity, automated procedures or profiling were applied, the corresponding information would be provided at the appropriate time, including the logic involved, the importance, and the possible consequences of such processing, as well as the rights available to the user in such cases, where required by applicable law.
Will profiling take place?
To whom will your data be disclosed?
In general, your personal data will not be communicated to third parties, except when it is necessary for the correct provision of the contracted services or when there is a legal obligation.
In particular, the data may be communicated to:
- Public administrations, such as the State Tax Administration Agency, in compliance with legal obligations.
- State Security Forces and Corps, courts and tribunals, when so required by law or when necessary for the exercise of legal actions.
- Financial institutions, for the management of collections, payments and economic transactions.
Your data may also be processed by external suppliers who provide services to DANDA PATRIMONIO E INVERSIONES, S.L. and the HIDDEN HOTELS group, and who act as data processors in accordance with article 28 of the GDPR. These providers include, among others, web hosting services, booking engines, analytics tools, cloud storage, CRM, email marketing, IT maintenance or management systems.
In particular, the booking engine provided by Roiback will, as a general rule, act as a data processor in the context of booking management.
Customer management platforms (CRM) may also be used, acting as data processors for customer data management, marketing campaigns and commercial communications, on the basis of consent.
In relation to payment services, financial institutions and payment systems (such as Redsys) will act as independent data controllers in respect of the data necessary for the execution of the transaction.
In the event that the user uses third-party services during the booking or payment process (e.g. external platforms or online payment methods), the user's data will be processed directly in the environment of these third parties, in accordance with their own privacy policies.
Additionally, in the event that the user has given their express consent, their data (including, where applicable, name, image or other information associated with events or activities) may be published on the website or official social networks of HIDDEN HOTELS, exclusively for the authorised purposes.
In cases where service providers are located outside the European Economic Area, appropriate safeguards in accordance with the GDPR, such as standard contractual clauses approved by the European Commission, will be adopted.
International data transfers
Certain service providers used by HIDDEN HOTELS may be located outside the European Economic Area, which may involve the international transfer of personal data.
In such cases, HIDDEN HOTELS shall ensure that such transfers are carried out in accordance with the provisions of Regulation (EU) 2016/679, applying appropriate safeguards to ensure a level of protection equivalent to that existing in the European Union.
In particular, transfers may be based on:
- Adequacy decisions adopted by the European Commission.
- Providers' adherence to the Data Privacy Framework, where applicable.
- The signing of Standard Contractual Clauses approved by the European Commission.
- The adoption of additional security measures where necessary.
These providers may include common technology services such as cloud storage platforms, communication tools, management systems, CRM or email marketing solutions.
In particular, certain technology providers, such as CRM or email marketing platforms (e.g. Revinate), may involve international transfers of data outside the European Economic Area.
The user may request additional information on international data transfers and the guarantees applied by contacting HIDDEN HOTELS through the channels indicated in this Privacy Policy.
What rights do you have?
You have the right to obtain confirmation as to whether HIDDEN HOTELS is processing your personal data.
You also have the right to access your personal data, as well as to request the rectification of inaccurate data, or to request its erasure when the data are no longer necessary for the purposes for which they were collected or when you withdraw the consent granted.
You may request the restriction of the processing of your data in the cases provided for by law, in which case we will retain them only in accordance with legal requirements.
You may also request the portability of your data, which will be provided to you in a structured, commonly used, and machine-readable format; if you prefer, we may transmit them to the new controller you designate, where legally permitted.
You have the right to withdraw at any time the consent given for any processing based on such consent, without affecting the lawfulness of processing carried out prior to its withdrawal.
If you consider that we have not properly addressed your rights, you may lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).
If you modify any data, we would appreciate it if you informed us so that we can keep them up to date and ensure that the information is accurate.
Would you like a form to exercise your rights?
We have specific forms available for exercising your rights, which you may request by email. If you prefer, you may also use the forms prepared by the Spanish Data Protection Agency or by third parties. Such forms must be electronically signed or accompanied by a copy of your ID or another valid document proving your identity. If you exercise your rights through a representative, you must provide a copy of their ID or documentation proving representation, or sign the form with an electronic signature. You may submit your request in person, by postal mail, or by email to the address of the Data Controller indicated at the beginning of this Policy.
The maximum period for HIDDEN HOTELS to respond to your request is one month from its effective receipt, extendable in exceptional cases in accordance with the GDPR.
Do we use cookies?
The website uses its own and third-party cookies.
Technical cookies, which are necessary for the basic operation of the website, will be installed automatically, as they are essential to enable browsing and the use of its functionalities.
Other cookies (analytical, personalisation or advertising cookies) will only be installed when the user has given their prior consent, through the cookie configuration panel enabled when accessing the website.
The user may accept, reject or configure the use of cookies in a granular manner at any time through this panel.
For detailed information on the cookies used, their purpose, duration and how to manage their configuration, you can consult our Cookies Policy, available at the corresponding link on the website.
How long will we keep your personal data?
Personal data will be kept for the time strictly necessary to fulfil the purposes for which they were collected and, subsequently, for the legally required periods of time in order to attend to possible liabilities.
In particular:
- Customer and guest data (bookings, stays and services): during the contractual relationship and thereafter for the periods required by tax and accounting regulations (generally 4 years according to tax regulations and 6 years according to the Commercial Code).
- Passenger registration data: for 3 years, in accordance with the applicable public security regulations.
- Payment, invoicing and transaction data: for the periods required by tax, accounting and fraud prevention regulations.
- Data managed through the booking engine: for the time necessary for the management of the booking and the applicable legal deadlines.
- Labour and human resources data: during the term of the employment relationship and, subsequently, during the periods required by labour, Social Security, tax and occupational risk prevention regulations.
- Time records: for 4 years, in accordance with current labour regulations.
- Candidate data (CV): maximum 1 year from receipt, unless there is an ongoing selection process or consent to keep it for a longer period.
- Contact data (forms, email, telephone): for the time necessary to deal with the request and then blocked for the applicable limitation periods.
- Supplier data: during the contractual or commercial relationship and thereafter for the relevant legal periods.
- Data from social networks: as long as the user maintains a relationship with HIDDEN HOTELS profiles on the corresponding platform.
- Video surveillance images: maximum 30 days, unless they are to be kept for the investigation of incidents or legal proceedings.
- Data processed by means of cookies: during the periods indicated in the Cookies Policy or until the user withdraws their consent.
- Data processed on the basis of consent: as long as consent is not withdrawn.
Once the aforementioned periods have expired, the data will be deleted or, as the case may be, blocked, remaining at the disposal of the competent authorities during the periods of limitation of possible legal responsibilities, in accordance with the provisions of the applicable regulations.
Amendment of the Privacy Policy
HIDDEN HOTELS may amend this Privacy Policy at any time in order to adapt it to legislative developments, interpretative criteria, changes in the processing activities carried out, or Website functionalities, as well as for organizational reasons or service improvements. Any amendment will be published in this same section of the Website, and we therefore recommend reviewing it periodically. If the amendment involves a substantial change in the processing of your personal data and you have an account or use services requiring registration, we will inform you through the contact details provided or by means of a prominent notice on the Website. Continued use of the services once the update has been published will imply your knowledge and acceptance of the changes introduced.