Privacy Policy

LAST UPDATED: 25/03/2026

The Privacy Policy forms part of the General Terms and Conditions governing the Website. https://hiddenhotels.com/seda-club/ together with the Cookies Policy and the Legal Notice.

WANA INVERSIONES, S.A.reserves the right to modify or adapt this Privacy Policy at any time. Therefore, we recommend that you review it each time you access the Website. In the event that the user has registered on the website and accesses their account or profile, upon accessing the same, you will be informed in the event that there have been substantial changes in relation to the processing of your personal data.

Who is responsible for the processing of your data?

The data that is collected or that you voluntarily provide us with through the Website, whether by browsing it, as well as any data that you may provide us with in the contact forms, via email or by telephone, will be collected and processed by the corresponding Data Controllers, whose respective data is indicated below:

 

WANA INVERSIONES, S.A.

VAT NO: A83057174

Address: C/ Echegaray, 8, 28014, Madrid

as the company operating the establishment SEDA CLUB HOTEL and responsible for processing in relation to the management of reservations, stay and provision of services.

Likewise, in relation to marketing activities, customer management and the sending of commercial communications, the data may be processed jointly by WANA INVERSIONES, S.A., CREGEST, S.L. and the various companies of the HIDDEN HOTELS group, under a system of joint responsibility in accordance with article 26 of the RGPD.

The purpose of this joint processing is the centralised management of clients, the sending of commercial communications and the improvement of the services offered by the group.

Contact at WANA INVERSIONES, S.A., for the protection of your personal information

Tel: 910 56 93 54

Contact Data Protection Officer: lopd@hiddenhotels.com

If, for any reason, you wish to contact us on any matter relating to the processing of your personal data or privacy (with our Data Protection Officer), you may do so through any of the means indicated above.

What data do we collect through the website?

By simply browsing the website, technical data such as IP address, browser type and version, operating system, language, pages visited, duration of the visit and other browsing data may be processed.

 

This data will be processed by WANA INVERSIONES, S.A. in order to guarantee the correct functioning of the website, improve the browsing experience, analyse the use of the site and optimise the content and services offered.

 

The legal basis for the processing shall be:

 

- The user's consent, in relation to the use of analytical or measurement cookies.

- The legitimate interest of the party responsible, in relation to technical cookies necessary for the operation of the website.

 

The use of analytical cookies, such as Google Analytics or other similar tools, shall be subject to the prior consent of the user, which may be granted, rejected or configured through the cookie settings panel.

 

In relation to Google Analytics, WANA INVERSIONES, S.A. acts as data controller, while Google acts as data processor or, where appropriate, as an independent data controller in accordance with its own terms and conditions. In any case, the necessary measures have been taken to ensure an adequate level of data protection, including the formalisation of standard contractual clauses where necessary.

 

The website may also integrate Google Maps services or other geolocation tools. In these cases, these services will only be activated when the user expressly consents to them. The use of these services may involve the communication of data to third party providers, who will process the information in accordance with their own privacy policies.

 

The information obtained through these mechanisms will not be associated with identified users, unless the user provides their data through forms or other channels enabled on the website.

 

The data may be communicated to technology service providers who act as data processors, subject to the corresponding contractual guarantees. No data will be transferred to third parties, unless legally obliged to do so.

User registration on the website/ Submission of forms

To access certain services, such as making a reservation or registering for group programmes, the user must fill in the forms provided, providing the personal data necessary for the correct processing of the request. The fields marked as obligatory must be completed, otherwise it will not be possible to process the request or provide the corresponding service.

 

In these cases, the personal data provided will be processed for the purpose of managing the user's registration, processing the bookings or requests made, as well as providing the services contracted.

 

Additionally, and only when the user has expressly authorised it, their data may be used to send commercial communications related to HIDDEN HOTELS products, services and promotions.

 

The browsing data may be associated with the personal data provided when the user interacts with the website, in order to improve the user experience, analyse the use of the services and, where appropriate, personalise the content offered. In those cases where such personalisation involves profiling, it will be carried out solely on the basis of the user's consent.

 

Personal data will be kept for the following periods:

 

- Registration data and user account: as long as the account remains active.

- Data related to bookings or services: during the contractual relationship and thereafter for the applicable legal time periods.

- Data for sending commercial communications: until the user withdraws his or her consent.

- Data associated with enquiries or forms: for the time necessary to deal with the request.

 

After the expiry of these periods, the data will be deleted or, where appropriate, blocked for the periods prescribed by law.

 

The legal basis for the processing shall be:

 

- The execution of a contract, for the management of the registration, booking and provision of services.

- Compliance with applicable legal obligations

- The user's consent for the sending of commercial communications and, where appropriate, for profiling.

- The legitimate interest of the responsible party, to guarantee the security of the website and to improve the services offered.

 

The purposes of the processing shall be:

 

  1. a) Manage the user's registration and access to the website
  2. b) Managing the procurement of services and bookings
  3. c) Reporting on the status of requests, purchases or reservations made
  4. (d) To deal with requests for information
  5. (e) Ensuring the proper functioning of the platform

 

Likewise, communications necessary for the correct provision of the service, such as booking confirmations, operational warnings or technical incidents may be sent, including by electronic means, as they are linked to the execution of the contract.

 

The sending of commercial communications will only take place when the user has given their express consent by means of the corresponding enabled box. In these cases, a double opt-in system will be implemented, whereby the user must confirm their subscription via a link sent to their e-mail address.

 

Users may withdraw their consent at any time, as well as unsubscribe from commercial communications through the link provided in each mailing or through the channels indicated in this Privacy Policy.

 

The personal data may be incorporated into customer management systems (CRM) used by the HIDDEN HOTELS group, in order to manage the relationship with the customer and, where appropriate, to send commercial communications, always on the basis of the user's consent.

Booking engine (Roiback)

When the user makes a reservation through the booking engine available on the website, he/she must provide the personal data necessary for the management of the reservation.

 

The booking engine is provided by ROIBACK, which acts, in general, as a data processor in accordance with Article 28 of the GDPR, providing technological booking management services on behalf of WANA INVERSIONES, S.A. and/or the relevant hotel operating company.

 

The data entered during the booking process will be communicated to the company that owns or operates the selected establishment, which will act as the data controller for the management, processing, confirmation, modification or cancellation of the booking, as well as for the provision of the contracted accommodation services.

 

The legal basis for the processing is the performance of a contract or the implementation of pre-contractual measures at the request of the user.

 

Personal data may be used to send communications necessary for the correct management of the booking, including confirmations, reminders, incidents, modifications or relevant information about the stay, including by electronic means, as they are linked to the execution of the contract.

 

Likewise, and only when the user has expressly authorised it, the data may be used for sending commercial communications by HIDDEN HOTELS or the corresponding establishment. In these cases, a double opt-in system will be applied to validate consent.

 

The data will be kept for the time necessary for the management of the reservation and the provision of the service, as well as for the legally required periods in accordance with the applicable regulations.

 

Within the framework of the provision of the service, the data may be communicated to technology providers acting as data processors, as well as to financial institutions for the management of payments. No data will be transferred to third parties, unless legally obliged to do so.

 

The user should review the specific data protection information provided during the booking process, which will identify the data controller and detail the conditions applicable to such processing.

 

The data may be integrated into customer management systems (CRM) used by the HIDDEN HOTELS group, in order to manage the relationship with the customer and, where appropriate, to send commercial communications, always on the basis of the user's consent.

Redsys payment and gateway

To complete the booking process, the user must provide the necessary data to make the corresponding payment.

The payment service is carried out through the Redsys gateway, managed by the corresponding financial institutions. In this context, the banking institutions and Redsys act as independent data controllers with respect to the data necessary for the execution of the economic transaction, in accordance with their own regulations and privacy policies.

WANA INVERSIONES, S.A. and/or the company operating the establishment do not access or store the full details of the bank card used, but only receive confirmation of the payment made.

 

The legal basis for the processing of payment-related data is the execution of the accommodation contract as well as the fulfilment of statutory tax and accounting obligations.

The data provided for payment will be processed in a secure environment, in accordance with applicable industry security standards, including protocols such as PCI-DSS and strong authentication systems (SCA).

In certain cases, such as non-refundable rates, booking guarantees or possible charges associated with the stay, pre-authorisations or charges may be made in accordance with the booking conditions. Such processing shall be limited exclusively to the management of the contracted service.

The data may be communicated to financial institutions and payment service providers necessary for the correct execution of the transaction. No additional transfers will be made to third parties, unless legally obliged to do so.

Users are advised to consult the privacy policies of the financial institutions and Redsys to learn about the specific processing of their data in the field of payment management.

Newsletter/ Hidden Rewards

In the event that the website allows subscription to the Newsletter or registration for the “Hidden Rewards” loyalty programme, it will be necessary for the user to provide the personal data required in the corresponding form, including at least a valid e-mail address.

Signing up for the Newsletter and the Hidden Rewards programme will be done independently, and it is not obligatory to accept the sending of commercial communications in order to form part of the loyalty programme.

For the sending of commercial communications, the user's express consent will be required by ticking the corresponding box. Additionally, a double opt-in system will be implemented, whereby the user must confirm their subscription via a link sent to their e-mail address.

The legal basis for the processing shall be:

- The user's consent to receive commercial communications.

- The execution of a contract or the application of pre-contractual measures, in connection with the management of the Hidden Rewards programme

Personal data will be processed for the following purposes:

- Manage Newsletter subscription

- Send commercial communications, promotions and news

- Manage the registration, participation and benefits associated with the Hidden Rewards programme.

- Where appropriate, personalise the offers and benefits of the programme, only when the user has given his consent to do so.

In the event of processing based on profiling (e.g. personalisation of offers on the basis of consumption habits or preferences), this will only be carried out on the basis of the user's consent.

The data will be kept as long as the user does not request cancellation of the service, does not cancel their participation in the programme or does not withdraw their consent. Once the relationship has ended, the data will be deleted or blocked in accordance with the legally established deadlines.

The data may be processed by email marketing service providers and technology platforms associated with the loyalty programme, who will act as data processors under appropriate contractual safeguards. In case of international transfers, appropriate safeguards will apply in accordance with the GDPR.

Users may withdraw their consent at any time, as well as unsubscribe from the Newsletter or the Hidden Rewards programme through the link provided in each communication or through the channels indicated in this Privacy Policy.

Commercial communications may be carried out centrally by the HIDDEN HOTELS group, using customer management tools (CRM), and may include information from different establishments of the group, always in accordance with the consent given by the user.

__________________________________________________________________________________________________

If you are one of the following groups, please see the information below:

 

            + CONTACTS FROM THE WEB OR EMAIL

For what purposes will we process your personal data?

  • Attend and respond to your queries, requests or petitions.
  • Manage the requested service or information.
  • Maintain communications related to your application, including by electronic means.
  • To send you commercial communications or information about events, only if you have expressly authorised this.

What is the legitimacy for the processing of your data?

The legal basis for the processing of your data is:

  • The application of pre-contractual measures or the performance of a contract, where your request relates to the procurement of services.
  • The legitimate interest of the data controller, to deal with general enquiries and to maintain the relationship derived from your request.
  • The consent of the data subject, in relation to the sending of commercial communications.

In those cases in which the processing is based on consent, this will be obtained by ticking the corresponding box, which will not be pre-ticked in any case.

All forms shall have a check box with the following formula:

“I have read and accept the Privacy Policy”.”

By filling in and sending the form, the user declares that he/she has been informed about the processing of his/her data in accordance with this Privacy Policy.

How long will we keep personal data?

The personal data provided through contact forms or by sending e-mails will be kept for the time necessary to deal with and manage the request made.

Once the management of the consultation has been completed, the data may be duly blocked for the duration of the statute of limitations for possible legal liabilities.

In the event that the user has authorised the sending of commercial communications, their data will be retained as long as they do not withdraw said consent.

            + CUSTOMERS / HOSPITALITY

For what purposes will we process your personal data?

Your personal data will be processed in order to manage the contractual relationship derived from the reservation and stay in the establishments of the HIDDEN HOTELS group.

Specific purposes include:

  • Budgeting and monitoring of budgets.
  • The management of the booking, including pre-booking, confirmation, modification or cancellation.
  • The provision of accommodation and associated services during the stay.
  • The management of communications necessary for the correct provision of the service (confirmations, reminders, incidents or relevant information about the stay), including by electronic means.
  • Administrative, accounting and tax management derived from the services provided.
  • The carrying out of economic transactions, collections, payments and, where appropriate, guarantees or pre-authorisations.
  • Compliance with the legal obligations applicable to the hotel sector, in particular those relating to the registration of travellers and public safety regulations.
  • The management of internal controls, audits, complaint handling, fraud prevention and recovery of outstanding amounts.
  • Conducting satisfaction surveys and service quality evaluations.
  • The sending of commercial communications, promotions or offers related to HIDDEN HOTELS, only with the express authorisation of the user.
  • Likewise, the data may be used centrally by the HIDDEN HOTELS group to send commercial communications, provided that the user has given his or her express consent.

What is the legitimacy for the processing of your data?

            The legal basis for the processing of your personal data is:

  • The execution of a contract or the implementation of pre-contractual measures, for the management of quotations, reservations, accommodation and associated services.
  • Compliance with legal obligations, in relation to tax, accounting, public safety and applicable sectorial regulations.
  • The legitimate interest of the data controller, for the management of complaints, fraud prevention, debt collection and improvement of the quality of service, including the carrying out of satisfaction surveys.
  • The consent of the data subject, in relation to the sending of commercial communications.

The communications necessary for the management of the reservation or provision of the service will not be considered as commercial communications, as they are based on the execution of the contract.

How long will we keep personal data?

The personal data will be kept for the time necessary for the management of the contractual relationship arising from the reservation and stay in the establishments of the HIDDEN HOTELS group.

In particular:

  • Data related to bookings and accommodation services: during the contractual relationship and, subsequently, during the periods required by the applicable regulations, in particular the regulations on the registration of travellers, as well as tax and accounting obligations.
  • Data associated with invoicing and payments: during the legally required tax and accounting periods.
  • Data used for fraud prevention, claims or recoveries: for the time necessary for the management of such actions and the applicable statute of limitations.
  • Data used for satisfaction surveys: for the time necessary to assess the quality of service, applying minimisation criteria.

In the event that the user has authorised the sending of commercial communications, their data will be retained as long as they do not withdraw said consent.

Once the aforementioned periods have expired, the data will be deleted or, where appropriate, blocked during the periods of limitation of possible legal liabilities, in accordance with the applicable regulations.


            + SUPPLIERS.

For what purposes will we process your personal data?

We will process the personal data of suppliers and collaborators in order to properly manage the commercial or professional relationship that links them with the different companies of the HIDDEN HOTELS group.

 Specific purposes include:

  • To maintain communications relating to requests, proposals, offers or exchanges of information necessary for the provision of services.
  • To send you information by electronic means related to your request or to the existing contractual relationship.
  • Send commercial or event information only when expressly authorised to do so.
  • Manage the administrative, communication and logistical services necessary for the contracting, provision and control of the services or products supplied.
  • Carry out the relevant economic transactions, including payments, receipts and reconciliations.
  • Manage invoicing, accounting and compliance with applicable fiscal or tax obligations.
  • To carry out control procedures, internal audit, quality verification, fraud prevention or recovery of amounts due, when necessary for the proper execution of the contractual relationship.

What is the legitimacy for the processing of your data?

            The legal basis for the processing of supplier data is the performance of a contract or the implementation of pre-contractual measures in connection with the provision of services or supply of products. In the absence of a contractual relationship, the legitimation may derive from the consent of the data subject when contacting us by any means. Certain processing linked to tax, accounting or legal obligations is based on compliance with legal obligations. Commercial communications will only be sent when there is express consent.

How long will we keep personal data?

The personal data of suppliers and collaborators will be kept for the time necessary to manage the existing contractual or professional relationship.

  • In particular:
  • Identification and contact data: for the duration of the contractual or commercial relationship.
  • Data related to invoicing, payments and accounting: during the legally required tax and accounting deadlines.
  • Data used for administrative management, audits, internal control or fraud prevention: for the time necessary for these purposes and the applicable limitation periods.

In the event that a contractual relationship is not formalised, the data will be kept for the time necessary to process the request or proposal and will subsequently be deleted, unless there is a legal obligation to keep them.

In the event that the provider has authorised the sending of commercial communications, your data will be retained until such time as you withdraw this consent.

Once the aforementioned periods have expired, the data will be deleted or, where appropriate, blocked during the periods of limitation of possible legal liabilities, in accordance with the applicable regulations.

            + SOCIAL MEDIA CONTACTS

For what purposes will we process your personal data?

When you interact with us through our official social media accounts, the personal data you provide or that is visible on your profile will be processed for the following purposes:

  • Attend and respond to your queries, requests or petitions.
  • Manage the relationship with you as a user of the social network.
  • Interact with you and energise the community of followers.
  • To analyse user interaction and participation for statistical purposes and to improve our services.

What is the legitimacy for the processing of your data?

The legal basis for the processing is:

  • The legitimate interest of the data controller in managing its presence on social networks and attending to the users who interact with its profiles.
  • The execution of the relationship established with the user within the social network itself, in accordance with its terms of use.

In any case, the processing is carried out in accordance with the privacy policies of the corresponding social network. HIDDEN HOTELS and the social network platform may act as co-responsible for the processing in relation to certain processing (for example, page usage statistics), in accordance with the provisions of each platform.

How long will we keep personal data?

The personal data will be processed for as long as the user maintains a relationship with the HIDDEN HOTELS profile on the social network (for example, by following or interacting with it).

However, HIDDEN HOTELS has no direct control over the conservation of the data on the platform, so the effective deletion of the data will depend on the user's privacy settings and the policies of the corresponding social network.

In any case, HIDDEN HOTELS may delete or stop processing data that is inappropriate or excessive in the context of the interaction with your profiles.

            + VIDEO SURVEILLANCE

For what purposes will we process your personal data?

The images captured through the video surveillance systems installed in our facilities will be processed in order to guarantee the security of people, goods and facilities.

Likewise, in the field of employment, they may be used to monitor compliance with employment obligations, within the limits established by the regulations in force and respecting the rights of workers in all cases.

The images may be made available to law enforcement agencies, as well as to courts and tribunals, when necessary for the investigation of facts or the exercise of legal actions.

What is the legitimacy for the processing of your data?

The legal basis for the processing is the legitimate interest of the controller, in accordance with Article 6.1.f) of the GDPR, in conjunction with Article 22 of Organic Law 3/2018.

In the case of labour inspection, the treatment is additionally covered by the provisions of Article 20.3 of the Workers' Statute.

How long will we keep personal data?

The images will be kept for a maximum period of 30 days from their capture.

However, they may be kept for a longer period when necessary to prove the commission of acts against the integrity of persons, property or installations, or when they are to be provided in the context of police or judicial proceedings.

In such cases, the images will be blocked and made available to the competent authorities, in accordance with the applicable regulations.

+ JOB SEEKERS

For what purposes will we process your personal data?

We will process the personal data included in your CV or provided during the selection process for the following purposes:

  • To organise and manage current or future selection processes for the recruitment of personnel in the different companies of the HIDDEN HOTELS group.
  • Evaluate your application and assess whether your profile matches the position offered.
  • Contact you to arrange interviews or tests related to the selection process.
  • In the event that you give us your express consent, we may communicate your application to other companies in the group or to collaborating entities, exclusively with the aim of facilitating your incorporation into the labour market.

What is the legitimacy for the processing of your data?

            The legal basis for the processing of your personal data is the consent you give by submitting your CV or participating in selection processes. Certain data may also be processed for the purposes of pre-contractual measures in connection with the possible conclusion of an employment contract.

How long will we keep personal data?

CVs will be kept for a maximum period of one year from receipt. After this period, and if no recruitment process has been initiated with you, the data will be securely deleted, unless you have expressly authorised their retention for a further period or there is an active recruitment process that requires them to be kept for a longer period.

             + HR

For what purposes will we process your personal data?

We will process employees' personal data for the purpose of properly managing the employment relationship and the employee's file. This includes:

  • The administrative, labour and contractual management derived from the employment relationship.
  • Carrying out all the administrative, tax, accounting and social security procedures necessary to comply with legal and contractual obligations.
  • The management of the payment of salaries, remuneration and social benefits through the corresponding financial institution.
  • The management of time and attendance and time recording by means of the authorised systems (card, personal code, platform, employee portal or biometric system, only when legally and technically appropriate).
  • The management of group insurance, additional coverage or pension plans in which the employee may be included.
  • The management of staff training, whether compulsory training, subsidised or non-reimbursed training.
  • The management of the necessary actions in terms of occupational risk prevention, health surveillance and regulatory compliance.
  • The management of incidents, leave, absences, disciplinary sanctions or any other action derived from the employment relationship.
  • The performance of internal audits, quality controls or internal procedures necessary to ensure the proper functioning of the human resources area and the group.

What is the legitimacy for the processing of your data?

            The legal bases legitimising the processing are:

  • The execution of the employment contract and the application of pre-contractual measures in the framework of the employment relationship (Art. 6.1.b) GDPR).
  • Compliance with legal obligations applicable to the employer, including those derived from labour, social security, occupational risk prevention, tax and accounting regulations (art. 6.1.c) GDPR).
  • The employee's consent only for those processing operations that are not covered by the employment relationship or a legal obligation, such as certain voluntary training actions or optional social benefits (art. 6.1.a) GDPR).
  • The legitimate interest of the employer, in cases such as internal controls, audits or actions necessary for the prevention of fraud or the proper functioning of the organisation (art. 6.1.f) RGPD), always within the limits provided for in the regulations.

How long will we keep personal data?

The personal data of employees will be kept for the time necessary to manage the employment relationship and, once the employment relationship has ended, for the legally required periods. In particular:

- Data derived from the employment relationship, payslips, contributions and associated documentation: during the term of the contract and, subsequently, during the periods established by labour, Social Security, tax and accounting regulations.
- Data related to occupational risk prevention and health surveillance: during the periods required by the specific applicable regulations.
- Data linked to time control and recording of working hours: during the legally established period.
- Data relating to training, disciplinary files or internal evaluations: for the time necessary for the purpose for which they were collected and the applicable limitation periods.

Once the aforementioned periods have expired, the data will be deleted or, where appropriate, blocked during the periods of limitation of possible legal liabilities, in accordance with the applicable regulations.

Do we include personal data of third parties?

As a general rule, we only process personal data provided directly by the data subjects. If you provide us with data of third parties, you guarantee that you have previously informed these persons about the content of this Privacy Policy and that you have obtained their consent when necessary, especially in cases where the regulations so require. Otherwise, you will be obliged to hold HIDDEN HOTELS harmless against any liability arising from failure to comply with this requirement.

What about data on minors?

We do not process personal data of children under 14 years of age. If you are under 14 years of age, you should refrain from providing us with your personal data. In the event that a child under 14 years of age provides us with unauthorised data, we will delete this data immediately as soon as we become aware of it.

Will we communicate electronically?

We will only make communications by electronic means when they are necessary to manage your request, reservation or any procedure related to the contracted services, provided that you have provided said data as a contact channel.

These communications will be of an operational or informative nature and will be based on the execution of the contractual relationship or the application of pre-contractual measures, and will therefore not be considered as commercial communications.

The sending of commercial communications by electronic means will only be carried out when the user has given their prior, express and verifiable consent, in accordance with current legislation.

However, in accordance with the provisions of article 21.2 of the LSSI-CE, commercial communications may be sent relating to products or services similar to those previously contracted, provided that there is a prior contractual relationship and the user is offered the possibility of objecting to such processing in each communication.

In all cases, the user may unsubscribe from commercial communications easily, free of charge and at any time.

What security measures do we apply?

We have taken the necessary technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with the provisions of Article 32 of the GDPR. These measures are intended to protect the personal data we process and to prevent their loss, misuse, alteration, unauthorised access or improper disclosure. To this end, we apply access control protocols, encryption when necessary, security systems on servers and communications, internal data protection policies, staff training and incident response procedures, among other measures that are in line with the state of the art and the nature of the processing carried out. HIDDEN HOTELS periodically reviews and updates these measures to ensure their effectiveness and suitability to the risk.

To what extent will decision-making be automated?

HIDDEN HOTELS does not use fully automated decision-making processes that produce legal effects on the user or significantly affect the user in a similar way. In the event that automated procedures or profiling are applied in any specific processing, the corresponding information will be provided at the appropriate time, including the logic applied, the importance and possible consequences of such processing, as well as the rights of the user in these cases, when required by current legislation.

Will profiling take place?

In order to offer products and services tailored to your interests and to enhance your user experience, we may create profiles based on the information you provide to us, as well as on your interaction with the website and, where appropriate, your spending habits.

This processing will only be carried out when the user has given his or her express consent, in particular in relation to the use of analytical or marketing cookies and the sending of personalised commercial communications.

This profiling may be carried out by means of customer management tools (CRM) used by the HIDDEN HOTELS group.

Profiling may be used to personalise communications, content, offers or recommendations related to HIDDEN HOTELS services.

Under no circumstances will automated decisions based solely on the said profile be adopted that produce legal effects on the user or significantly affect him/her in a similar way, in the terms of Article 22 of the GDPR.

The user may at any time object to profiling or withdraw their consent, through the channels indicated in this Privacy Policy or through the cookie settings.

To which recipients will your data be communicated?

In general, your personal data will not be communicated to third parties, except when it is necessary for the correct provision of the contracted services or when there is a legal obligation.

In particular, the data may be communicated to:

  • Public administrations, such as the State Tax Administration Agency, in compliance with legal obligations.
  • State Security Forces and Corps, courts and tribunals, when so required by law or when necessary for the exercise of legal actions.
  • Financial institutions, for the management of collections, payments and economic transactions.

Your data may also be processed by external suppliers who provide services to WANA INVERSIONES, S.A. and the HIDDEN HOTELS group, and who act as data processors in accordance with article 28 of the GDPR. These providers include, among others, web hosting services, booking engines, analytics tools, cloud storage, CRM, email marketing, IT maintenance or management systems.

In particular, the booking engine provided by Roiback will, as a general rule, act as a data processor in the context of booking management.

Customer management platforms (CRM) may also be used, acting as data processors for customer data management, marketing campaigns and commercial communications, on the basis of consent.

In relation to payment services, financial institutions and payment systems (such as Redsys) will act as independent data controllers in respect of the data necessary for the execution of the transaction.

In the event that the user uses third-party services during the booking or payment process (e.g. external platforms or online payment methods), the user's data will be processed directly in the environment of these third parties, in accordance with their own privacy policies.

Additionally, in the event that the user has given their express consent, their data (including, where applicable, name, image or other information associated with events or activities) may be published on the website or official social networks of HIDDEN HOTELS, exclusively for the authorised purposes.

In cases where service providers are located outside the European Economic Area, appropriate safeguards in accordance with the GDPR, such as standard contractual clauses approved by the European Commission, will be adopted.

International transfers.

Certain service providers used by HIDDEN HOTELS may be located outside the European Economic Area, which may involve the international transfer of personal data.

In such cases, HIDDEN HOTELS shall ensure that such transfers are carried out in accordance with the provisions of Regulation (EU) 2016/679, applying appropriate safeguards to ensure a level of protection equivalent to that existing in the European Union.

In particular, transfers may be based on:

  • Adequacy decisions adopted by the European Commission.
  • Providers' adherence to the Data Privacy Framework, where applicable.
  • The signing of Standard Contractual Clauses approved by the European Commission.
  • The adoption of additional security measures where necessary.

These providers may include common technology services such as cloud storage platforms, communication tools, management systems, CRM or email marketing solutions.

In particular, certain technology providers, such as CRM or email marketing platforms (e.g. Revinate), may involve international transfers of data outside the European Economic Area.

The user may request additional information on international data transfers and the guarantees applied by contacting HIDDEN HOTELS through the channels indicated in this Privacy Policy.

What rights do you have?

You have the right to obtain confirmation as to whether or not HIDDEN HOTELS is processing your personal data.

You also have the right to access your personal data, as well as to request the rectification of data that is inaccurate, or to request its deletion when the data is no longer necessary for the purposes for which it was collected or when you withdraw your consent.

You may request the limitation of the processing of your data in the cases provided for in the regulations, in which case we will only keep them in accordance with the provisions of the law.

You may also request the portability of your data, which will be provided to you in a structured, commonly used and machine-readable format; if you prefer, we may send it to the new data controller that you indicate, always in the cases permitted by law.

You have the right to withdraw your consent at any time for any of the processing operations based on that consent, without affecting the lawfulness of the processing operations prior to its withdrawal.

If you consider that your rights have not been properly addressed, you may lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).

If you change any information, please let us know so that we can keep it up to date and ensure that the information is correct.

Do you want a form for exercising your rights? 

We have specific forms for exercising your rights, which you can request by e-mail. If you prefer, you can also use the forms prepared by the Spanish Data Protection Agency or by third parties. These forms must be signed electronically or accompanied by a copy of your ID card or other valid document proving your identity. If you exercise your rights through a representative, you must provide a copy of your ID card or the document accrediting your representation, or sign the form using an electronic signature. You may submit your request in person, by post or by email to the address of the Data Controller indicated at the beginning of this Policy.

The maximum period for HIDDEN HOTELS to resolve your request is one month from its effective receipt, which may be extended in exceptional cases in accordance with the RGPD.

Do we process cookies?

The website uses its own and third-party cookies.

Technical cookies, which are necessary for the basic operation of the website, will be installed automatically, as they are essential to enable browsing and the use of its functionalities.

Other cookies (analytical, personalisation or advertising cookies) will only be installed when the user has given their prior consent, through the cookie configuration panel enabled when accessing the website.

The user may accept, reject or configure the use of cookies in a granular manner at any time through this panel.

For detailed information on the cookies used, their purpose, duration and how to manage their configuration, you can consult our Cookies Policy, available at the corresponding link on the website.

How long will we keep your personal data?

Personal data will be kept for the time strictly necessary to fulfil the purposes for which they were collected and, subsequently, for the legally required periods of time in order to attend to possible liabilities.

In particular:

  • Customer and guest data (bookings, stays and services): during the contractual relationship and thereafter for the periods required by tax and accounting regulations (generally 4 years according to tax regulations and 6 years according to the Commercial Code).
  • Passenger registration data: for 3 years, in accordance with the applicable public security regulations.
  • Payment, invoicing and transaction data: for the periods required by tax, accounting and fraud prevention regulations.
  • Data managed through the booking engine: for the time necessary for the management of the booking and the applicable legal deadlines.
  • Labour and human resources data: during the term of the employment relationship and, subsequently, during the periods required by labour, Social Security, tax and occupational risk prevention regulations.
  • Time records: for 4 years, in accordance with current labour regulations.
  • Candidate data (CV): maximum 1 year from receipt, unless there is an ongoing selection process or consent to keep it for a longer period.
  • Contact data (forms, email, telephone): for the time necessary to deal with the request and then blocked for the applicable limitation periods.
  • Supplier data: during the contractual or commercial relationship and thereafter for the relevant legal periods.
  • Data from social networks: as long as the user maintains a relationship with HIDDEN HOTELS profiles on the corresponding platform.
  • Video surveillance images: maximum 30 days, unless they are to be kept for the investigation of incidents or legal proceedings.
  • Data processed by means of cookies: during the periods indicated in the Cookies Policy or until the user withdraws their consent.
  • Data processed on the basis of consent: as long as consent is not withdrawn.

 

Once the aforementioned periods have expired, the data will be deleted or, as the case may be, blocked, remaining at the disposal of the competent authorities during the periods of limitation of possible legal liabilities, in accordance with the provisions of the applicable regulations.

Modification of the privacy policy

HIDDEN HOTELS may modify this Privacy Policy at any time in order to adapt it to new legislation, interpretative criteria, changes in the processing carried out or in the functionalities of the Website, as well as for organisational reasons or to improve the service. Any modification will be published in this section of the Website, so we recommend that you review it periodically. If the modification involves a substantial change in the processing of your personal data, and you have an account or use services that require registration, we will inform you through the means of contact provided or by means of a prominent notice on the Website. Your continued use of the services once the update has been published will imply your knowledge and acceptance of the changes introduced.

Book your stay

Advantages for booking on our website

Welcome glass of cava
Welcome gift
Upgrade + late checkout subject to availability

customers

Language

HIDDEN SPRING. It's time to bloom. Enjoy a 20% on your next stay.

Book now