Privacy policy

Data Policy

1. Introduction

At Villa Palm Garden Sitges, we are committed to protecting the privacy and security of all personal data we handle. This Data Policy explains how we collect, process, store, and protect personal information in compliance with the General Data Protection Regulation (GDPR) and all applicable Spanish data-protection laws.

2. Scope

This policy applies to all personal data processed by Villa Palm Garden Sitges, including data from:

  • Guests and customers
  • Employees and contractors
  • Suppliers and business partners
  • Website visitors and online users

It covers all processing activities conducted by Villa Palm Garden Sitges, whether manual or automated.

3. Data Protection Principles

We adhere to the following principles when handling personal data:

  • Lawfulness, fairness, and transparency – Data is processed legally and individuals are informed.
  • Purpose limitation – Data is collected only for specified and legitimate purposes.
  • Data minimization – Only the minimum necessary data is collected.
  • Accuracy – Personal data is kept accurate and up to date.
  • Storage limitation – Data is retained only for as long as necessary.
  • Integrity and confidentiality – Data is protected against unauthorized access, loss, or misuse.
  • Accountability – We take full responsibility for compliance with data-protection laws.

4. Data We Collect

We may collect the following types of information:

  • Identification data: full name, address, nationality, ID/passport number
  • Contact details: phone number, email address
  • Booking or transaction data: stay dates, number of guests, payment information 
  • Communication records: messages, inquiries, or feedback
  • Technical information: IP address, browser type, or device data (if applicable)

Sensitive data is only collected when absolutely necessary and with your explicit consent.

5. Purpose of Processing

Your data is processed for the following purposes:

  • Managing and confirming bookings or service agreements
  • Complying with legal and tax obligations
  • Registering guests with local authorities (if required)
  • Processing payments and issuing invoices
  • Communicating important updates or information
  • Improving customer service and operations

6. Legal Basis for Processing

Personal data is processed under one or more of the following legal bases:

  • Contract performance: to provide the requested service
  • Legal obligation: to comply with national or local laws
  • Legitimate interest: to ensure safety and improve service quality
  • Consent: when you voluntarily agree to optional communications or marketing

7. Data Retention

Personal data is retained only for as long as necessary:

  • Booking and payment data: 3 years for accounting and tax compliance
  • Guest registration data: as required by Spanish law
  • Communication or marketing data: until you withdraw your consent

After the retention period, data is securely deleted or anonymized.

8. Data Security

We implement appropriate technical and organizational measures to safeguard your personal data, including:

  • Encrypted data storage and secure servers
  • Access limited to authorized personnel only
  • Regular data-protection training and monitoring
  • Secure backup and recovery systems

In case of a data breach, we will notify the relevant authority within 72 hours, as required by law.

9. Data Sharing

We may share limited personal data with trusted third parties when necessary to deliver our services, such as:

  • Booking or payment platforms: e.g., Airbnb, Booking.com, Stripe
  • Local authorities: when required by law (e.g., guest registration, tax reporting)
  • Service providers: IT or cleaning companies, all under GDPR-compliant agreements

We never sell or rent personal data to third parties for marketing purposes.

10. Your Rights

You have the right to:

  • Access your personal data
  • Request correction or deletion
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent at any time

To exercise these rights, contact us at: mariajc60@yahoo.nl

If you believe your data has been mishandled, you can contact your national data-protection authority.

For Spain: Agencia Española de Protección de Datos (AEPD) – www.aepd.es

11. International Data Transfers

If data is transferred outside Spain, we ensure adequate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, or
  • Transfers to countries with recognized adequate protection levels.

12. Updates to This Policy

This policy is reviewed regularly and may be updated to reflect changes in legislation or business practices. The latest version will always be available on our website.

Villa Palm Garden Sitges

Maria Johanna Catharina van de Ven

30/10/2025