Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data we carry out, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

Starting on: March 22, 2025

Controller

Estefanía Aguas / Ave Fénix - Rural House in Calaceite

C/Alcalde 47
44610 Calaceite

Spain

Email address: aguas(at)casa-rural-fenix.es

Overview of processing operations

The following overview summarizes the types of data processed and the purposes of their processing, as well as the data subjects.

Types of data processed

  • Inventory data.
  • Payment details.
  • Contact data.
  • Content data.
  • Usage data.
  • Metadata, communication data, and procedural data.
  • Registration data.

Categories of data subjects

  • Recipient and customer of the service.
  • Interested parties.
  • Communication partner.
  • Users.
  • Business and contractual partners.

Purposes of processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Office and organizational procedures.
  • Organizational and administrative procedures.
  • Feedback.
  • Marketing.
  • Provision of our online offering and user-friendliness.
  • Information technology infrastructure.
  • Public relations.
  • Sales promotion.
  • Business processes and procedures.

Relevant legal bases

Relevant legal bases under the GDPR: Below you will find an overview of the GDPR legal bases on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations in your country or our country of residence or domicile may apply. If more specific legal bases are relevant in individual cases, we will inform you in the data protection declaration.

  • Consent (Art. 6 (1) (a) GDPR) - The data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes.
  • Performance of a contract and pre-contractual consultations (Article 6 (1) (b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to implement pre-contractual measures taken at the request of the data subject.
  • Legal obligation (Art. 6 (1) (c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Article 6 (1) (f) GDPR) - Processing is necessary to protect the legitimate interests of the controller or of a third party, provided that the interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail over them.

National data protection regulations in Germany: In addition to the GDPR data protection regulations, national data protection regulations apply in Germany. This includes, in particular, the law on the protection against misuse of personal data in data processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special provisions on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated decision-making in individual cases, including profiling. In addition, the data protection laws of the individual federal states may apply.

Note on the validity of the GDPR and the Swiss DSG: This data protection notice serves to provide information in accordance with the Swiss DSG and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that, due to their broader geographical application and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms "processing" of "personal data," "overriding interest," and "particularly sensitive personal data" used in the Swiss Data Protection Act, the terms "processing" of "personal data," as well as "legitimate interest" and "special categories of data" used in the GDPR are used. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss DSG within the scope of the Swiss DSG.

Security Measures

In accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access to, input of, transfer of, availability of, and separation of the data. In addition, we have established procedures to ensure the exercise of data subject rights, data deletion, and responses to threats to data. Furthermore, we take the protection of personal data into account when developing or selecting hardware, software, and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings.

Transfer of Personal Data

As part of our processing of personal data, it may be transmitted or disclosed to other bodies, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to protect it.

International Data Transfers

Data Processing in Third Countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or do so as part of the use of third-party services, or if data is disclosed or transmitted to other persons, organizations, or companies (who can be identified by the postal address of the respective provider or if the transfer of data to third countries is expressly mentioned in the data protection declaration), this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the European Commission of July 10, 2023. In addition, we have entered into standard contractual clauses with the respective providers that comply with the requirements of the European Commission and establish contractual obligations to protect your data.

This dual protection guarantees comprehensive protection of your data: the DPF constitutes the main layer of protection, while the standard contractual clauses serve as additional security. Should changes occur within the DPF framework, the Standard Contractual Clauses will act as a reliable backup option. This way, we ensure that your data remains adequately protected even in the face of any political or legal changes.

For each service provider, we will inform you whether they are certified under the DPF and whether standard contractual clauses are in place. For more information about the DPF and a list of certified companies, please visit the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/.

For data transfers to other third countries, appropriate safeguards apply, including standard contractual clauses, explicit consent, or legally required transfers. You can find information on transfers to third countries and the applicable adequacy decisions in the information provided by the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General information on data storage and deletion

We delete the personal data we process in accordance with legal provisions as soon as the underlying consent is revoked or there is no other legal basis for the processing. This applies to cases where the original processing purpose no longer applies or the data is no longer necessary. There are exceptions to this rule if legal obligations or special interests require longer storage or archiving of data.

In particular, data that must be retained for reasons of commercial or tax law, or whose storage is necessary for legal proceedings or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy policy contains additional information on data retention and deletion that applies specifically to certain processing operations.

If several retention or deletion periods are specified for a given item of data, the longer period always applies.

If a period does not expressly begin on a specific date and is at least one year, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships in the context of which data is stored, the triggering event is the moment at which the termination or other dissolution of the legal relationship takes effect.

Data that is no longer stored for the originally intended purpose, but is retained due to legal requirements or for other reasons, is processed by us only for the reasons that justify its storage.

More information about processing procedures, methods, and services:

  • Data storage and deletion: The following general storage and archiving periods apply under German law:
      • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as work instructions and other organizational documents necessary for their understanding (Section 147 (1) No. 1 in conjunction with Section 3 of the German Fiscal Code (AO), Section 14b (1) of the German Value Added Tax Act (UStG), Section 257 (1) No. 1 in conjunction with Section 4 of the German Commercial Code (HGB)).
      • 8 years - Accounting documents, such as invoices and expense vouchers (Sections 147 (1) No. 4 and 4a in conjunction with Section 3, sentence 1 AO and Section 257 (1) No. 4 in conjunction with Section 4 HGB).
      • 6 years - Other business documents: incoming business or commercial letters, reproductions of outgoing business or commercial letters, other documents, insofar as they are relevant for taxation, for example hourly payslips, operating statements, calculation documents, price tags, but also payroll documents, provided they are not accounting documents, and cash receipts (Section 147(1)(2), (3), and (5) in conjunction with Section 3 of the Legal Entities Act, Section 257(1)(2) and (3) in conjunction with Section 4 of the German Labor Code).
      • 3 years - Data required for the consideration of potential warranty and compensation claims or similar contractual claims and rights, as well as for the processing of related inquiries, based on previous business experience and standard industry practices, will be stored for the regular statutory limitation period of three years (Sections 195, 199 BGB).

Rights of Data Subjects

Data Subject Rights under the GDPR: As a data subject, you are entitled to several rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

  • Right to object: You have the right to object at any time to the processing of personal data concerning you, carried out on the basis of Art. 6 (1) (e) or (f) of the GDPR, on grounds relating to your particular situation; this also applies to profiling based on these provisions. If personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to revoke consent: You have the right to revoke your consent at any time.
  • Right to information: You have the right to request confirmation as to whether the data in question is being processed and to request information about that data, as well as additional information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right, in accordance with legal provisions, to request the completion of data concerning you or the correction of inaccurate data concerning you.
  • Right to erasure and restriction of processing: You have the right, in accordance with legal provisions, to request the immediate erasure of data concerning you or, alternatively, to request the restriction of data processing in accordance with legal provisions.
  • Right to data portability: You have the right to receive the data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements or to request that it be transmitted to another controller.
  • Lodging a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you have your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the provisions of the GDPR.

Business Services

We process data from our contractual and business partners, e.g., customers and interested parties (collectively, "contractual partners"), within the framework of contractual and comparable legal relationships, as well as related measures and with respect to communication with contractual partners (or pre-contractually), for example, to answer inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, obligations to provide the agreed services, possible update obligations, and repairs in the event of warranty and other service interruptions. Furthermore, we use the data to protect our rights and for the purposes of administrative tasks associated with these obligations, as well as for the organization of the company. Furthermore, we process the data based on our legitimate interests in both proper and cost-effective business management and security measures to protect our contractual partners and our business operations from misuse and compromise of their data, secrets, information, and rights (e.g., in the field of telecommunications, transportation, and other ancillary services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the scope of applicable law, we only transfer contractual partners' data to third parties to the extent necessary for the aforementioned purposes or to comply with legal obligations. Contractual partners will be informed about other forms of processing, e.g., for marketing purposes, within the scope of this data protection declaration.

We inform our contractual partners which data is required for the aforementioned purposes before or as part of data collection, for example in online forms, by means of special markings (e.g., colors) or symbols (e.g., asterisks or similar), or in person.

We delete data after the expiration of legal warranty and similar obligations, i.e., generally after four years, unless the data is stored in a customer account, for example, or if it is required for legal archiving reasons (e.g., for tax purposes, usually ten years). We delete data provided to us by the contractual partner within the scope of an order in accordance with the specifications and generally after completion of the order.

  • Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or telephone numbers); Contract data (e.g., subject of the contract, duration, customer category).
  • Data subjects: Recipients and service customers; Interested parties; Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Communication; Office and organizational procedures; Organizational and administrative procedures; Business processes and procedures.
  • Storage and deletion: Deletion according to the information in the section "General information on data storage and deletion."
  • Legal basis: Contractual performance and pre-contractual consultations (Article 6 (1) (b) GDPR); Legal obligation (Article 6 (1) (c) GDPR); Legitimate interests (Article 6 (1) (f) GDPR).

Business processes and procedures

The personal data of service recipients and customers, including clients, users, or, in special cases, customers, patients, or business partners, as well as other third parties, are processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting, and project management.

The data collected is used to fulfill contractual obligations and streamline operational processes. This includes processing business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal accounting and financial processes. Furthermore, the data supports the protection of the data controller's rights and supports administrative tasks and the organization of the company.

Personal data may be transferred to third parties if necessary to fulfill the established purposes or legal obligations.