Privacy policy

This policy explains how Retreat Andalucía processes personal data under Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD).

Data controller

No Data Protection Officer has been appointed; the size and activity of the business do not meet the Art. 37 GDPR criteria.

Purposes and legal basis

Categories of data

Identification data (name), contact data (email, phone, WhatsApp number), and any information you voluntarily include in your messages. We do not process special categories of data (Art. 9 GDPR).

Recipients and processors

International transfers

The Website self-hosts all fonts; no Google Fonts request is made. No personal data is transferred outside the EU/EEA in connection with email, hosting, or analytics. If you contact us via WhatsApp, your message reaches Meta Platforms Ireland Ltd, with onward transfers to the US under Standard Contractual Clauses.

Retention

Client correspondence: duration of the service relationship plus five (5) years (Spanish Commercial Code Art. 30 / General Tax Law). Enquiries that do not lead to a service relationship: deleted within twelve (12) months. Server logs: 14 days. Analytics: anonymous aggregates, indefinite.

Your rights

Under Arts. 15–22 GDPR you may request access, rectification, erasure, restriction, portability, objection, or withdrawal of consent. To exercise these rights, write to info@retreatandalucia.com with the subject "GDPR rights" and a copy of an identification document. We respond within one month (extendable by two further months for complex requests).

You may also lodge a complaint with the Spanish data protection authority: Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid — www.aepd.es.

Security

We apply reasonable technical and organisational measures to protect personal data against unauthorised access, loss, or alteration, in line with Art. 32 GDPR.