Privacy Policy

1. Introduction

At Reserva de Hamacas (hereinafter "we", "our" or "the Service"), we take the privacy of our users very seriously. This Privacy Policy describes how we collect, use, store and protect your personal information when you use our platform.

By using our service, you accept the practices described in this policy. If you do not agree with these terms, please do not use the service.

2. Data Controller

3. Information We Collect

3.1. Information You Provide Directly

• Account registration: Name, surname, email, password, business name
• Profile information: Phone, address, business logo
• Payment information: Card details (processed by Stripe), transaction history
• User content: Zone configuration, sunbeds, prices, reservations
• Communications: Support emails, feedback, inquiries

3.2. Information Collected Automatically

• Usage data: Pages visited, features used, time spent
• Technical data: IP address, browser type, device, operating system
• Cookies and similar technologies: See our Cookie Policy
• Server logs: Access date and time, URLs visited, HTTP response codes

3.3. Information from Third Parties

• Payment processors: Stripe, Redsys (transaction information)
• Social authentication: If you log in with Google/Facebook (name, email, profile photo)
• PMS integrations: If you connect your hotel system (guest data according to your configuration)

4. How We Use Your Information

We use your personal information for the following purposes:

4.1. Service Provision

• Create and manage your account
• Process and manage sunbed reservations
• Provide dashboard and widget functionalities
• Manage payments and billing
• Send confirmations and transactional notifications

4.2. Service Improvement

• Analyze platform usage
• Identify and fix technical errors
• Develop new features
• Perform A/B testing and optimizations

4.3. Communication

• Respond to support inquiries
• Send service updates (changes in terms, new features)
• Marketing and promotions (with your explicit consent)

4.4. Security and Legal Compliance

• Detect and prevent fraud
• Ensure platform security
• Comply with legal and regulatory obligations
• Protect our legal rights

5. Legal Basis for Processing (GDPR)

We process your personal information under the following legal bases according to GDPR:

• Contract performance: Processing necessary to provide the service (Art. 6.1.b GDPR)
• Consent: Marketing, non-essential cookies, processing of sensitive data (Art. 6.1.a GDPR)
• Legitimate interest: Service improvements, analysis, fraud prevention (Art. 6.1.f GDPR)
• Legal obligation: Tax, accounting and regulatory compliance (Art. 6.1.c GDPR)

6. Sharing Your Information

We do not sell or rent your personal information. We share information only in these cases:

6.1. Service Providers

• Payment processors: Stripe, Redsys (payment data)
• Hosting: Railway, Cloudflare (data storage)
• Email: Resend (transactional email delivery)
• Analytics: Google Analytics, Sentry (usage and error analysis)
• CDN: CloudFlare (content delivery)

All our providers are contractually obligated to protect your information and can only use it according to our instructions.

6.2. Legal Requirements

We may disclose your information if required by law, court order, legal process, or to protect our rights, property or safety.

6.3. Business Transfers

In case of merger, acquisition or sale of assets, your information may be transferred. We will notify you before your information is subject to a different privacy policy.

7. Data Retention

We retain your personal information for:

• Active accounts: As long as you maintain your account active
• Cancelled accounts: Up to 90 days after cancellation (to allow reactivation)
• Billing data: Minimum 7 years (tax and accounting requirements)
• Support data: 3 years after last contact
• Technical logs: 12 months

After these periods, we permanently delete or anonymize your personal information.

8. Data Security

We implement robust technical and organizational measures:

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Authentication: JWT with refresh tokens, 2FA (TOTP) support
• Password hashing: bcrypt with salt (10 rounds)
• Data isolation: Strict multi-tenancy by clientId
• Backups: Automatic daily backups with 30-day retention
• Monitoring: Real-time intrusion and anomaly detection
• Access control: Least privilege principle, access auditing

However, no transmission or storage method is 100% secure. We recommend using strong passwords and enabling two-factor authentication.

9. Your Rights (GDPR)

If you are a resident of the European Union, you have the following rights under GDPR:

10. Cookies and Similar Technologies

We use cookies and similar technologies to improve your experience, analyze service usage and personalize content. For detailed information, see our Cookie Policy.

You can manage your cookie preferences at any time from the cookie banner or your browser settings.

11. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). In these cases, we ensure the protection of your data through:

• Standard Contractual Clauses (SCC): Approved by the European Commission
• Privacy Shield Certification: For US providers (where applicable)
• Additional safeguards: Risk assessments, technical encryption measures

Main locations of our servers: EU (Ireland, Frankfurt), USA (providers with SCC).

12. Protection of Minors

Our service is aimed at businesses and professionals. We do not intentionally collect information from minors under 16 years of age. If you are a parent and discover that your child has provided information without your consent, contact us immediately to delete it.

13. Changes to this Policy

We may update this Privacy Policy occasionally. We will notify you of significant changes through:

• Email to your registered address
• Notification in the dashboard
• Prominent banner on the website

Continued use of the service after changes constitutes your acceptance of the new policy. The "Last updated" date at the top of this page indicates when the last modification was made.

14. Contact

15. Supervisory Authority

If you believe that the processing of your personal data violates GDPR, you have the right to file a complaint with the competent data protection authority: