1. Data controller
This Privacy Policy informs users about the processing of their personal data in accordance with Regulation (EU) 2016/679 (GDPR), the Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD), and other applicable legislation.
2. Purposes and legal basis for processing
We process your data for the following purposes and on the following legal bases:
2.1 User account management (traveller)
We process the personal data you provide when registering (first name, surname, type and number of identity document, support number where applicable, address, country, telephone, email, vehicle type and licence plate) in order to:
- Create and manage your account on the platform.
- Complete the guest registration records required under Spanish Royal Decree 933/2021 and facilitate their transmission to the competent authorities (National Police and Civil Guard).
- Allow you to digitally sign those registration records.
Legal basis: Compliance with a legal obligation (Art. 6(1)(c) GDPR), in conjunction with Royal Decree 933/2021; and performance of a service contract (Art. 6(1)(b) GDPR).
2.2 Contractual relationship with accommodation establishments
We process the data of staff and representatives of accommodation establishments (first name, surname, email and billing details) in order to manage the contractual relationship and the provision of the service.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
2.3 Commercial communications and support
With your prior consent, we may send you communications about updates, new features or other information of interest related to AutoCheck.
Legal basis: Consent of the data subject (Art. 6(1)(a) GDPR). You may withdraw your consent at any time.
2.4 Contact form (website)
Data provided through the website contact form (name, establishment, email, telephone and message) is used solely to respond to your enquiry.
Legal basis: Consent of the data subject (Art. 6(1)(a) GDPR).
3. Categories of data processed
- Identifying data: first name, surname, type and number of identity document, support number (Spanish DNI), electronic signature.
- Contact data: postal address, email address, telephone number.
- Location data: country, region, town, postcode.
- Vehicle data: vehicle type, licence plate (campsite-type establishments only).
- Account data: email address, encrypted credentials.
- Usage data: access logs, dates and times of operations.
We do not process special categories of data (health data, biometric data, etc.).
4. Recipients and disclosures
Your data may be shared with:
- Spanish law enforcement authorities (National Police, Civil Guard or Mossos d'Esquadra, as applicable), in compliance with Royal Decree 933/2021 and the instructions of the Spanish Ministry of the Interior.
- The accommodation establishment where the traveller checks in, solely for the purpose of fulfilling the legal registration obligations.
- Data processors providing technology infrastructure and cloud hosting services, in particular Supabase, Inc. (database and authentication provider) and XXXX (web hosting provider), with whom the appropriate data processing agreements have been executed.
No data is disclosed to third parties for commercial purposes.
5. International data transfers
Infrastructure provider Supabase, Inc. may store data on servers located within the European Union (region selected by the Controller). Should any transfers outside the European Economic Area occur, such transfers will be subject to the appropriate safeguards set out in Article 46 of the GDPR (standard contractual clauses adopted by the European Commission or equivalent mechanisms).
To obtain further information about the applicable safeguards, please contact us at XXXX@XXXX.com.
6. Retention periods
- Guest registration data: retained for 3 years from the date of registration, in accordance with the minimum period established by Royal Decree 933/2021, unless the competent authority requires a longer retention period.
- User account data: for as long as the account remains active and, after cancellation, for the period necessary to meet legal obligations arising from the relationship (maximum 5 years).
- Contact form data: for the time necessary to handle the enquiry and any resulting liabilities.
- Billing data: 6 years, in accordance with Spanish tax legislation.
7. Your rights
Under the GDPR and the LOPDGDD, you may exercise the following rights by writing to the Controller at XXXX@XXXX.com, enclosing a copy of your identity document:
| Right | Description |
|---|---|
| Access | Find out what personal data we hold about you. |
| Rectification | Request the correction of inaccurate or incomplete data. |
| Erasure | Request the deletion of your data when it is no longer necessary or you withdraw consent, unless processing is required to comply with a legal obligation. |
| Restriction | Request the restriction of processing of your data in certain circumstances. |
| Objection | Object to the processing of your data on grounds relating to your particular situation, where the legal basis is legitimate interest. |
| Portability | Receive your data in a structured, machine-readable format, where processing is based on consent or a contract. |
| Withdrawal of consent | Withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. |
If you believe that the processing of your data violates applicable regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) (www.aepd.es) or with the supervisory authority of your country of residence within the EU.
8. Security measures
The Controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of communications via TLS/HTTPS.
- Encryption at rest of data stored in the database.
- Role-based access control (RLS — Row Level Security).
- Secure user authentication via magic link and/or password.
- Data processing agreements with all providers that access personal data.
9. Use of cookies
The AutoCheck platform may use strictly necessary technical cookies for the operation of the service (e.g. session management). No third-party tracking or advertising cookies are used.
You may configure your browser to reject cookies, although this may affect the correct functioning of the platform.
10. Minors
The AutoCheck service is intended for persons aged 18 or over, or for minors who have the consent of their parents or legal guardians. If we detect that we have received data from a minor without the appropriate consent, we will delete it promptly.
11. Changes to this privacy policy
The Controller reserves the right to amend this Privacy Policy to reflect legislative, judicial or technical changes. Updates will be published on this page. If the changes are material, users will be notified by email or by a notice on the platform.
The date of last update appears in the header of this document.