Casa de las Libélulas values your privacy and is committed to protecting your personal data under EU Regulation 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD).
1. Data controller
- Owner: Casa de las Libélulas S.L.
- Tax ID: B19968643
- Address: Carretera Nacional 204 - Km. 20 - 19133 Durón, Guadalajara, Castilla La Mancha
- Email: hola@casadelaslibelulas.com
2. Data we process
- Contact form: name, email, phone (optional), message, tentative dates (optional), selected language, and a hashed identifier (SHA-256 of your IP) used solely for spam prevention.
- Bookings: name, email, phone, stay dates, number of guests, booking amount. Card payments are processed directly by Stripe — we never store card data.
- Suggestion box: the suggestion text, name (optional), email (optional, only if you want a reply) and a hashed technical identifier (IP hash) for abuse prevention. You can submit completely anonymously.
- Complaints form: name, email and/or phone, booking reference (optional), incident date, the complaint description and any files you choose to attach as evidence, plus a hashed IP identifier.
- Traveler registration: the identity data Spanish lodging regulations (Royal Decree 933/2021) require from tourist accommodations (full name, ID document type and number, nationality, date of birth, sex, address, phone and/or email, and family relationship when minors travel), collected before arrival.
- Admin accounts: only the property owner accesses the admin panel via passwordless magic link. Only the email is stored.
3. Purpose and legal basis
- Reply to inquiries — basis: consent (Art. 6.1.a GDPR).
- Manage bookings and send confirmations — basis: contract performance (Art. 6.1.b).
- Spam prevention via IP hash — basis: legitimate interest (Art. 6.1.f).
- Tax and accounting obligations — basis: legal obligation (Art. 6.1.c).
- Handle and reply to suggestions — basis: consent (Art. 6.1.a GDPR); your email is only processed if you choose to provide it for a reply.
- Process consumer complaints — basis: compliance with consumer-protection obligations (Art. 6.1.c GDPR) and defence against potential claims (Art. 6.1.f GDPR).
- Report traveler registration to the authorities (the Interior Ministry's SES.Hospedajes platform) — basis: legal obligation, Royal Decree 933/2021 (Art. 6.1.c GDPR).
- Send you a single post-stay email inviting a review — basis: legitimate interest (Art. 6.1.f GDPR); you can object at any time via the unsubscribe link in every email.
4. Retention periods
- Unanswered inquiries: 90 days, then automatically deleted.
- Confirmed bookings: the guest's personal data is anonymised 1 year after checkout. The booking's financial record (dates, amounts, payment references), stripped of personal data, is kept for up to 6 years to meet Spanish tax and accounting obligations (Art. 30 Commercial Code).
- Unconfirmed booking requests: kept for a maximum of 30 days from creation, or until the requested stay date has passed, then deleted.
- Cancelled or expired bookings: 30 days from cancellation.
- IP hashes: 90 days.
- Suggestions: 90 days, then automatically deleted.
- Complaints: 4 years from case closure (the general consumer-claims window), including attached files.
- Traveler registration: 3 years from its submission, as required by Royal Decree 933/2021.
5. Data processors (sub-processors)
We share strictly necessary data with the following processors, each under a signed Data Processing Agreement:
- Supabase (Frankfurt, Germany, EU) — database and authentication.
- Stripe Payments Europe Ltd. (Ireland + USA under SCCs) — payment processing.
- Resend (USA under SCCs) — transactional email.
- Google LLC (USA under EU-US Data Privacy Framework) — web analytics, only after consent.
- Hostinger — static site hosting.
- GitHub Inc. (USA under SCCs) — source code and automated deployment.
6. International transfers
Some sub-processors handle data outside the European Economic Area. These transfers rely on Standard Contractual Clauses approved by the European Commission, or on the EU-US Data Privacy Framework (in force since July 2023).
7. Your rights
Under GDPR Articles 15-22, you have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Erasure (right to be forgotten) where applicable.
- Restrict processing.
- Portability of your data in a structured format.
- Object to processing based on legitimate interest.
- Withdraw consent at any time, without retroactive effect.
To exercise these rights, email hola@casadelaslibelulas.com from the address you used to contact us, or attach a copy of an ID document. We will reply within one month.
8. Lodging a complaint
If you believe we have breached your rights, you may lodge a complaint with the Spanish Data Protection Agency (AEPD).
9. Cookies
See our Cookie Policy for details. Analytics cookies only load with explicit consent.
10. Children
We do not process data of children under 14 without prior verifiable consent from their parents or legal guardians.
11. Changes
This policy may be updated to reflect legal or operational changes. The last updated date appears at the top of this page.