Casa de las
Libélulas

Privacy Policy

Last updated: 06/05/2026

Casa de las Libélulas values your privacy and is committed to protecting your personal data under EU Regulation 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD).

1. Data controller

  • Owner: Casa de las Libélulas S.L.
  • Tax ID: B19968643
  • Address: CN 204 - KM20 19133 Durón, Guadalajara
  • Email: reservas@casadelaslibelulas.com

2. Data we process

  • Contact form: name, email, phone (optional), message, tentative dates (optional), selected language, and a hashed identifier (SHA-256 of your IP) used solely for spam prevention.
  • Bookings: name, email, phone, stay dates, number of guests, booking amount. Card payments are processed directly by Stripe — we never store card data.
  • Admin accounts: only the property owner accesses the admin panel via passwordless magic link. Only the email is stored.

3. Purpose and legal basis

  • Reply to inquiries — basis: consent (Art. 6.1.a GDPR).
  • Manage bookings and send confirmations — basis: contract performance (Art. 6.1.b).
  • Spam prevention via IP hash — basis: legitimate interest (Art. 6.1.f).
  • Tax and accounting obligations — basis: legal obligation (Art. 6.1.c).

4. Retention periods

  • Unanswered inquiries: 90 days, then automatically deleted.
  • Confirmed bookings: 1 year after checkout for dispute handling and tax obligations (which under Spanish law may require up to 4-6 years).
  • Cancelled or expired bookings: 30 days from cancellation.
  • IP hashes: 90 days.

5. Data processors (sub-processors)

We share strictly necessary data with the following processors, each under a signed Data Processing Agreement:

  • Supabase (Frankfurt, Germany, EU) — database and authentication.
  • Stripe Payments Europe Ltd. (Ireland + USA under SCCs) — payment processing.
  • Resend (USA under SCCs) — transactional email.
  • Google LLC (USA under EU-US Data Privacy Framework) — web analytics, only after consent.
  • Hostinger — static site hosting.
  • GitHub Inc. (USA under SCCs) — source code and automated deployment.

6. International transfers

Some sub-processors handle data outside the European Economic Area. These transfers rely on Standard Contractual Clauses approved by the European Commission, or on the EU-US Data Privacy Framework (in force since July 2023).

7. Your rights

Under GDPR Articles 15-22, you have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Erasure (right to be forgotten) where applicable.
  • Restrict processing.
  • Portability of your data in a structured format.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time, without retroactive effect.

To exercise these rights, email reservas@casadelaslibelulas.com from the address you used to contact us, or attach a copy of an ID document. We will reply within one month.

8. Lodging a complaint

If you believe we have breached your rights, you may lodge a complaint with the Spanish Data Protection Agency (AEPD).

9. Cookies

See our Cookie Policy for details. Analytics cookies only load with explicit consent.

10. Children

We do not process data of children under 14 without prior verifiable consent from their parents or legal guardians.

11. Changes

This policy may be updated to reflect legal or operational changes. The last updated date appears at the top of this page.

← Back to home