1. Contact Details

The address of SPOTAHOME S.L.U (hereinafter "Spotahome") is Calle de Piamonte, 23, 28004, Madrid, and holds the following tax identification code (CIF): B-87004511.

For any matter related to the processing of your personal data, please contact us via email at privacy@spotahome.com, and our Privacy team (or the Data Protection Officer, where applicable) will reply to your query at the earliest convenience.

2. What Data Do We Collect?

2.1 Data Provided by You

a) User Account Information:

• Name and family name
• Email address
• Password (stored in encrypted form)
• Role and permissions within the system
• Locale preferences (language settings)
• Theme preferences (light/dark mode)
• Avatar/profile picture (if uploaded)

b) Customer Information:

• Customer identification data
• Customer nickname and type
• Associated property and account information
• Bank account details (for payment processing)

c) Financial and Business Data:

• Transaction records
• Billing and invoice information
• Payment orders and bank transfers
• Penalties and debt records
• Booking and property management data
• Employee expense records and related documents

d) Documents and Files:

• Uploaded documents (invoices, receipts, contracts, etc.)
• Tenant refund documents
• Finance-related documents
• DAC7 reporting documents

e) Communication Data:

• Chat messages between employees and customers
• Comments and notes within the system
• Support requests and communications

f) Security and Authentication Data:

• Two-factor authentication settings and recovery codes
• API tokens (for programmatic access)
• Trusted device information
• Session data and login history

2.2 Automatically Collected Data

a) Session and Usage Data:

• IP address (IPv4 and IPv6)
• User agent (browser and device information)
• Authentication method used
• Login attempts and session activity
• Device fingerprinting data
• Geographic location (derived from IP address)

b) System Logs:

• Application logs and error reports
• Audit logs for administrative actions
• System performance and usage metrics

3. What Do We Use Your Personal Data For?

3.1 To Provide Our Services:

• To manage and maintain your user account
• To provide access to financial and business management tools
• To process payments, invoices, and financial transactions
• To manage customer accounts and properties
• To facilitate communication between employees and customers
• To generate reports and statements
• To handle refunds, transfers, and financial requests
• To comply with legal and regulatory requirements (e.g., DAC7 reporting)

3.2 To Ensure Security:

• To authenticate users and prevent unauthorized access
• To detect and prevent fraud or security threats
• To monitor and log system access and activities
• To enforce security policies and two-factor authentication

3.3 To Improve Our Services:

• To analyze usage patterns and improve user experience
• To fix bugs and technical issues
• To develop new features and functionality

3.4 To Comply with Legal Obligations:

• To comply with tax and financial regulations
• To respond to legal requests and court orders
• To maintain records as required by law

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contractual necessity: To perform our contractual obligations with you and provide the services you have requested
• Legal obligation: To comply with applicable laws and regulations
• Legitimate interests: To ensure the security and integrity of our services, prevent fraud, and improve our services
• Consent: Where you have provided explicit consent for specific processing activities

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Important Notice: Please notice that some of your data may be retained, in whole or in part, when required or permitted by applicable legislation, for legal, contractual, or public interest reasons.

Specific retention periods:

• Account data: Retained while your account is active and for a reasonable period after account closure to comply with legal obligations
• Financial records: Retained for the period required by tax and financial regulations (typically 6-10 years)
• Session and security logs: Retained for security and fraud prevention purposes (typically 1-2 years)
• GDPR deletion requests: Retained for record-keeping purposes as required by law

6. With Whom Do We Share Your Data?

6.1 Within Spotahome Group:

We may share your data with other entities within the Spotahome group of companies for service purposes, as outlined in Spotahome's Privacy Policy.

6.2 Service Providers:

We work with third-party service providers who assist us in operating our services. These providers have limited access to your personal data and are bound by contract to protect your data. They may help us with:

• Payment processing and financial services
• Cloud hosting and data storage
• Email and communication services
• Security and fraud prevention
• Analytics and performance monitoring

6.3 Legal Requirements:

We may disclose your personal data to government authorities, regulatory bodies, or law enforcement agencies when required by law, to protect our rights, or to prevent fraud or criminal activity.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of sensitive data in transit and at rest
• Secure authentication mechanisms, including two-factor authentication
• Regular security assessments and updates
• Access controls and audit logging
• Employee training on data protection

8. Your Rights

In accordance with applicable data protection legislation (GDPR), you have the following rights:

• Right of access: You can request access to the personal data we hold about you
• Right to rectification: You can request correction of inaccurate or incomplete data
• Right to erasure: You can request deletion of your personal data, subject to legal and contractual obligations
• Right to restriction: You can request restriction of processing in certain circumstances
• Right to data portability: You can request a copy of your data in a structured, machine-readable format
• Right to object: You can object to certain types of processing
• Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, please contact us at privacy@spotahome.com. You can also submit a GDPR deletion request through our GDPR deletion request form.

We will respond to your request within one month, as required by GDPR. If you are not satisfied with our response, you have the right to file a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos).

9. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:

• Adequacy decisions by the European Commission
• Standard contractual clauses approved by the European Commission
• Other appropriate safeguards as required by GDPR

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

11. Additional Information

For more comprehensive information about how Spotahome handles personal data, please refer to Spotahome's Privacy Policy.