Data protection and privacy policy

1.- Introduction and right to information

This Privacy Policy is provided to inform you, in detail, of the manner in which we handle your personal data and the measures we take to protect your privacy, as well as the information you submit to us.

In the event that substantial amendments are made to this Privacy Policy in the future, we will notify you accordingly, allowing you to be fully aware of the revised privacy terms that will be implemented.

Below, we outline the conditions under which CIVITATIS processes your personal data in a question-and-answer format:

2.- Who is in charge of processing your data?

- Company Name: Civitatis Tours, S.L. ("CIVITATIS")

- NIF: B-86899440

- Address: C/ Coloreros, 28013 Madrid (España)

- Email: dpo@civitatis.com

3.- Who is the CIVITATIS Data Protection Officer (DPO) and how can they help you?

The DPO is a figure, legally foreseen, whose main functions are to inform and advise CIVITATIS on the obligations that affect it in terms of personal data protection and to supervise its compliance.

In addition, the DPO acts as a point of contact for any matter relating to the processing of personal data, so if you have any questions, comments, or suggestions about how we use your personal data, you can contact them by writing to dpo@civitatis.com.

4.- For what purpose do we process your personal data?

We collect and process the personal data you voluntarily provide us with for the following purposes:

Customer Relationship Management, Billing, and Collection of Services: Personal data is processed for the purpose of managing the relationship with our customers, as well as for the billing and collection of services. For further details regarding the processing of this data, please refer to the relevant section on Personal Data Protection within the General Conditions of Use.

Supplier Relationship Management: Personal data is also processed to manage relationships with our suppliers. Further details regarding the processing of this data can be found in the General Terms and Conditions for Contracting with Suppliers, which are provided to and must be accepted by suppliers. These terms contain specific information on the processing of suppliers' personal data. The data processing terms apply to suppliers who deliver the activities and services contracted by clients, as well as to suppliers of structural services contracted by CIVITATIS.

Agency Relationship Management: Personal data is processed for the purpose of managing relationships with our partner agencies. For further details regarding this data processing, the General Conditions with Agencies are made available to the agencies. These conditions must be accepted by the agencies and include a specific section addressing the processing of their personal data.

Affiliate Relationship Management: Personal data is processed for the purpose of managing relationships with affiliates. For more detailed information on this data processing, the General Conditions of the Affiliate Program are provided to affiliates. These terms must be accepted by affiliates and include a dedicated section on the processing of their personal data.

Accommodation Relationship Management: Personal data is processed for managing relationships with accommodations. For more information regarding this data processing, the General Conditions with Accommodations are made available to the accommodations. These conditions must be accepted by the accommodations and contain a specific section addressing the processing of their personal data.

Handling Requests for Information, Suggestions, and Complaints: We process personal data to manage requests for information, suggestions, and complaints submitted by users through any of the contact methods provided for such purposes. This includes contacting the sender of the information, responding to their request or inquiry, and following up as necessary. Providing personal data for this purpose is voluntary. However, if such data is not provided, we will be unable to respond to the request, inquiry, or complaint. Therefore, the communication of personal data for these purposes is a necessary prerequisite for us to address such requests.

Sending Commercial Communications: Personal data is processed for the purpose of sending commercial communications related to our services, as detailed in each of the referenced general conditions and in this privacy policy. In connection with these communications, we may develop commercial profiles based on the information provided in order to offer products and services that best align with your interests.

Curriculum Vitae (CV) Submission: If you submit a Curriculum Vitae (CV) to us, we will process the data in order to gather information about individuals interested in internships and/or employment at CIVITATIS, for the purpose of conducting personnel selection processes. For more information regarding this data processing, please consult the Data Protection Policy for Candidates.

Blog Comments: If users leave comments on the CIVITATIS blog (https://www.civitatis.com/blog/en/), their personal data will be processed for the purpose of publishing the comment along with the name of the individual who posted it. Submission of personal data for this purpose is not mandatory, but failure to provide such data may result in the comment not being published as specified. If the user prefers not to be identified with their comment, they may use a pseudonym or post anonymously.

Use of the "CIVITATIS Gift Card" Service: If users opt to use the "CIVITATIS Gift Card" services (https://www.civitatis.com/en/gift/), their personal data will be processed for the purpose of issuing the requested gift card and, if necessary, sending it to the intended recipient. Providing personal data for this purpose is mandatory, as failure to do so will prevent the purchase and delivery of the gift card.

Management of Contest Participation/Registration: Personal data will be processed to manage participation or registration in contests organized by CIVITATIS, in accordance with the data protection policy outlined in the contest’s legal terms and conditions. Users are required to review the relevant Data Protection Policy when registering or participating in a contest to be informed about the processing of their personal data.

Social Media Friend/Followers Management: If you are a friend or follower of CIVITATIS on any of its social networks, your personal data will be processed to keep you informed about our activities and promotions via those platforms. Providing personal data for this purpose is voluntary; however, failure to provide such data will prevent you from being a friend or follower of CIVITATIS on the relevant social network. The categories of personal data processed for this purpose include identification data.

5.- How long will we process your data for?

We only keep your data for the period of time necessary to comply with the purpose for which they were collected, to comply with the legal obligations imposed on us and to meet the possible liabilities that may arise from the fulfilment of the purpose for which the data were collected.

The data for the management of clients, suppliers, agencies, accommodation and affiliates will be kept for the period of time established in the General Conditions applicable to each of them.

The data processed to deal with applications, requests, queries or complaints will be kept for the time necessary to respond to them and to consider them definitively closed. Subsequently, they will be kept as a communications history for the period of time necessary to meet hypothetical legal obligations.

The data for the sending of commercial communications about our products or services will be kept indefinitely, until, where appropriate, the user expresses their wish to delete them or their desire to stop receiving such communications.

The data provided by candidates will be kept for the period of time indicated in the aforementioned data protection policy for candidates.

The personal data associated with comments made by users will be retained indefinitely, as long as the comment remains published or until the user requests the deletion of their data or the revocation of consent. In the event that the user does not wish to be identified along with his or her comment, he or she may include a pseudonym or publish it anonymously.

The data processed to process the purchase of a CIVITATIS gift card, as well as its delivery, if applicable, will be kept for this purpose for as long as the contract/service is valid. Once this relationship has ended, if applicable, the data may be kept for the time required by the applicable legislation and until any liabilities arising from the contract expire.

The data processed for the management of participations/registrations in competitions will be kept in accordance with what is indicated in the data protection policy included in its legal basis, which must be read and accepted by the participants.

The data provided through social media will be kept for as long as you remain a friend and/or follower of CIVITATIS on the corresponding platform or social network.

6.- What is the legitimate purpose for processing personal data?

The legal basis for processing the data of customers, suppliers, agencies, affiliates and accommodation is reflected in the General Conditions applicable to each of them.

The processing of personal data to respond to users who contact CIVITATIS by any means regarding their requests for information, requests, queries and complaints is based on the consent of the person concerned, unless said complaint, query, request or request for information is made by a client by virtue of the services contracted, in which case the legitimate basis will be that reflected in the general conditions applicable to them.

The prospective offer of CIVITATIS products and services to users is based on consent, except in the case of affiliates, accommodation, providers and agencies, which is based on legitimate interest, as indicated in the general conditions applicable to each of them.

The legitimate basis for the processing of candidates' personal data is reflected in the aforementioned data protection policy for candidates.

Personal data provided with user comments will be processed on the basis of the user's consent.

The data processed in order to process the purchase of a CIVITATIS gift card, as well as its delivery, will be processed on the basis of the execution of the contract resulting from the purchase of such card.

The data processed for the management of participations/registrations in the competitions will be processed in accordance with the terms and conditions of participation of each of them, which will be tacitly accepted by the users as a consequence of their participation in the competition.

Data provided via social networks will be processed on the legal basis of their consent.

Consent may be withdrawn at any time by informing us by any of the means indicated in this Policy. Withdrawal of consent will not affect the performance of the contract, if applicable. However, data processing previously carried out for this purpose will not lose its lawfulness because consent has been withdrawn.

The categories of data processed are those requested in each case in the forms or contracts through which you provide us with your data.
 

7.- To which recipients will your data be communicated?

The data for the processing of customers, suppliers, agencies, affiliates and accommodations, will be transferred in accordance with what is indicated in the General Conditions applicable to each of them.

The personal data provided by comments will be published on the web, which implies a communication of personal data and can be viewed by any user who accesses it. If the user does not wish to be identified along with their comment, they may use a pseudonym or do so anonymously.

The data of the people who have acquired a CIVITATIS gift card will be communicated to the recipient of the same, if applicable, so that they may know who has given them the gift.

The data of participants in competitions may be transferred and/or published in accordance with what is indicated in the rules of participation of each competition.

The rest of the data will not be disclosed to third parties, except for transfers that must be made due to the requirements of current legislation.

Although this is not a transfer of data, it may be that third party companies, acting as providers to CIVITATIS, access your information to carry out the service. These providers access your data following our instructions and without being able to use them for a different purpose and maintaining the strictest confidentiality on the basis of a contract in which they undertake to comply with the requirements of the current regulations on personal data protection.

8.- Are there any international data transfers?

International data transfers may occur under the terms indicated in the general contracting conditions applicable to customers, providers, agencies, accommodations and affiliates, as well as in the legal bases of participation in competitions. Notwithstanding the foregoing, we inform you of the following usual international data transfers:

CIVITATIS contracts its virtual infrastructure for the storage of its database according to a “cloud computing” model through Google Drive, the information being stored in the USA, under the Data Privacy Framework agreement.

CIVITATIS uses the Sendgrid platform to send transactional communications related to the services provided, as well as for communications to Accommodations, Affiliates, Agencies and Providers. The use of this platform, owned by Twilio, involves international data transfers to the USA. However, this entity offers adequate data protection guarantees as it has signed the Standard Contractual Clauses approved by the European Commission (SCC). You can find more information here, as well as a copy of the content of the SCC in Annex 3 of its Data Protection Addendum.

9.- Is the location of users who download the CIVITATIS mobile application known?

When you download the CIVITATIS mobile app, you’ll be asked for permission to access your location in order to show you activities near you. This processing is based on your consent, which you can revoke at any time by disabling location access in the CIVITATIS app. Location processing is not necessary for using the app, but without it, we won’t be able to show you nearby activities.

10.- What are your rights when you provide us with your data?

You have the right to confirm whether we are processing your personal data and to access your personal data, request correction of inaccurate data, or request its deletion when the data is no longer necessary for the purposes collected.

Under conditions provided in the General Data Protection Regulation, you may request the restriction of processing or portability of your data, in which case we will only retain it for the assertion or defense of claims.

In certain circumstances and for reasons related to your particular situation, you may object to the processing of your data. If you have consented to processing for specific purposes, you are entitled to withdraw consent at any time, without affecting the legality of processing based on consent before its withdrawal. In these cases, we will stop processing the data or, if applicable, stop doing so for that specific purpose, except for compelling legitimate reasons, or the assertion or defense of possible claims.

Additionally, data protection regulations allow you to object to being the subject of decisions based solely on the automated processing of your data, where applicable.

These rights are characterized as follows:

- They are exercised free of charge, unless the requests are manifestly unfounded or excessive (e.g., repetitive), in which case a fee proportional to the administrative costs incurred may be charged, or the request may be refused.

- You can exercise these rights directly or through a legal or voluntary representative.

- We must respond to your request within one month, but this period may be extended by two more months if necessary, considering the complexity and number of requests.

- We are obligated to inform you about the means to exercise these rights, which must be accessible, and we cannot deny you the exercise of a right for the sole reason that you chose another method. If the request is made by electronic means, the information will be provided by these means when possible, unless you request otherwise.

- If, for any reason, your request is not acted upon, we will inform you, within one month at the latest, of the reasons for this and of the possibility of filing a complaint with a Supervisory Authority.

To facilitate the exercising of these rights, we have provided links below to the request form for each right:

- Right of access form

- Right to rectification form

- Right to object form

- Right to erasure ("right to be forgotten") form

- Right to restriction of processing form

- Right to data portability form

- Right not to be subject to a decision based solely on automated processing form

All the aforementioned rights can be exercised through the means of contact listed at the beginning.

In the event of any violation of your rights, especially when you have not obtained satisfaction in the exercising of your rights, you can file a complaint with the Spanish Data Protection Agency (contact details available at www.aepd.es), or other competent supervisory authority. You can also obtain more information about your rights by contacting these bodies.

11.- How do we protect your personal data?

We are firmly committed to protecting the personal data we process. We use reasonably reliable and effective physical, organizational, and technological measures, controls, and procedures aimed at preserving the integrity and security of your data and ensuring your privacy.

Additionally, all personnel with access to personal data have been trained and are aware of their obligations concerning the processing of personal data.

In the contracts we enter into with our service providers, we include clauses that require them to maintain confidentiality regarding the personal data to which they have access due to the engagement, as well as to implement the necessary technical and organizational security measures to ensure the permanent confidentiality, integrity, availability, and resilience of personal data processing systems and services.

All these security measures are periodically reviewed to ensure their adequacy and effectiveness.

However, absolute security cannot be guaranteed, and no security system is impenetrable. Therefore, in the event that any information under our control is compromised as a result of a security breach, we will take appropriate measures to investigate the incident, notify the Supervisory Authority, and, if applicable, inform those users who may have been affected so they can take appropriate action.

12.- What is your responsibility as the data subject?

By providing us with your personal data, you guarantee that you are over 14 years of age and that the data provided is true, accurate, complete and up-to-date.

For these purposes, you are responsible for the accuracy of the data and you must keep it properly updated to reflect your current situation, making you responsible for false and inaccurate data that you provide, as well as damages, direct or indirect, that may arise.

If you provide data regarding third parties, you assume the responsibility of informing them in advance of all provisions set forth in Article 14 of the General Data Protection Regulation under the conditions established in that provision.

13.- How did we obtain your data?

In the cases in which the user registration is made through social media, the personal data that we will process will come from the social network in question, to which, previously, the interested party will have provided such data for the purposes set out in their privacy policies. The categories of data that we will collect from the social network in question are those that appear on our registration form and that you have provided to that social network. If, in order to proceed with the registration on our website, more data than those provided by the social network are essential, you must additionally complete them in our registration form, subject to the privacy conditions set forth in this Policy.

With respect to the purchase of a CIVITATIS gift card, the data of the recipient of the same, if applicable, are provided by the purchaser when filling out the corresponding form, providing the contact data indicated therein: name and e-mail address. The buyer is responsible for having the authorization of the recipient prior to providing their data to CIVITATIS.

Finally, sometimes, the data of the final customers may be provided by the agency that proceeds to the contracting of the experience offered by CIVITATIS on their behalf, so that the contracted services can be offered, as indicated in the General Conditions of Use.