Privacy Policy

Segura Hostelería, S.A

The Privacy Policy is part of the General Conditions that govern this Website.

Who is responsible for processing your data?

Segura Hostelería, S.A CIF: A09045980

Address: Av. Indalecio Prieto 1, C.P. 48004, Bilbao.

Emails and phones of our hotels:

• Spirit Hotel Gran Bilbao: holabilbao@spirithoteles.com 944328575
• Spirit Apartamentos Atxuri: holabilbao@spirithoteles.com 944328575
• Spirit Hotel Ciudad de Burgos: holaburgos@spirithoteles.com 947431041
• Spirit Apartamentos Valladolid Centro: holavalladolid@spirithoteles.com 947431041

You can communicate with us in any way.

Data Protection Delegate: Hernando Domínguez Sánchez de las matas protecciondatos@spirithoteles.com

We reserve the right to modify or adapt this Privacy Policy at any time. We recommend you to review it, and if you have registered and access your account or profile, you will be notified of the modifications.

If you belong to any of the following groups, please consult the information below:

WEBSITE OR EMAIL CONTACTS

What data do we collect through the Website?

We may process your IP, operating system or browser you use, and even the duration of your visit, anonymously.

If you provide us with data in a contact form, you will identify yourself so we can contact you, if necessary.

What purposes will we use your personal data for?

• Respond to your queries, requests, or petitions.
• Manage the requested service, respond to your request, or process your petition.
• Send electronic information related to your request.
• Send commercial information or events electronically, with express authorization.
• Conduct analysis and improvements on the Website, our products, and services. Improve our commercial strategy.

What is the legitimacy for the processing of your data?

Acceptance and consent of the interested party: In cases where to make a request it is necessary to fill out a form and click on the submit button, the completion of the form will necessarily imply that you have been informed and have expressly consented to the content of the clause attached to the form or acceptance of the privacy policy.

All our forms have an asterisk * in the mandatory data. If you do not provide these fields, or do not check the acceptance checkbox of the privacy policy, the information will not be allowed to be sent. It usually has the following formula: “□ I am over 14 and have read and accept the Privacy Policy.”

You can revoke your consent at any time.

NEWSLETTER CONTACTS

What data do we collect through the newsletter?

On the Website, you can subscribe to the Newsletter, if you provide us with an email address, to which it will be sent.

We will only store your email in our database and proceed to send you emails periodically, until you request to unsubscribe, or we stop sending emails.

The Newsletter may have Web beacons, which confirm statistically whether you have opened it, at what time, or how many times. It helps us study the best sending times and what interests you, but we will not have personal information about you, only your email.

You will always have the option to unsubscribe from any communication.

What purposes will we use your personal data for?

• Manage the requested service.
• Send electronic information related to your request.
• Send commercial information or events electronically, with express authorization.
• Conduct analysis and improvements in mailing, to improve our commercial strategy.

What is the legitimacy for the processing of your data?

Acceptance and consent of the interested party: In cases where you subscribe, it will be necessary to accept a checkbox and click on the submit button. This will necessarily imply that you have been informed and have expressly consented to receiving the newsletter.

If you do not check the acceptance checkbox of the privacy policy, the information will not be allowed to be sent. It usually has the following formula: “□ I am over 14 and have read and accept the Privacy Policy.”

You can revoke your consent at any time.

CLIENTS – GUESTS

What purposes will we use your personal data for?

• Formalize your reservation.
• Management and collection of your stay in the establishment and management and improvement of quality.
• Send electronic information related to your request.
• Fidelity programs, evaluation of your stay, and sending commercial information based on your profile.
• Sending commercial communications by electronic means with information about services, products, promotions, or relevant news about the different hotels in the group always with the consent to receive communications from the group.
• Manage administrative, communication, and logistics services carried out by the Controller.
• Carry out the corresponding transactions. Billing and declaration of appropriate taxes. Control and recovery. Exercise of judicial actions that correspond to us.
• Management of the animation service, with even specially protected data of children when provided by their parents for medical reasons, to ensure the health and welfare of the child. Allergy control and other issues to consider during the activities.
• Services for attending incidents that occur during your stay in our establishment, in accordance with our quality policies.
• Check the validity of the card or make its bank pre-authorization, guarantee the reservation by making the corresponding charge, make the charge according to the reservation and cancellation conditions, as well as for the payment of the stay expenses, even after the stay.
• Ensure the payment of all expenses derived from the stay, even after check-out.
• Assessment survey.

What is the legitimacy for the processing of your data?

The legal basis is:

• Execution of the contract to provide our services.
• Compliance with the legal obligations of the controller.
• Consent of the interested party.
• Legitimate interest.

SUPPLIERS.

What purposes will we use your personal data for?

• Send electronic information related to your request.
• Send commercial information or events electronically with express authorization.
• Manage administrative, communication, and logistics services by the Controller.
• Carry out the corresponding transactions. Billing and declaration of appropriate taxes. Control and recovery.

What is the legitimacy for the processing of your data?

The legal basis is the acceptance of a contractual relationship, or failing that, your consent when contacting us or offering us your products through any means.

MEMBERS

What purposes will we use your personal data for?

• Organization of the necessary actions for the achievement of the company’s goals
• Internal management and legal compliance of the company.
• Convocation of meetings.
• Perform the corresponding transactions.
• Declaration of appropriate taxes.

What is the legitimacy for the processing of your data?

The legal basis is contractual, the acceptance of a contract for the purchase of shares or similar, or participation in the constitution of the company.

SOCIAL MEDIA CONTACTS

What purposes will we use your personal data for?

• Respond to your queries, requests, or petitions.
• Manage the requested service, respond to your request, or process your petition.
• Establish a relationship with you and create a community of followers.

What is the legitimacy for the processing of your data?

The acceptance of a contractual relationship in the social media environment that corresponds, and according to its Privacy policies:

Facebook http://www.facebook.com/policy.php?ref=pf

Instagram https://help.instagram.com/155833707900388

Twitter http://twitter.com/privacy

Google* http://www.google.com/intl/es/policies/privacy/

Linkedin http://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv

TikTok   https://www.tiktok.com/legal/page/eea/privacy-policy/es

*(Google+ and Youtube)

For how long will we keep your personal data?

We can only consult or delete your data in a restricted way by having a specific profile. We will process them for as long as you allow us to follow you, be friends, or like, follow, or similar buttons.

Any rectification of your data or restriction of information or publications must be made through the configuration of your profile or user in the social network itself.

VIDEO SURVEILLANCE

What purposes will we use your personal data for?

• Video surveillance of our facilities.
• Control of our employees.
• On occasion, they may be transferred to the courts and tribunals for the exercise of legitimate actions.

What is the legitimacy for the processing of your data?

The unequivocal consent of the interested party to access our facilities after viewing the information sign in the monitored area.

JOB APPLICANTS

What purposes will we use your personal data for?

• Organization of selection processes for hiring employees.
• Invite you to job interviews and assess your candidacy.
• If you have given us your consent, we may keep your CV for new job calls.
• If you have given us your consent, we may provide it to collaborating or related companies, solely to help you find a job.

What is the legitimacy for the processing of your data?

The legal basis is your unequivocal consent, by giving us your CV and receiving and signing information related to the treatments we will carry out.

WHISTLEBLOWER CHANNEL

What purposes will we use your personal data for?

Internal detection of possible criminal and administrative misconduct affecting the legal entity and compliance with the code of conduct and the compliance policies of the company.

Handling of complaints. The whistleblower’s data can be treated in an anonymous manner.

What is the legitimacy for the processing of your data?

Mission of public interests or powers and/or compliance with a legal obligation.

Do we include personal data from third parties?

No, as a general rule, we only process the data provided by the owners. If you provide us with data from third parties, you must inform and request the consent of those people prior, or otherwise release us from any responsibility for not complying with this requirement.

And data of minors?

We process data of minors when they come with their parents, as if they were customers. In case reservations are made by minors, parental authorization will be required in order to stay in our hotels.

Will we make electronic communications?

• They will only be made to manage your request if it is one of the contact methods you have provided.
• If we carry out commercial communications, they have been previously and expressly authorized by you.

What security measures do we apply?

You can rest assured: We have adopted an optimal level of protection for the Personal Data we handle and have installed all the technical means and measures at our disposal according to the state of technology to prevent loss, misuse, alteration, unauthorized access, and theft of Personal Data.

To which recipients will your data be communicated?

Your data will not be transferred to third parties, except for legal obligation. Specifically, they will be communicated to the State Tax Administration Agency and to banks and financial institutions for the collection of the service provided or product purchased. As well as to the data processors necessary for the execution of the agreement.

Your data will be transferred only when you give your consent to Zariquiegui Hostelería S.L. for sending commercial communications.

The hotels of Segura Hostelería S.L. belong to the Spirit Hotels & Apartments group, so your data may be transferred to hotels of the same group in order to provide the contracted services.

Your data will be transferred to the authority, according to the LO 5/2014, on Private Security, and Order INT/1922/2003 on registry books and entry forms of travelers in hotel establishments.

In the event of purchase or payment, if you choose an application, website, platform, bank card, or any other online service, your data will be transferred to that platform or processed in its environment, always with the maximum security.

When ordered, the web development and maintenance company or the hosting company will have access to our website. They will have signed a service provision contract that commits them to maintain the same level of privacy as us.

We use applications that may involve an International Transfer of data to the United States. This will only be carried out to entities that have adhered to the USA-EU Data Privacy framework or, failing that, to those that have demonstrated compliance with the regulations and have committed through standard contractual clauses (in English SCCs) to comply with the level of protection and guarantees according to the parameters and requirements provided for in the current European legislation on data protection, such as the European Regulation, or failing that, when there is a legal authorization to carry out the international transfer.

In the ethical or complaint channel, we act as a dominant company in accordance with art.42 of the Commercial Code, in relation to Law 2/2023, of February 20, which regulates the protection of persons who report regulatory infringements. Therefore, we may process reports from any company in the group, as well as provide them with the necessary data. The channel is currently shared with Zariquiegui Hostelería S.L.

What Rights do you have?

• To know if we are processing your data or not.
• To access your personal data.
• To request the rectification of your data if it is inaccurate.
• To request the deletion of your data if it is no longer necessary for the purposes for which it was collected or if you withdraw the consent you gave us.
• To request the limitation of the processing of your data, in some cases, in which case we will only keep them in accordance with current regulations.
• To carry your data, which will be provided in a structured, commonly used, or machine-readable format. If you prefer, we can send them to the new controller you designate. This is only valid in certain cases.
• To file a complaint with the Spanish Data Protection Agency, if you believe that we have not served you correctly.
• To revoke the consent for any treatment for which you have consented, at any time.

If you modify any data, we appreciate if you let us know to keep it updated.

Do you want a form to exercise your Rights?

• We have forms to exercise your rights, ask us for them by email or if you prefer, you can use those developed by the Spanish Data Protection Agency or third parties.
• These forms must be digitally signed or be accompanied by a photocopy of the ID card.
• If you are represented by someone, you must attach a copy of their ID card, or have them sign with their electronic signature.
• The forms can be submitted in person, sent by mail, or by email to the address of the Controller at the beginning of this text.

How long will it take us to respond to the Exercise of Rights?

It depends on the right, but at most within one month from your request, and two months if the issue is very complex and we notify you that we need more time.

For how long will we keep your personal data?

• Personal data will be kept for as long as you remain associated with us.
• Once your association ends, the personal data processed for each purpose will be kept for the legally stipulated periods, including the period during which a judge or court may require them, considering the statute of limitations for legal actions.
• The processed data will be kept provided the aforementioned legal periods have not expired, if there is a legal obligation to retain it, or in the absence of such a legal period, until the data subject requests its deletion or revokes the granted consent.
• We will keep all information and communications related to your purchase or the provision of our service, for the duration of the product or service warranties, to handle potential claims.
• For each processing activity or data type, we provide a specific period, which you can consult in the following table:

File	Document	Retention
Customers	Invoices	10 years
	Forms and vouchers	15 years
	Contracts	5 years
Human Resources	Payslips, TC1, TC2, etc.	10 years
	CVs	Until the end of the selection process, and 1 more year with your consent
	Documents related to redundancy payments. Contracts. Temporary worker data.	4 years
	Employee file.	Up to 5 years after termination.
Marketing	Databases or website visitors.	For the duration of the processing.
Suppliers	Invoices	10 years
	Contracts	5 years
Access Control and Video Surveillance	Visitor list	30 days
	Videos	30 days blocking 3 years destruction
Accounting	Accounting Books and Documents. Shareholder and board of directors agreements, company bylaws, minutes, board of directors and delegated committees regulations. Financial statements, audit reports Records and documents related to grants	6 years
Tax	Company administration, rights and obligations related to tax payments. Administration of dividend payments and tax withholdings.	10 years
	Information on intra-group pricing	18 years 8 years for intra-group transactions for pricing agreements
Health and Safety	Worker Medical Records	5 years
Environment	Information on chemical or substantially hazardous substances	10 years
	Documents related to environmental permits While the activity is carried out.	3 years after the activity ceases 10 years (criminal statute of limitations)
	Records on recycling or waste disposal	3 years
	Grants for clean-up operations must retain documents of rights and obligations, receipts and payments.	4 years
	Accident reports	5 years
Insurance	Insurance policies	6 years (general rule) 2 years (damage) 5 years (personal) 10 years (life)
Purchases	Record of all deliveries of goods or provision of services, intra-community acquisitions, imports and exports for VAT purposes.	5 years
Legal	Intellectual and Industrial Property documents. Contracts and agreements.	5 years
	Permits, licences, certificates	6 years from the expiry date of the permit, licence or certificate. 10 years (criminal statute of limitations)
	Confidentiality and non-compete agreements	For the duration of the obligation or the confidentiality
Data Protection Act	Processing of personal data, if different from the processing notified to the AEPD	3 years
	Employee personal data stored on networks, computers and communication equipment used by them, access controls and internal management/administration systems	5 years
Whistleblowing Channel	Internal reports. Compliance programme (corporate criminal liability)	3 months (general rule) 10 years (criminal statute of limitations)

The companies operating under the brands Spirit Hotels & Apartments and Spirit Hospitality Global Business are:

• Segura Hostelería S.A

Spirit Hotel Gran Bilbao
Spirit Apartamentos Atxuri
Spirit Hotel Ciudad de Burgos
Spirit Apartamentos Valladolid Centro

• • Zariquiegui Hostelería S.L.

Spirit Benalmadena Beach

• • Hotelider actividades turísticas unipessoal LDA

Hotel Spirit Fonte Real