Bike and Hike

Granada

0
Your Cart is Empty

Personal Data Protection Policy (GDPR)

Privacy Policy Statement – Bike and Hike Granada

At Bike and Hike Granada (hereinafter referred to as ‘the Company’), we recognize that privacy is a fundamental human right. We are committed to respecting our customers’ privacy and handling their personal data responsibly, with the utmost care, and in full compliance with applicable laws and regulations

Access to personal data is strictly limited to authorized personnel within the Company and contracted processors. Such access is granted solely to the extent necessary and for purposes directly related to the effective execution, assurance, and fulfillment of rights and obligations arising from contractual relationships.

At our Company, we take robust measures to ensure that personal data remains secure and protected throughout the entire processing period. These measures are designed to prevent unauthorized access, safeguard confidentiality and integrity, and avoid loss or unintentional destruction of data. While we take every precaution to protect personal data, we cannot be held liable for breaches resulting from external hacking incidents beyond our control.

We, along with our data processors, strictly adhere to the following general principles of personal data processing as outlined by GDPR:

  1. Lawfulness, Fairness, and Transparency:
    Personal data is processed legally, fairly, and transparently.
  • Purpose Limitation:
    Data is collected only for specific, explicit, and lawful purposes. It is not processed for any other purposes, except for scientific or historical research and statistical purposes, where permitted under specific conditions.
  • Data Minimization:
    We process personal data only to the extent necessary to achieve the intended purposes.
  • Accuracy:
    Personal data is kept accurate and up-to-date. Any inaccurate or outdated information is promptly corrected or deleted.
  • Storage Limitation:
    Data is retained only as long as necessary for the purposes for which it was collected and processed.
  • Integrity and Confidentiality:
    Appropriate technical and organizational measures are in place to ensure the security of personal data. This includes preventing unauthorized or unlawful processing, accidental loss, destruction, or damage.

Our commitment to these principles reflects our dedication to maintaining the trust of our customers and complying fully with GDPR requirements.

1.Privacy Contact

If you have any questions regarding the processing or use of your personal data, or if you wish to request information, corrections, blocking, deletion, or the cancellation of your consent for notifications, please contact us via our official email address, which can be found on our website or mentioned here (info@bikeandhikegranada.com

2. Personal Data We Collect

We collect the following types of personal data:

  • Basic personal data (e.g., name, surname)
  • Communication data (e.g., address, email, phone number)
  • Communication history between you and the Company
  • Payment data
  • Any other data collected based on your consent

3. Legal Bases for Processing Your Personal Data

We process personal data in compliance with applicable data protection laws, and based on the following legal grounds:

  • Contractual necessity: When processing is required to enter into or fulfill a contract (e.g., registration for an event or activity)
  • Legal obligation: When required by law
  • Consent: When you provide explicit consent (which you can withdraw at any time)
  • Legitimate interests: When processing is necessary for the legitimate interests pursued by the Company or a third party

These legal bases ensure that we handle your personal data in a lawful, transparent, and secure manner.

3.1 Processing Based on a Concluded Contract

The Company processes personal data of individuals to fulfill its obligations under a contractual agreement, such as for organizing events, activities, or providing other agreed-upon services. In the context of exercising rights and fulfilling contractual obligations, the Company processes personal data for the following purposes:

  • Identification of the individual
  • Preparation of offers and conclusion of the contract
  • Providing services: The Company may share personal data with contracted partners necessary for delivering specific services (e.g., accommodation providers)
  • Sending notifications to individuals about the implementation of the contractual relationship
  • Informing about changes in relevant legislation or terms of sale
  • Invoicing for services
  • Handling objections or complaints
  • Recovery procedures: Including the sale of receivables
  • Other purposes necessary for the conclusion or execution of the contractual relationship

To the extent necessary for authentication and transaction identification, the Company may process personal data to prepare reports and plan future activities.

For organizing events, related services, or other individual requests, the Company processes all required information, such as but not limited to: name, surname, date of birth, address, location, phone number, and email.

Explicit consent is not required for the processing of personal data related to contractual obligations.

At events or activities where photography and publication of images (e.g., on Facebook, Twitter, YouTube, LinkedIn or Instagram) are part of the experience, individuals are informed that photography and image publication are inherent to the event. Despite this, the Company will still seek explicit consent from participants for the use of their images. If explicit consent is not granted, and it is not possible to avoid capturing the individual in photographs, the Company reserves the right to decline participation in such events or activities.

If an individual does not provide all the personal data necessary for fulfilling the contractual relationship, the Company will be unable to process their order. The Company ensures that it only collects and processes the minimum amount of personal data required to meet contractual obligations.

3.2 Processing Based on Legal Obligations

The Company processes personal data of individuals to comply with applicable legal obligations imposed by relevant legislation. In the Kingdom of Spain, certain legal obligations for processing personal data are governed by the following laws and regulations:

  • Value Added Tax Act 
  • Tax Procedure Act
  • Companies Act
  • Accounting Act
  • Rules on the Implementation of the Value Added Tax Act
  • Spanish Accounting Standards

If the Company processes personal data of an individual who has made an online purchase or service order, it is required to retain the invoice for a period of 10 years, along with the individual’s/buyer’s account details, in accordance with legal requirements.

3.3 Processing Based on Legitimate Interest

The Company may process personal data based on a legitimate interest that it or a third party pursues, unless such interests are outweighed by the rights and freedoms of the individual to whom the data pertains, particularly when the data relates to a child. When further processing of collected data occurs, the Company conducts an assessment in accordance with the General Data Protection Regulation (GDPR). In cases where data is used in pseudonymized or aggregated forms, for example, for marketing or other business and technical analyses, this is considered lawful processing.

Under GDPR, direct marketing is considered a legitimate interest. For direct marketing purposes, the Company may create individual profiles without explicit consent, using basic information about selected services—such as the type or characteristics of the service, the time of selection, or previous marketing interactions. This profiling will always avoid using sensitive data. Individuals have the right to object to such processing under the right to restriction (Section 7.4).

Based on legitimate interest, the Company may contact individuals to improve services or assess their satisfaction with services, even if this is not strictly necessary for contract execution. However, the Company will not contact individuals who have expressed their objection to such outreach.

The Company also has a legitimate interest in retaining and further using personal data for analysis and research related to marketing, business planning, and similar activities, within the legally prescribed retention period.

3.4 Processing Based on Consent to Process Personal Data

Explicit consent serves as the legal basis for processing personal data when the Company does not have another legal or contractual basis for doing so. Consent may be requested for the following purposes:

  • To inform individuals about other Company offers and services, which will be communicated exclusively through the channel chosen by the individual.
  • To photograph or record an event or activity for the purpose of showcasing Company activities, and to publish photos, videos, and audio recordings on the Company website and social media profiles (e.g., Facebook, Twitter, YouTube, LinkedIn, Instagram).
  • In the case of children, consent must be provided by a parent or legal guardian.

In these instances, personal data will be processed only to the extent necessary and for the purposes outlined in the individual’s consent, through the agreed-upon communication channels, and will continue until the consent is revoked.

Refusing consent for the collection or processing of personal data for specific purposes will not impact the processing of data based on other legal grounds.

Personal data collected with consent will only be used for the purposes specified in the consent and will not be shared with third parties unless explicitly stated in the consent. The individual must agree for their data to be shared with any third-party processors specified in the consent.

Individuals have the right to withdraw their consent at any time by contacting our data protection office (see point 8). Consent can be withdrawn by sending an email to the address provided in point 1.

4. Retention of Personal Data

Personal data will be retained in accordance with applicable data protection regulations. It will only be stored for as long as necessary to fulfill the purposes for which it was collected or as required by law.

Personal data processed based on an individual’s consent will be retained indefinitely, until the consent is revoked. Data processed based on legal obligations or contractual relationships will be kept for the duration specified by relevant laws.

If personal data is processed for marketing purposes, it will be retained only for as long as necessary to carry out such marketing activities or provide the associated services.

Once the retention period expires, personal data will be securely deleted or anonymized, ensuring that it can no longer be associated with any individual.

5. How We Protect Personal Data

We implement both technical and organizational security measures to safeguard personal data from unauthorized access, misuse, and accidental loss or damage. These measures are designed with consideration of our IT infrastructure, the potential impact on individual privacy, associated costs, and current industry standards and practices. Our third-party processors are also required to adhere to these security protocols when processing your personal data.

Data security involves ensuring the confidentialityintegrity, and availability of personal data:

  • Confidentiality and Integrity: Personal data is protected from unauthorized or unlawful processing, as well as from accidental loss, destruction, or harm.
  • Availability: We ensure that authorized personnel and processors can access personal data only when necessary for legitimate purposes.

Our security measures include access control, backup copies, monitoring, audits, maintenance, and incident management to address potential security threats.

6. Who Processes Personal Data

Depending on the purposes for which we process personal data, we may share it with the following categories of processors:

a) Within the Company

  • Employees who require access to personal data to perform their job functions.

b) Our Business Partners

We require our business partners to comply with applicable data protection laws and to prioritize the confidentiality of personal data. These partners include:

  • Advertising, Marketing, and Promotional Agencies: Providers such as MailChimp, Google (Google uses cookie identifiers for remarketing, email addresses for Google Ads, and analytics data), and Facebook (using cookie identifiers for remarketing and email addresses for Custom Audiences). These agencies assist us in implementing and analyzing the effectiveness of our campaigns and promotions.
  • Service Providers: Companies offering services to the Company, such as accounting service providers.
  • Contractual Partners: Natural and legal entities that provide consulting or services to fulfill contractual relationships between the Company and individuals (e.g., partner agencies, hotels, airlines, carriers, etc.).

c) Other Third Parties

Personal data may also be disclosed to third parties when required by law or to protect:

  • The Company: To comply with legal obligations, authority requirements, court orders, legal proceedings, reporting obligations, or to enforce compliance with Company policies and agreements.
  • Rights, Property, or Security: To protect the rights, property, or security of the Company and/or its clients, especially during corporate transactions such as mergers, acquisitions, or reorganizations.

Our business partners listed above under item b) are only authorized to process personal data within the scope of our instructions and may not use personal data for their own purposes. It is important to note that processors in items b) and c), especially those offering services through applications or their own channels, may collect personal data separately. In such cases, they are solely responsible for handling and controlling the data, and individuals must engage with them according to their own terms and conditions.

7. Your Rights and Options Regarding Your Personal Data

As an individual whose personal data is being processed, you have certain rights and options regarding how your data is handled. Depending on the purposes for which we process your data, you may have the following rights:

a) Within the Company

  • Employees who need access to personal data to perform their job functions.

b) Our Business Partners

We require our business partners to comply with applicable data protection laws and ensure the confidentiality of personal data. These partners include:

  • Advertising, Marketing, and Promotional Agencies: For example, MailChimp, Google (for remarketing using cookie identifiers, email addresses for Google Ads, and Google Analytics data), and Facebook (for remarketing with cookie identifiers and email addresses in Facebook Custom Audiences). These partners help us implement and analyze the effectiveness of our campaigns and promotions.
  • Service Providers: Companies that provide services to the Company, such as accounting service providers.
  • Contractual Partners: Natural and legal entities that offer consulting or services to fulfill contractual relationships between the Company and individuals (e.g., partner agencies, hotels, airlines, carriers, etc.).

c) Other Third Parties

Personal data may also be disclosed to third parties when required by law or to protect:

  • The Company: To comply with legal requirements, authority demands, court orders, or legal procedures, and to enforce or verify compliance with Company policies and agreements.
  • Rights, Property, or Security: To protect the rights, property, or security of the Company and/or its clients, especially in the case of corporate transactions such as mergers, acquisitions, or reorganizations.

Our business partners listed above in item b) are only permitted to process your personal data as instructed by us and may not use the data for their own purposes. Please note that the processors in items b) and c), especially service providers offering services via applications or their own platforms, may collect your personal data independently. In such cases, they are solely responsible for managing the data, and your interaction with them will be governed by their terms and conditions.

7.1 Right to Access Data

Every individual has the right to request access to the personal data we process. To do so, you can contact us at the email address provided in point 1. Upon request, we will provide the following information about your personal data:

  • The purpose(s) of the processing.
  • The categories of personal data being processed.
  • The recipients or categories of recipients to whom personal data has been or will be disclosed.
  • The estimated retention period of your personal data, or if that is not possible, the criteria used to determine the retention period.
  • The existence of your rights to request the correction, deletion, or restriction of processing of your personal data, or the right to object to such processing.
  • The right to file a complaint with a supervisory authority.
  • If your personal data was not collected directly from you, we will provide all available information regarding the source of the data.

7.2 Right of Rectification

If an individual identifies any inaccuracies or incomplete information in their personal data, they have the right to request the Company to correct or update the data without undue delay.

7.3 Right to Deletion

An individual may request the deletion of their personal data without undue delay. The Company is obligated to delete personal data promptly in the following circumstances:

  • When the personal data is no longer needed for the purposes for which it was collected or processed.
  • If the individual withdraws consent that was the basis for the processing of personal data, and there is no other legal basis for continued processing.
  • If the individual objects to the processing based on the legitimate interests of the Company, and there are no overriding legal reasons to continue the processing.
  • If the individual objects to the processing for direct marketing purposes.
  • When personal data must be deleted to comply with a legal obligation under EU law or Spanish law.
  • In the case of data that was incorrectly collected from a minor for the use of information society services, where such data collection is not permitted under applicable law.

(Note: Deletion may not be applicable in certain cases, such as when data is needed to prove a transaction or when required by law.)

7.4 Right to Restriction of Processing

  • An individual may request a restriction on the processing of their personal data in the following cases:
  • If the individual challenges the accuracy of the data, for a period that allows the Company to verify its accuracy.
  • If the processing is unlawful, and the individual objects to the deletion of the personal data and instead requests its processing to be restricted.
  • If the Company no longer needs the personal data for processing purposes, but the individual needs it to exercise, establish, or defend legal claims.
  • If the individual has objected to the processing, until it is determined whether the Company’s legitimate reasons outweigh the individual’s reasons for the objection.

7.5 Right to Data Portability

An individual has the right to receive their personal data, which they have provided to the Company, in a structured, commonly used, and machine-readable format. They also have the right to transfer this data to another data controller without obstruction from the Company, provided that the processing is based on consent or a contract, and is carried out by automated means.

7.6 Right to Object

An individual has the right to object at any time to the processing of their personal data based on the legitimate interests pursued by the Company or a third party, due to reasons related to their particular situation. In such cases, the Company must cease processing the personal data, unless it can demonstrate compelling legitimate grounds for processing that override the individual’s interests, rights, and freedoms, or if the processing is necessary for the establishment or defense of legal claims.

When personal data is processed for direct marketing purposes, an individual has the right to object at any time to the processing of their personal data for such marketing purposes, including profiling related to direct marketing. If the processing of personal data for direct marketing is based on consent, the individual can exercise their right to object by withdrawing that consent.

8. Who to Contact for Questions Regarding Your Personal Data

We have designated a contact point to address any questions or requests related to your personal data and its processing, as well as the exercise of your rights. You can reach us via the email address provided in point 1.

For security and to ensure reliable identification when exercising your rights related to personal data, we may request additional information from you. We may only deny action if we are unable to verify your identity reliably.

9. Right to File a Complaint Regarding Personal Data Processing

Everyone has the right to file a complaint regarding the processing of their personal data. Complaints should be sent to the email address provided in point 1.

Additionally, you have the right to file a complaint directly with the Information Commissioner if you believe that the processing of your personal data violates Spanish or EU data protection regulations.

If you have exercised your right to access your data and, after receiving the decision, you believe the personal data you received is incorrect or incomplete, you may submit a reasoned complaint to the Company within 15 days before filing a complaint with the Information Commissioner. The Company will address your complaint as a new request and respond within five working days of receipt.

Bike and Hike for a Greener Planet

Join us in reducing your carbon footprint while exploring scenic trails and cycling and hiking routes that support environmental conservation.

 

Icomoon-twitte Icomoon-facebook Icomoon-instagram Linkedin

Documents

About Us

Get In Touch

  • Bike and Hike For a Greener Planet
EUR €
visa