Privacy Policy

1. Data controller

Company: BENNASSAR NAVILIERS, SL

Website: www.moonfishcat.es

Contact: moonfishcat@gmail.com

Activity: Glass bottom catamaran excursions along the east coast of Mallorca, Spain

We are the data controller for personal data collected through this website. This policy explains what data we collect, why we collect it, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) (Regulation 2016/679) and Spain's Organic Law 3/2018 on Data Protection (LOPDGDD).

2. Personal data we collect

When you make a booking or contact us through our website, we collect the following categories of personal data:

Identity: Your full name, collected via the booking form.

Contact information: Your email address and phone number, collected via the booking form.

Booking details: Your chosen departure point, date, tour type, and number of participants, collected via the booking form.

Payment data: Payment card data, processed and stored exclusively by Stripe. We never receive or store card numbers on our own servers.

Technical data: IP address, browser type, pages visited, and session cookies, collected automatically by the Squarespace platform.

Communications: Email message history from automated pre- and post-booking emails, managed through our automated email system (Gmail).

We apply the principle of data minimisation (Article 5(1)(c) GDPR): we only collect data that is strictly necessary for the purposes described below.

3. Purposes and legal bases for processing

Under Article 6(1) GDPR, all processing must rest on one of six legal bases. We process your personal data for the following purposes, each with its corresponding legal basis under Article 6 GDPR:

Processing and confirming your booking — Performance of a contract (Art. 6(1)(b)).

Processing your payment via Stripe — Performance of a contract (Art. 6(1)(b)).

Sending automated booking confirmation and pre-trip reminder emails — Performance of a contract (Art. 6(1)(b)).

Sending automated post-trip follow-up emails — Legitimate interests (Art. 6(1)(f)), specifically quality of service and customer care.

Responding to enquiries or complaints — Legitimate interests (Art. 6(1)(f)).

Meeting tax and accounting obligations — Legal obligation (Art. 6(1)(c)).

Website analytics (anonymised usage data) — Consent (Art. 6(1)(a)), collected via our cookie banner.

We do not use your data for direct marketing, newsletters, or any form of unsolicited commercial communication.

4. How long we keep your data

In line with the storage limitation principle (Article 5(1)(e) GDPR), we retain personal data only for as long as necessary for the purpose it was collected, or as required by law:

Booking and contract records are kept for 5 years from the date of service, in compliance with Spanish commercial and tax law obligations.

Payment transaction records are kept for 5 years from the date of transaction, as required by Spanish tax legislation (Ley 58/2003 General Tributaria).

Email communications are retained for 2 years from the date of last interaction, based on legitimate interest and potential legal claims.

Technical and analytics data is retained for up to 13 months, in line with Squarespace platform standards, after which it is anonymised.

Once these periods expire, data is securely deleted or anonymised. You may also request earlier deletion — see your rights in Section 7 below.

5. Data processors and third-party recipients

We do not sell or share your personal data with third parties for their own commercial purposes. We use the following data processors — companies that process data on our behalf — each subject to a Data Processing Agreement (DPA) as required by Article 28 GDPR:

Stripe, Inc. handles payment processing. Stripe is based in the USA. Transfers are safeguarded by EU Standard Contractual Clauses (SCCs) under Commission Decision 2021/914 and the EU–US Data Privacy Framework.

Squarespace, Inc. provides website hosting, booking forms, and analytics. Squarespace is based in the USA. Transfers are safeguarded by EU Standard Contractual Clauses under Commission Decision 2021/914 and the EU–US Data Privacy Framework.

Google LLC (Gmail) manages our automated transactional emails. Google is based in the USA. Transfers are safeguarded by EU Standard Contractual Clauses and the EU–US Data Privacy Framework.

We may also be required to disclose data to public authorities (e.g. the Agencia Tributaria, law enforcement) where required by applicable law.

6. International data transfers

Stripe, Squarespace and Google are based in the United States. Transfers of personal data outside the European Economic Area are carried out under the EU Standard Contractual Clauses (SCCs) adopted by European Commission Decision 2021/914 of 4 June 2021, and/or under the EU–US Data Privacy Framework where applicable. Both mechanisms ensure a level of data protection equivalent to that required within the EEA under the GDPR.

7. Your rights

Under Chapter III of the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15): You may obtain confirmation of whether we process your data and request a copy of it.

Right to rectification (Art. 16): You may have inaccurate or incomplete data corrected.

Right to erasure (Art. 17): You may request deletion of your data when it is no longer necessary for the purpose it was collected, or when you withdraw your consent.

Right to restriction (Art. 18): You may limit processing in certain circumstances, for example while the accuracy of your data is being contested.

Right to data portability (Art. 20): You may receive your data in a structured, machine-readable format.

Right to object (Art. 21): You may object to processing based on legitimate interests (Art. 6(1)(f)).

Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before that point.

To exercise any of these rights, please contact us at: moonfishcat@gmail.com

We will respond within one month of receiving your request, as required by Article 12(3) GDPR. This period may be extended by a further two months for complex or multiple requests, in which case we will notify you. If you believe your rights have not been respected, you have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) or the supervisory authority of your country of residence within the EU.

8. Security measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss or unlawful disclosure, consistent with Article 32 GDPR, including:

  • All data transmitted via this website is encrypted using HTTPS/TLS.

  • Payment data is processed exclusively by Stripe, Inc., which holds PCI DSS Level 1 certification — the highest standard for payment processors. Card numbers never reach our servers; Stripe uses AES-256 encryption for data at rest and TLS 1.2+ for data in transit.

  • Access to booking data is restricted to authorised personnel of BENNASSAR NAVILIERS, SL only.

  • Our website is hosted on Squarespace, which maintains ISO/IEC 27001 and SOC 2 Type II certifications.

9. Cookies

This website uses cookies. You can manage your preferences via the cookie banner displayed on your first visit. The main cookies in use are:

Essential / session cookies enable shopping cart functionality and basic site navigation. These are provided by Squarespace.

Analytics cookies collect anonymised visitor statistics, such as pages viewed and session duration. These are provided by Squarespace Analytics and are only placed with your consent, in line with Article 6(1)(a) GDPR and applicable ePrivacy rules.

Payment cookies manage secure checkout sessions and support fraud prevention. These are provided by Stripe.

You may withdraw your consent to analytics cookies at any time by adjusting your browser settings or contacting us.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our services or applicable law. The date at the top of this page will always reflect the most recent revision. For material changes, we will notify customers with active bookings by email. We encourage you to review this page periodically.