Privacy Policy

PRIVACY AND CONFIDENTIALITY POLICY

Cabau Hotels S.L., registered in the Commercial Register of the Balearic Islands, Folio: 40, Volume: 2622, Entry 1, Sheet PM-76806: FIRST

COMPANY NAME
Cabau Hotels S.L.

TAX IDENTIFICATION NUMBER (NIF)
B57925323

POSTAL ADDRESS
C/ Quatre de Novembre, 5, 3rd Floor, Door D1,
07011 Palma – Balearic Islands – Spain

EMAIL ADDRESS
cabau@cabauhotels.com

PHONE NUMBERS
+34 971 47 99 77

COMMERCIAL REGISTER
Registered in the Commercial Register of the Balearic Islands,
Folio: 40, Volume: 2622, Entry 1, Sheet PM-76806: FIRST

MAIN PURPOSE
The operation of hotel businesses, aparthotels, tourist accommodations, holiday apartments, suites, luxury villas and other short-stay lodgings.

---

Information on the Processing of Personal Data

In accordance with the provisions of the current regulations on personal data protection, users of this website are informed that the personal data they provide through cabauhotels.com will be processed in accordance with the principles of lawfulness, fairness and transparency.

Specifically, the following is communicated:

Identity and contact details of the data controller:
The person responsible for processing the data is Vanessa Cabau Wolf, with contact email cabau@cabauhotels.com.

Contact details of the Data Protection Officer (DPO):
Users may contact the Data Protection Officer via email at cabau@cabauhotels.com or by sending a written letter to the controller at the address indicated above.

Purposes of the processing:
User personal data will be processed for the following purposes:

• To manage reservations, enquiries, or requests made through the website.

• To respond to incoming communications and provide support or information about the services of Cabau Hotels.

• Where applicable, to send informational or commercial communications related to the products and services of the hotel chain, provided the user has given consent.

Legal basis for processing:
The processing of data is based on the performance of a contract or a prior request from the user, compliance with legal obligations, and, where applicable, the explicit consent of the individual for the sending of commercial information.

Data retention period:
Personal data will be retained for the time necessary to fulfill the purpose for which they were collected. Subsequently, they will be duly blocked for the legally applicable limitation periods.

Data disclosures:
Data will not be disclosed to third parties, except by legal obligation or when necessary for the proper provision of the contracted services (for example, technology providers or reservation management), always guaranteeing adequate security measures.

International transfers:
If international data transfers are made (for example, to technology providers outside the European Economic Area), these will be carried out in accordance with the guarantees established by the applicable regulations, ensuring an adequate level of protection of personal data.

---

2. Processing operations carried out

Website Management

• Purpose: Processing and management of data necessary for the proper functioning of the website.

• Retention period: For as long as the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: None expected.

• International transfers: None expected.

• Profiling: Not expected.

---

Web User Management

• Purpose: Collection, registration, and processing of user data.

• Retention period: For as long as the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: None expected.

• International transfers: None expected.

• Profiling: Not expected.

---

Contact Form

• Purpose: To handle your inquiries and/or requests.

• Retention period: While the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: None.

• International transfers: None expected.

• Profiling: Not expected.

---

Cookies Installation

• Purpose: Management and installation of cookies.

• Retention period: While the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: None.

• International transfers: None expected.

• Profiling: Not expected.

---

Compliance Management

• Purpose: Management and processing of obligations and duties derived from compliance with applicable regulations.

• Retention period: Until possible liability actions expire.

• Legal basis: Compliance with a legal obligation.

• Type of data: Basic identification data.

• Disclosures: To public authorities or agencies where required by law.

• International transfers: None expected.

• Profiling: Not expected.

---

Commercial Actions

• Purpose: Collection, registration, and processing of data for advertising and commercial prospecting purposes.

• Retention period: While the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: None.

• International transfers: None expected.

• Profiling: Not expected.

---

Image Processing

• Purpose: Capture and use of images for advertising or promotional purposes.

• Retention period: While the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: None.

• International transfers: None expected.

• Profiling: Not expected.

---

Job Pool Management

• Purpose: Registration and processing of candidate data for recruitment and job pool management.

• Retention period: For as long as the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: To partner entities for recruitment purposes.

• International transfers: None expected.

• Profiling: Not expected.

---

Newsletter

• Purpose: Management of newsletter subscriptions and sending of communications.

• Retention period: While the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: None.

• International transfers: None expected.

• Profiling: Not expected.

---

Cabau Rewards Management

• Purpose: Registration and processing of data for Cabau Rewards membership to provide booking benefits.

• Retention period: While the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: None.

• International transfers: None expected.

• Profiling: Not expected.

---

Accommodation Booking Management

• Purpose: Registration and management of accommodation bookings.

• Retention period: While the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: None.

• International transfers: None expected.

• Profiling: Not expected.

---

Check-in Management

• Purpose: Collection and processing of client data for check-in purposes.

• Retention period: While the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: To public authorities or agencies where legally required.

• International transfers: None expected.

• Profiling: Not expected.

---

Social Media

• Purpose: Management of Cabau Hotels’ social media platforms.

• Retention period: While the consent remains valid.

• Legal basis: Consent of the data subject.

• Type of data: Basic identification data.

• Disclosures: None.

• International transfers: None expected.

• Profiling: Not expected.

---

3. Rights of the data subjects

3.1 Rights

In accordance with the GDPR, CABAU HOTELS informs data subjects that they have the right to:

• Access their personal data and obtain information about its processing (Article 15 GDPR).

• Request the correction of inaccurate or incomplete data (Article 16 GDPR).

• Request the deletion of personal data when they are no longer necessary or when consent is withdrawn (Article 17 GDPR).

• Request limitation of processing in certain circumstances (Article 18 GDPR).

• Oppose the processing of their data for reasons related to their particular situation, especially in processing based on public interest or direct marketing (Article 21 GDPR).

• Exercise the right to data portability, receiving their data in a structured, commonly used, machine-readable format, and transmit them to another controller (Article 20 GDPR).

• Not be subject to automated individual decisions, including profiling (Article 22 GDPR).

• Withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal (Article 7.3 GDPR).

3.2 Procedure to exercise rights

Data subjects may exercise their rights by written request to the following email: cabau@cabauhotels.com

The request must meet the following requirements:

1. Identification of the requester:
   The data subject must provide reliable identification. In cases of reasonable doubt about identity, additional information (e.g. copy of ID, previously used email) may be requested.

2. Representation:
   If exercising rights via a legal or voluntary representative, the identity of both parties must be proven and an express authorization by the data subject provided.

3. Content of the request:
   The specific right(s) to be exercised must be clearly indicated. If no particular processing is referenced, the response will cover all data processing by CABAU HOTELS. Phone requests will not be accepted; the request must be in writing.

4. Contact details for notifications:
   The request must include a valid postal or email address for communications.

5. Supporting documentation:
   Where necessary, the request shall be accompanied by relevant documentation to justify the exercise of the requested right.

6. Method of submission:
   The request should be sent by means that allow certification of its sending and receipt.

Finally, the data subject is informed of their right to file a complaint with the Spanish Data Protection Agency (www.aepd.es) if they believe their data protection rights have been violated.

---

PRIVACY POLICY FOR SOCIAL NETWORKS

In accordance with applicable personal data protection regulation and Law 34/2002 of 11 July on Information Society Services and E-commerce (LSSI-CE), CABAU HOTELS informs users that it has created a corporate profile on the social networks Facebook, Pinterest, and Instagram, primarily to publicize its services and events.

CABAU HOTELS S.L. details:

• Company Name: CABAU HOTELS S.L.

• NIF: B57925323

• Registered Address: Calle Quatre de Novembre, 5, 07011 Palma – Balearic Islands, Spain

• Phone: +34 971 47 99 77

• Email: cabau@cabauhotels.com

A user with a profile on the same social network who decides to follow the page created by CABAU HOTELS thereby consents to the processing of the personal data published on their profile by CABAU HOTELS.

The user can at any time access the social network’s privacy policies and configure their profile to ensure their privacy. There is no affiliation between CABAU HOTELS and the social networks, so the user accepts their usage policies and terms and conditions when accessing them or accepting their notices and conditions during registration.

1. Rights of Data Subjects

In relation to rights of access, rectification, restriction, deletion, portability and opposition to data processing, you may exercise them before CABAU HOTELS. According to the GDPR, note the following:

• Right of Access: the right to obtain specific personal data and information about its processing, origin, and communications made or planned.

• Right of Rectification: right to modify data that is inaccurate or incomplete. Applies to information under CABAU HOTELS’ control (e.g., removal of comments, images, or content containing personal data).

• Right to Limit Processing: the right to restrict planned processing under certain circumstances.

• Right to Deletion: the right to delete personal data, except where GDPR or other laws require retention.

• Right to Portability: the right to receive data in a structured, commonly used, machine-readable format and to transmit them to another controller.

• Right of Opposition: the right to object to the processing of personal data or its cessation by CABAU HOTELS.

2. Responsibility Regime

CABAU HOTELS may:

1. Access the public profile information

2. Publish to the user’s profile any content already posted to CABAU HOTELS’ page

3. Send personal and individual messages via social network channels

4. Post status updates of the page to the user’s profile

The user can always control their connections, delete contents no longer of interest, and restrict who sees their connections by adjusting privacy settings.

3. Publications

Once a user joins CABAU HOTELS’ page, they may publish comments, links, images, photos, or other multimedia content supported by the social network. The user must own rights to the content or have consent from third parties. It is expressly prohibited to publish content that offends public morality, ethics, good taste, or violates intellectual property, personality rights, or law. CABAU HOTELS reserves the right to remove such content immediately and may request the user be blocked permanently. CABAU HOTELS is not responsible for user-published content. The user is aware that their publications become visible to others, and thus is fully responsible for their privacy. Images posted are not stored in CABAU HOTELS’ systems but remain on the social network.

4. Information Security

In compliance with Article 32 of Regulation (EU) 2016/679, CABAU HOTELS undertakes to adopt the necessary technical and organizational measures, according to the risk level of the processing operations listed above, to guarantee integrity, confidentiality, and availability of data. Furthermore, CABAU HOTELS informs that if a user enters data in forms on third-party websites, those third parties become responsible for their personal data and must adopt the technical measures described in their own Privacy Policy.

5. Consent under LSSI-CE

In compliance with Law 34/2002 on Information Society Services and E-commerce, CABAU HOTELS will request and the user may grant express consent so that, if desired, CABAU HOTELS may use their data to send information and advertising about the website itself or different offers, promotions, and third-party service providers. To ensure security and confidentiality of personal data, CABAU HOTELS has adopted the required security levels of the data protection legislation and implemented technical means, where feasible, to prevent loss, misuse, alteration, unauthorized access, or theft of personal data provided to CABAU HOTELS.

6. Social Media Privacy Policies

Below are links to the privacy policies of various social networks:

• Instagram: https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect

• Facebook: https://es-es.facebook.com/privacy/policy/

• Pinterest: https://help.pinterest.com/es/topics/privacy-safety-and-legal

LAST UPDATED: October 2025