Privacy Policy

The Privacy Policy is part of the General Conditions that govern this Website.

Who is responsible for the processing of your data?

Segura Hostelería, S.A CIF: A09045980

Address: Av. Indalecio Prieto 1, C.P. 48004, Bilbao.

Emails and telephone numbers of our hotels:

• Spirit Hotel Gran Bilbao holabilbao@spirithoteles.com 944328575
• Spirit Apartamentos Atxuri holabilbao2@spirithoteles.com 944328575
• Spirit Hotel Ciudad de Burgos holaburgos@spirithoteles.com 947431041
• Spirit Apartamentos Valladolid Centro holavalladolid@spirithoteles.com 947431041

You can contact us in any way.

Data Protection Officer: Hernando Domínguez Sánchez de las Matas protecciondatos@spirithoteles.com

We reserve the right to modify or adapt this Privacy Policy at any time. We recommend that you review it, and if you have registered and access your account or profile, you will be informed of the modifications.

If you are one of the following groups, see the drop-down information:

 

+ WEB OR EMAIL CONTACTS

What data do we collect through the Web?

We may process your IP, what operating system or browser you use, and even the duration of your visit, anonymously.

If you provide us with data in the contact form, you will identify yourself so that we can contact you, if necessary.

For what purposes are we going to process your personal data?

• To respond to your queries, requests or requests.
• To manage the requested service, answer your request, or process your request.
• Information by electronic means, which deal with your application.
• Commercial or event information by electronic means, provided that there is express authorisation.
• To carry out analyses and improvements on the Website, on our products and services. Improve our business strategy.

What is the legitimacy for the processing of your data?

The acceptance and consent of the interested party: In those cases where it is necessary to fill in a form and click on the send button to make a request, the completion of the same will necessarily imply that they have been informed and have expressly given their consent to the content of the clause attached to said form or acceptance of the privacy policy.

All our forms have the * symbol in the mandatory data. If you do not provide these fields, or do not tick the checkbox accepting the privacy policy, the information will not be allowed to be sent. It usually has the following formula: “□ I am over 14 and have read and accept the Privacy Policy.”

You can revoke consent at any time.

 

+ NEWSLETTER CONTACTS

What data do we collect through the newsletter?

On the Website, it is possible to subscribe to the Newsletter, if you provide us with an email address, to which it will be sent.

We will only store your email in our database, and we will proceed to send you emails periodically, until you request to unsubscribe, or we stop sending emails.

The Newsletter may have a Web beacon, which statistically confirms whether you have opened it, at what time or how many times. We can study the best shipping times and what interests you, but we will not have personal information about you, only your email.

You will always have the option to unsubscribe, in any communication.

For what purposes are we going to process your personal data?

• Manage the requested service.
• Information by electronic means, which deal with your application.
• Commercial or event information by electronic means, provided that there is express authorisation.
• Carry out analyses and improvements in the sending of mailings, to improve our commercial strategy.

What is the legitimacy for the processing of your data?

The acceptance and consent of the interested party: In those cases where you subscribe, it will be necessary to accept a checkbox and click on the send button. This will necessarily imply that you have been informed and have expressly given your consent to receive the newsletter.

If you do not tick the privacy policy acceptance checkbox, the information will not be allowed to be sent. It usually has the following formula: “□ I am over 14 and have read and accept the Privacy Policy.”

You can revoke consent at any time.

+ CLIENTS – GUESTS

For what purposes are we going to process your personal data?

• Formalize your reservation.
• Management and collection of your stay at the establishment and management and improvement of quality.
• Information by electronic means, which deal with your application.
• Loyalty programmes, assessment of your stay and sending of commercial information based on your profile.
• Sending commercial communications by electronic means with information relating to services, products, promotions or relevant news about the different hotels of the group, provided that you have given your consent to receive communications from the group.
• To manage the administrative, communications and logistics services carried out by the Data Controller.
• Carry out the corresponding transactions. Invoicing and declaration of the appropriate taxes. Control and collection procedures. Exercise of legal actions that correspond to us.
• Management of the entertainment service, with data even specially protected of the children when provided by their parents for medical reasons, to ensure the health and well-being of the minor. Control of allergies and other problems to be taken into account during the performance of the activities.
• Attention services for incidents that occur during your stay in our establishment, in accordance with our quality policies.
• Check the validity of the card or make its bank pre-authorisation, guarantee the reservation by making the corresponding charge, make the charge in accordance with the booking and cancellation conditions, as well as for the payment of the expenses of the stay, even after it.
• Guarantee the payment of all expenses arising from the stay, even after departure.
• Assessment survey.

What is the legitimacy for the processing of your data?

The legal basis is:

• Performance of the contract to provide our services.
• Compliance with legal obligations of the controller.
• Consent of the data subject.
• Legitimate interest.

+ SUPPLIERS.

For what purposes are we going to process your personal data?

• Information by electronic means, which deal with your application.
• Commercial or event information by electronic means, provided that there is express authorisation.
• To manage the administrative, communications and logistics services carried out by the Data Controller.
• Carry out the corresponding transactions. Invoicing and declaration of the appropriate taxes. Control and collection procedures.

What is the legitimacy for the processing of your data?

The legal basis is the acceptance of a contractual relationship, or failing that, your consent when contacting us or offering us your products by any means.

+ PARTNERS
For what purposes will we process your personal data?

Organization of the necessary actions to achieve the company’s objectives.
Internal management and legal compliance.
Convening meetings.
Carrying out the corresponding transactions.
Declaring the appropriate taxes.
What is the legal basis for processing your data?

The legal basis is contractual: acceptance of a share purchase agreement or similar, or participation in the incorporation of the company.

+ SOCIAL MEDIA CONTACTS
For what purposes will we process your personal data?

• Responding to your queries, requests, or inquiries.
• Managing the requested service, responding to your request, or processing your request.
• Developing relationships with you and creating a community of followers.

What is the legal basis for processing your data?

Acceptance of a contractual relationship within the corresponding social network environment and in accordance with its privacy policies:

• Facebook http://www.facebook.com/policy.php?ref=pf
• Instagram https://help.instagram.com/155833707900388
• Twitter http://twitter.com/privacy
• Google* http://www.google.com/intl/es/policies/privacy/
• Linkedin http://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv
• TikTok https://www.tiktok.com/legal/page/eea/privacy-policy/es
• *(Google+ and YouTube)

How long will we retain personal data?

We can only consult or unsubscribe your data in a restricted way when you have a specific profile. We’ll treat them for as long as you let us follow, be friends, or like us, follow, or similar buttons.

Any rectification of your data or restriction of information or publications must be made through the configuration of your profile or user on the social network itself.

+ VIDEO SURVEILLANCE

For what purposes are we going to process your personal data?

• Video surveillance of our facilities.
• Control of our employees.
• Sometimes they can be transferred to the courts and tribunals for the exercise of legitimate actions.

What is the legitimacy for the processing of your data?

The unequivocal consent of the interested party when accessing our facilities after viewing the information poster of the video-monitored area.

+ JOB SEEKERS

For what purposes are we going to process your personal data?

• Organization of selection processes for the hiring of employees.
• Schedule you for job interviews and evaluate your candidacy.
• If you have given us your consent, we may keep your CV for new job postings.
• If you have given us your consent, we may give it to collaborating or related companies, with the sole purpose of helping you find employment.

What is the legitimacy for the processing of your data?

The legal basis is your unequivocal consent, when you give us your CV and receive and sign information regarding the processing we are going to carry out.

+ COMPLAINTS

CHANNEL For what purposes are we going to process your personal data?

Internal detection of possible criminal and administrative offences affecting the legal entity and compliance with the company’s code of conduct and compliance policies.
Complaint management. The data of the complainant may be processed anonymously.

What is the legitimacy for the processing of your data?

Mission, interests or public powers and/or compliance with a legal obligation.

Do we include personal data of third parties?

No, as a general rule we only process the data provided by the holders. If you provide us with data from third parties, you must previously inform and request their consent from said people, or else you exempt us from any liability for non-compliance with this requirement.

And data on minors?

We process children’s data when they come with their parents, as if they were customers. In the event that reservations are made by minors, parental authorization will be required to stay at our hotels.

Will we make communications by electronic means?

• They will only be carried out to manage your request, if it is one of the means of contact that you have provided us.
• If we make commercial communications, they will have been previously and expressly authorised by you.

What security measures do we apply?

You can rest assured: We have adopted an optimal level of protection of the Personal Data we handle, and we have installed all the technical means and measures at our disposal according to the state of technology to prevent the loss, misuse, alteration, unauthorized access and theft of Personal Data.

To whom will your data be communicated?

Your data will not be transferred to third parties, unless legally obliged. Specifically, they will be communicated to the State Tax Administration Agency and to banks and financial institutions for the collection of the service provided or product acquired, as well as to those in charge of the processing necessary for the execution of the agreement.

In compliance with the applicable regulations (Organic Law 4/2015 on the protection of public safety) the data of the guests will be communicated daily to the Security Forces and Corps.

Your data will be transferred as long as you give us your consent to Zariquiegui Hostelería S.L. to send commercial communications.

The hotels of Seguro Hostelería S.L. belong to the Spirit Hotels & Apartments group, so your data may be transferred to hotels of the same group in order to be able to provide the contracted services. Segura Hostelería S.A. works as a facility manager with the rest of the companies in the group (Zariquiegui hostelería S.L.), so your data may be transferred with the sole purpose of being able to provide you with the service you have requested.

Your data will be transferred to the authority, according to the L.O. 5/2014, on Private Security, and Order INT/1922/2003 on record books and entry reports of travellers in hospitality establishments.

In the event of a purchase or payment, if you choose an application, website, platform, bank card, or any other online service, your data will be transferred to that platform or processed in its environment, always with maximum security.

When we order them to do so, the web development and maintenance company, or the hosting company, will have access to our website. They will have signed a contract for the provision of services that obliges them to maintain the same level of privacy as us.

We use applications that may involve an International Transfer of data to the United States. This will only be carried out to entities that have adhered to the USA-EU Data PRivacy framework, or failing that, to those that have demonstrated that they comply with the regulations, and have committed through standard contractual clauses (SCCs) to comply with the level of protection and guarantees in accordance with the parameters and requirements provided for in the current European regulations on data protection. such as the European Regulation, or failing that, when there is a legal authorization to carry out the international transfer.

In the ethics or whistleblowing channel, we act as the dominant company according to article 42 of the Commercial Code, in relation to Law 2/2023, of 20 February, regulating the protection of people who report regulatory breaches.
For this reason, we may process the complaints of any company in the group, as well as transfer the necessary data to them. The channel is currently shared with Zariquiegui Hostelería S.L.

What rights do you have?

• To know if we are processing your data or not.
• To access your personal data.
• To request the rectification of your data if they are inaccurate.
• To request the deletion of your data if it is no longer necessary for the purposes for which it was collected or if you withdraw the consent granted.
• To request the limitation of the processing of your data, in some cases, in which case we will only keep them in accordance with current regulations.
• To port your data, which will be provided to you in a structured, commonly used or machine-readable format. If you prefer, we can send them to the new manager you appoint. It is only valid in certain cases.
• To file a complaint with the Spanish Data Protection Agency, if you believe that we have not attended to you correctly.
• To revoke consent to any processing to which you have consented, at any time.
• If you modify any data, we thank you for letting us know so that we can keep it updated.

Do you want a form for the exercise of Rights?

• We have forms for the exercise of your rights, ask us by email or if you prefer, you can use those prepared by the Spanish Data Protection Agency or third parties.
• These forms must be electronically signed or accompanied by a photocopy of the ID card.
• If you are represented by someone, you must attach a copy of their ID, or sign it with their electronic signature.
• The forms can be submitted in person, sent by letter or by mail to the address of the Data Controller at the beginning of this text.

How long does it take to respond to the Exercise of Rights?

It depends on the law, but at most in one month from your request, and two months if the issue is very complex and we notify you that we need more time.

How long will we keep your personal data?

• Personal data will be kept for as long as you remain linked to us.
• Once you unsubscribe, the personal data processed for each purpose will be kept for the legally established periods, including the period in which a judge or court may require them in accordance with the limitation period for legal actions.
• The processed data will be kept as long as the legal periods referred to above do not expire, if there is a legal obligation to maintain it, or if there is no such legal period, until the interested party requests its deletion or revokes the consent granted.
• We will keep all information and communications related to your purchase or the provision of our service, for the duration of the warranties of the products or services, to deal with possible claims.
• For each processing or type of data, we provide you with a specific period, which you can consult in the following table:

 

File	Document	Conservation
Clients	Bills	10 years
	Forms & Coupons	15 years
	Contracts	5 years
Human resources	Nóminas, TC1, TC2, etc.	10 years
	Curriculums	Until the end of the selection process, and 1 more year with your consent
	Docs of severance pay. Contracts. Data of temporary workers.	4 years
	Worker’s file.	Up to 5 years after the leave.
Marketing	Databases or web visitors.	For the duration of treatment.
Suppliers	Bills	10 years
	Contracts	5 years
Access control and video surveillance	List of visitors	30 days
	Videos	30 days block 3 years destruction
Accounting	Accounting Books and Documents. Shareholders’ agreements and boards of directors, company bylaws, minutes, board of directors regulations and delegated committees. Financial statements, audit reports Grant-related records and documents	6 years
Fiscal	Keeping of the administration of the company, rights and obligations related to the payment of taxes. Administration of dividend payments and withholding taxes.	10 years
	Information on the intra-group price establishments	18 years old 8 years for intra-group transactions for pricing agreements
Health and Safety	Workers’ Medical Records	5 years
Environment	Information on chemical or substantially hazardous substances	10 years
	Documents relating to environmental permits While the activity is being carried out.	3 years after the closure of the activity 10 years (statute of limitations)
	Records on recycling or waste disposal	3 years
	Grants for cleaning operations must keep documents of rights and obligations, receipts and payments.	4 years
	Accident Reports	5 years
Insurance	Insurance Policies	6 years (rule of thumb) 2 years (damage) 5 years (personal) 10 years (life)
Shopping	I register all the supplies of goods or provision of services, intra-community acquisitions, imports and exports for VAT purposes.	5 years
Juridical	Intellectual and Industrial Property Documents. Contracts and agreements.	5 years
	Permits, licenses, certificates	6 years from the date of expiration of the permit, license or certificate. 10 years (criminal statute of limitations)
	Confidentiality and Non-Compete Agreements	Always the duration of the obligation or confidentiality
LOPD	Processing of personal data, if different from the processing notified to the AEPD	3 years
	Personal data of employees stored in the networks, computers and communications equipment used by them, access controls and internal management/administration systems	5 years
Whistleblowing Channel	Internal complaints. Regulatory Compliance Program (Corporate Criminal Liability)	3 months (general rule) 10 years (criminal statute of limitations)

 

The companies operating under the Spirit Hotels & Apartments and Spirit Hospitality Global Business brands are:

• Segura Hostelería S.A

Av. Indalecio Prieto 1 C.P. 48004 de Bilbao

• Zariquiegui Hostelería S.L. 

Calle Ortutxueta, 1 Esc– 1º A C.P. 48006 de Bilbao