This document regulates the rules relating to the Privacy Policy on which the company Huesca Hoteles SL -HOSTAL UN PUNTO CHIC.-, as Data Controller (hereinafter, "the Responsible") will carry out the processing of personal data of its customers (buyers or not of their services) and suppliers or third parties, provided by those during their access to the website https://hostalunpuntochic.com in their registration process or provided by any other means valid in law.

If you expressly accept the transfer of your data to the Controller, whatever the means by which you do so, provided that your consent is express, you give your consent in a free, informed, specific and unequivocal manner for the Controller to process your personal data, in accordance with the General Data Protection Regulation of the Parliament and of the Council 679/2016, of 27 April (hereinafter "GDPR") and the Organic Law 3/2018, of 5 December, on Data Protection and Guarantee of Digital Rights.

Data controller data:

Responsible: Huesca Hoteles S.L.

CIF: B22275325.

Website: https://hostaljoaquincosta.com/

Registered Office: Calle Joaquín Costa 10, 22003 Huesca

E-mail: info@hostaljoaquincosta.com.

Collection of data:

The Data Controller may collect the data of its customers, suppliers and other third parties (hereinafter jointly referred to as "the data subject" or "data subjects") on its website when they access it and register or request its services through the contact link.

The interested party must enter all the data required by the Platform at all times (especially those marked with an asterisk), as failure to do so will prevent them from completing their registration as a user or the use of certain functionalities or services available through the Platform.

Data will also be collected from interested parties when by other means the interested parties have provided them to the Data Controller, within the normal development of a commercial or professional activity.

Likewise, the data subject shall guarantee that the Personal Data provided are true and accurate and must notify, through the appropriate channel, any change or modification thereof.

In the event that the data subject provides data of third parties, he/she shall assume the responsibility of having previously informed them and having their consent to do so, in accordance with article 14 of the GDPR.

Category of data collected:

The Controller may process the following personal data of the user:

Identification data: name and surname, NIF.

Contact details: telephone number, email and postal address.

Company you work for

Credit or debit payment card details

Bank account details

Data recipients:

Your data will be accessed by those suppliers who perform services for the Controller in relation to the service provided by the Controller to the data subject or vice versa. The Data Controller will maintain appropriate data processing contracts with each of the suppliers who provide services to the Data Controller in order to ensure that such suppliers process your data in accordance with the provisions of the legislation in force.

Personal data may also be disclosed to the competent authorities where there is a legal obligation to do so.

Likewise, they may be communicated to the financial institutions through which the collection and payment management is carried out.

They may also be transferred to third party companies related to the activity of the Data Controller, for the purpose of sending the user commercial information that may be of interest to him/her, always connected with the business of the Data Controller and provided that the user has expressly accepted this.

Purpose of the processing:

The Controller will process personal data for the purposes set out below, depending on the reason for which they have been provided:

To carry out the provision of the contracted services, the maintenance of the contractual relationship and the monitoring of the same.

To contact, process, manage and respond to the user's request, application, incident or query (either by e-mail, contact form or telephone).

Manage, where appropriate, the user's participation in the customer's private area.

Manage, where appropriate, the sending of commercial communications about products and services marketed by the Controller by electronic and/or conventional means.

To create, where appropriate, a profile of the user in order to offer him/her products and services related to the Controller in accordance with his/her interests.

Assess and manage, where appropriate, the curriculum provided by the user for selection processes that are adapted to their professional profile and carry out the necessary actions for the selection and recruitment of personnel.

Based on the above and depending on the category of user, the Controller may use the data for the following purposes:

Customers:

Preparation of quotations

Invoicing

Sending commercial communications

Updating of service conditions

Regular communication within the contracted service provision.

Creating a professional profile for the offer of services

Providers:

Invoicing

Sending commercial communications

Updating of service conditions

Regular communication within the contracted service provision.

Social Network Contacts:

Creation of a community of followers

Management of friend requests

Sending commercial information.

Creation of a professional profile for the services offered

Service conditions updates

Job applicants:

Assessment of the data included in the curriculum vitae to analyse the suitability to the needs of the person in charge.

Sending relevant information related to the job sought in the organisation.

In the event that the user expressly accepts, the data may be transferred to collaborating or related companies with the aim of helping the user to find a job.

To create a professional profile.

Legal basis for data collection and processing:

The legal basis for the collection and processing of user data is, on the one hand, the imperative obligation to be able to provide the contracted services and, on the other hand, the consent expressly granted by the user for the collection and processing of the data.

Duration of processing and data retention:

The data for the management of the relationship with the client, invoicing and collection of the services will be kept for as long as the contract is in force. Once this relationship has ended, if applicable, the data may be kept for the time required by the applicable legislation and until any liabilities arising from the contract expire.

Data for the management of queries and requests will be kept for the time necessary to respond to them, with a maximum period of one year.

Data for the sending of commercial communications and the creation of commercial profiles of our products or services will be kept for as long as the commercial relationship with the user is maintained and they do not withdraw their consent to this.

Curriculum vitae data for selection processes will be kept for two years.

For information purposes, the following are the legal deadlines for the conservation of information in relation to different subjects:

DOCUMENT	duration	LEGAL REF.
Documentation of a labour or social security nature	4 years	Artículo 21 del Real Decreto Legislativo 5/2000, de 4 de agosto, por el que se aprueba el texto refundido de la Ley sobre Infracciones y Sanciones en el Orden Social
Documentación contable y fiscal a efectos mercantiles	6 years	Art. 30 Código Comercio
Documentación contable y fiscal a efectos fiscales	4 years	Artículos 66 a 70 Ley General Tributaria
Control de accesos a edificios	1 mes	Instrucción 1/1996 de la AEPD
Videovigilancia	1 mes	Guía de 26 de noviembre de 2018 de la AEPD Ley Orgánica 4/1997. Ley 5/2014 de 4 de abril, de Seguridad Privada

User rights:

Any user who provides their personal data to the Data Controller may exercise the following rights:

Access, rectification, opposition, deletion, portability and limitation of processing, as well as to refuse the automated processing of personal data collected by the Controller.

In turn, all users shall have the right to withdraw any consent they may have given at any time.

These rights may be exercised free of charge by the user, making reference to the request specified in the application through the contact details listed in the Legal Notice link.

The user has the right to revoke their consent given at any time for the sending of commercial communications, simply by notifying the Data Controller and informing them that they no longer wish to receive commercial communications. To do so, the user may revoke their consent by making reference to their request via the contact details given in the Legal Notice or by clicking on the link "no more commercial communications".

The user has the right to file a complaint with the Spanish Data Protection Agency if he/she understands that the Data Controller has committed any type of infringement in the processing of his/her data (www.aepd.es).

Minors:

Under no circumstances will the Data Controller collect data from minors, except in those cases in which the Law allows it. Given the difficulty of verifying the age of users, the holders of parental authority or guardianship of minors under 14 years of age shall be responsible for establishing control measures on the devices to which minors may have access, in order to prevent them from improperly transferring their data.

If the Data Controller has reliable knowledge at any time that a minor has accessed its platform and their data is being processed without the authorisation of their legal representatives, it shall immediately remove said user from the platform.

Security measures:

The Data Controller undertakes to comply with its commitment to secrecy of personal data and its duty to protect them, treating the user's personal data confidentially, adopting the necessary technical and organisational measures to guarantee the security of the data and prevent its alteration, loss, unauthorised processing or access, taking into account the state of technology, the nature of the data stored and the risks to which they are exposed.

Modifications to the privacy policy:

The Data Controller may modify its Privacy Policy in accordance with the legislation applicable at any given time. In any case, any modification to the Privacy Policy will be duly notified to the user so that they are informed of the changes made to the processing of their personal data and, in the event that the applicable regulations so require, the user can give their consent.