PRIVACY POLICY

Regi — Ignacio Lopedoza Serrano

Last Updated: 0 March 2026

Effective Date: 10 March 2026

Introduction

This Privacy Policy explains how Ignacio Lopedoza Serrano (doing business as Regi) (we, us, or our) collects, uses, and protects personal information when you interact with our website at https://regi.es/, our products, or any related services (collectively, the Services). We are committed to safeguarding your information and handling it responsibly in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and Spain's Organic Law on Data Protection (LOPDGDD 3/2018).

Our business is located at Blvr. Louis Pasteur, 47, Oficina 103, 29010, Málaga, Spain. For questions about this Privacy Policy, contact us at support@regi.es or privacy@regi.es, by phone at 652044477, or by post to the address above.

Our Role in Data Processing

Depending on the context, Regi may act as a Data Controller (determining the purposes and means of processing) or as a Data Processor (processing data on behalf of another organisation according to their instructions).

As a Data Processor, we do not determine the purposes of processing but strictly follow our clients' requirements.

Table of Contents

  1. Information We Collect
  2. How We Collect Information
  3. How We Use Your Information
  4. Data of Travellers (Parte de Viajeros)
  5. How We Process Your Information
  6. Automated Decision-Making and Profiling
  7. Cookies & Tracking Technologies
  8. How We Share Information
  9. International Transfers
  10. How Long We Retain Information
  11. How We Keep Information Safe
  12. Your Rights
  13. Children's Privacy
  14. Marketing Communications
  15. Updates to This Policy
  16. How to Contact Us

1. Information We Collect

We collect personal information you provide directly, information generated automatically when you use our Services, and information from third-party tools that support our operations.

Identifiers

  • Name
  • Email address
  • Phone number
  • Physical address

Account and Transaction Data

  • Account or profile information
  • Billing details and transaction history

Traveller Data (Parte de Viajeros)

As part of our core compliance service, we collect the following data from travellers as required by Real Decreto 933/2021:

  • Full name, sex, ID number (DNI/Passport/TIE), document support number, nationality and date of birth
  • Residential address, mobile/fixed phone, email address
  • For minors: relationship of guardianship to other travellers
  • Contract reference number, date, signatures
  • Check-in and check-out date and time
  • Payment type and method identifier, and name of payment holder

Technical, Analytics, and Communication Data

  • IP address, device identifiers, browser type, OS
  • Language settings, time zone, pages viewed, navigation patterns
  • Cookie data, analytics events, usage logs
  • Error logs, performance data, diagnostic information
  • Messages or information provided through forms or support

2. How We Collect Information

Information You Provide Directly

We collect information you choose to provide when you:

  • Create an account or update profile details
  • Complete forms, make purchases, or engage with customer support
  • Respond to surveys, request information, or communicate with us

Information Collected Automatically

When you visit our website or use the Services, we automatically collect technical and usage information including IP address, device characteristics, pages viewed, and diagnostic data.

We use Vercel Analytics for aggregated, anonymised traffic analysis.

Information From Third-Party Providers

  • Analytics platforms (aggregated usage insights)
  • Email and communication systems (delivery/engagement logs)
  • Hosting and infrastructure providers (technical metadata)
  • Third-party authentication providers (name, email, account ID)

3. How We Use Your Information

We only process personal information when we have a valid legal basis under applicable data protection laws.

Legal Bases We Rely On

  • Contract: Processing necessary to provide the Services or take steps at your request.
  • Consent: You voluntarily provide information for a specific purpose; you may withdraw consent at any time.
  • Legitimate Interests: Processing necessary for our business operations that does not override your rights (e.g. fraud prevention, service improvement).
  • Legal Obligation: Processing required to comply with applicable laws (e.g. RD 933/2021).
  • Vital Interests: When necessary to protect the safety of an individual.

Purposes and Applicable Legal Basis

  • Account creation and management — Consent
  • Providing and billing the Services — Contract
  • Customer support and issue resolution — Contract / Consent
  • Analytics and service improvement — Legitimate Interests
  • Fraud detection and security — Legitimate Interests
  • Compliance with legal reporting obligations (RD 933/2021) — Legal Obligation
  • Marketing and newsletters (opt-in only) — Consent

4. Data of Travellers (Parte de Viajeros)

Our core service assists accommodation providers in complying with the Spanish traveller registration obligation under Real Decreto 933/2021. In this context, Regi acts as a Data Processor on behalf of the accommodation provider (the Data Controller).

We are legally required to collect and transmit traveller data for all guests aged 14 and over to the relevant authorities (Ministerio del Interior, and regional police forces such as Mossos d'Esquadra or Ertzaintza where applicable).

Legal basis: Compliance with a legal obligation (Art. 6.1.c GDPR and RD 933/2021).

We process data of minors under 18 only when it forms a mandatory part of the Parte de Viajeros. This data is handled with the same high security standards as all other personal data and processed strictly for legal compliance.

5. How We Process Your Information

We process personal information in ways appropriate to the nature of the data and the purposes for which it was collected, including storing, organizing, using, transmitting, and deleting it when no longer required. We apply principles of data minimization, purpose limitation, and accuracy.

Access to personal information is limited to authorized personnel bound by confidentiality obligations. We implement technical and organizational measures including access controls, authentication procedures, encryption in transit and at rest, logging, monitoring, and routine security assessments.

We may combine information from different sources when necessary to operate the Services or fulfil a lawful purpose, such as preventing fraud or maintaining platform security.

6. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects. If this changes in the future, we will update this Policy and provide any required notices or options.

7. Cookies & Tracking Technologies

We use cookies and similar tracking technologies (web beacons, tags, pixels) to operate our website, understand how it is used, improve performance, and enhance your experience.

Categories of Cookies We Use

  • Strictly Necessary / Session: Essential for the website to function. Always active.
  • Analytics / Performance: Collect aggregated data to understand usage and improve performance (e.g. Vercel Analytics).

We currently only use strictly necessary session cookies for website operation. We do not use non-essential cookies.

8. How We Share Information

We do not sell your personal information. We only share it in the following circumstances:

  • Competent Authorities: We are legally required to transmit Parte de Viajeros data to the Secretaría de Estado de Seguridad (Ministerio del Interior) and relevant regional police forces under RD 933/2021.
  • Amazon Web Services (AWS): Cloud hosting and database storage. Data processed within the EU (Spain and France).
  • Vercel: Web application hosting and analytics. Data processed within the EU.
  • Legal requirements: When required by law, court order, or to protect our legal rights.

We have signed Data Processing Agreements (DPAs) with AWS and Vercel to ensure they apply the same high data protection standards as we do.

9. International Transfers

Our principal infrastructure providers (AWS and Vercel) process data within the European Union, specifically in data centres located in Spain and France. We do not transfer personal data outside the EEA unless appropriate safeguards are in place (such as Standard Contractual Clauses or an adequacy decision).

10. How Long We Retain Information

We retain personal information only as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

  • Traveller data (Parte de Viajeros): 3 years, as required by RD 933/2021. Permanently deleted within two weeks after expiry.
  • Account information: Until users delete their account.
  • Profile and preferences: Until account termination.
  • Usage logs and activity data: 90 days.
  • Cookies and tracking data: Session only (deleted when browser closes).
  • Security logs: 90 days.
  • Legal and regulatory records: 3 years.
  • User-generated content: Until deleted by the user or account closure.
  • Property reference numbers (fraud prevention): Retained indefinitely to prevent abuse of free trials.

11. How We Keep Information Safe

We implement appropriate technical and organizational measures to protect personal information from unauthorized access, disclosure, alteration, or destruction:

  • Encryption of data in transit (TLS/SSL) and at rest, with additional application-level encryption for sensitive personal data
  • Access controls limiting who can view or handle information
  • Monitoring and logging of system activity to detect potential issues
  • Regular security assessments and system updates
  • Anonymisation where possible for analytics and service improvement
  • Security architecture based on AWS and Vercel best practices
  • Employee training on data protection and security

While we take reasonable steps to safeguard personal information, no system is completely secure. If we identify a data breach affecting your personal information, we will notify you and applicable supervisory authorities as required by law.

12. Your Rights

Rights for Users in the EU/EEA (GDPR)

  • Right of access: Request a copy of the personal information we hold about you.
  • Right to correction: Request that we correct inaccurate or incomplete information.
  • Right to deletion: Request deletion of your personal information in certain circumstances.
  • Right to restrict processing: Request that we limit how your data is used.
  • Right to object: Object to processing based on legitimate interests or direct marketing.
  • Right to data portability: Request your information in a structured, commonly used format.
  • Right to withdraw consent: Withdraw consent at any time when processing is based on consent.

You have the right to lodge a complaint with a data protection authority, typically in your country of residence, place of work, or where a violation occurred.

How to Exercise Your Rights

  • Clients (property managers): many rights can be exercised directly through your account settings in the web application.
  • Travellers: send a request to privacy@regi.es or support@regi.es. Note that for data transmitted to authorities, we may be legally required to retain it.
  • Cookie consent: withdraw at any time via the cookie banner, privacy settings page, or by contacting us.

We may need to verify your identity before processing your request. Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.

13. Children's Privacy

Our Services are not directed at children under 16, and we do not knowingly collect personal information from individuals under this age, except where required as part of the Parte de Viajeros legal obligation under RD 933/2021. In that context, data of minors is handled with the highest level of security and processed strictly for legal compliance.

If you believe a child has provided personal information to us outside of this legal obligation, please contact us at support@regi.es and we will delete it as soon as reasonably possible.

14. Marketing Communications

We will only send you marketing emails or newsletters if you have explicitly given us your consent (opt-in), either by subscribing through a form or enabling this option in your account settings (disabled by default). You may unsubscribe at any time by clicking the "Unsubscribe" link at the bottom of any marketing email, or by contacting us directly.

15. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, operational needs, or applicable laws. When we make significant changes, we will update the Last Updated date at the top of this Policy and notify you by email or via an in-app notification. We encourage you to review this Policy periodically.

16. How to Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our handling of personal information, please contact us:

  • Ignacio Lopedoza Serrano
  • Email: support@regi.es / privacy@regi.es
  • Phone: 652044477
  • Address: Blvr. Louis Pasteur, 47, Oficina 103, 29010, Málaga, Spain