Last updated: 27 December 2025

1) Controller (data controller)

ESPECIALANZ S.L.
Cl/Cocedero 14
E-35570 Yaiza-La Hoya
Spain

Email: info@eslanz.com

2) Personal data we process

Depending on how you use our website and how you book, we may process the following categories of personal data:

a) Data you provide to us (contact and booking data)

• Contact details: title, first and last name, email address, and (where relevant) postal address (e.g. for invoicing).
• Booking details: arrival and departure dates, number of guests, number/age of children, selected property, and any special requests/comments.
• Communication content: messages you send us (e.g. by email, contact form, or via phone/WhatsApp/SMS if you choose to use those channels).

b) Payment and invoicing data

For card payments, payment data (e.g. card/transaction details) is processed by our payment provider. We typically receive confirmation and settlement information (e.g. payment status and a transaction reference), but not full card details. For invoices, we process the information necessary to issue and manage invoices (name, address, service period, amounts).

c) Technical data when using the website (server/log data)

When you access our website, technically necessary data may be processed (e.g. IP address, date/time, page requested, browser/device information, referrer URL, error messages). This data is typically stored in server logs and is used for technical delivery, security and troubleshooting.

3) What we use your data for (purposes)

We process personal data for the following purposes: Booking enquiries and booking fulfilment (e.g. availability checks, booking confirmation, pre-arrival communication, house information, check-in/key instructions). Payment processing and invoicing (including the balance payment invoice). Operation, security and improvement of the website (technical delivery, prevention of misuse, error analysis). Compliance with legal obligations, especially accounting/tax requirements and any statutory guest reporting obligations. Contact before, during and after your stay, e.g. important travel/stay information and—where permitted—information about future availability/offers.

4) Legal bases for processing

Depending on the purpose, we process personal data on one or more of the following legal bases under the GDPR: Performance of a contract / pre-contractual steps (Art. 6(1)(b) GDPR): e.g. booking, booking-related communications, invoices/balance payment. Legal obligation (Art. 6(1)(c) GDPR): e.g. statutory retention and record-keeping duties. Legitimate interests (Art. 6(1)(f) GDPR): e.g. IT security, misuse prevention, efficient communication, and maintaining relationships with past guests. Consent (Art. 6(1)(a) GDPR): where consent is required in individual cases (e.g. depending on legal requirements for certain types of electronic marketing).

5) Marketing and post-stay offers (opt-out)

From time to time, we may send guests and interested parties information about similar offers (e.g. availability, seasonal offers, returning-guest discounts). This is usually sent by email. Where permitted, the legal basis is our legitimate interest in maintaining relationships with past guests (Art. 6(1)(f) GDPR). You can object at any time (opt out), for example by emailing info@eslanz.com . We do not send marketing messages via phone/WhatsApp/SMS. We use those channels only for booking-related information and emergencies. We aim to keep marketing communications infrequent (generally no more than a few messages per year).

6) Recipients / service providers (processors)

To provide our services, we use service providers who may process personal data on our behalf, in particular: Smoobu (website and booking system) Stripe (payment processing for card payments) IONOS (email and/or hosting/IT services, where used) Check-in / registration service (for any legally required guest registration; collection is carried out through the service and we do not store ID copies) Property management / cleaning / tradespeople: access only to what is necessary (typically name, stay dates and, where relevant, arrival/departure information) to provide and maintain the accommodation. You can request an up-to-date and more detailed list of the service providers we use by contacting us.

7) International transfers (outside the EEA)

Some service providers (e.g. cloud/IT services or payment providers) may process data outside the European Economic Area (EEA). Where this occurs, we ensure an appropriate legal mechanism is in place (e.g. an adequacy decision, Standard Contractual Clauses and/or additional safeguards).

8) Retention periods

We keep personal data only for as long as necessary for the relevant purposes or as required by law: Booking/contract and invoicing data: generally for the duration of statutory retention periods. In Spain, business records are typically retained for up to six years under commercial law; tax retention periods may differ. Booking-related communications: as long as needed to process and document the matter, and thereafter in line with legal obligations and/or legitimate interests (e.g. evidence/defence of claims). Marketing/returning-guest contact: until you opt out or the purpose no longer applies. We do not store copies of identity documents.

9) Security measures

We apply appropriate technical and organisational measures to protect your data (e.g. access controls, role-based/need-to-know access, backups). Booking and guest data is accessible only to a small number of family members and necessary service providers (see “Recipients”), and only to the extent required.

10) Cookies and similar technologies

Our website may use technically necessary cookies/functions required for the website and booking process to work properly. As of today, we do not intentionally use analytics or marketing tracking tools. Please note that because the website is provided via a website builder/booking system, technically required cookies may be set by the system.

11) Your rights

Subject to the legal requirements, you have the right to: access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR), and to object to processing based on legitimate interests (Art. 21 GDPR)—in particular, to object to direct marketing. You can also withdraw consent at any time with effect for the future (Art. 7(3) GDPR). To exercise your rights, simply email info@eslanz.com .

12) Right to lodge a complaint

You have the right to lodge a complaint with a data protection authority. The competent authority is generally the authority in your place of habitual residence or workplace. In Spain, the supervisory authority is the Agencia Española de Protección de Datos (AEPD).

13) Changes to this privacy policy

We may update this privacy policy from time to time (for example, if our processes or service providers change). The current version published on this website applies.