Privacy policy
This privacy policy describes how TADASANA ATMAN SL (hereinafter, "the Controller") collects, processes and protects the personal data of users of the website balconessanfermin.com, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights (LOPDGDD).
1. Data controller
- Identity: TADASANA ATMAN SL
- Tax ID (CIF): B71460125
- Postal address: Av. Pío XII 1-3F, 31002 Pamplona, Navarra, España
- Contact email: info@balconessanfermin.com
- Email for exercising rights: privacidad@balconessanfermin.com
- Phone: +34 669 57 37 01
2. Personal data we collect
Depending on the user's interaction with the Site, we may collect the following categories of data:
a) Balcony reservation
- First and last name
- Email address
- Phone number (optional)
- Country of residence
- Booking data (date, balcony, tier, extras)
Note: payment data (card number, CVV, expiry date) is handled directly by Stripe and is never stored on our servers.
b) Contact form
- Name
- Email address
- Phone number (optional)
- Subject and message content
c) Browsing data
- IP address
- Browser and device type
- Pages visited and time spent
- Cookies (see Cookies policy)
3. Purposes of processing
| Purpose | Legal basis | Retention period |
|---|---|---|
| Management of reservations and provision of the contracted service | Performance of contract (art. 6.1.b GDPR) | 5 years from the date of the event (tax obligations, Ley General Tributaria art. 66) |
| Payment processing via Stripe | Performance of contract (art. 6.1.b GDPR) | 5 years from the date of the event (tax obligations, Ley General Tributaria art. 66) |
| Sending booking confirmations, access and reminders | Performance of contract (art. 6.1.b GDPR) | 5 years from the date of the event (tax obligations, Ley General Tributaria art. 66) |
| Handling enquiries (contact form) | Consent of the data subject (art. 6.1.a GDPR) | 12 months from the response to the enquiry |
| Compliance with tax and invoicing obligations | Legal obligation (art. 6.1.c GDPR) | 6 years (art. 30 Código de Comercio) |
| Marketing communications about future editions | Explicit consent (art. 6.1.a GDPR, art. 21 LSSI) | Until consent is withdrawn |
4. Recipients and processors
Personal data may be shared with the following third parties, exclusively for the purposes indicated:
| Processor | Purpose | Country | Safeguards |
|---|---|---|---|
| Stripe Technology Europe, Limited | Card payment processing | Ireland (data may be transferred to the US) | Data Processing Agreement in accordance with the GDPR; PCI DSS Level 1 certification; Standard Contractual Clauses (SCC) for transfers to the US |
| Resend, Inc. | Sending transactional emails (booking confirmations, reminders) | United States | Data Processing Agreement; Standard Contractual Clauses (SCC) approved by the European Commission |
| Hetzner Online GmbH | Web hosting and database | Germany | Servers in the EU (Germany); GDPR-compliant DPA; ISO 27001 certification |
Additionally, data may be communicated to Public Administrations where there is a legal obligation (Tax Agency, judicial authorities, etc.).
5. International data transfers
Some of our processors (Stripe, Resend) are based or process data in the United States. These transfers take place under the following safeguards, in accordance with Chapter V of the GDPR:
- Standard Contractual Clauses (SCC) approved by the European Commission (Implementing Decision 2021/914).
- Data Processing Agreements (DPA) signed with each provider including the safeguards required by the GDPR.
- Transfer Impact Assessments (TIA) carried out according to EDPB recommendations.
6. Rights of the data subject (arts. 15-22 GDPR)
The user may exercise the following rights at any time:
- Access (art. 15): To know whether we process their personal data and, where applicable, to obtain a copy.
- Rectification (art. 16): To request the correction of inaccurate or incomplete data.
- Erasure (art. 17): To request the deletion of their data when it is no longer necessary for the purposes for which it was collected.
- Restriction (art. 18): To request the restriction of processing in certain circumstances.
- Portability (art. 20): To receive the data in a structured, commonly used and machine-readable format.
- Objection (art. 21): To object to the processing of their data for reasons related to their particular situation.
- Not to be subject to automated decisions (art. 22): No profiling or automated decisions with legal effects are made.
- Withdraw consent (art. 7.3 GDPR): When processing is based on their consent, it may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.
How to exercise your rights? Send an email to privacidad@balconessanfermin.com, indicating:
- The right you wish to exercise.
- Your full name and associated email address.
- Copy of identification document (ID, passport or equivalent).
We will respond within a maximum of one month from receipt of the request, extendable by two additional months in cases of complexity (art. 12.3 GDPR).
7. Right to lodge a complaint
If you consider that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) (Spanish Data Protection Agency):
- Web: https://www.aepd.es
- Phone: 901 100 099
8. Security measures
TADASANA ATMAN SL has adopted the technical and organisational measures necessary to ensure the security and integrity of personal data, in accordance with article 32 of the GDPR, including:
- HTTPS/TLS encrypted communications throughout the Site.
- Payments processed by Stripe, PCI DSS Level 1 certified (highest level of security in the payments industry).
- Restricted access to personal data limited to authorised personnel.
- Periodic database backups.
- Passwords stored with secure hashing (never in plain text).
9. Minors
The Site and its services are not aimed at minors under 16 years of age. We do not knowingly collect data from minors of that age. If the user is under 16, they must have the consent of their parents or legal guardians.
10. Modifications to this policy
TADASANA ATMAN SL reserves the right to modify this privacy policy to adapt it to legislative or jurisprudential developments. In the event of a substantial change, users will be notified by email or by a prominent notice on the Site.
Last updated: March 2026.