Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller for your personal data is:

STAYFRITZ SPAIN, S.L.
CIF: B26591909
Avenida Central, 18
07184 El Toro, Calvià
Mallorca, Balearic Islands, Spain
Email: thomas.langenberg@stayfritz.com

For any questions regarding the protection of your personal data, you can contact us at the address indicated above.

2. Applicable Legislation

This privacy policy is governed by the following regulations:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
  • Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD)
  • Law 34/2002, of July 11, on information society services and electronic commerce (LSSI-CE)

3. Personal Data We Collect

Depending on your relationship with us, we may collect the following categories of personal data:

3.1 Website Visitors

  • IP address and technical device data (browser, operating system)
  • Navigation data and pages visited
  • Language preference cookie (NEXT_LOCALE)

3.2 Contact Form Users

  • Full name
  • Email address
  • Phone number (optional)
  • Property type
  • Message content

3.3 Property Owners (B2B Clients)

  • Identification data (name, ID/passport)
  • Professional contact data
  • Property data (address, tourism license, cadastral registry)
  • Banking and tax data for payments
  • Property performance data (occupancy, revenue)

3.4 Guests (Processed on Behalf of Property Owners)

When we manage properties on behalf of their owners, we process guest data as data processors. This data includes:

  • Booking data (dates, number of guests, preferences)
  • Identification data required by Spanish law (Guest Registration per Royal Decree 933/2021)
  • Payment data processed by third-party booking platforms

4. Purposes of Processing

We process your personal data for the following purposes:

  • Handling inquiries: Responding to your requests submitted through the contact form or by email.
  • Service provision: Hotel management, property management, operations, and hotel technology services in accordance with contractual agreements.
  • Legal compliance: Compliance with tax, accounting, and guest registration obligations under Spanish law.
  • Commercial communications: Sending information about our services, only with your prior consent in accordance with Article 21 of the LSSI.
  • Service improvement: Analysis of website usage to improve user experience and our services.
  • Technology optimization: Use of artificial intelligence tools to optimize pricing, guest communication, and hotel operations. No automated decisions producing legal effects are made without human intervention.

5. Legal Basis for Processing

The processing of your personal data is based on the following legal grounds under Article 6 of the GDPR:

  • Consent (Art. 6.1.a): For sending commercial communications and using the contact form.
  • Contract performance (Art. 6.1.b): For the provision of hotel management, property management, and technology services.
  • Legal obligation (Art. 6.1.c): For compliance with tax, accounting, and guest registration obligations under Royal Decree 933/2021 and Spanish tax regulations.
  • Legitimate interest (Art. 6.1.f): For improving our services, fraud prevention, and website security.

6. Role as Data Controller and Data Processor

STAYFRITZ SPAIN, S.L. acts in a dual role:

  • As data controller: With respect to data from our website visitors, contact form users, and our own direct clients (property owners with whom we maintain a contractual relationship).
  • As data processor: With respect to guest data that we process on behalf of property owners who use our hotel management and technology services. In these cases, the property owner is the data controller and we act in accordance with their instructions and the corresponding data processing agreement.

7. Data Sharing with Third Parties

Your personal data may be shared with the following categories of recipients when necessary:

  • Booking platforms: Booking.com, Airbnb, Expedia, and other distribution channels for booking management.
  • Technology providers: Property management systems (PMS), channel managers, payment processors, and web hosting services.
  • Public authorities: Law enforcement agencies (for guest registration), Tax Authority, and other administrations when required by law.
  • Professional advisors: Auditors, tax advisors, and lawyers subject to confidentiality obligations.

We do not sell or share your personal data with third parties for marketing purposes.

8. International Data Transfers

Some of our technology providers may be located outside the European Economic Area (EEA). In such cases, we ensure that transfers are carried out in compliance with the GDPR, using:

  • Adequacy decisions of the European Commission
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Supplementary security measures when necessary

9. Data Retention

We retain your personal data for the following periods:

  • Contact inquiries: Up to 12 months after handling your request, unless a contractual relationship is established.
  • Contractual data: For the duration of the contract and applicable legal limitation periods.
  • Tax obligations: 4 years under the General Tax Law (Art. 66), or 6 years under the Commercial Code (Art. 30).
  • Guest registration: 3 years under Royal Decree 933/2021.

Once these periods have elapsed, your data will be deleted or irreversibly anonymized.

10. Your Rights

In accordance with the GDPR and LOPDGDD, you have the following rights:

  • Access: Obtain confirmation of whether we process your data and access it.
  • Rectification: Request the correction of inaccurate or incomplete data.
  • Erasure: Request the deletion of your data when it is no longer necessary for the purpose for which it was collected.
  • Restriction: Request the restriction of processing in certain circumstances.
  • Portability: Receive your data in a structured, commonly used, and machine-readable format.
  • Objection: Object to the processing of your data based on legitimate interest or for direct marketing purposes.
  • Automated decisions: Not be subject to decisions based solely on automated processing that produce legal effects.
  • Withdrawal of consent: Withdraw your consent at any time, without affecting the lawfulness of prior processing.

To exercise these rights, send a request to thomas.langenberg@stayfritz.com indicating your name, the right you wish to exercise, and a copy of your identification document.

If you consider that your rights have not been properly addressed, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

11. Cookie Policy

In accordance with Article 22.2 of the LSSI-CE, this website only uses the following technical cookies, strictly necessary for its operation:

CookiePurposeDurationType
NEXT_LOCALEStores the user's language preference1 yearTechnical (first-party)

We do not use analytics, tracking, advertising, or social media cookies. As these are exclusively necessary technical cookies, your prior consent is not required under Article 22.2 of the LSSI-CE.

You can configure your browser to reject or delete cookies. Please note that disabling technical cookies may affect the functioning of the website.

12. Artificial Intelligence and Automated Processing

As part of our Hotel Tech services, we use artificial intelligence tools for:

  • Automated guest communication (chatbots and virtual assistants)
  • Dynamic pricing optimization based on market data
  • Automation of operational tasks (invoicing, reports)

These tools do not make automated decisions that produce significant legal effects on individuals without human intervention. Any relevant decision is reviewed and approved by our team. In accordance with Regulation (EU) 2024/1689 (EU AI Act), we classify our AI systems according to their risk level and apply corresponding transparency measures.

13. Security Measures

We have implemented appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration, including:

  • Encryption of communications via SSL/TLS (HTTPS)
  • Role-based access control for internal systems
  • Hosting on servers within the European Union
  • Regular backups and recovery procedures
  • Staff training on data protection

14. Children's Data

Our website and services are not directed at children under 14 years of age, in accordance with Article 7 of the LOPDGDD. We do not intentionally collect personal data from children under this age. If we detect that we have collected data from a minor without the consent of their legal representative, we will immediately delete it.

15. Changes to This Policy

We reserve the right to modify this privacy policy to adapt it to legislative changes or changes in our data processing practices. Any modification will be published on this page with the date of last update. We recommend that you periodically review this policy.

16. Contact

For any questions about this privacy policy or the processing of your personal data:

STAYFRITZ SPAIN, S.L.
Email: thomas.langenberg@stayfritz.com
Avenida Central, 18, 07184 El Toro, Calvià, Mallorca

Supervisory authority: Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid — www.aepd.es