Legal

Privacy Policy

Last updated: 21 March 2026

This policy explains how we collect, use, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Spanish data protection law (LOPDGDD).

1. Who we are (data controller)

The data controller responsible for your personal data is:

Company[YOUR COMPANY NAME]

Address[YOUR REGISTERED ADDRESS], Granada, Spain

Emailorders@alhambra-booking.com

VAT / CIF[YOUR TAX ID]

If you have any questions about how we handle your data, contact us at orders@alhambra-booking.com.

2. What data we collect and why

We collect only the data necessary to fulfil your booking:

a) Booking & identity data

What: First name, last name, email address, ticket type, visit date, time slot, visitor count.

Why: To process your booking, secure tickets on your behalf, and deliver them to you.

Legal basis: Performance of a contract (Article 6(1)(b) GDPR).

b) Payment data

What: Payment card details are collected and processed exclusively by Stripe, Inc. We never see or store your full card number, CVV, or expiry date. We only store the Stripe Payment Intent ID and the charged amount.

Legal basis: Performance of a contract (Article 6(1)(b) GDPR).

c) Communication data

What: Emails you send us and our replies.

Why: To respond to your enquiries and resolve issues.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR).

3. How long we keep your data

Order records7 years (Spanish commercial & tax law obligation)

Support emails2 years from last contact

Incomplete bookings30 days, then deleted automatically

After the retention period, data is securely deleted or anonymized.

4. Who we share your data with

We share only the minimum necessary data with the following third-party processors, each bound by a Data Processing Agreement:

Stripe, Inc.Payment processing. Data may be transferred to the US under Standard Contractual Clauses.

Supabase, Inc.Database hosting (EU region: Frankfurt). Order and availability data.

Resend, Inc.Transactional email delivery. Your email address and ticket details are sent to deliver your confirmation.

Vercel, Inc.Website hosting. Processes request logs containing IP addresses.

We do not sell, rent, or trade your personal data with any third parties for marketing purposes.

5. International data transfers

Some of our processors (Stripe, Resend, Vercel) are based in the United States. Where data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable

You can request a copy of the relevant safeguards by emailing us at orders@alhambra-booking.com.

6. Your rights under GDPR

As a data subject under the GDPR, you have the following rights. To exercise any of them, contact us at orders@alhambra-booking.com — we will respond within 30 days.

Right of access (Art. 15)

Request a copy of all personal data we hold about you.

Right to rectification (Art. 16)

Ask us to correct inaccurate or incomplete data.

Right to erasure (Art. 17)

Request deletion of your data where we have no legal obligation to retain it.

Right to restriction (Art. 18)

Ask us to pause processing your data in certain circumstances.

Right to data portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to object (Art. 21)

Object to processing based on legitimate interests.

Right to withdraw consent

Where we rely on consent, you may withdraw it at any time without affecting prior processing.

7. Right to lodge a complaint

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Spanish data protection authority:

AuthorityAgencia Española de Protección de Datos (AEPD)

Websitewww.aepd.es

Phone+34 901 100 099

AddressC/ Jorge Juan, 6, 28001 Madrid, Spain

We would, however, appreciate the chance to address your concern directly before you contact the AEPD — please email us first.

8. Cookies & tracking

Our website uses only functional, session-based storage (via the browser'ssessionStorage) to carry your booking selection across steps. This data is never sent to a server and is cleared automatically when you close the browser tab.

We do not use advertising trackers, third-party analytics cookies, or any persistent cross-site tracking cookies.

9. Data security

We take appropriate technical and organizational measures to protect your data, including:

All data transmitted over TLS/HTTPS encryption
Payment card data never touches our servers — handled entirely by Stripe
Database access restricted by row-level security policies
Admin access protected and restricted to authorized personnel

10. Children's privacy

Our service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently done so, please contact us and we will delete the data promptly.

11. Changes to this policy

We may update this privacy policy from time to time. The date at the top of this page reflects the most recent revision. Where changes are material, we will notify you by email if we hold your contact details.