# Privacy Policy
**Last Updated: 5.11.2025**
www.spaways.com (“we,” “us,” or “our”) is committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable European data protection laws.
Email: info@spaways.com
—
## 1. Information We Collect
### 1.1 Personal Data You Provide
We collect personal data only when you voluntarily provide it:
**Newsletter Subscriptions:**
– Email address
– Name (optional)
– Subscription preferences
**Contact Forms:**
– Name
– Email address
– Message content
**User Comments/Reviews (if applicable):**
– Name (or username)
– Email address
– Comment content
– IP address (for spam prevention)
### 1.2 Automatically Collected Data
When you visit our website, we automatically collect:
**Technical Data:**
– IP address (anonymized where possible)
– Browser type and version
– Device type (desktop, mobile, tablet)
– Operating system
– Referring website URL
– Pages visited and navigation path
– Time and date of visit
– Approximate geographic location (country/city level)
**Cookies and Tracking Data:**
See our Cookie Policy for detailed information about cookies we use.
—
## 2. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
### 2.1 Consent (Article 6(1)(a))
– Newsletter subscriptions
– Cookie consent (non-essential cookies)
– Marketing communications
**You can withdraw consent at any time** by:
– Clicking “unsubscribe” in emails
– Adjusting cookie settings
– Contacting us at info@spaways.com
### 2.2 Legitimate Interests (Article 6(1)(f))
– Website analytics and improvement
– Fraud prevention and security
– Affiliate link tracking (see section 5)
– Understanding user behavior
We have assessed that our legitimate interests do not override your rights and freedoms.
### 2.3 Legal Obligation (Article 6(1)(c))
– Complying with tax and accounting requirements
– Responding to legal requests
—
## 3. How We Use Your Personal Data
### 3.1 Website Operation
– Delivering website content and functionality
– Maintaining website security
– Troubleshooting technical issues
### 3.2 Communication
– Sending newsletters (with your consent)
– Responding to your inquiries
– Notifying you of important updates
### 3.3 Analytics and Improvement
– Understanding website traffic and user behavior
– Improving content and user experience
– Identifying popular articles and hotels
### 3.4 Affiliate Marketing
– Tracking referrals to booking platforms
– Earning commissions on completed bookings
– See our Affiliate Disclosure for more information
### 3.5 Legal Compliance
– Complying with applicable laws and regulations
– Protecting our legal rights
—
## 4. Cookies and Tracking Technologies
We use cookies to enhance your experience. Our Cookie Policy provides detailed information about:
– Types of cookies we use
– Purpose of each cookie
– How to manage cookie preferences
– Third-party cookies
**Cookie Consent:**
We use a cookie consent banner to obtain your permission for non-essential cookies in compliance with the GDPR and the ePrivacy Directive.
—
## 5. Sharing Your Personal Data
### 5.1 Third-Party Service Providers
We share data with trusted service providers who process data on our behalf:
**Analytics Providers:**
– **Google Analytics** (with IP anonymization enabled)
– Location: USA (EU-US Data Privacy Framework certified)
– Purpose: Website analytics
– Data shared: Anonymized usage data
– Privacy Policy: https://policies.google.com/privacy
**Email Service Providers (if applicable):**
– **Mailchimp / ConvertKit / [Your Provider]**
– Location: [Country]
– Purpose: Newsletter delivery
– Data shared: Email address, name
– GDPR-compliant: Yes
**Hosting Provider:**
– **[Your Hosting Provider – e.g., Cloudflare, AWS]**
– Location: EU data centers
– Purpose: Website hosting and CDN
– Data shared: Technical data
**Affiliate Networks:**
– **Booking.com, Agoda, etc.**
– Purpose: Tracking referrals and commissions
– Data shared: Anonymized click and booking data (not personal details)
– Note: Once you click through, their privacy policies apply
### 5.2 Legal Requirements
We may disclose your data if required by law, court order, or regulatory authority.
### 5.3 Business Transfers
If we are involved in a merger, acquisition, or asset sale, your data may be transferred. We will notify you of any change in data controller.
### 5.4 We Do NOT Sell Your Data
We never sell, rent, or trade your personal information to third parties.
—
## 6. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), particularly in the United States.
**Safeguards in place:**
– **EU-US Data Privacy Framework** (formerly Privacy Shield)
– **Standard Contractual Clauses (SCCs)** approved by EU Commission
– **Adequacy decisions** where applicable
We ensure all transfers comply with GDPR Chapter V.
—
## 7. Data Retention
We retain your personal data only as long as necessary:
| Data Type | Retention Period |
|-----------|------------------|
| Newsletter subscriptions | Until you unsubscribe + 30 days |
| Contact form inquiries | 2 years |
| Website analytics data | 26 months (Google Analytics default) |
| Cookie consent records | 12 months |
| User comments | Indefinitely (unless deletion requested) |
| Legal/tax records | As required by law (typically 7-10 years) |
After retention periods expire, we securely delete or anonymize your data.
—
## 8. Your Rights Under GDPR
You have the following rights regarding your personal data:
### 8.1 Right of Access (Article 15)
Request a copy of personal data we hold about you.
### 8.2 Right to Rectification (Article 16)
Correct inaccurate or incomplete data.
### 8.3 Right to Erasure / “Right to be Forgotten” (Article 17)
Request deletion of your personal data when:
– No longer necessary for the purpose collected
– You withdraw consent
– You object to processing
– Data was unlawfully processed
**Exceptions:** We may retain data if required by law or for legal claims.
### 8.4 Right to Restriction of Processing (Article 18)
Limit how we use your data in certain circumstances.
### 8.5 Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format.
### 8.6 Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing.
### 8.7 Rights Related to Automated Decision-Making (Article 22)
We do not use automated decision-making or profiling.
### 8.8 Right to Withdraw Consent
Withdraw consent at any time (does not affect prior lawful processing).
### 8.9 Right to Lodge a Complaint
You have the right to complain to your national data protection authority:
**EU Data Protection Authorities:**
Find your authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en
**Example Supervisory Authorities:**
– **UK**: Information Commissioner’s Office (ICO) – https://ico.org.uk
– **Germany**: Your state’s Datenschutzbeauftragter
– **France**: CNIL – https://www.cnil.fr
– **Spain**: AEPD – https://www.aepd.es
—
## 9. How to Exercise Your Rights
To exercise any of your rights, contact us:
**Email**: privacy@[yourdomain.com]
**Subject Line**: “GDPR Data Subject Request”
**Please include:**
– Your full name
– Email address
– Specific right you wish to exercise
– Details of your request
**Response Time**: We will respond within **one month** (extendable to 3 months for complex requests).
**Verification**: We may request additional information to verify your identity.
—
## 10. Data Security
We implement appropriate technical and organizational measures to protect your data:
**Technical Measures:**
– SSL/TLS encryption (HTTPS)
– Secure hosting infrastructure
– Regular security updates and patches
– Firewalls and intrusion detection
**Organizational Measures:**
– Access controls (limited staff access)
– Regular staff training on data protection
– Data breach response procedures
– Privacy by design and default
**However**: No method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
—
## 11. Data Breach Notification
In the event of a personal data breach that risks your rights and freedoms:
– We will notify our supervisory authority within **72 hours**
– We will inform affected individuals without undue delay
– We will take steps to mitigate harm
—
## 12. Children’s Privacy
Our website is not directed at children under 16 years old. We do not knowingly collect personal data from children.
If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@[yourdomain.com].
—
## 13. Third-Party Websites
Our website contains links to third-party websites, including:
– Hotel booking platforms (Booking.com, Agoda, etc.)
– Social media platforms
– Other travel websites
**We are not responsible** for the privacy practices of these websites. Please review their privacy policies before providing personal data.
**Important**: When you click an affiliate link and proceed to a booking platform, that platform’s privacy policy applies to your booking process and data.
—
## 14. Affiliate Marketing Transparency
We participate in affiliate marketing programs. When you make a booking through our affiliate links:
**What we receive:**
– Commission from the booking platform (not from you)
– Anonymized aggregate data (e.g., number of bookings)
**What we do NOT receive:**
– Your personal booking details
– Your payment information
– Your personal identity
See our Affiliate Disclosure page for more information.
—
## 15. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect:
– Changes in data processing activities
– New legal requirements
– Improved privacy practices
**Notification:**
– Updated “Last Updated” date at the top
– Significant changes: Email notification to newsletter subscribers
– Continued use of website constitutes acceptance
—
## 16. Contact Us
**Email**: info@spaways.com
**Response Time**: Within 48 hours for general inquiries, 1 month for GDPR requests
—
**Language**: This Privacy Policy is provided in English. If translated, the English version prevails in case of discrepancies.

