Informativa sulla privacy | Island Tour Transfer GDPR

Last updated: April 12, 2025

1. Introduction

Welcome to Island Tour & Transfer SLU ("us", "we", "our"). We are firmly committed to protecting your privacy. This Privacy Policy describes our practices regarding the collection, use, storage, protection and communication of your personal data. We process your data in a transparent, fair and lawful manner, adhering strictly to the principles and requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on the protection of personal data and guarantee of digital rights (LOPDGDD).

Our commitment to the principles of data protection:

All our data processing activities are guided by the fundamental principles of the GDPR:

Lawfulness, Fairness and Transparency: We process data lawfully, fairly and provide clear information about our practices.
Purpose limitation: Data are collected for specified, explicit and legitimate purposes and are not subjected to processing incompatible with those purposes.
Data minimization: We only collect data that is adequate, relevant and limited to what is necessary for the purpose.
Accuracy: We strive to keep data accurate and up to date and provide mechanisms for rectification.
Retention period limitation: Data are kept identifiable only for as long as necessary for the purposes.
Integrity and Confidentiality: We implement appropriate security measures to protect the data.
Proactive accountability: We undertake the responsibility to demonstrate compliance with these principles.

This Privacy Policy explains:

Who is responsible for your data.
What personal data we collect and how.
The specific purposes and the legal bases for the processing of your data.
How long we retain your data.
With whom we may share your data (Recipients, Processors).
Information about international data transfers.
The security measures we implement.
Your data protection rights and how to exercise them.
How to contact us or the supervisory authority.

This policy applies to personal data collected through our websitehttps://islandtourtransfer.com(el "Website"), our booking channels (online form, email, phone, WhatsApp) and during the provision of our private transfer services.

2. Who is responsible for your data (data controller)?

The entity responsible for the processing of your personal data (the "Data Controller") is:

Company name: ISLAND TOUR & TRANSFER SLU
NIF: B 16561540
Registered office: Calle Ramon Llull, 52 Piso 2B, 07320 Santa Maria del Cami, Islas Baleares, España.
Contact email: [email protected]
Phone:+34 637 548 711
Website: https://islandtourtransfer.com

3. Data Protection Officer (DPO)

ISLAND TOUR & TRANSFER SLU has assessed its processing activities in accordance with Article 37 of the GDPR and Article 34 of the LOPDGDD and has determined that, at this time, the appointment of a Data Protection Officer is not legally mandatory for our organization. For any questions or concerns relating to your privacy or this policy, please contact us directly using the details provided in Section 2 or Section 15.

4. What personal data do we collect?

We may collect and process the following categories of personal data depending on your interaction with us:

Identification data: Full name, Tax ID/Passport number (if required for invoicing or legal compliance).
Contact data: Email address, phone number, postal address (for pickup/drop-off if not a standard location such as airport/port/hotel).
Booking and service data: Pickup and drop-off locations and times, flight or cruise data (to monitor arrivals), number of passengers (including children/infants), child seat requirements, luggage details, special requests related to the service.
Payment data: Although we offer payment to the driver, if online payment is processed through our website or a payment link, card data may be collected directly by our secure third-party payment processor (we normally do not store full card data). For cash payments, payment data is not stored electronically. For card payments to the driver, data are processed through the payment terminal provider.
Communication data: Records of communications by email, WhatsApp, phone calls or contact forms on our website.
Website usage data (through cookies): IP address (potentially anonymized), browser type, operating system, referrer URL, pages visited, time on pages, interaction data. These data are primarily collected through cookies and similar technologies, subject to your explicit consent choices managed via our cookies banner and detailed in our Cookies Policy.
Data related to incidents/claims: Information provided in relation to incidents, accidents, complaints or claims during the provision of the service.

We do not intentionally collect sensitive data (e.g., health information, religious beliefs) unless you voluntarily provide them as part of a special request relevant to the service (e.g., need for assisted vehicle accessibility, which could imply a health condition), in which case we will process them only for that specific purpose and with your explicit consent or when necessary for the provision of the service.

5. How do we collect your data?

We collect personal data by various means:

Directly from you: When you fill out the booking form on our Website, you contact us by email, phone or WhatsApp to make a booking or inquiry, or you contact us during the service.
Automatically by technology: When you browse our Website, certain data (such as IP address, browsing patterns) may be collected automatically through cookies and similar technologies. The collection of non-essential cookies is subject to your explicit consent, managed via our cookies banner and detailed in our Cookies Policy.
From third parties: In some cases, bookings may be made through travel agencies or partners acting on your behalf who provide us with your booking data.

6. Why do we process your data (purposes and legal bases)?

We process your personal data only for purposes that are specified, explicit and legitimate, ensuring that we always have a valid legal basis in accordance with Article 6 of the GDPR. We clearly link each purpose to its corresponding legal basis:

Purpose	Examples of data used	Legal basis (Art. 6 GDPR) and explanation
Manage and satisfy your booking/service request	Identification data, contact data, booking/service data, payment data (if applicable)	Art. 6(1)(b): Performance of a contract. Processing is necessary to manage your booking and prepare the contracted service.
Provide the transportation service	Identification data, contact data, booking/service data (pickup/drop-off, flight monitoring)	Art. 6(1)(b): Performance of a contract. Processing is necessary to execute the agreed transportation service.
Communicate with you about your booking/service	Contact data, booking data, communication data	Art. 6(1)(b): Performance of a contract. Essential communications (confirmations, updates, driver contact) necessary for the provision of the service.
Process payments and manage invoicing	Identification data, contact data, booking data, payment data (processed by provider), NIF	Art. 6(1)(b): Performance of a contract(payment processing). Art. 6(1)(c): Legal obligation(issuance of invoices, tax compliance).
Comply with legal and regulatory obligations	Identification data, booking data, billing data	Art. 6(1)(c): Legal obligation. Necessary to comply with applicable laws (e.g., transport regulations, tax laws, accounting records).
Attend to inquiries, complaints or claims	Identification data, contact data, booking data, communication data, incidents	Art. 6(1)(f): Legitimate interest. Our legitimate interest is to provide customer support, manage feedback and establish, exercise or defend legal claims. You have the right to object to processing based on legitimate interest (see Section 10).
Improve our Website and services (analytics)	Website usage data (through cookies)	Art. 6(1)(a): Consent. Your explicit consent obtained through our cookies banner for non-essential analytics cookies. See the Cookies Policy.
Provide personalized advertising (marketing)	Website usage data (through cookies)	Art. 6(1)(a): Consent. Your explicit consent obtained through our cookies banner for marketing cookies. See the Cookies Policy.
Ensure website security and prevent fraud	IP address, website usage data	Art. 6(1)(f): Legitimate interest. Our legitimate interest is to protect our IT systems, prevent fraudulent activities and ensure network security. You have the right to object (see Section 10).
Send marketing communications (if you have given your consent)	Contact data (email/phone)	Art. 6(1)(a): Consent. Requires your explicit and separate consent (e.g., ticking a specific box). You may withdraw this consent at any time.

We will not use your personal data for purposes incompatible with those listed above, unless required or permitted by law, or if you provide additional consent.

7. How long do we retain your data (retention periods)?

We retain your personal data only for as long as necessary to fulfil the purposes for which they were collected, including to comply with legal, accounting or reporting obligations.

Booking and service data: Retained for as long as necessary to provide the service and, subsequently, for the period required to manage potential claims or comply with legal obligations (e.g., typically up to 6 years for commercial/tax records in Spain, or longer if prescription periods for claims apply).
Communication data: Retained as long as necessary to address the inquiry or manage the relationship, and potentially longer if related to a booking or claim subject to legal retention periods.
Website usage data (cookies): Retention periods vary depending on the cookie type (session or persistent) as detailed in our Cookies Policy. Cookie consent for non-essential cookies is typically valid for up to 24 months.
Marketing consent data: Retained until you withdraw your consent.

Once the retention period necessary for the primary purpose has expired, the data may beblocked– retained solely for the purpose of making them available to competent public authorities, courts or tribunals, for the handling of potential liabilities arising from the processing, during the applicable retention period – before being securely and permanently deleted or fully anonymized.

8. With whom do we share your data (recipients)?

We do not sell your personal data. We only share your data when necessary for the purposes described in Section 6 and with the appropriate legal basis and safeguards. We distinguish between:

A. Data Processors:

They are third-party service providers who process dataon our behalf and under our instructions. We prioritize the use of providers located in the European Union (EU) or the European Economic Area (EEA) when possible. We have legally binding contracts (as required by Art. 28 GDPR) with all processors to ensure that they protect your data and use it solely for the contracted services. Categories include:

IT and infrastructure providers:
Cloudflare: Provides website security (CDN, WAF) and performance services. Although Cloudflare operates globally, data processing may occur outside the EEA (see Section 9).
Google Cloud Platform (GCP): May be used for backend services or data storage. We strive to configure these services to use EU data centers where possible, but processing may involve international aspects (see Section 9).
Web hosting: Our main web hosting (Cloudflare Pages) leverages a global network; content delivery may occur from servers outside the EEA, though the central data processing aligns with Cloudflare policies (see Section 9).
Email service providers: Providers used to send transactional or marketing emails (where applicable), preferably based in the EEA.
Communication platform providers:
Meta Platforms Ireland Limited: Provides WhatsApp Business Platform/API services. Processing is mainly in the EEA but involves necessary transfers to Meta Platforms, Inc. (USA) (see Section 9).
Payment processors: Secure third-party providers, often based in the EEA, that process online or on-terminal payments.
Analytics providers:
Google LLC: Provides Google Analytics (subject to your cookie consent). Data processed by Google involve international transfers (see Section 9).
Advertising providers:
Google LLC: Provides Google Ads services (subject to your cookie consent). Data processed by Google involve international transfers (see Section 9).
Professional advisors: External accountants, lawyers, auditors, typically located in Spain/EEA (acting under confidentiality obligations).

B. Disclosures to Responsible Third Parties:

They are third parties to whom we may disclose data and who will process it for theirown purposesas independent controllers. These transfers are made only when required by law or with your explicit consent:

Public authorities: Tax authorities, transport authorities, law enforcement, courts, when required by law or legal process.
Collaborating transport providers: In specific cases where we must subcontract part of the service (e.g., due to high demand or specific vehicle needs), we may share essential booking data (name, contact, service details) with another authorized transport provider to fulfill your request. This transfer is based on theperformance of a contract (Art. 6(1)(b))as it is necessary to provide the service you reserved. We ensure these collaborators also comply with data protection regulations.
Advertising partners: Such as Google Ads (subject to your cookie consent), which process data collected via cookies for their own advertising purposes according to their policies.

We require all recipients to respect the security of your personal data and to process it in accordance with the law.

9. International data transfers

Although we prioritize the use of services and infrastructures located within the European Economic Area (EEA), the use of certain essential third-party services requires the transfer of personal data outside the EEA. This currently applies to:

Google LLC (USA): For Google Analytics, Google Ads, Google Tag Manager and potentially Google Cloud Platform services.
Meta Platforms, Inc. (USA): As part of processing for WhatsApp Business services provided via Meta Platforms Ireland Limited.
Cloudflare, Inc. (USA): For website security, performance (CDN) and hosting services (Pages).

These transfers are necessary for the provision of their respective services. These companies process data in accordance with their own privacy policies. Transfers to the United States are currently made under the framework of the EU-US Data Privacy Framework.(for companies certified such as Google, Meta, Cloudflare) or on the basis of Standard Contractual Clauses (SCCs)adopted by the European Commission, which provide safeguards for the protection of personal data. You can find more information about transfer mechanisms and these providers' privacy practices in their respective privacy policies:

By using our services and consenting to the relevant cookies (where applicable), you acknowledge these necessary international transfers under the safeguards specified. If other third-party services involve international transfers, details will be provided here or in their respective policies.

We ensure that such transfers comply with Chapter V of the GDPR. Currently, transfers to companies certified in the USA may be covered by the adequacy decision of the EU-US Data Privacy Framework.(for companies certified such as Google, Meta, Cloudflare) or on the basis of Standard Contractual Clauses (SCCs)adopted by the European Commission, potentially supplemented with additional technical and organizational measures assessed through a Transfer Impact Assessment (TIA), to ensure that your data receive a level of protection essentially equivalent to that within the EEA. You can request more information about the guarantees applied to international transfers by contacting us.

Right to rectification (Art. 16 GDPR):

Request correction of inaccurate personal data or completion of incomplete data. Right to erasure ('right to be forgotten') (Art. 17 GDPR): Request deletion of your personal data when no longer necessary for the purposes, withdraw your consent (if applicable), object and no overriding legitimate grounds exist, or the data have been unlawfully processed, among other cases. This right is subject to legal retention obligations. Right to restriction of processing (Art. 18 GDPR): Request the suspension of processing when you dispute the accuracy of the data, processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected while we verify our legitimate grounds.

Right to data portability (Art. 20 GDPR):

Receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and transmit them to another controller when the processing is based on consent or on a contract and carried out by automated means.

Right to object (Art. 21 GDPR): Object, on grounds relating to your particular situation, to processing based on our legitimate interests (Art. 6(1)(f)). We suspend processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. You have an absolute right to object
to processing fordirect marketing purposes
at any time. Right not to be subject to decisions based solely on automated processing (Art. 22 GDPR):
Right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or significantly affect you. (As noted previously, we currently do not undertake such processing.)Right to withdraw consent (Art. 7(3) GDPR):
When processing is based on your consent (e.g., non-essential cookies, marketing emails), you may withdraw it at any time easily. The withdrawal does not affect the lawfulness of processing carried out before withdrawal. Manage cookie consent through our Cookies Policy
or the settings link. Unsubscribe from marketing emails via the link included in them. How to exercise your rights: To exercise any of these rights, submit a written request, clearly identifying yourself and specifying the right(s) you wish to exercise, to the contact details provided in Section 2 (email: [email protected]is the preferred method for faster processing). We may request proof of identity to ensure data security. We will respond to your request at no cost within one month, extendable by up to two additional months if necessary, depending on the complexity and number of requests. We will inform you of any extension within the first month.11. Data security
We are committed to protecting the security of your personal data. We implement appropriate technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or processed. These measures are chosen based on the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to your rights and freedoms. Access to your personal data is restricted to authorized personnel who need it to perform their duties and are bound by confidentiality obligations.12. Minors' data
Our services are intended for bookings made by adults (over 18). We do not knowingly collect personal data directly from minors under 14 (as per Article 7 of the LOPDGDD) without verifiable parental or guardian consent, except when necessary data are provided (such as age for child seat requirements) by the adult making the booking, solely for the purpose of providing the service safely and in compliance with the law. If we become aware that we have collected personal data from a minor under 14 without such consent, we will take immediate steps to delete that information.13. Links to other websites Our Website may contain links to other websites not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly encourage you to review the Privacy Policy of every site you visit. We have no control over and do not assume responsibility for the content, privacy policies or practices of third-party sites or services.14. Changes to this privacy policy

We may periodically update this Privacy Policy. We will notify you of any changes by publishing the new Privacy Policy on this page and updating the "Last updated" date at the top. We encourage you to review this Privacy Policy periodically to be aware of any changes.

15. Contact us If you have any questions about this Privacy Policy, our data processing practices or wish to exercise your data protection rights, please do not hesitate to contact us via the following channels: Preferred method (for rights requests):

Email to

[email protected]

Postal address:

ISLAND TOUR & TRANSFER SLU, Attn: Privacy Inquiry, Calle Ramon Llull, 52 Piso 2B, 07320 Santa Maria del Cami, Islas Baleares, España.

Phone (for general inquiries):

+34 637 548 711

16. Supervisory authority

You have the right to lodge a complaint at any time with the competent data protection supervisory authority. The competent authority in Spain is the Spanish Data Protection Agency (AEPD).

Website:

www.aepd.es

Address: C/ Jorge Juan, 6, 28001-Madrid, España. Phone:
+34 900 293 183Nevertheless, we would appreciate the opportunity to address your concerns before you approach the AEPD, so please contact us in the first instance.
Teléfono (para consultas generales):+34 637 548 711

16. Autoridad de control

Usted tiene derecho a presentar una denuncia en cualquier momento ante la autoridad de control competente en materia de protección de datos. La autoridad competente en España es la Agencia Española de Protección de Datos (AEPD).

Sitio web: www.aepd.es
Dirección: C/ Jorge Juan, 6, 28001-Madrid, España.
Teléfono:+34 900 293 183

No obstante, agradeceríamos la oportunidad de atender sus inquietudes antes de que se dirija a la AEPD, por lo que le rogamos que nos contacte en primera instancia.