Privacy Policy
Last updated: 28 April 2026
1. Data Controller
In accordance with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR), Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE), we inform you that the data controller is:
| Field | Details |
|---|---|
| Company | Shanti Som Health Retreat, S.L. |
| Tax ID (CIF) | B92586155 |
| Address | Llanos de Purla km 22, A-355 Marbella–Cártama, 29110 Monda, Málaga, Spain |
| Email | privacy@shantisom.com |
| Phone | +34 952 864 455 |
| Website | www.shantisom.com |
2. Categories of Personal Data We Collect
We collect the following categories of personal data depending on how you interact with us:
2.1 Booking and Guest Data
Name, email address, phone number, postal address, nationality, date of birth, passport or ID number (as required by Royal Decree 933/2021 for traveller registration), payment details, dietary preferences, travel dates, and room preferences.
2.2 Health and Wellness Data
When you book spa treatments or wellness retreats, we may collect health-related information such as medical conditions, allergies, injuries, pregnancy status, or other information relevant to the safe provision of treatments. This data is classified as special category data under Article 9 of the GDPR and is processed only with your explicit consent and solely for the purpose of delivering safe, personalised wellness services.
2.3 Contact and Enquiry Data
Name, email address, phone number, and any information you provide in your message when using our contact forms, email, WhatsApp, or phone.
2.4 Marketing Data
Name, email address, marketing preferences, and engagement data (email opens, clicks) when you subscribe to our newsletter or opt in to receive commercial communications.
2.5 Recruitment Data
Name, contact details, CV, work history, qualifications, and any other information submitted through job applications.
2.6 Technical and Analytics Data
IP address, browser type, device information, pages visited, referring URL, time spent on pages, and interactions with our website. This data is collected through cookies and similar tracking technologies (see Section 8).
3. Purposes of Processing and Legal Basis
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Managing reservations and providing accommodation and retreat services | Performance of a contract (Art. 6.1.b) |
| Processing payments | Performance of a contract (Art. 6.1.b) |
| Responding to contact requests and enquiries | Legitimate interest (Art. 6.1.f) |
| Guest registration as required by Spanish law | Legal obligation (Art. 6.1.c) — Royal Decree 933/2021 |
| Providing spa and wellness treatments safely | Explicit consent for health data (Art. 9.2.a); performance of contract (Art. 6.1.b) |
| Sending newsletters and promotional communications | Consent (Art. 6.1.a) |
| Website analytics and performance improvement | Consent via cookie banner (Art. 6.1.a) |
| Online advertising and remarketing | Consent via cookie banner (Art. 6.1.a) |
| Managing recruitment and job applications | Consent (Art. 6.1.a); pre-contractual measures (Art. 6.1.b) |
| Compliance with tax and accounting obligations | Legal obligation (Art. 6.1.c) |
| Exercising or defending legal claims | Legitimate interest (Art. 6.1.f) |
4. Data Processors and Recipients
We share your personal data only where necessary to fulfil the purposes described above. The following categories of recipients may receive your data:
| Processor / Recipient | Purpose | Location |
|---|---|---|
| Mews Systems B.V. | Property management, bookings, and payment processing | EU (Netherlands) |
| HubSpot, Inc. | CRM, marketing emails, contact forms, and newsletter | USA (EU SCCs) |
| Google LLC (Analytics, Ads) | Website analytics and advertising | USA (EU SCCs) |
| Meta Platforms, Inc. | Advertising, social media integration | USA (EU SCCs) |
| Vercel Inc. | Website hosting | EU (Frankfurt region) |
| Storyblok GmbH | Content management system | EU (Austria) |
| WhatsApp (Meta) | Guest communication | USA (EU SCCs) |
| Payment processors (via Mews) | Credit/debit card transactions | EU |
| Spanish tax authorities (AEAT) | Tax and accounting compliance | Spain |
| Spanish National Police / Civil Guard | Traveller registration (Royal Decree 933/2021) | Spain |
All data processors with access to personal data have signed Data Processing Agreements (DPAs) in accordance with Article 28 of the GDPR.
5. International Data Transfers
Some of our data processors are located outside the European Economic Area (EEA), primarily in the United States. For these transfers, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission, as supplemented by transfer impact assessments where required.
- The EU-U.S. Data Privacy Framework, where the processor has been certified.
You may request a copy of the relevant safeguards by contacting us at privacy@shantisom.com.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Booking and guest records | Duration of the stay plus 5 years (Spanish Commercial Code Art. 30; tax law obligations) |
| Guest registration data (passport/ID) | 3 years (Royal Decree 933/2021) |
| Health and wellness intake forms | Duration of the stay; deleted within 30 days of departure unless ongoing care requires retention |
| Payment records | Duration of the contractual relationship plus 4 years (Spanish General Tax Law) |
| Marketing and newsletter data | Until consent is withdrawn; re-confirmation requested annually |
| Contact form enquiries | 12 months from last interaction |
| Recruitment and CV data | 24 months from submission, then securely deleted unless renewed consent is given |
| Website analytics (cookies) | See Section 8 (Cookie Policy) |
| CCTV footage (if applicable) | 30 days maximum (AEPD guidance) |
7. Payment Data and PCI Compliance
We do not store full credit or debit card numbers on our servers. All payment transactions are processed through PCI-DSS compliant payment providers integrated with our property management system (Mews). Card data is encrypted in transit and at rest, and we only retain masked card references and transaction identifiers as required for accounting and refund purposes.
8. Cookies and Tracking Technologies
Our website uses cookies and similar technologies. In compliance with Article 22 of the LSSI-CE and AEPD guidelines, non-essential cookies are only placed after you provide explicit consent through our cookie banner.
We use the following categories of cookies:
- Strictly necessary cookies — Required for the website to function (session management, security). No consent required.
- Analytics cookies — Google Analytics 4 (GA4) to understand how visitors use our website. Consent required.
- Marketing cookies — Google Ads, Meta Pixel (Facebook/Instagram), and HubSpot tracking to measure advertising effectiveness and deliver relevant ads. Consent required.
- Functionality cookies — Remember your language preference and booking widget state. Consent required.
You may manage your cookie preferences at any time through our cookie settings, accessible via the cookie icon on our website. You can also configure your browser to reject cookies, though this may affect website functionality.
For full details, see our Cookie Policy.
9. Your Rights
Under the GDPR and LOPDGDD, you have the following rights:
- Right of access (Art. 15) — Obtain confirmation of whether we process your personal data and receive a copy.
- Right to rectification (Art. 16) — Correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your data where there is no compelling reason for continued processing.
- Right to restriction (Art. 18) — Request that processing is limited in certain circumstances.
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interest or direct marketing at any time.
- Right not to be subject to automated decision-making (Art. 22) — We do not make automated decisions with legal or significant effects.
- Right to withdraw consent — Withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@shantisom.com or write to us at the postal address above. We will respond within 30 days. You may be asked to verify your identity.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, C/ Jorge Juan 6, 28001 Madrid.
10. WhatsApp and Messaging Communications
When you contact us via WhatsApp or other messaging platforms, your messages and contact details are processed to respond to your enquiry and manage your booking. We use WhatsApp Business for this purpose. Messages may be stored by WhatsApp (Meta Platforms, Inc.) on servers outside the EEA, subject to their own privacy policy and our DPA with Meta. We retain message histories for the duration of your booking relationship plus 12 months.
11. Video Surveillance
For security purposes, certain common areas of our retreat may be monitored by CCTV. Monitored areas are clearly indicated by signage. Footage is retained for a maximum of 30 days and is accessed only when necessary for security incident investigation or at the request of law enforcement. Guest rooms, treatment rooms, and private wellness areas are never monitored.
12. Children's Data
Our services are primarily directed at adults. We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have collected data from a child under 16 without verifiable parental consent, we will take steps to delete that information promptly.
13. Third-Party Data
If you provide personal data of other individuals (for example, when booking on behalf of travel companions), you confirm that you have informed those individuals of this Privacy Policy and have obtained their consent for us to process their data. You accept responsibility for any consequences of failing to do so.
14. Social Media
We maintain profiles on Facebook, Instagram, TikTok, and LinkedIn. When you interact with us through these platforms, the respective platform operator acts as joint controller or independent controller for the data processed on their platform. We encourage you to review the privacy policies of these platforms. We may display your public social media content (e.g., tagged posts) on our website with your implied consent; you may request removal at any time.
15. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or the services we offer. We will publish the updated version on this page with a revised "Last updated" date. For material changes, we will notify you via email or a prominent notice on our website.
16. Applicable Law and Jurisdiction
This Privacy Policy is governed by Spanish and European data protection law. In the event of a dispute, the parties shall first attempt to resolve it amicably. Where this is not possible, the competent courts shall be those determined in accordance with applicable consumer protection and jurisdictional rules.
© 2026 Shanti Som Health Retreat, S.L. All rights reserved.
