Privacy Policy | Pirate Sailor – Boat Rental in Valencia

Article 01

Data controller

In compliance with Article 13 of the GDPR, you are informed that the controller responsible for the processing of personal data collected through the website piratesailor.com is:

Name: Pirate Sailor

Activity: Recreational boat rental and nautical advisory services

Address: Marina Pobla de Farnals, Valencia, Spain

Contact e-mail: info@piratesailor.com

Website: https://piratesailor.com

Areas of operation: Valencia, Mallorca, Ibiza, Formentera and Menorca

Pirate Sailor acts as the data controller within the meaning of Article 4(7) of the GDPR, determining the purposes and means of the processing of personal data.

Data Protection Officer (DPO): Pirate Sailor is not currently required to appoint a Data Protection Officer under Article 37 of the GDPR and Article 34 of the LOPDGDD, as it is not a public authority and does not carry out large-scale processing of special categories of data or data relating to criminal convictions. For any privacy-related queries, please contact us at the e-mail address indicated above.

Article 02

Definitions

For the purposes of this Privacy Policy, and in accordance with Article 4 of the GDPR, the following terms shall have the meanings set out below:

Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data subject: an identified or identifiable natural person whose personal data are processed.
Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.
Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Supervisory authority: an independent public authority established by a Member State pursuant to Article 51 of the GDPR. In Spain, the Spanish Data Protection Agency (AEPD).

Article 03

Categories of personal data processed

Pirate Sailor applies the principle of data minimisation (Art. 5(1)(c) GDPR) and processes only the data necessary for the purposes set out in Article 4 below. Under no circumstances are special categories of data processed pursuant to Article 9 of the GDPR.

3.1 Identification and contact data

Full name
E-mail address
Phone number

3.2 Browsing and device data

IP address (automatically anonymised before storage in Google Analytics 4)
Browser type and version
Operating system and device type (desktop, mobile, tablet)
Pages visited, session duration and actions taken on the website
Country and city of access (city level, not street address)
Traffic source (search engine, direct referral, social media, etc.)
Analytical cookie identifiers

3.3 Communication data

Content of messages sent through the contact form
Date and time the request was submitted

3.4 Data excluded from processing

Pirate Sailor does not collect special categories of personal data within the meaning of Article 9(1) GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning sex life or sexual orientation).

Pirate Sailor does not process personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.

The user warrants that the personal data provided are truthful, accurate, complete and up to date, and is responsible for any damage resulting from failure to comply with this obligation. Where the data provided belong to a third party, the user warrants that they have informed that third party of the contents of this Policy and obtained their authorisation to provide such data for the stated purposes.

Article 04

Purposes of processing and legal bases

In accordance with the purpose limitation principle (Art. 5(1)(b) GDPR) and the transparency principle (Art. 5(1)(a) GDPR), the following table sets out all purposes for which we process your data and the legal basis legitimising each processing activity, as required by Article 13(1)(c) of the GDPR:

Purpose	Data processed	Legal basis (Art. 6 GDPR)	Mandatory
Handling enquiries received through the contact form	Name, e-mail, phone, message content	Art. 6(1)(b) — Performance of a contract or pre-contractual measures; subsidiarily Art. 6(1)(f) — Legitimate interest of the controller	Required. Without this data, we cannot respond to your enquiry.
Sending the informational newsletter with news, offers and nautical content	E-mail address	Art. 6(1)(a) — Explicit and unambiguous consent of the data subject	Optional. Refusal does not affect any other service.
Statistical analysis and website performance (Google Analytics 4)	Anonymised IP, cookie identifiers, aggregated browsing behaviour	Art. 6(1)(a) — Consent given via the cookie banner	Optional. Can be refused from the cookie preferences panel.
Management and formalisation of boat rental bookings and contracts	Name, e-mail, phone and data required for the transaction	Art. 6(1)(b) — Performance of the service contract	Required to provide the contracted service.
Compliance with legal obligations (tax, accounting, commercial)	Identification and billing data	Art. 6(1)(c) — Compliance with a legal obligation applicable to the controller	Mandatory under applicable law.
Defence of claims and exercise of rights in judicial, arbitration or extrajudicial proceedings	Data relevant to the specific claim	Art. 6(1)(f) — Legitimate interest of the controller in defending or exercising its rights	Applicable only in the event of a dispute or claim.

4.1 Legitimate interest balancing test

Where the legal basis is legitimate interest (Art. 6(1)(f) GDPR), Pirate Sailor has carried out the corresponding balancing test, concluding that the processing is necessary for the purposes pursued and that the interests or fundamental rights and freedoms of the data subject do not override those interests, taking into account the data subject's reasonable expectations and the safeguards applied. The data subject may obtain details of that balancing test upon written request.

4.2 Withdrawal of consent

Where processing is based on consent, the data subject may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3) GDPR). Consent to receive the newsletter may be withdrawn by clicking the unsubscribe link included in each communication, or by writing to info@piratesailor.com.

4.3 Automated decisions and profiling

Pirate Sailor does not make automated individual decisions that produce legal effects on the data subject or similarly significantly affect them, and does not carry out profiling within the meaning of Article 22 of the GDPR.

Article 05

Retention periods

In compliance with the storage limitation principle (Art. 5(1)(e) GDPR), personal data will be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Once the purpose has been fulfilled, data will be blocked and subsequently erased or irreversibly anonymised.

Data type / purpose	Active retention period	Additional blocking period	Legal basis
Contact form enquiries (no contract)	12 months from the last communication	Up to 5 additional years (blocked)	Legitimate interest; Art. 1964 Spanish Civil Code (general limitation period for personal actions)
Customer data (active rental contract)	Duration of the contractual relationship	5 years after contract termination	Art. 1964 CC; Art. 66 General Tax Law (tax prescription: 4 years)
Billing and accounting data	Duration of the financial year + annual close	6 years from the close of the financial year	Art. 30 Spanish Commercial Code
Newsletter subscribers	While the user maintains an active subscription	30 days after unsubscription (for effective deletion)	Consent of the data subject; minimisation principle (Art. 5(1)(c) GDPR)
Browsing data / analytical cookies	Up to 26 months (GA4 default)	N/A (data anonymised or deleted)	Consent; AEPD Cookie Guidelines (2023)
Record of GDPR rights requests	3 years from resolution of the request	N/A	Accountability principle (Art. 5(2) GDPR)
Consent records (cookies and newsletter)	While consent is active	3 years after withdrawal of consent	Demonstration of lawfulness of processing (Art. 7(1) GDPR)

During the blocking period, data will not be accessible for ordinary processing and will only be available to public authorities, courts and the public prosecutor's office during the limitation period for any actions that may arise. After that period, they will be securely and irreversibly destroyed.

Article 06

Recipients and processors

6.1 Disclosure of data to third parties

As a general rule, Pirate Sailor does not disclose or communicate personal data to third parties, except in the following cases provided for by law:

Where there is a legal obligation requiring the disclosure (tax authorities, judicial authorities, law enforcement bodies, etc.).
Where the data subject has given explicit consent for the communication to a specific third party.
Where it is strictly necessary for the performance of the service contract requested by the user (e.g. sharing identification data with the marina for berthing management as part of a booking).
In cases involving the vital interests of the data subject or a third party (Art. 6(1)(d) GDPR).

6.2 Data processors

To provide our services, we rely on the following providers acting as data processors within the meaning of Article 28 of the GDPR, with whom the corresponding data processing agreements have been signed:

Provider	Purpose	Data transferred	Location	Safeguards
Google LLC (Google Analytics 4 / Google Tag Manager)	Statistical analysis of website traffic and performance measurement	Anonymised IP, analytical cookies, aggregated browsing behaviour	USA (see Art. 07)	EU-U.S. Data Privacy Framework (EC Adequacy Decision, July 2023). Google Privacy Policy
Web hosting provider	Hosting of the website, server data storage and e-mail	Server access logs, contact form data in transit	European Union	Data processing agreement (Art. 28 GDPR); ISO 27001 or equivalent security measures
E-mail marketing platform (if applicable)	Subscriber list management and newsletter delivery	Subscriber e-mail address and name	EU / USA depending on provider	Processing agreement; Standard Contractual Clauses (SCCs) or Data Privacy Framework as applicable

Pirate Sailor requires all its data processors to implement appropriate technical and organisational measures, to process personal data only on documented instructions from the controller, and to ensure the confidentiality of such data.

Article 07

International data transfers

In accordance with Chapter V of the GDPR (Arts. 44–49), Pirate Sailor provides the following information on international data transfers:

7.1 Google LLC — United States

The use of Google Analytics 4 and Google Tag Manager involves the transfer of data to Google LLC, headquartered in Mountain View, California (USA). This transfer is covered by the European Commission Adequacy Decision of 10 July 2023 on the EU-U.S. Data Privacy Framework (DPF), in which Google LLC participates as a certified organisation.

The Adequacy Decision recognises that the USA provides, for data transferred to DPF-certified organisations, a level of protection essentially equivalent to that guaranteed in the European Union. Google LLC's certification can be verified in the official Data Privacy Framework Registry.

Additionally, Google Analytics 4 applies IP anonymisation by default, so that the IP address is truncated before being stored or transferred, making it impossible to identify the end user from the data processed by Google.

7.2 E-mail marketing platform (if applicable)

If the e-mail marketing provider used has its registered office outside the EEA, the transfer will be covered by the Standard Contractual Clauses adopted by the European Commission (Implementing Decision 2021/914), or, where applicable, by the provider's adherence to the Data Privacy Framework.

7.3 Other transfers

Outside the cases indicated above, Pirate Sailor does not transfer personal data to third countries or international organisations outside the European Economic Area (EEA). Should new international transfers take place in the future, data subjects will be duly informed and appropriate safeguards provided for in Chapter V of the GDPR will be applied.

Article 08

Data subject rights

In accordance with Articles 15 to 22 of the GDPR, the data subject may exercise the following rights at any time, free of charge:

👁

Right of access Art. 15 GDPR Obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to such data and to detailed information about the processing: purposes, categories of data, recipients, retention periods, origin of data, and the existence of automated decisions or profiling.

✏️

Right to rectification Art. 16 GDPR Obtain without undue delay the rectification of inaccurate personal data concerning you or, taking into account the purposes of the processing, completion of incomplete personal data, including by means of a supplementary statement.

🗑

Right to erasure ('right to be forgotten') Art. 17 GDPR Obtain the erasure of personal data concerning you without undue delay where, among other grounds, the data are no longer necessary for the purpose for which they were collected, consent is withdrawn, the right to object is exercised, or the processing is unlawful (Art. 17(1) GDPR). This right does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (Art. 17(3) GDPR).

⏸

Right to restriction of processing Art. 18 GDPR Obtain restriction of processing where one of the conditions in Art. 18(1) GDPR applies: accuracy of the data is contested, processing is unlawful and you oppose erasure, the data are needed for the establishment, exercise or defence of legal claims, or an objection is pending verification. During the restriction period, data may only be stored, except with your consent or for legal claims.

📦

Right to data portability Art. 20 GDPR Receive the personal data concerning you in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance, where the processing is based on consent or on a contract, and is carried out by automated means.

🚫

Right to object Art. 21 GDPR Object at any time, on grounds relating to your particular situation, to processing of personal data concerning you based on legitimate interest or public interest (Art. 6(1)(e) or (f) GDPR). The controller shall cease processing unless it demonstrates compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

🤖

Rights related to automated decision-making and profiling Art. 22 GDPR Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Pirate Sailor expressly declares that it does not make such automated decisions and does not carry out profiling within the meaning of Article 22 of the GDPR.

↩️

Right to withdraw consent Art. 7(3) GDPR Withdraw at any time consent given for a specific processing activity, without affecting the lawfulness of processing based on consent before its withdrawal. Withdrawing consent shall be as easy as giving it. For the newsletter, this can be done via the unsubscribe link in each communication or by writing to info@piratesailor.com.

Free of charge and limits: The exercise of these rights is free of charge. However, where requests are manifestly unfounded or excessive, in particular because of their repetitive character, Pirate Sailor may charge a reasonable fee based on administrative costs or refuse to act on the request (Art. 12(5) GDPR). The detailed procedure for exercising these rights is described in Article 9 of this Policy.

8.1 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR). The competent supervisory authority in Spain is:

Spanish Data Protection Agency (Agencia Española de Protección de Datos — AEPD)

C/ Jorge Juan, 6 · 28001 Madrid, Spain

Phone: +34 901 100 099 / +34 912 663 517

Website: www.aepd.es

Electronic office: sedeagpd.gob.es

Article 09

How to exercise your rights

To exercise any of the rights described in the previous article, the data subject must follow the procedure set out below, in accordance with Article 12 of the GDPR:

01

Proof of identity Attach a copy of your national ID, passport or other valid official identity document. If acting on behalf of a third party, documentation proving representation must also be provided (notarial power of attorney, signed authorisation accompanied by a copy of the represented person's ID, etc.).

02

Drafting your request State in your request: your full name, the right you wish to exercise, a clear description of the processing or data affected, and an address or e-mail for notifications. You may use the request templates available free of charge on the AEPD website: www.aepd.es/derechos-y-deberes/conoce-tus-derechos.

03

Submitting your request Send the request together with your identification documentation by e-mail to info@piratesailor.com, indicating in the subject line: "Exercise of GDPR rights – [Right requested]".

04

Correction (if applicable) If the request does not meet all the required conditions, Pirate Sailor will inform you within 10 business days of receipt and grant you a period to remedy any deficiencies. The response period will be suspended during the correction period.

05

Response You will receive a reasoned response within a maximum period of one month from receipt of the complete request. In cases of particular complexity or a large number of simultaneous requests, this period may be extended by a further two months, with notification of the extension and reasons provided within the first month.

06

Complaint to the AEPD If you do not receive a response within the stated period, consider the response unsatisfactory, or believe your rights have been violated, you may lodge a complaint with the AEPD through its electronic office at sedeagpd.gob.es, without prejudice to any judicial remedies available to you.

Request register: Pirate Sailor keeps an internal register of all rights requests received and their resolution, retained for 3 years, in order to demonstrate compliance with the accountability principle required by Article 5(2) of the GDPR. This register is not shared with third parties except where required by law.

Article 10

Cookies and tracking technologies

10.1 Definition and nature of cookies

Cookies are small text files that a website places on the user's device (computer, tablet or mobile phone) when they visit it. Cookies allow the web server to recognise the user's browser on subsequent visits and to remember information about the session, preferences and browsing behaviour.

The use of cookies in Spain is governed by Article 22(2) of Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE), interpreted in light of the GDPR and the AEPD Cookie Use Guide (updated July 2023).

10.2 Classification of cookies used

Cookie	Provider	Type	Purpose	Duration	Consent
_ga	Google Analytics 4	Analytics — third party	Distinguishes unique users by assigning a randomly generated client identifier. Enables measurement of unique visits to the site.	2 years	Required
_ga_[ID]	Google Analytics 4	Analytics — third party	Maintains the Google Analytics 4 session state.	2 years	Required
_gid	Google Analytics 4	Analytics — third party	Records and updates a unique value for each page visited during the session.	24 hours	Required
cookie_consent (or similar)	Pirate Sailor — first party	Technical / functional	Stores the user's cookie consent preferences, avoiding repeated display of the banner.	12 months	Exempt (necessary technical cookie)

10.3 Consent management and preferences panel

Upon first accessing the website, a cookie banner is displayed allowing the user to:

Accept all cookies (including analytics).
Reject non-strictly-necessary cookies.
Configure preferences by cookie category.

Consent given is recorded along with its date, banner version and selected preferences. The user may modify or revoke their consent at any time by accessing the cookie preferences panel available in the website footer.

10.4 Browser-level cookie management

In addition to the preferences panel, users can manage or delete cookies from their browser settings. Below are help links for the most common browsers:

Please note that rejecting or deleting technical cookies may affect the correct functioning of certain sections of the website.

10.5 Google Analytics 4 and IP anonymisation

Pirate Sailor uses Google Analytics 4 with IP anonymisation enabled by default, so that the user's IP address is truncated before being processed and stored on Google's servers. Data collected is statistical and aggregated in nature and does not permit individual identification of the end user.

For more information on how Google processes this data, see Google's Privacy Policy and how to opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

For full information on all cookies used, their purposes and how to manage them, see our Cookie Policy.

Article 11

Minors

Pirate Sailor's services are directed exclusively at persons with full legal capacity, i.e. adults under applicable Spanish law.

In accordance with Article 8 of the GDPR and Article 7 of the LOPDGDD, the processing of personal data of children under 14 years of age based on consent requires the consent of the holder of parental responsibility or legal guardianship. Pirate Sailor does not knowingly collect or process personal data from children under 14 without the required parental or guardian consent.

If you become aware that a child under 14 has provided us with personal data without the required parental consent, please notify us immediately at info@piratesailor.com and we will delete such data as soon as possible.

Minors aged between 14 and 18 may exercise their GDPR and LOPDGDD rights themselves, although their legal representatives may also exercise such rights on their behalf, provided the minor does not object to this.

Article 12

Data security and technical and organisational measures

In compliance with the integrity and confidentiality principle (Art. 5(1)(f) GDPR) and Article 32 of the GDPR, Pirate Sailor has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account in particular the risks of accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data.

12.1 Technical security measures

Encrypted communications: The website operates exclusively under HTTPS protocol with a valid TLS certificate, ensuring encryption of all data in transit between the user's browser and the server.
Anonymisation: IP addresses collected via Google Analytics are truncated and anonymised before storage, as described in Article 10.5.
Access control: Access to information systems is restricted using strong credentials (complex passwords and, where applicable, two-factor authentication), applying the principle of least privilege.
Backups: Regular backups of data hosted on the server, with documented procedures for incident recovery.
Security updates: Server software, operating system and applications are kept up to date, with security patches applied within reasonable timeframes.
Firewalls and intrusion detection: Use of perimeter protection tools to prevent unauthorised access.

12.2 Organisational security measures

Duty of confidentiality: All staff with access to personal data are subject to a duty of confidentiality, both during and after the employment or service relationship.
Processor agreements: All providers with access to personal data have signed the corresponding data processing agreement with the clauses required by Article 28 of the GDPR.
Record of processing activities: Pirate Sailor maintains a record of processing activities as required by Article 30 of the GDPR, available to supervisory authorities upon request.
Periodic reviews: This Privacy Policy and the security measures are reviewed periodically to ensure compliance with applicable regulations and identified risks.
Data Protection Impact Assessment (DPIA): Pirate Sailor assesses, in the cases required by Article 35 of the GDPR, whether the intended processing is likely to result in a high risk to the rights and freedoms of data subjects, and carries out a DPIA where necessary.

12.3 Notification of personal data breaches

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, Pirate Sailor will notify the Spanish Data Protection Agency (AEPD) within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR.

Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, Pirate Sailor will communicate this to them without undue delay (Art. 34 GDPR), describing in clear and plain language: the nature of the breach, the data affected, the likely consequences and the measures taken or proposed to address the breach and mitigate its effects.

Residual risk notice: Despite the security measures adopted, no Internet-based information transmission system can guarantee absolute security. Pirate Sailor cannot ensure the inviolability of communications made over public networks, but takes all reasonably practicable measures to minimise this risk.

Article 13

Changes to this Policy and effective date

Pirate Sailor reserves the right to modify this Privacy Policy at any time to adapt it to legislative or jurisprudential developments, changes in the services offered, recommendations from the AEPD, or changes in data processing practices.

13.1 Notification of material changes

Changes that materially affect the purposes of processing, the legal basis used, or the rights of data subjects will be communicated by:

A prominent notice (banner or informational message) on the website for a minimum period of 30 days.
An e-mail communication to newsletter subscribers where the changes directly affect them.
A request for renewed consent where required by applicable law.

13.2 Minor changes

Minor changes (typographical corrections, updates to regulatory references, changes to provider contact details, etc.) will be published on this page without prior notice, with the date of last modification updated accordingly.

13.3 Current version

The updated Privacy Policy will always be available at https://piratesailor.com/en/privacy.html. The version in force is the one published at that address at the time of the user's access to the website.

Continued use of the website following publication of changes to this Policy will constitute acceptance of those changes, unless express consent is required by the nature of the new processing.

Version: 2.0

Date of preparation: 1 January 2025

Date of last review: 1 January 2025

Primary reference legislation:

— Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) of 27 April 2016

— Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD)

— Spanish Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE)

— AEPD Cookie Use Guide (updated July 2023)

— European Commission Adequacy Decision on the EU-U.S. Data Privacy Framework (July 2023)

— Applicable guidelines of the European Data Protection Board (EDPB)