Privacy Policy

1. Who is responsible for your data (Data Controller)

The data controller (responsable del tratamiento) for the personal data processed through this website is the legal entity operating under the trade name Casa Boutique del Mar. In accordance with Article 13 GDPR (information to be provided) and Article 10 of Law 34/2002 (LSSI-CE) on the information service providers must make available, the controller's identity and contact details are set out below.

If you have any question about how we handle your data, or if you wish to exercise your rights, you can contact us using the details in this table or in the "Your rights" section below.

Trade name

Casa Boutique del Mar

Legal name (denominación social / titular)

Casa Boutique del Mar, S.L.U.

Legal form

Sociedad Limitada Unipersonal (S.L.U.) — Spanish single-member private limited company

Tax ID (NIF/CIF)

B19906338

Registered office (domicilio social)

Avenida de la Llibertat 36-3B, 03730 Jávea (Xàbia), Alicante, Spain

Email

hola@casaboutique-delmar.com

Telephone

+34 672 432 590

Website

casaboutique-delmar.com

Professional registration

APIAL no. A547 (Asociación Profesional de Agentes Inmobiliarios de Alicante); RAICV 4431 (Registro de Agentes Inmobiliarios de la Comunitat Valenciana)

Commercial Registry (Registro Mercantil)

Commercial Registry of Alicante — registration in progress; the registry details (tomo/volume, folio and hoja/sheet) will be added once the company's entry is recorded.

2. Data Protection Officer (DPO)

Given the nature and scale of our activity, we are not required to appoint a Data Protection Officer (Delegado de Protección de Datos) under Article 37 GDPR and Article 34 LOPDGDD and we have not voluntarily designated one.

For any matter relating to the protection of your personal data, please write to us at hola@casaboutique-delmar.com. We will deal with your request directly.

3. What personal data we collect, and how

We collect two kinds of data: data you give us yourself through our forms, and limited technical data generated automatically when your browser loads our pages.

Data you provide through our forms. The website has three contact channels, all of which send your enquiry to us so that we can reply:

• Contact form — first name, last name, email, telephone and your free-text message. • "Sell your home" / valuation enquiry form — first name, last name, email, telephone, your free-text message and any optional details you choose to add about the property you want to sell (such as property type, number of bedrooms and location). • Per-property enquiry form (shown on a property's page) — first name, last name, email, telephone, your free-text message and a reference to the specific listing you are enquiring about.

Technical and navigation data processed automatically. When you visit the site, certain data is processed for the website to work, load images and stay secure — for example your IP address, basic device and browser information, and server access logs with timestamps. This data is handled through our hosting provider and the Cloudflare content-delivery network (see "Recipients and processors"). We do not use analytics, advertising, profiling or other tracking technologies.

We do not knowingly collect special categories of data (Article 9 GDPR) and we ask that you do not include such data in your free-text messages.

4. Why we use your data and our legal basis

We process your personal data only for the purposes below. For each purpose we tell you the legal basis under Article 6(1) GDPR, as required by Article 13(1)(c)-(d) GDPR.

(a) To respond to and manage your enquiries about our properties and services, and to take the pre-contractual steps you ask for (for example arranging a viewing, providing a valuation, or answering a question that may lead to a transaction). Legal basis: Article 6(1)(b) GDPR — steps taken at your request prior to entering into a contract — and, for the general administration of the enquiry, Article 6(1)(f) GDPR (legitimate interest).

(b) To run, secure and keep this website available — including loading images, serving content efficiently and preventing fraud, abuse and attacks (technical, server and CDN logs). Legal basis: Article 6(1)(f) GDPR (legitimate interest).

(c) To comply with our legal obligations where applicable (for example tax, accounting or anti-money-laundering duties that arise if an enquiry becomes a transaction). Legal basis: Article 6(1)(c) GDPR.

(d) To remember your chosen language across pages. The language cookie is a strictly-necessary / exempt functional cookie that does not require consent under Article 22.2 of Law 34/2002 (LSSI-CE); to the extent any related processing involves personal data, the legal basis is Article 6(1)(f) GDPR (our legitimate interest in providing the site in your chosen language). See our Cookie Policy.

Where we rely on legitimate interest (Article 6(1)(f) GDPR), our interest is in being able to manage enquiries effectively, administer our business and keep our website and network secure; we have assessed that this interest does not override your rights and freedoms. You can object to this processing at any time on grounds relating to your particular situation (Article 21 GDPR) — see "Your rights".

We do not operate a newsletter or send commercial communications through this website. If we introduce one in future, we will ask for your separate, specific, informed and unbundled consent (Article 6(1)(a) GDPR, and Article 21 LSSI-CE for electronic commercial communications) beforehand.

5. Recipients and processors

We do not sell your data and we do not share it for anyone else's marketing. We do rely on a small number of service providers that process data on our behalf as data processors (encargados del tratamiento), each acting only on our documented instructions and bound by confidentiality and security obligations under a data-processing agreement as required by Article 28 GDPR (Vercel’s Article 28 data-processing agreement is incorporated into its terms of service):

• Tesoro Estate (Tesoro CRM, api.tesoro.estate) — our real-estate CRM. When you submit any of the three forms, your enquiry is stored there as a lead so our team can manage and respond to it. • Our hosting provider Vercel Inc. (a US company; this website is served from Vercel’s Frankfurt, Germany region, within the EEA) — hosts the website and processes server and access logs. • Cloudflare, Inc. — content-delivery network used to serve property images (via imagedelivery.net) and to provide security and performance. To deliver this content, Cloudflare processes your IP address. No cookies are used for image delivery.

When a property page shows a location map, the map (OpenStreetMap) loads only after you click to activate it; on our "About" page the map is embedded directly. When a map loads, your browser contacts OpenStreetMap's tile servers, which receive your IP address as a necessary part of serving the map.

The site fonts (Cormorant Garamond and Hanken Grotesk) are self-hosted by our framework and are served from our own domain, so loading the site sends no font requests to, and transfers no data to, Google.

Our pages also contain ordinary outbound links (for example to WhatsApp, Instagram, Facebook, LinkedIn and Google Maps directions). These set no cookies and share no data with those services unless and until you click through to them, at which point that third party's own privacy policy applies.

Beyond the above, we disclose personal data to third parties or public authorities only where we are legally required to do so.

6. International data transfers

Most processing takes place within the European Economic Area (EEA). However, some of our processors — in particular Cloudflare, Inc. (a US-headquartered provider whose CDN may route traffic outside the EEA) and potentially our hosting provider — may transfer or process personal data outside the EEA.

Where this happens, the transfer is protected by an appropriate safeguard under Chapter V GDPR (Articles 44-49): either an adequacy decision of the European Commission (such as the provider's certification under the EU-US Data Privacy Framework) or the European Commission's Standard Contractual Clauses (Cláusulas Contractuales Tipo, Implementing Decision (EU) 2021/914), together with any supplementary measures required. In practice, our hosting provider Vercel serves the site from its Frankfurt, Germany region within the EEA and relies on the Standard Contractual Clauses for any access from the United States, while Cloudflare relies on the Standard Contractual Clauses and/or its EU-US Data Privacy Framework certification; where Tesoro Estate processes any data outside the EEA, the same Chapter V safeguards (Standard Contractual Clauses or an adequacy decision) apply.

You can ask us for more information about these safeguards, and request a copy or details of them, using the contact details above.

7. How long we keep your data

We keep your personal data only for as long as necessary for the purpose for which it was collected. After that, we delete it or block it (bloqueo) — keeping it restricted and at the disposal of the competent authorities only for the limitation periods of any legal liabilities — in line with Article 32 LOPDGDD, before final deletion.

• Enquiry and form data: kept while we manage your enquiry and, afterwards, for the period needed to deal with any related liabilities or legal claims — in practice, up to 12 months after our last contact with you, unless a legal claim requires us to keep it longer. • Data linked to a transaction: kept for the periods required by tax, accounting and sector-specific (including anti-money-laundering) law — in practice, 6 years for tax and accounting records and up to 10 years for anti-money-laundering documentation. • Technical and log data: kept for the retention windows applied by our hosting provider and Cloudflare — in practice, between 30 and 90 days.

The NEXT_LOCALE language cookie expires roughly one year after it is set, unless you clear it sooner — see our Cookie Policy.

8. Your rights

Under the GDPR (Articles 15-22) and the LOPDGDD (Articles 12-18), you have the following rights over your personal data:

• Access (acceso, Art. 15 GDPR) — to know whether we process your data and obtain a copy of it.
• Rectification (rectificación, Art. 16 GDPR) — to correct inaccurate or incomplete data.
• Erasure / right to be forgotten (supresión, Art. 17 GDPR) — to have your data deleted where the law allows.
• Restriction (limitación, Art. 18 GDPR) — to limit how we use your data in certain cases.
• Portability (portabilidad, Art. 20 GDPR) — to receive data you provided in a structured, commonly used, machine-readable format.
• Objection (oposición, Art. 21 GDPR) — to object to processing based on our legitimate interest.
• Not to be subject to automated decisions (Art. 22 GDPR) — including profiling with legal or similarly significant effects (we do not carry out such processing).
• Withdraw consent (Art. 7(3) GDPR) — at any time, where processing is based on your consent, without affecting the lawfulness of processing carried out before withdrawal.

9. How to exercise your rights

To exercise any of the rights above, send a written request by email to hola@casaboutique-delmar.com, stating clearly which right you wish to exercise. So that we can verify it is really you, we may ask for proof of identity.

We will respond within one month of receiving your request, as required by Article 12(3) GDPR. That period may be extended by up to two further months where the request is complex or where we receive a number of requests; if so, we will tell you within the first month and explain why. You may also use the model forms made available by the Spanish Data Protection Agency (AEPD).

10. Right to lodge a complaint

Without prejudice to any other remedy, if you believe we have not handled your data or your rights correctly you can lodge a complaint with the Spanish supervisory authority, the Agencia Española de Protección de Datos (AEPD). We would, however, appreciate the opportunity to resolve the matter with you first.

Authority

Agencia Española de Protección de Datos (AEPD)

Address

C/ Jorge Juan 6, 28001 Madrid, Spain

Website

www.aepd.es

11. No automated decision-making or profiling

We do not carry out automated individual decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (Article 13(2)(f) and Article 22 GDPR). Our CRM stores your enquiry as a lead so that a member of our team can respond to it personally; it does not score, rank or profile you to make automatic decisions about you.

12. Security measures

We apply appropriate technical and organisational measures, as required by Article 32 GDPR, to protect your personal data and to ensure its confidentiality, integrity and availability — including protection against unauthorised access, loss, alteration or disclosure. Form submissions are transmitted over an encrypted connection, access to our CRM is restricted, and our processors are contractually required to maintain their own appropriate security measures.

13. Providing your data: what is required

On each form, the fields marked as required — first name, last name, email and telephone — are necessary for us to identify you and reply to your enquiry. Your free-text message and any property details are optional but help us answer more usefully.

If you do not provide the required fields, we will not be able to process your request or contact you back.

14. Accuracy of data and third-party data

By submitting a form you confirm that the data you provide is true, accurate and up to date, and you agree to keep it so. You are responsible for the data you give us.

If you provide personal data about another person (for example a co-buyer or family member), you confirm that you have informed them and obtained any authorisation needed for us to process their data for the purposes set out in this policy.

15. Cookies

This website uses a single strictly-necessary first-party cookie (NEXT_LOCALE) that remembers your chosen language. We do not use analytics, advertising or third-party tracking cookies, and we do not use other browser storage (such as localStorage) for tracking.

Because we use only a strictly-necessary / exempt functional cookie within the meaning of Article 22.2 of Law 34/2002 (LSSI-CE) and the AEPD's cookie guidance (Guía sobre el uso de las cookies), a cookie-consent banner is not legally required. For full details of this cookie and how to control or delete it, please see our Cookie Policy, which forms part of and should be read together with this Privacy Policy.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the law, in guidance from the AEPD, or in how the website works. The date at the top shows when it was last revised. We encourage you to review it periodically; the version published here is always the one in force.