Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, and protect your information.

Last updated: December 2025

1. Introduction and Legal Framework

Spirit of Traveling ("we," "our," or "us") is committed to protecting your privacy in accordance with current data protection regulations. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our travel planning platform and services.

1.1 Data Controller Information (LOPDGDD Art. 13)

Data Controller: Spirit of Traveling (project operated from Spain)

Responsible for data processing: The Spirit of Traveling Administration Team

Contact: administrator@spiritoftraveling.com

Website: www.spiritoftraveling.com

1.2 Applicable Regulations

This Privacy Policy complies with:

  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)
  • LOPDGDD: Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (Spain)
  • LSSI-CE: Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (Spain)
  • LSSICE: Additional requirements for electronic communications and digital services

1.3 Data Storage and Processing

Server Location: Our servers are located in Germany/Netherlands (within the EU/EEA), ensuring full compliance with European data protection standards.

Data Processing: All data processing activities are subject to GDPR, LOPDGDD, and Spanish regulations. We maintain a Record of Processing Activities as required by GDPR Art. 30.

2. Information We Collect

2.1 Information You Provide

  • Account information (name, email address) when you create an account
  • Travel preferences and itinerary data
  • Communications with us (contact form submissions, support requests)
  • User-generated content (reviews, comments, photos you upload)

2.2 Information We Collect Automatically

  • Usage data (pages visited, features used, time spent)
  • Device information (browser type, operating system, IP address)
  • Location data (if you choose to share it)
  • Cookies and similar tracking technologies

2.3 Third-Party Data Sources

We integrate data from various sources to provide comprehensive travel information:

  • Wikipedia: Destination information and descriptions (attributed as required)
  • Geonames: Geographic data and place names (attributed as required)
  • OpenStreetMap: Map data and layers via Leaflet library (attributed as required)
  • Other APIs: Weather, transportation, and tourism data

3. How We Use Your Information

We use your information to:

  • Provide and improve our travel planning services
  • Personalize your experience and recommendations
  • Process transactions and manage your account
  • Communicate with you about our services
  • Analyze usage patterns to improve our platform
  • Comply with legal obligations
  • Protect against fraud and security threats

4. Legal Basis for Processing

Under GDPR and LOPDGDD, we process your personal data based on the following legal grounds:

4.1 Consent

  • When you explicitly agree to data processing for specific purposes (e.g., marketing communications, cookies)
  • You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal

4.2 Contract Performance

  • To provide our travel planning services as agreed in our Terms of Service
  • To manage your account and deliver the services you requested
  • To process and respond to your inquiries and support requests

4.3 Legitimate Interest

  • To improve our services and user experience through analytics
  • To prevent fraud, abuse, and security threats
  • To conduct internal research and development
  • To send service-related communications (not marketing)

4.4 Legal Obligation

  • To comply with Spanish tax and accounting laws
  • To respond to legal requests from authorities
  • To maintain records as required by Spanish commercial law

⚖️ Balancing Test (LOPDGDD Requirement)

When we process data based on legitimate interest, we conduct a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to such processing at any time.

5. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share information only in these circumstances:

  • With your explicit consent
  • To comply with legal obligations or court orders
  • To protect our rights, property, or safety
  • With service providers who assist us (under strict confidentiality agreements)
  • In case of business transfer (merger, acquisition, etc.)

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication
  • Secure data centers with physical security
  • Staff training on data protection

7. Your Rights

Under GDPR and LOPDGDD, you have the following rights regarding your personal data:

7.1 Right of Access

  • Request confirmation of whether we process your personal data
  • Obtain a copy of your personal data and information about processing
  • Request additional copies (we may charge a reasonable fee for extra copies)

7.2 Right to Rectification

  • Correct inaccurate or incomplete personal data
  • Update your information through your account settings or by contacting us

7.3 Right to Erasure - "Right to be Forgotten"

  • Request deletion of your personal data when there is no legal basis for continued processing
  • Note: This right is not absolute and may be limited by legal obligations to retain data

7.4 Right to Restriction of Processing

  • Request limitation of data processing in specific circumstances
  • Your data will be stored but not actively processed during the restriction period

7.5 Right to Data Portability

  • Receive your data in a structured, commonly used, machine-readable format (JSON/CSV)
  • Transmit your data to another service provider where technically feasible

7.6 Right to Object

  • Object to processing based on legitimate interests or for direct marketing purposes
  • We will cease processing unless we demonstrate compelling legitimate grounds

7.7 Right to Withdraw Consent

  • Withdraw your consent at any time where processing is based on consent
  • Withdrawal does not affect the lawfulness of processing before withdrawal

7.8 Right Not to be Subject to Automated Decision-Making

  • Not to be subject to decisions based solely on automated processing, including profiling
  • Request human intervention in automated decision-making processes

7.9 Digital Rights

  • Digital Disconnection: Right to disconnect from digital communications outside working hours (for professional users)
  • Digital Testament: Right to decide the fate of your digital data after death
  • Right to Privacy in Internet and Digital Media Use

📧 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Required Information: To verify your identity, please include your full name, email address, and a copy of your ID or passport.

Response Time: We will respond within 1 month (30 days) as required by GDPR Art. 12. This may be extended by 2 additional months for complex requests.

8. Data Retention

We retain your data only as long as necessary for the purposes outlined in this policy:

  • Account data: Until account deletion or 3 years of inactivity
  • Usage data: Up to 2 years for analytics purposes
  • Communication data: Up to 3 years for customer service
  • Legal compliance data: As required by applicable laws

9. International Data Transfers

While our servers are in Germany/Netherlands, some data may be processed by third-party services globally. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) for EU-US transfers
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules where applicable
  • Certification schemes and codes of conduct

10. Cookies and Tracking Technologies (LSSI Art. 22)

10.1 Cookie Policy Compliance

In accordance with LSSI Art. 22 and ePrivacy Directive, we inform you about our use of cookies and similar tracking technologies.

10.2 Types of Cookies We Use

Essential Cookies (No Consent Required)

These cookies are strictly necessary for the website to function:

  • Session management and authentication
  • Security and fraud prevention
  • Load balancing and performance

Retention: Session or up to 12 months

Functional Cookies (Consent Required)

These cookies enhance functionality and personalization:

  • Remember your preferences and settings
  • Language and region selection
  • Personalized content display

Retention: Up to 24 months

Analytics Cookies (Consent Required)

These cookies help us understand how visitors use our website:

  • Google Analytics (anonymized IP)
  • Traffic analysis and usage patterns
  • Performance monitoring

Retention: Up to 26 months

Marketing/Advertising Cookies (Consent Required)

These cookies are used for marketing and targeted advertising:

  • Social media integration (Facebook, Instagram, etc.)
  • Personalized advertising
  • Marketing campaign tracking

Retention: Up to 24 months

10.3 Cookie Consent Management

When you first visit our website, we display a cookie consent banner in compliance with LSSI and ePrivacy Directive. You can:

  • Accept all cookies
  • Reject non-essential cookies
  • Customize your cookie preferences by category
  • Change your preferences at any time through our Cookie Settings

10.4 How to Control and Delete Cookies

You can control cookies through your browser settings. Please note that disabling certain cookies may affect website functionality:

  • Google Chrome: Settings > Privacy and security > Cookies and other site data
  • Firefox: Options > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Cookies and website data
  • Edge: Settings > Cookies and site permissions > Cookies and site data

10.5 Third-Party Cookies

Some cookies are set by third-party services. We do not control these cookies:

  • Google Analytics - Privacy Policy
  • Social Media Platforms (Facebook, Instagram, Twitter, etc.)
  • Content Delivery Networks (CDN)

🍪 Your Cookie Preferences

You can update your cookie preferences at any time by clicking on the "Cookie Settings" link in our website footer or by contacting us at administrator@spiritoftraveling.com

11. Information Society Services (LSSI Compliance)

Service Provider Information (LSSI Art. 10)

Company Name: Spirit of Traveling

Legal Form: Spanish Autonomous Company

Registered Address: Lugar A Freixa 55A, Ribadetea, Ponteareas, CP. 36866, Pontevedra, Spain

Email: administrator@spiritoftraveling.com

Electronic Communications (LSSI Art. 21)

We comply with LSSI requirements for electronic communications:

  • Commercial Communications: All promotional emails are clearly identified and include opt-out mechanisms
  • Prior Consent: We only send marketing communications to users who have given explicit consent
  • Unsubscribe: Every marketing email includes an easy unsubscribe link
  • Robinson List: We respect the Spanish advertising exclusion list (Lista Robinson)

Online Contracting (LSSI Art. 27-28)

For any services requiring payment or formal agreement:

  • Clear information about the steps to follow to conclude the contract
  • Technical means to identify and correct input errors
  • Language options for contract conclusion
  • General conditions made available before contract acceptance
  • Confirmation of receipt of acceptance

10. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors.

Notification Method: We will notify you of material changes by:

  • Email notification to your registered email address
  • Prominent notice on our website and platform
  • In-app notification for mobile users

Effective Date: Changes will become effective 30 days after notification, unless a longer period is required by law.

Your Acceptance: Continued use of our services after the effective date constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you must stop using our services and may request account deletion.

11. Contact Information

For questions about this Privacy Policy or to exercise your rights, contact us:

Data Controller: Spirit of Traveling

Email: administrator@spiritoftraveling.com

Subject Line: "Privacy Policy Inquiry" or "GDPR Rights Exercise"

Response Time: Within 1 month (30 days) as required by GDPR Art. 12

⚠️ Identity Verification Required

To protect your privacy, we may require identity verification before processing data access, rectification, or deletion requests. Please provide a copy of your ID or passport with your request.

12. Data Protection Authority

You have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) if you believe we have violated your data protection rights:

Agencia Española de Protección de Datos (AEPD)

Website: www.aepd.es

Email: canaldedenuncias@aepd.es

13. Copyright and Attribution

Our Content: All original content, software, and data created by Spirit of Traveling is protected by copyright. All rights reserved. No distribution, copying, modification, or use without permission is allowed.

Third-Party Content: We respect intellectual property rights and provide proper attribution for:

  • Wikipedia content (Creative Commons Attribution-ShareAlike)
  • Geonames data (Creative Commons Attribution 4.0)
  • OpenStreetMap data (Open Database License)
  • User-submitted photos (with appropriate licenses)

📜 Legal Compliance Statement

This Privacy Policy is effective as of December 2025 and complies with:

  • Regulation (EU) 2016/679 (GDPR)
  • Organic Law 3/2018 (LOPDGDD - Spanish Data Protection Law)
  • Law 34/2002 (LSSI-CE - Spanish Information Society Services Law)
  • ePrivacy Directive 2002/58/EC