Privacy Policy
(Effective 9 June 2025)
This Privacy Policy (“Policy”) describes how LumaGuide LLC, a Florida limited-liability company (“LumaGuide,” “we,” “us,” “our,” “MallorcaGuide.com”) collects, uses, discloses and protects the personal data of natural persons (“you,” “your”) who interact with our mobile apps, website and event-management tools (collectively, the “Platform”). We act as a data controller when we determine why and how your data is processed.
If you choose not to provide the personal data we request, some Platform features may be unavailable.
1. Definitions
Term - Meaning (summary)
- Controller - Entity that decides the purposes and means of processing personal data.
- Processor - Entity that processes personal data on behalf of a controller.
- Organizer - Individual or legal entity using the Platform to publish, promote or ticket events.
- User - Individual or legal entity using the Platform to browse guides or obtain event information or tickets.
- Personal Data - Any information relating to an identified or identifiable natural person (e.g., name, email, IP address).
- Processing - Any operation performed on personal data, automated or not (collection, storage, use, disclosure, deletion, etc.).
- Sensitive Data - Personal data revealing racial or ethnic origin, religious or philosophical beliefs, health data, precise geolocation, etc., as defined by the GDPR/CCPA.
2. What We Collect, Why, and With Whom We Share It
User (account registration, ticket purchase, inquiry, coupon use)
Name, email, phone, password (hash), language/locale, payment token (last 4 digits), marketing preferences
- Create & secure account
- Process payments & issue tickets
- Send service or marketing messages (opt-in)
- Personalized event recommendations
Payment processors, email/SMS providers, fraud-detection tools
Organizer (brand or event page)
Business name, contact person, email, phone, public URL, bank or Stripe IDs, VAT/NIF
- Verify identity & create organizer workspace
- Remit payouts & handle invoices
- Display organiser profile to Users
Payment processors, KYC/KYB vendors, accounting tools
Any User/Organizer (support, feedback, surveys)
Content of communication, attachments, metadata
- Respond to queries & improve services
Customer-support platform, survey tool
Visitor (no login)
IP address, browser/OS, device ID, referring URL, cookies
- Secure Platform, prevent abuse
- Analytics & performance metrics
- Tailor content and ads (consent-based)
Analytics providers, security vendors
Social-login User
Public profile ID, name, email, avatar provided by the social network
- Simplify sign-in & personalise account
OAuth identity provider
* We require all processors to act under written contracts and follow the GDPR standard contractual clauses where applicable.
3. Legal Bases for Processing (GDPR / UK GDPR)
We process your data only when at least one lawful basis applies:
- Contract – to perfor
- Legitimate Interests – to run and secure our business, prevent fraud, analyze usage, and market similar services, provided your rights do not override ours.
- Consent – for email marketing, non-essential cookies or where local law requires consent. You may withdraw consent at any time.
- Legal Obligation – to comply with accounting, tax, consumer-protection, anti-money-laundering or other laws.
4. International Transfers
Our primary servers are located in the European Union (Frankfurt, Germany). When we transfer data from the EEA or UK to the United States, we rely on Standard Contractual Clauses and supplementary measures (encryption, MFA, restricted role-based access). Some trusted service partners operate in the United States and other jurisdictions. When we transfer data outside the EEA/UK/Switzerland we rely on:
- European Commission–approved Standard Contractual Clauses; or
- An EU/US or UK/US adequacy mechanism (if available); or
- Your explicit consent where other safeguards are not feasible.
5. Retention
We retain personal data only as long as necessary for the purposes set out above:
- User accounts & organizer workspaces – while the account is active and up to 30 days after deletion, then anonymised or erased unless legal obligations require longer.
- Transaction records – 6 years (Spanish tax law).
- Marketing consents – until you opt out or 3 years after last interaction, whichever is sooner.
6. Security
We use industry-standard safeguards, including:
- TLS 1.3 encryption in transit and AES-256 at rest
- Firewall-segmented networks and 24/7 intrusion monitoring
- Role-based access controls and MFA for staff
- Regular penetration tests and ISO 27001-aligned policies
If we discover a breach that affects your data, we will notify you and the relevant supervisory authority without undue delay.
7. Your Rights
Under GDPR (and comparable laws) you may:
- Access - Obtain a copy of the personal data we hold about you.
- Rectification - Correct inaccurate or incomplete data.
- Deletion (“Right to be Forgotten”) - Ask us to erase your data in certain circumstances.
- Restriction - Request temporary suspension of processing.
- Portability - Receive your data in a structured, machine-readable format, or ask us to transmit it to another controller.
- Objection - Object to processing based on legitimate interests or direct marketing.
- Withdraw Consent - Opt out of processing that relies on consent (e.g., marketing e-mails).
To exercise any right, email privacy@MallorcaGuide.com from the address linked to your account. We will verify your identity and respond within 30 days.
8. California Privacy Notice (CCPA/CPRA)
If you are a California resident, you have additional rights to know, access, correct, delete, opt out of sale/share, and limit use of sensitive personal information. LumaGuide LLC does not sell or share personal information for monetary consideration. See california-privacy@mallorcaguide.com for requests.
9. Cookies & Similar Technologies
We use:
- Essential cookies – required for security, authentication, load-balancing (cannot be disabled).
- Analytics cookies – help us understand traffic and improve UX (opt-in in the EEA).
- Advertising cookies – personalise ads on third-party sites (consent required).
You can manage non-essential cookies via the banner presented on first visit or through your browser settings.
10. Children
The Platform is not directed to children under 16. We do not knowingly collect their data without parental consent. Parents who believe their child has provided data may contact us for deletion.
11. Organizers as Independent Controllers
When an Organizer collects attendee data on an event-specific form, that Organizer is the independent controller for such information. Attendees should refer to the Organizer’s privacy notice for details on that processing.
12. Changes to This Policy
We may update this Policy to reflect legal or operational changes. We will post the revised version with a new “Effective” date and, where material, give at least 15 days’ notice before it takes effect.
13. Contact
Data Protection Officer / Privacy Team
LumaGuide LLC
1060 Goodrich Avenue, Sarasota, Florida 34236
Email: privacy@mallorcaguide.com
Supervisory authority: Agencia Española de Protección de Datos (AEPD)
For US Residents: The Florida Attorney General's Office can be contacted by phone at 1-866-9-NO-SCAM (1-866-966-7226) for filing complaints or reaching their main office, or through their website, My Florida Legal. The office's mailing address is PL-01 The Capitol, Tallahassee, FL 32399-1050.
Thank you for trusting MallorcaGuide with your data. We are committed to treating it with care and transparency.