Privacy Policy

The data controller is GOYEN ETCHE CONNECT SL ("Corralejo Living"), a Spanish limited liability company (Sociedad Limitada), NIF B22809719, registered office at Calle Lepanto 270, 08013 Barcelona, Spain. For any privacy request, contact hola@corralejoliving.com.

This Privacy Policy explains how we collect, use, share and protect personal data when you visit corralejoliving.com, create an account, send a booking request, publish a listing, claim a business or interact with our messaging, payments and community features. It applies in addition to the Terms of Service.

• Account data: email, display name, handle, avatar, password (hashed by Supabase Auth), preferred language, role.
• Profile data: bio, photo, languages, interests, social links (Instagram, WhatsApp, Telegram, etc.), phone, website.
• Listing data (hosts): business name, address, geolocation, descriptions, photos, prices, availability, calendar, payment methods, IBAN, PayPal, Wise, Revolut, Bizum, Stripe identifiers.
• Booking data: guest name, email, WhatsApp, dates, party size, price, messages, payment status.
• Communications: messages, attachments, claim requests, support tickets, contact-form submissions, email replies.
• Consent logs: timestamp, document version, locale, IP and user-agent at the moment you accept the Terms or Privacy Policy, kept as proof under Article 7 GDPR.
• Technical data: IP, browser, device, language, pages visited, referrer, error logs, basic analytics, cookies (see §9).
• Payment metadata: Stripe customer / payment-intent IDs, status, amounts. We never store full card numbers or CVV.

• Operating the Platform, booking, messaging and payments — performance of a contract (Art. 6(1)(b) GDPR).
• Account creation, authentication and security — performance of a contract and legitimate interest in fraud prevention (Art. 6(1)(b)(f)).
• Customer support and dispute handling — contract and legitimate interest.
• Transactional emails (booking confirmations, password reset, payment recap) — contract.
• Marketing emails or newsletters, if any — your explicit consent (Art. 6(1)(a)), revocable at any time.
• Analytics and product improvement — legitimate interest, with privacy-friendly settings; non-essential cookies require consent.
• Legal compliance, anti-fraud, anti-money-laundering, tax — legal obligation and legitimate interest.

We share personal data only with the following categories of recipients, bound by appropriate confidentiality and data-processing terms:

• Hosting and infrastructure: Supabase / managed cloud (EU region where available) for database, auth, storage and serverless functions.
• Payments: Stripe for payment processing.
• Email delivery: the transactional-email provider configured for transactional and authentication emails.
• Maps and external links when you click a Google Maps, Instagram or WhatsApp link (subject to their own policies).
• Other users: the host receives the data necessary to fulfil your booking; the guest sees what the host chooses to publish.
• Authorities when required by law, court order, fraud investigation or to protect the rights, safety or property of users.

We do not sell personal data and do not use it for automated decision-making with legal effect.

Where data is processed outside the European Economic Area (for example by a US-based sub-processor of an EU-region service), we rely on EU Standard Contractual Clauses, EU-US Data Privacy Framework certifications or another lawful transfer mechanism under Chapter V GDPR.

We retain personal data for as long as needed to provide the service and to comply with legal, accounting, tax and dispute-resolution obligations — typically up to 10 years for transactional records, 5 years for booking and messaging history, and indefinitely for consent logs as long as the account exists. You can request deletion at any time (see §10).

We implement reasonable technical and organisational measures: encryption in transit (HTTPS/TLS), encryption at rest by our hosting provider, hashed passwords, row-level-security in the database, least-privilege access for the team, logging, and monitoring. No system is 100% secure; you must keep your password safe and notify us of any suspected breach.

We use strictly necessary cookies for authentication, language preference and security. We may use limited analytics or performance cookies that require consent under the ePrivacy framework where applicable. You can manage cookies in your browser. Disabling essential cookies will break sign-in.

You have the right to: access, rectify, erase, restrict, port and object to the processing of your data, and to withdraw any consent at any time. To exercise a right, email hola@corralejoliving.com from the address on file. We will respond within one month. You may also lodge a complaint with the Spanish Data Protection Agency (AEPD) at aepd.es or with the supervisory authority of your EU country of residence.

The Platform is not directed to children under 18. If we learn that we hold personal data of a minor, we will delete it.

Please do not share special categories of personal data (health, ethnic origin, political opinions, religion, sexual orientation, etc.) in messages, listings, reviews or community content. Information you publish voluntarily on a public profile or listing becomes accessible to other users and may be indexed by search engines.

When you book a stay or service, the host receives your booking data and becomes the controller for their own customer-relationship purposes (their guest database, their accounting, their tourist-tax declarations). You should also review the host's own privacy notice when provided.

We may update this Privacy Policy. Material changes will be notified by email, in-app banner or website notice. The current version date is shown above. We keep prior versions and a record of your consent to each version.