Privacy Policy

Last updated: 16 May 2026

1. Who is the controller?

Corralejo Living (the "Platform") is the data controller for personal data collected through the website. Contact: privacy@corralejoliving.com.

2. What data we collect

  • Account data: email, password (hashed), display name, avatar.
  • Profile data: phone, WhatsApp, languages, bio, social handles (optional).
  • Booking data: guest name, email, dates, party size, messages.
  • Payment data: processed by Stripe — we store only the transaction ID, amount, currency and status. We never store card numbers.
  • Listings: photos, descriptions, contact details published by Hosts.
  • Technical data: IP, user-agent, cookies, anonymous click events.

3. Why we use it (legal basis)

  • Performance of contract: create accounts, process bookings, send transactional emails.
  • Legitimate interest: prevent fraud, secure the Platform, basic analytics.
  • Consent: marketing newsletter (opt-in only).
  • Legal obligation: accounting, tax, response to lawful requests.

4. Who we share it with

  • Hosts/Guests: contact details are revealed to the counterpart once a booking is accepted and paid.
  • Stripe (Ireland): payment processing.
  • Supabase (EU): database hosting.
  • Email infrastructure: for transactional and authentication emails.
  • Authorities: when required by law.

We do not sell personal data.

5. How long we keep it

  • Account data: until you delete your account.
  • Booking & payment records: 10 years (legal/tax retention in Spain).
  • Marketing consent: until you unsubscribe.
  • Server logs: 12 months.

6. Your rights (GDPR)

You can at any time:

  • access, correct or delete your personal data;
  • restrict or object to processing;
  • request portability of your data;
  • withdraw consent;
  • lodge a complaint with the Spanish AEPD or your local supervisory authority.

Email privacy@corralejoliving.com and we'll respond within 30 days.

7. Cookies

We use essential cookies (session, security) and a minimal amount of analytics cookies. We do not use third-party advertising cookies.

8. Security

Data is encrypted in transit (HTTPS) and at rest. Passwords are hashed. Access is restricted via Row-Level Security policies. No system is 100% secure — we follow industry best practice and notify affected users in case of a breach.

9. Changes

We may update this policy. Material changes will be announced on the Platform.