PRIVACY & COOKIE POLICY – GDPR & LOPDGDD
We are very pleased about your interest in our company. Data protection is of particular importance to the management of Poloca Surf. The Poloca Surf website can be used without the need to provide any personal data. However, if a data subject wishes to make use of special services of our company via our website, it may be necessary to process personal data. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the consent of the data subject.
The processing of personal data, such as a data subject’s name, address, email address or telephone number, is always in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), and with the Spanish Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), as well as any other applicable national or regional legislation. By means of this privacy and cookie policy, Poloca Surf would like to inform the public about the type, scope and purpose of the personal data collected, used and processed via this website. Data subjects will also be informed of their rights.
As data controller, Poloca Surf has implemented numerous technical and organisational measures to ensure the most complete protection possible for personal data processed via this website. Nevertheless, Internet-based data transmissions can have security gaps, so that absolute protection cannot be guaranteed. For this reason, every person concerned is free to transmit personal data to us by alternative means, for example by telephone.
1. DEFINITIONS
The Poloca Surf Privacy Policy is based on the terms used in the General Data Protection Regulation (GDPR) and the Spanish LOPDGDD. The policy is intended to be easy for the public, our customers and our business partners to read and understand.
A) PERSONAL DATA
Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
B) DATA SUBJECT
Any identified or identifiable natural person whose personal data are processed by the controller.
C) PROCESSING
Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
D) RESTRICTION OF PROCESSING
Means the marking of stored personal data with the aim of limiting their processing in the future.
E) PROFILING
Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
F) PSEUDONYMISATION
Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
G) CONTROLLER
Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
H) PROCESSOR
Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
I) RECIPIENT
Means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not.
J) THIRD PARTY
Means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
K) CONSENT
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. NAME AND CONTACT DETAILS OF THE CONTROLLER
Poloca Surf
Owner: Victoria Sadowska
Tel.: +34 678224872
E-mail: vicky@polocasurf.com
Website: www.polocasurf.com
3. COOKIES
In order to be able to offer you the best service through our website, Poloca Surf places small data files called cookies in your browser. You can manage your cookie preferences at any time via the Cookie Settings button in our cookie banner.
WHAT ARE COOKIES?
A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.
COOKIES USED ON THIS WEBSITE
| Cookie Name | Duration | Category | Description |
|---|---|---|---|
| cookielawinfo-checkbox-* | 1 year | Strictly Necessary | CookieYes – Records user cookie consent preferences. |
| viewed_cookie_policy | 1 year | Strictly Necessary | CookieYes – Records whether the user has viewed the cookie policy. |
| cli_user_preference | 1 year | Strictly Necessary | CookieYes – Stores user cookie consent preferences. |
| PHPSESSID | Session | Strictly Necessary | PHP session cookie – preserves user session state across page requests. |
| wpml_referer_lang | Session | Strictly Necessary | WPML – Stores the referring language for correct multilingual navigation. |
| _icl_current_language | 1 day | Strictly Necessary | WPML – Stores the selected language of the visitor. |
| woocommerce_cart_hash | Session | Strictly Necessary | WooCommerce – Helps WooCommerce determine when the cart contents or currency has changed. |
| woocommerce_session_* | 2 days | Strictly Necessary | WooCommerce – Contains a unique code for each customer, used to manage the shopping cart session. |
| wordfence_verifiedHuman | 1 day | Strictly Necessary | Wordfence – Used to verify that visitors are human and not bots. |
| _ga | 2 years | Analytics | Google Analytics 4 – Used to distinguish unique users by assigning a randomly generated number. |
| _ga_* | 2 years | Analytics | Google Analytics 4 – Used to persist session state. |
| _gid | 24 hours | Analytics | Google Analytics – Used to distinguish users. |
| _fbp | 3 months | Marketing | Facebook/Meta – Used to deliver advertising to people who have already visited our website when they are on Facebook or a Meta platform. |
| brevo_* | Varies | Functional | Brevo (formerly Sendinblue) – Used in relation to email subscription and web push notification functionality. |
For a complete and up-to-date list of all cookies, please refer to our Cookie Declaration managed by CookieYes.
4. ACQUISITION OF GENERAL DATA AND INFORMATION
The Poloca Surf website collects a series of general data and information each time a person or automated system accesses the website. This general data and information is stored in the log files of the server. We may record (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrer), (4) the sub-pages of the website accessed, (5) the date and time of access, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information used for security purposes in the event of attacks on our information technology systems.
When using this general data and information, Poloca Surf does not draw any conclusions about the person concerned. Rather, this information is required to (1) correctly deliver the contents of our website, (2) optimise the contents of our website, (3) ensure the permanent functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary in the event of a cyber attack. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
5. CONTACT FORMS AND ENQUIRIES (WPFORMS)
Our website uses WPForms to manage contact and enquiry forms. When you submit a form, we collect the personal data you provide, which may include your name, email address, telephone number, and the content of your message. This data is used solely to respond to your enquiry and for no other purpose.
The legal basis for processing this data is your consent (Art. 6(1)(a) GDPR) at the time of submission and/or our legitimate interest in responding to enquiries (Art. 6(1)(f) GDPR). Where an enquiry leads to or relates to a contractual relationship, the legal basis is Art. 6(1)(b) GDPR.
Form submissions are stored in our WordPress database. Data submitted via contact forms is retained for no longer than 12 months after the enquiry is resolved, unless a longer retention period is required by law. You may request deletion of your submission at any time by contacting us at vicky@polocasurf.com.
6. EMAIL COMMUNICATIONS AND NEWSLETTER (BREVO)
Our website uses Brevo (formerly Sendinblue), a marketing and transactional email platform operated by Brevo SAS, 106 boulevard Haussmann, 75008 Paris, France. Brevo acts as a data processor on our behalf.
If you subscribe to our newsletter or provide your email address for booking confirmations and service updates, we will process your name and email address for the purpose of sending you the requested communications. The legal basis for newsletter communications is your explicit consent (Art. 6(1)(a) GDPR). The legal basis for transactional emails (booking confirmations, service notifications) is the performance of a contract (Art. 6(1)(b) GDPR).
You may unsubscribe from our newsletter at any time by clicking the unsubscribe link in any email we send you, or by contacting us at vicky@polocasurf.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
Brevo’s privacy policy is available at: https://www.brevo.com/legal/privacypolicy/
7. ROUTINE DELETION AND BLOCKING OF PERSONAL DATA
The controller shall process and store the personal data of the data subject only for the time necessary to achieve the storage purpose, or as provided for by applicable European or Spanish legislation. If the storage purpose is not fulfilled or if a storage period prescribed by the applicable legislator expires, the personal data will be blocked or deleted in accordance with the statutory provisions.
8. RIGHTS OF THE DATA SUBJECT
A) RIGHT TO CONFIRMATION
Any data subject has the right to request confirmation from the controller as to whether personal data concerning him or her is being processed. To exercise this right, please contact us at vicky@polocasurf.com.
B) RIGHT TO ACCESS (ART. 15 GDPR / ART. 13 LOPDGDD)
Any data subject has the right to obtain, at any time and free of charge, information on the personal data held about them and a copy of that information, including the processing purposes, categories of personal data, recipients, planned retention periods, the existence of the right to rectification, erasure or restriction, the right to lodge a complaint with a supervisory authority, and information on any automated decision-making. Please contact us at vicky@polocasurf.com to exercise this right.
C) RIGHT TO RECTIFICATION (ART. 16 GDPR)
Any data subject has the right to request immediate correction of inaccurate personal data and completion of incomplete personal data. Please contact us at vicky@polocasurf.com.
D) RIGHT TO ERASURE – ‘RIGHT TO BE FORGOTTEN’ (ART. 17 GDPR)
Any data subject has the right to request the deletion of personal data concerning them, provided one of the following applies: the data is no longer necessary for the purposes for which it was collected; the data subject withdraws consent and there is no other legal basis for processing; the data subject objects to processing and there are no overriding legitimate grounds; the data was unlawfully processed; or deletion is required to comply with a legal obligation. Please contact us at vicky@polocasurf.com.
E) RIGHT TO RESTRICTION OF PROCESSING (ART. 18 GDPR)
Any data subject has the right to request restriction of processing where: the accuracy of the data is contested; the processing is unlawful but the data subject opposes erasure; the controller no longer needs the data but the data subject requires it for legal claims; or the data subject has objected to processing and verification is pending. Please contact us at vicky@polocasurf.com.
F) RIGHT TO DATA PORTABILITY (ART. 20 GDPR)
Any data subject has the right to receive personal data concerning them in a structured, commonly used and machine-readable format, and to transmit that data to another controller, where technically feasible. This right applies where processing is based on consent or contract and is carried out by automated means. Please contact us at vicky@polocasurf.com.
G) RIGHT TO OBJECT (ART. 21 GDPR)
Any data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them where processing is based on legitimate interests (Art. 6(1)(e) or (f) GDPR). This also applies to profiling based on those provisions. Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time. Please contact us at vicky@polocasurf.com.
H) AUTOMATED DECISIONS INCLUDING PROFILING (ART. 22 GDPR)
Any data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except where the decision is necessary for entering into or performing a contract, is authorised by law, or is based on the data subject’s explicit consent. Please contact us at vicky@polocasurf.com.
I) RIGHT TO WITHDRAW CONSENT (ART. 7(3) GDPR)
Where processing is based on consent, the data subject has the right to withdraw their consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. Please contact us at vicky@polocasurf.com or use the unsubscribe link in any email we send.
J) RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY (ART. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement.
The competent supervisory authority in Spain is:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
Website: https://www.aepd.es
Tel.: +34 901 100 099
9. PRIVACY POLICY REGARDING THE USE AND APPLICATION OF FACEBOOK / META
The controller has integrated components of Meta Platforms on this website, including the Facebook pixel and social sharing features. These services are operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (EU/EEA users) and Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.
When a Facebook/Meta component is integrated on a page of our website, the Internet browser on the information technology system of the person concerned may automatically download a representation of the corresponding component. As part of this technical process, Facebook/Meta may be informed about which specific page of our website is visited.
If the person concerned is logged on to Facebook/Meta at the same time as accessing our website, Meta recognises which specific page the person concerned is visiting. If the person concerned does not want this information to be transmitted to Meta, they can prevent it by logging out of their Facebook account before accessing our website.
The transfer of personal data to Meta in the United States is based on the EU–US Data Privacy Framework (adequacy decision of 10 July 2023) and/or Standard Contractual Clauses. More information is available at Meta’s Privacy Policy: https://www.facebook.com/privacy/policy/
10. PRIVACY POLICY REGARDING THE USE AND APPLICATION OF GOOGLE ANALYTICS 4
The controller has integrated Google Analytics 4 (GA4) on this website via MonsterInsights. Google Analytics 4 is a web analytics service operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and its parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
GA4 collects data about your use of the website, including pages visited, time spent, and general location (country/region level). IP addresses are truncated before storage and are not stored in full. GA4 does not use third-party cookies and data is aggregated for analytics purposes.
GA4 places cookies on your device (see the cookie table in Section 3). Each time a page of this website is accessed, GA4 automatically collects data to help us analyse visitor behaviour, improve our website, and understand the effectiveness of our services. The legal basis for this processing is your consent (Art. 6(1)(a) GDPR), obtained via our cookie banner.
The transfer of personal data to Google in the United States is based on the EU–US Data Privacy Framework (adequacy decision of 10 July 2023) and/or Standard Contractual Clauses. Data collected by GA4 is retained for 14 months.
You can withdraw your consent at any time via the Cookie Settings button on our website. You can also install the Google Analytics opt-out browser add-on: https://tools.google.com/dlpage/gaoptout
More information: https://policies.google.com/privacy | https://support.google.com/analytics/answer/6004245
11. PRIVACY POLICY REGARDING THE USE AND APPLICATION OF INSTAGRAM
The controller has integrated components of the Instagram service on this website. Instagram is an audiovisual platform operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Each time a page of this website with an integrated Instagram component is accessed, the Internet browser may automatically download a representation of the corresponding component. As part of this technical process, Instagram may be informed of which specific page of our website is visited. If the person concerned is logged in to Instagram at the same time, Instagram may recognise which specific page is being visited.
If the person concerned does not want such information to be transmitted to Instagram, they may prevent transmission by logging out of their Instagram account before accessing our website.
More information: https://help.instagram.com/519522125107875 | https://www.instagram.com/about/legal/privacy/
12. PRIVACY POLICY REGARDING THE USE AND APPLICATION OF X (FORMERLY TWITTER)
The controller may have integrated components of X (formerly Twitter) on this website. X is operated by X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
If you are logged into X while accessing our website, X may record which specific pages you visit. If you do not wish this information to be transmitted to X, please log out of your X account before visiting our website.
The current privacy policy of X is available at: https://x.com/en/privacy
13. PRIVACY POLICY REGARDING THE USE AND APPLICATION OF YOUTUBE
The controller has integrated components from YouTube on this website. YouTube is an Internet video portal operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, a subsidiary of Google LLC.
Each time a page of this website with an integrated YouTube video is accessed, the Internet browser may automatically prompt a connection to YouTube and Google servers. As part of this technical process, YouTube and Google may be informed of which specific page of our website is visited.
If the person concerned does not want such information to be transmitted to YouTube and Google, they should log out of their YouTube account before accessing our website.
The transfer of personal data to Google in the United States is based on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
More information: https://policies.google.com/privacy
14. LEGAL BASIS OF PROCESSING
The legal bases for our data processing activities are as follows:
– Consent (Art. 6(1)(a) GDPR): Where we have obtained your explicit consent, for example for analytics cookies or newsletter subscriptions.
– Contract performance (Art. 6(1)(b) GDPR): Where processing is necessary for the performance of a contract with you, such as processing a booking or surf lesson.
– Legal obligation (Art. 6(1)(c) GDPR): Where processing is necessary for compliance with a legal obligation, such as tax or accounting requirements.
– Vital interests (Art. 6(1)(d) GDPR): In rare cases where processing is necessary to protect the vital interests of a person, for example in a medical emergency during activities.
– Legitimate interests (Art. 6(1)(f) GDPR): Where processing is necessary for our legitimate business interests, provided those interests are not overridden by the rights and freedoms of data subjects, such as IT security and fraud prevention.
15. LEGITIMATE INTERESTS PURSUED BY THE CONTROLLER
Where processing is based on Art. 6(1)(f) GDPR, our legitimate interest is to operate our surf school business effectively for the benefit of our clients, staff and the organisation, including IT security, customer service and fraud prevention.
16. DURATION OF PERSONAL DATA STORAGE
Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable European or Spanish legislation (including the LOPDGDD). In Spain, financial and invoicing records must be retained for at least 5 years (Art. 30 Código de Comercio). After the applicable retention period, data is routinely and securely deleted.
17. PROVISION OF PERSONAL DATA AS STATUTORY OR CONTRACTUAL REQUIREMENT
We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may result from contractual requirements (e.g. booking information). In some cases, it may be necessary to provide personal data in order to conclude a contract. If you have questions about whether a specific data provision is mandatory, please contact us at vicky@polocasurf.com.
18. AUTOMATED DECISION MAKING
As a responsible company, we do not engage in automated decision-making or profiling that produces legal or similarly significant effects on data subjects.
19. SPANISH DATA PROTECTION LAW (LOPDGDD)
In addition to the GDPR, the processing of personal data in Spain is governed by Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD). The LOPDGDD supplements and specifies the application of the GDPR in Spain and includes additional rights specific to the Spanish legal framework.
Under the LOPDGDD, data subjects in Spain also have the following digital rights:
– Right to digital neutrality and to internet access
– Right to digital security and to the protection of minors online
– Right to privacy in the use of digital devices in the workplace
– Right to digital disconnection in the workplace context
– Right not to be subject to reputational damage through online content
For enquiries or complaints relating to data protection in Spain, the competent authority is the Agencia Española de Protección de Datos (AEPD), whose contact details are listed in Section 8(J) of this policy.
20. FURTHER INFORMATION
The complete EU General Data Protection Regulation (GDPR) including all 99 articles and 173 recitals is available at: https://gdpr-info.eu/
The Organic Law 3/2018 (LOPDGDD) is available at: https://www.boe.es/eli/es/lo/2018/12/05/3/con
This policy was last updated: May 2026.