Privacy Policy
Last updated: June 25, 2026
Agroturismo Son Boronat SL respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect the personal data of guests, website visitors, event clients, planners, suppliers, and anyone who contacts us, in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR) and Spanish Organic Law 3/2018 of December 5 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
Please read it together with our Cookie Policy and our Legal Notice.
1. Data controller
The controller of your personal data is:
Agroturismo Son Boronat SL
Registered office: Camí de Son Boronat 33, 07184 Calvià, Illes Balears, Spain
Tax ID (CIF): B72740814
Email: hello@hotelsonboronat.com
Telephone: +34 601 988 333
For any privacy matter, including the exercise of your rights, you can contact us using the details above.
2. The personal data we collect
Depending on how you interact with us, we may collect the following categories of personal data:
Identification and contact data: name, surname, postal address, email address, telephone number, and, where required for a booking or legal obligation, your national ID, NIE, or passport number.
Reservation and stay data: arrival and departure dates, room and service preferences, number and details of guests, dietary requirements, accessibility needs, special requests, and information relating to your stay.
Event data: for events such as weddings, retreats, and private celebrations, details of your event, guest numbers, schedule, suppliers, and related requirements.
Payment and billing data: billing details and the payment card information needed to take deposits and payments, to hold a pre-authorization, and, where you authorize it, to charge any outstanding balance, incidentals, honesty-bar consumption, or damage to the card on file. Card payments are processed and stored securely through our booking platform, our website platform's online payment system (for example for event tickets), and our on-site points of sale at reception and our store, all of which apply recognized payment-security standards (such as PCI DSS).
Identity document data: a copy or scan of your national ID, NIE, or passport, where we are required to register your stay with the authorities, as explained in section 4.
Communications data: the content and metadata of your messages to us, whether by email, telephone, contact form, WhatsApp, or other messaging and social media channels.
Marketing data: your preferences for receiving communications from us, and whether you have opted in or out.
Technical and browsing data: IP address, device and browser information, and usage data collected through cookies and similar technologies, as described in our Cookie Policy.
Image data from video surveillance (CCTV): images captured by the security cameras installed in the common and exterior areas of the property, as described in section 8.
Photographs and audiovisual material: images and video taken at the property for promotional and marketing purposes (for our website, social media, and printed materials), in which guests and event attendees may appear, as described in section 9.
You are not generally required by law to provide your data, but if you do not provide the data necessary for a booking, contract, or legal obligation, we may be unable to process your reservation or provide the service.
3. Where your data comes from
We collect most data directly from you, including through our website inquiry and contact forms, the forms we use to manage your stay or event (such as pre-check-in forms, meal and dietary planning forms, and room distribution forms), and the documents collected at check-in (such as the credit card authorization form and your identity document). We may also receive your data from:
wedding planners, retreat organizers, or other guests making a booking that includes you;
online travel agencies, booking platforms, or other intermediaries through which you reserve; and
publicly available sources or social media where you interact with us.
4. How we use your data and our legal basis
We process your personal data for the following purposes, on the indicated legal basis:
Responding to your inquiries and requests: your consent and/or steps taken at your request before entering a contract.
Managing reservations, stays, events, and related services
Processing deposits, payments, invoicing, and accounting: performance of a contract and compliance with a legal obligation.
Holding a pre-authorization and charging deposits, balances, incidentals, honesty-bar items, or damages to the card on file, as authorized: performance of a contract.
Registering travelers and reporting the required identity and payment details to the competent authorities through the official accommodation registration system: compliance with a legal obligation.
Meeting other legal obligations, including tax and accounting duties: compliance with a legal obligation.
Communicating with you about your booking before, during, and after your stay (including by email, telephone, and messaging apps such as WhatsApp): performance of a contract.
Sending marketing communications, newsletters, or offers where you have opted in: your consent.
Maintaining the security of people and property through video surveillance: our legitimate interest in protecting the property, guests, and staff.
Taking and using photographs and video of the property for marketing, where guests may appear: your consent where you are identifiable and featured, and our legitimate interest for general or ambience views where individuals are incidental and not the focus, subject to your right to object.
Ensuring the security, integrity, and proper functioning of our website: our legitimate interest.
Handling complaints and exercising or defending legal claims: our legitimate interest and compliance with a legal obligation.
Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Where we rely on legitimate interest, you have the right to object as described in the section on your rights below.
5. Messaging and social media channels
When you contact us through WhatsApp, social media, or other third-party messaging platforms, your communication is also processed by the provider of that platform under its own terms and privacy policy, over which we have no control. We use the content of those messages only to assist you and manage your booking or inquiry. If you prefer not to use such platforms, you can always reach us by email or telephone.
6. Who we share your data with
We do not sell your personal data. We may share it with:
Service providers acting on our behalf (data processors), such as our website hosting and platform provider, our online reservation and booking system, payment processors, email, messaging, and IT providers, and professional service providers, each bound by a data processing agreement that restricts use of your data to our instructions.
Public authorities and law enforcement, where required by law, including the mandatory registration of travelers and, where applicable, the provision of video-surveillance images in connection with an offense.
Professional advisers, such as our accountants, auditors, or lawyers, where necessary.
7. International data transfers
Some of our providers may process data outside the European Economic Area (EEA). Where this happens, we ensure an adequate level of protection through one of the safeguards permitted by the GDPR, such as a European Commission adequacy decision or Standard Contractual Clauses. You may request further information about these safeguards, and a copy where available, using the contact details in section 1.
8. Video surveillance (CCTV)
For the security of guests, staff, and property, the premises are monitored by video-surveillance cameras. The processing of these images is carried out as follows:
Controller: Agroturismo Son Boronat SL (details in section 1).
Purpose: to ensure the safety of persons and the protection of the property.
Legal basis: our legitimate interest in security (GDPR Art. 6(1)(f)), in accordance with Article 22 of the LOPDGDD.
Areas covered: cameras are located in common and exterior areas only. They are not installed in areas intended for guests' rest or privacy, such as bedrooms, bathrooms, or changing areas. The presence of cameras is signposted with informational notices in the monitored zones.
Retention: images are kept for a maximum of one month from capture and are then deleted, except where they must be retained to prove an offense, in which case they are made available to the competent authorities.
Recipients: the images are not disclosed to third parties except to law enforcement, courts, or competent authorities where legally required.
9. Photography and marketing images
We photograph and film around the property to promote Son Boronat, including on our website, social media, and printed materials. Because our gardens, pool, courtyard, and event spaces are shared, guests and event attendees may appear in these images, whether as the subject or incidentally in the background.
Featured or identifiable individuals: where an individual is the focus of an image or is clearly identifiable, we rely on consent, which we obtain before using the image for marketing.
General and ambience views: for wider views of the property and its atmosphere, where individuals are incidental and not the focus, we rely on our legitimate interest in promoting our services, balanced against your rights.
Weddings, retreats, and events: images from events may be used for marketing only with the agreement of the event client, as set out in the relevant booking agreement or a separate image release. Where a professional photographer takes the images, we use them under a licence or release from that photographer.
You can ask us not to photograph you, ask us not to use an image in which you appear, or ask us to remove a published image, at any time, by contacting hello@hotelsonboronat.com. We will act on reasonable requests promptly. This processing is also subject to your image rights under Spanish Organic Law 1/1982.
10. How long we keep your data
We keep your personal data only for as long as necessary for the purposes for which it was collected, and to meet legal, accounting, and reporting requirements. As a general guide:
Inquiries that do not lead to a booking: kept for a reasonable period after our last contact and then deleted.
Reservation, stay, and event records: kept for the duration of the relationship and afterward for the periods required by law, generally up to four years for tax purposes and up to six years under Spanish commercial law.
Traveler registration data (identity document and required payment details): recorded and reported to the competent authorities as required by the accommodation registration rules (Royal Decree 933/2021 and the SES.HOSPEDAJES system), and kept for the period those rules require, generally three years.
Payment card data held on file: kept only for as long as needed to complete your stay and settle any authorized charges, and then removed in line with payment-security standards, except where a record must be retained for accounting or legal purposes.
Video-surveillance images: maximum of one month, as set out in section 8.
Marketing photographs and video: kept while in use for marketing and until you withdraw consent or successfully object, after which we stop using the image and remove it from materials we control.
Marketing data: kept until you withdraw your consent or object, after which it is deleted or anonymized.
11. Your rights
You have the right to:
access your personal data and obtain a copy;
request rectification of inaccurate or incomplete data;
request erasure of your data where it is no longer necessary;
request restriction of processing in certain circumstances;
object to processing based on our legitimate interest, including any direct marketing;
request portability of the data you have provided, in a structured, commonly used format; and
withdraw consent at any time, where processing is based on consent.
You may exercise these rights free of charge by writing to hello@hotelsonboronat.com or to our registered address, indicating the right you wish to exercise. We may ask for a copy of an identifying document to verify your identity. We will respond within one month, which may be extended by two further months for complex requests, in which case we will let you know.
If you believe your data protection rights have not been respected, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es.
12. Children
Our services and website are directed at adults. We do not knowingly collect data from children except in the context of a family booking made by a parent or guardian, who is responsible for the data of any minors included.
13. Automated decisions
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
14. Security
We apply appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, alteration, or disclosure, and we keep these measures under review.
15. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or in the law. The current version, with its "last updated" date, is always published on this page.