App Privacy Policy and Data Protection

1.- Introduction and right to information

We provide you with this Privacy Policy in order to inform you in detail about how we treat your personal data and protect your privacy and the information you provide to us through the App.

If, in the future, we make changes to this Privacy Policy, we will notify you through the App or by other means, so that you can be aware of the new privacy conditions that will be adopted.

We inform you below, in the form of questions and answers, of the conditions under which our entity treats your personal data through this App:

2.- Who is Responsible for Processing Your Data?

  • Company Name: Civitatis Tours, S.L.
  • NIF: B-86899440
  • Address: C/ Coloreros, 28013 – Madrid.
  • Email: dpo@civitatis.com

3.- Who is the CIVITATIS Data Protection Officer (DPO) and how can they help you?

The DPO is a legally established role whose main functions are to inform and advise our entity on its obligations regarding personal data protection and to supervise its compliance with them.

In addition, the DPO acts as a point of contact for any matter relating to the processing of personal data, so if you have any queries, doubts or suggestions in relation to how we use your personal data, you can contact them by writing to dpo@civitatis.com.

This email address is intended for queries related to the processing and protection of personal data. It is not authorised to handle bookings, cancellations or other operational matters, which should be dealt with through the usual customer service channels.

4.- For what purpose do we process your personal data?

We process the personal data you provide for the following purposes:

a) To manage our relationship with customers, including billing and payment for services, as well as configuring the user account that enables access to a private area for booking and managing activities or services. For more information on this data processing, please refer to the relevant section on Personal Data Protection in the General Terms of Use.

b) To handle requests for information, suggestions, or complaints submitted through any available contact channels; to get in touch with the sender; to respond to their inquiry; and to conduct follow-up communications. Providing your data for this purpose is voluntary; however, without it, we may be unable to respond to your request. Therefore, submitting your personal data is necessary for us to attend to such communications.

c) To send marketing communications about our services, as detailed in the General Terms of Use and this Privacy Policy. Based on the information provided, we may create commercial profiles to offer products and services that best match your interests. This type of data processing is optional. If you do not expressly authorize it, you will not receive commercial communications from CIVITATIS.

d) If users wish to use the “Gift CIVITATIS” service (https://www.civitatis.com/en/gift/), their data will be processed in order to manage the purchase of the selected gift card and, where applicable, deliver it to the intended recipient. Providing this data is mandatory, as it is necessary to complete the purchase and, if applicable, send the gift card.

e) To assess the services provided and measure user satisfaction for statistical purposes. CIVITATIS may publish reviews and comments submitted via the “Rate Us” option in the App, including identifying data if provided in the review. Otherwise, comments will be published anonymously. Published reviews will be accessible to anyone viewing the activity’s feedback section or searching for CIVITATIS reviews online. This data processing is not required for using the App.

5.- How Long Will We Keep Your Data?

We only keep your data for the period necessary to fulfill the purpose for which it was collected, to comply with legal obligations imposed on us, and to address any potential liabilities that may arise from fulfilling that purpose.

Data collected for managing customers will be retained for the duration specified in the General Conditions of Use.

Data processed to handle requests, inquiries, or complaints will be retained for the time necessary to respond and consider them fully resolved. Afterward, the data may be stored as part of a communication history for the time required to meet potential legal obligations.

Data used to send marketing communications about our services will be retained indefinitely, unless and until the user requests its deletion or expresses a desire to stop receiving such communications.

Data processed to manage the purchase and delivery of a CIVITATIS gift card will be retained for as long as the contract/service remains in force. Once the relationship ends, if applicable, the data may be stored for the period required by applicable legislation and until any potential contractual liabilities expire.

Data processed to manage and publish user reviews will be retained indefinitely, for as long as the comment remains published or until the user requests the deletion of their data or withdraws their consent. In any case, the data may be retained in anonymized form for statistical purposes.

6.- What is the legitimate purpose for processing personal data?

The legal basis for processing customer data, including user registration, is outlined in the General Terms of Use.

The processing of personal data in response to users who contact CIVITATIS through any channel with requests for information, queries, or complaints is based on the individual's consent—unless such contact is made by a customer regarding services already contracted, in which case the applicable legal basis is that set out in the terms and conditions of those services.

The prospective offer of products and services is based on our legitimate business interest in offering customers—registered users included—additional services or products to help build loyalty. This legitimate interest is recognized under applicable legal regulations (General Data Protection Regulation), which explicitly allows personal data to be processed on this basis for direct marketing purposes. However, please remember that you have the right to object to this type of data processing at any time, using any of the methods outlined in this clause.

The processing of data related to service reviews and the publication of user comments is based on consent.

Data collected to process the purchase and delivery of a CIVITATIS gift card is processed under the legal basis of contract performance.

Consent may be withdrawn at any time by contacting us through any of the channels listed in this Privacy Policy. Withdrawing consent will not affect the performance of a contract where applicable, and any data processing carried out before the withdrawal will remain lawful.

The categories of data processed correspond to the information requested in each specific form used to submit your details.

7.- What Permissions are Requested from Users Who Download the CIVITATIS App?

The App will request the following permissions from users who download it, related to the processing of data for commercial purposes:

a) Authorization to send notifications regarding the activities of the entity, the services offered or bookings made.

b) Authorization to access their location in order to display activities near users.

The application will only process data when it's being executed by user action in the foreground, except for location information, which may also be processed in the background, even when the application is closed.

These processing operations are based on the user's consent, which may be revoked at any time by disabling these authorizations from the App, through the "Account" section, which allows the user to manage the permissions granted to the App at any time. The processing of user data for these purposes is not necessary for the use of the App, and users will not be able to receive notifications or personalised information based on their location if these permissions are not granted.

8.- Who Will Your Data Be Shared With?

The data processed for customer management will be transferred in accordance with the provisions of the General Conditions of Use.

The data of people who have purchased a CIVITATIS gift card will be communicated to the recipient of the card, if applicable, so that they can find out who has given them the gift.

The rest of the data will not be communicated to third parties, except for those transfers that must be made as required by current legislation.

Although this is not a transfer of data, third-party companies that act as structural providers of CIVITATIS may access your information in order to carry out the service. These providers access your data following our instructions, may not use it for a different purpose, must maintain the strictest confidentiality, and do so on the basis of a contract in which they undertake to comply with the requirements of the current regulations on the protection of personal data.

9.- Are there any international data transfers?

International data transfers may take place under the terms outlined in the General Terms of Use applicable to customers and registered users. In addition, we inform you of the following regular international data transfers:

  • Google Drive: CIVITATIS uses Google Drive’s cloud infrastructure to store its database. This means the information is stored in the United States under the safeguards of the Data Privacy Framework.

  • SendGrid (by Twilio): CIVITATIS uses the SendGrid platform to send transactional communications related to the services provided, as well as communications to Accommodations, Affiliates, Agencies, and Providers. The use of this platform, owned by Twilio, involves the international transfer of data to the United States. However, Twilio offers adequate data protection safeguards, as it has signed the Standard Contractual Clauses (SCCs) approved by the European Commission. You can find more information here, including a copy of the SCCs in Annex 3 of its Data Protection Addendum. Twilio is also a participant in the Data Privacy Framework, which ensures the application of appropriate security measures.

  • Mailchimp: CIVITATIS uses the Mailchimp platform to send marketing communications to users who have given prior consent. In this case, data is stored in the United States, meaning an international data transfer takes place. However, Mailchimp also offers appropriate safeguards, as it is a participant in the Data Privacy Framework and has signed the European Commission's Standard Contractual Clauses (SCCs). You can find more information here and download a copy of the SCCs here.

10.- What Are Your Rights When You Provide Us With Your Data?

You have the right to confirm whether we are processing your personal data and to access your personal data, request correction of inaccurate data, or request its deletion when the data is no longer necessary for the purposes collected.

Under conditions provided in the General Data Protection Regulation, you may request the restriction of processing or portability of your data, in which case we will only retain it for the assertion or defense of claims.

In certain circumstances and for reasons related to your particular situation, you may object to the processing of your data. If you have consented to processing for specific purposes, you are entitled to withdraw consent at any time, without affecting the legality of processing based on consent before its withdrawal. In these cases, we will stop processing the data or, if applicable, stop doing so for that specific purpose, except for compelling legitimate reasons, or the assertion or defense of possible claims.

Additionally, data protection regulations allow you to object to being the subject of decisions based solely on the automated processing of your data, where applicable.

These rights are characterized as follows:

  • They are exercised free of charge, unless the requests are manifestly unfounded or excessive (e.g., repetitive), in which case a fee proportional to the administrative costs incurred may be charged, or the request may be refused.
  • You can exercise these rights directly or through a legal or voluntary representative.
  • We must respond to your request within one month, but this period may be extended by two more months if necessary, considering the complexity and number of requests.
  • We are obligated to inform you about the means to exercise these rights, which must be accessible, and we cannot deny you the exercise of a right solely because you choose another method. If the request is made by electronic means, the information will be provided by these means when possible, unless you request otherwise.
  • If, for any reason, your request is not acted upon, we will inform you, within one month at the latest, of the reasons for this and of the possibility of filing a complaint with a Supervisory Authority.

To facilitate the exercising of these rights, we have provided links below to the request form for each right:

All the aforementioned rights can be exercised through the means of contact listed at the beginning.

In the event of any violation of your rights, especially when you have not obtained satisfaction in the exercising of your rights, you can file a complaint with the Spanish Data Protection Agency (contact details available at www.aepd.es), or other competent supervisory authority. You can also obtain more information about your rights by contacting these bodies.

11.- How Do We Protect Your Personal Data?

We are firmly committed to protecting the personal data we process. We use reasonably reliable and effective physical, organizational, and technological measures, controls, and procedures aimed at preserving the integrity and security of your data and ensuring your privacy.

In addition, all personnel with access to personal data have been trained and are aware of their obligations regarding the processing of such data.

In the contracts we sign with our providers, agencies, affiliates, and accommodations, we include clauses that require them to maintain the duty of confidentiality regarding any personal data they may access as part of the services rendered, as well as to implement the necessary technical and organizational security measures to ensure the ongoing confidentiality, integrity, availability, and resilience of the systems and services that process personal data.

All these security measures are reviewed regularly to ensure their adequacy and effectiveness.

However, absolute security cannot be guaranteed, and no security system is impenetrable. Therefore, if any information under our control were to be compromised due to a security breach, we would take appropriate steps to investigate the incident, notify the Supervisory Authority, and, where applicable, inform any users who may have been affected so they can take suitable precautions.

12.- What is Your Responsibility as the Data Subject?

By providing us with your personal data, you guarantee that you are over 14 years of age and that the data provided is true, accurate, complete and up-to-date.

For these purposes, you are responsible for the accuracy of the data, and you must keep it properly updated to reflect your current situation, making you responsible for false and inaccurate data that you provide, as well as damages, direct or indirect, that may arise.

If you provide data regarding third parties, you assume the responsibility of informing them in advance of all provisions set forth in Article 14 of the General Data Protection Regulation under the conditions established in that provision.

13.- How Did We Obtain Your Data?

In cases in which user registration is carried out via social media, the personal data we process will come from the relevant social network, to which the data subject will have previously provided such information in accordance with the purposes outlined in that network’s own privacy policies. The categories of data we collect from the social network are those listed in our registration form and which you have provided to the respective social network. If additional information is required to complete registration on our website that was not supplied by the social network, you must fill it out in our registration form, in accordance with the privacy terms outlined in this Policy.

With regard to the publication of user reviews via the “Rate Us” option, these will be published under the Google username with which the user is registered. In this context, when a user uses their Google account to rate and post their opinion about the services received, CIVITATIS may access their name, language, and device information (such as model and OS version) and may use this information to respond to the user. Users can obtain more information about Google’s privacy policy for reviews at the time of posting, specifically in the “Learn more” section.

Regarding the purchase of a CIVITATIS gift card, the recipient’s data, where applicable, is provided by the purchaser when completing the corresponding form, entering the contact details indicated: name and email address.

The purchaser is responsible for obtaining the recipient’s authorization before providing their data to CIVITATIS.

Finally, in some cases, the data of end customers may be provided by the agency that books the experience offered by CIVITATIS on their behalf, in order to provide the contracted services, as outlined in the General Conditions of Use.