Privacy Policy

At Kidtastic Costa Del Sol, we are committed to protecting the privacy and personal data of our clients in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) in Spain. This Privacy Policy explains how we collect, use, and safeguard your personal data when you interact with our services, website, and related activities.

1. Scope of the Policy
This Privacy Policy applies to all personal data collected, processed, and stored by Kidtastic Costa Del Sol (“we”, “us”, “our”) in the course of providing services, including classes, rentals, bookings, and related activities.

2. Personal Data We Collect
We may collect the following types of personal data, depending on the services you use:

  • Identity & contact information: Name, email address, phone number, address.
  • Payment and invoicing information: Payment details, invoice information, transaction records.
  • Identification numbers: ID/passport numbers, as required for legal or contractual purposes.
  • Health and participation information: Relevant details for participation in classes or rentals (e.g., allergies, special requirements). For children attending classes, we also collect their name, date of birth, and a photograph, solely to facilitate the organisation and smooth running of the classes.
  • Other relevant information: Details necessary to provide and improve our services.
  • Technical and security information: When you submit forms on our website, CAPTCHA tools (such as Zoho CAPTCHA or Google reCAPTCHA) may collect and analyse technical information (e.g. IP address, device and browser characteristics, interaction patterns) to verify that the submission is made by a human and not an automated program.

3. Legal Basis for Processing
We process your personal data on the following legal bases:

  • Performance of a contract: To provide the services you request, including rentals, classes, and bookings.
  • Consent: Where explicit consent is required for specific processing (e.g., marketing communications).
  • Legal obligations: Where required to comply with applicable law.
  • Legitimate interests: For purposes such as improving our services, preventing fraud, and ensuring safety.

We use Cookiebot to manage cookie consent on our website. Cookiebot stores information about your consent, including the date, time, and an anonymised IP address, in order to demonstrate compliance with GDPR. No personal data is used beyond what is necessary to record and manage consent preferences.

4. How We Use Your Personal Data
We use personal data for purposes including, but not limited to:

  • Organising classes and rentals.
  • Managing bookings, payments, and invoices.
  • Communicating with you regarding your requests, bookings, or account.
  • Ensuring safety and compliance with applicable laws.
  • Marketing communications, where consent has been given.
  • Internal business operations, analytics, and service improvement.
  • Protecting our online forms against spam and abuse through CAPTCHA verification (Zoho CAPTCHA or Google reCAPTCHA).
  • Storing and managing enquiries, bookings, and form submissions securely in Zoho CRM, our customer relationship management platform.

5. Data Retention
We retain personal data only as long as necessary to fulfil the purposes outlined above or as required by law.

  • Personal data of clients who are no longer active will be securely deleted after twelve (12) months, unless a longer retention period is required by law.
  • Payment and invoicing information may be retained for statutory periods in compliance with Spanish accounting regulations.

6. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction.

  • Access to personal data is restricted to authorised personnel with a legitimate need.
  • We regularly review and update security procedures to maintain protection of your data.

7. Your Rights Under GDPR
Depending on where you reside, you have the following rights in relation to your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing: Ask us to limit processing in certain circumstances.
  • Right to data portability: Request your data in a structured, commonly used, machine-readable format.
  • Right to withdraw consent: Withdraw consent for processing where consent is the legal basis.
  • Right to object: Object to certain processing, including marketing communications.

To exercise any of these rights, please contact us using the details below. We will not discriminate against you for exercising your rights. Verification of identity may be required before processing requests.

8. Sharing Personal Data
We may share personal data with third parties for legitimate business purposes, including:

  • Service providers: We use trusted third-party providers to help us operate our website, manage bookings, process payments, analyse performance, deliver marketing, and protect against fraud or abuse. These providers act as data processors on our behalf and are bound by contractual and legal safeguards under GDPR.

    They include:
    • Zoho Corporation (Zoho CRM and related Zoho One applications) – to store and manage form submissions, enquiries, bookings, and client records.
    • Google reCAPTCHA (Google Ireland Ltd., with transfers to Google LLC in the United States) – to protect our online forms against automated spam and abuse.
    • WordPress and WooCommerce – to operate our website platform and manage site functionality.
    • Website Hosting: Our website is hosted by WP Engine, a secure hosting provider. WP Engine processes technical and personal data (such as IP addresses and server logs) on our behalf and is bound by contractual and legal safeguards under GDPR.
    • Google Search Console, Google Tag Manager and Google Analytics (Google Ireland Ltd.) – to measure site usage and performance. Data may be transferred to Google LLC in the United States under Standard Contractual Clauses.
      • We use Google Search Console to monitor our website’s performance in Google search results. This tool provides aggregated, non-personal data such as search terms, impressions, and clicks, which helps us understand how users find our website. No personal data from visitors is collected or stored by Google Search Console.
      • We use Google Tag Manager to deploy and control various marketing and analytics tags on our website. Google Tag Manager does not collect or store any personal data itself but may enable other tags (such as Google Analytics) which do. These tags are only activated once you have given your consent through our cookie banner.
      • We use Google Analytics 4 (GA4) to analyse website traffic and user behaviour in order to improve our content and user experience. Google Analytics collects aggregated, anonymised information such as device type, browser, location (approximate), and time spent on pages. Your IP address is anonymised before storage, and no personally identifiable information is collected. Google may process this data on our behalf in accordance with their Privacy Policy.
    • Meta Platforms Ireland Ltd. (Facebook and Instagram) – for advertising and remarketing, where you have consented to marketing cookies. Data may be transferred to Meta Platforms Inc. in the United States under Standard Contractual Clauses.
  • Legal and regulatory authorities: Where required by law or to respond to legal processes.
  • Business transfers: In connection with mergers, acquisitions, or reorganisations.

We ensure that any third-party processor complies with GDPR requirements.

9. International Transfers
Some of our service providers are based outside the European Economic Area (EEA) and the United Kingdom, or may process data on servers located abroad. Where this occurs, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or equivalent legal mechanisms to ensure your data remains protected.

This includes transfers to Zoho Corporation (which offers EU data centres and Standard Contractual Clauses), Google LLC in the United States (for services such as reCAPTCHA and Analytics), Meta Platforms Inc. in the United States (for advertising and remarketing), and service providers supporting our website platform such as WordPress/WooCommerce.

10. Cookies and Online Tracking
We use cookies that are necessary for the proper functioning of our website. Some of our online forms use CAPTCHA technology, which may place cookies or process technical information for security purposes. For more information, please see our Cookie Policy.

11. Children’s Data
Our services are not intended for children under the age of majority in your jurisdiction. We do not knowingly collect personal data from children without a guardian’s consent. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.

12. Changes to this Privacy Policy
We may update this Privacy Policy periodically. Changes will be posted on this page with an updated “Last updated” date.

13. Contact
For any questions regarding this Privacy Policy or your personal data, please contact us.
Email: rebecka@kidtasticcostadelsol.com

You are the data controller of your personal information for the purposes of applicable data protection laws.

Last updated: 2025-10-17