Data Controller

Personal data collected through the website www.alsaibiza.es shall be processed by the following entities, acting as Data Controllers for the personal data provided through this website.

ALSA GRUPO, S.L.U., with its registered office at Calle Josefa Valcárcel, 20, 28027, Madrid, Tax ID (CIF) B-82059478, registered in the Mercantile Registry of Madrid, Volume 13281, Folio 119, Page M-215156, and contact email address asesoria@alsa.es, is the owner of the domain www.alsaibiza.es. Data Protection Officer (DPO) contact details: (dpo@alsa.es).

RUTAS DEL CANTÁBRICO, S.L., the company operating the transport services offered on www.alsaibiza.es, with its registered office at Calle Gran Vía Don Diego López de Haro, 81, 1º, 48011 Bilbao, Vizcaya, Tax ID (CIF) B-95227815, registered in the Mercantile Registry of Vizcaya, Volume 4223, Book 0, Folio 70, Section 8, Page BI-35108.

AUTOMÓVILES LUARCA, S.A.U., the company operating the transport services offered on www.alsaibiza.es, with its registered office at C/Magnus Blikstad, 2, 33207, Gijón, Asturias, Tax ID (CIF) A-33602608, registered in the Mercantile Registry of Asturias, Volume 1168, Folio 89, Page AS-2755.

Purposes of Personal Data Processing

In general, the collection and processing of your personal data on the website www.alsaibiza.es are carried out for the following purposes:

i. To be able to contact the user;

ii. To satisfactorily manage online ticket purchases made;

iii. To properly attend to and manage reservations, inquiries, comments, lost property requests, incidents, or suggestions submitted;

iv. To manage basic administrative tasks;

v. To keep you informed, either by email or any other means, about news, products, and services (and, where applicable, manage their proper provision) that may be of interest to you;

vi. To provide additional services, improvements to our services, and enhance the customer experience when using the Website;

vii. Statistical analysis of Website visits and User behavior on the site;

viii. To properly manage navigation through this website;

ix. To comply with all legal obligations applicable to us, as well as to communicate your personal data to State Law Enforcement Agencies and other bodies with jurisdiction in the matter when so required;

x. To correctly manage emergency situations, disasters, or cases of force majeure, which may involve communicating your personal data to bodies or entities with jurisdiction in the matter.

Legal Basis (Lawfulness of Processing)

The legal grounds legitimizing the indicated processing activities are the performance and fulfillment of the established contractual relationship (i, ii, iii, iv), user consent (v), the legitimate interest of the company (vi, vii, viii), and compliance with legal obligations (ix and x).

Types of Personal Data Processed

In general, www.alsaibiza.es processes the personal data that the user provides during the purchase process for the selected services, collecting the purchaser's personal data and/or the traveler's personal data through online data collection forms, call centers, and/or any sales channels enabled by the company.

However, on many occasions, our clients' personal data is provided by third parties, such as travel agencies or other individuals who request or contract, on your behalf, the products and/or services we offer through our various sales channels.

The categories of data processed are generally identifying data such as name, surname, ID/passport number, email, contact telephone, payment details, and purchase history, as well as data relating to large family status, all for the purpose of verifying eligibility for benefits.

The personal data requested across our various sales channels is necessary to provide the contracted service and assist you properly. Failure to provide the required data will result in the company being unable to process your request, as the requested personal data is mandatory to fulfill our legal and/or contractual obligations.

Recipients of Personal Data

Data provided as a result of a purchase will be stored in ALSA’s processing systems and will also be transferred to the systems of the companies operating the transport services contracted on www.alsaibiza.es. All parties involved in processing your personal data are responsible for its confidentiality under legally required terms, in accordance with their specific privacy policies.

We do not disclose your data to third parties for commercial purposes; we will only send commercial information offering company discounts and advantages that may be of interest to you, provided you have accepted the sending of commercial communications. No international data transfers are performed. We work with external providers, such as technology service providers or marketing and advertising service providers, who are always required to work with servers located in the European Economic Area (EEA), ensuring an adequate level of data protection. Should we work with external providers located outside the EEA that do not offer the same level of protection, they are required to provide adequate safeguards by subscribing to Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC) adopted by the European Commission, as a guarantee for the correct management of your personal data.

Rights of the Data Subject

The data subject may exercise their rights of access, rectification, erasure, objection, portability, restriction, and other rights regarding personal data protection by submitting a request to our designated email address: asesoria@alsa.es, or to the postal address: ALSA, Legal Dept., Calle Josefa Valcárcel, 20, 28027, Madrid.

If you consider that your data has been processed inappropriately, you have the right to lodge a complaint with the Data Protection Officer (dpo@alsa.es) and/or file a complaint with the Spanish Data Protection Agency (www.aepd.es).

The user shall be responsible, in all cases, for the veracity of the data provided, and the company reserves the right to exclude any user who has provided false data from the services, without prejudice to other legal actions. The user is responsible for communicating any modification to the personal data provided.

Data Retention Period

We only store users' personal data to the extent necessary to use it for the purpose for which it was collected, and according to the legal basis of the processing. We will keep personal data as long as a contractual and/or commercial relationship exists with the user and as long as the user does not exercise their right to erasure, cancellation, and/or restriction of the processing of their personal data.

In such cases, we will keep the data duly blocked, without using it, for as long as it may be necessary for the exercise or defense of claims, or for any judicial, legal, or contractual liability arising from its processing that must be addressed and for which its recovery is necessary.

The company will comply with current regulations regarding the duty to cancel personal information that is no longer necessary for the purpose(s) for which it was collected, blocking said data to address potential liabilities arising from the processing and only during the statute of limitations periods for such liabilities. Once these periods have elapsed, the information will be permanently deleted using secure methods.

Information Collected from Website Visits

We collect and store limited personal information and anonymous global statistics from all users who visit our website, whether provided actively by the user or simply while browsing. The information collected includes the Internet Protocol (IP) address of the device used, the browser used, its operating system, the date and time of access, the web address from which the user accessed the site, and information on how you use our website.

We use this information to determine the loading time of our website, how it is used, the number of visits, and the type of information most consulted by users. This helps identify if the website is functioning correctly and, if faults or errors are detected, to fix them and improve the performance of our website to offer a better service to all users.

In view of the above, we collect usage and navigation data for statistical and advertising purposes, to monitor site usage, and to improve our understanding of user interests.

Minors

Individuals under 16 years of age must not send any personal information without the consent of their parent or guardian. The company is not responsible for any personal information sent by minors under 16 without appropriate authorization.

Security Measures

The company has adopted the personal data protection security levels required by current regulations based on the type of information processed and has implemented additional technical means and measures within its reach to prevent the alteration, loss, unauthorized processing, or access of the personal data provided. The company guarantees that it has adopted appropriate security measures to ensure information security and the confidentiality of the data you send us over the Internet. To this end, Secure Socket Layer (SSL) security technology is used, a system that allows the encryption of information sent to us, preventing it from being read even if intercepted. The server is certified, so your browser can confirm the company's identity before any transmission. This certificate guarantees the identity of the destination computer to which your data is being sent. You can recognize that SSL security is active by the appearance of a padlock icon in the bottom edge (or address bar) of most browsers. Clicking on this icon will display the certificate associated with the secure connection. Notwithstanding the above, the user should be aware that internet security measures are not infallible.

Social Networks

If you register as a user through social profiles, the company will process certain information associated with you. If you do not agree with the processing of the type of data we will collect, you should not continue the registration process with your social profile and may choose to register via the traditional method by completing the form provided for that purpose.

The data from your social profile that you choose to share with the company will also be processed to enrich our databases and create/refine commercial profiles to gain a better and more detailed commercial understanding of individual users and as a group (needs, tastes, preferences, etc.) to design, plan, and personalize our products, services, and commercial and marketing actions. Notwithstanding the above, we inform you that no automated decisions will be made based on said commercial profile.

If you expressly accept it during the registration process, your data will be used to send you personalized commercial communications, as explained in this Privacy Policy.

The categories of data that Trenes Turísticos will obtain and process when you register as a user via a social profile are as follows:

• "Public Profile" data (this category of data is mandatory): information you provided to the social network with which you wish to register on our website. Includes: first and last name, gender, user identifier on the social network (Account ID number), profile photo, cover photo, networks, age range, language, and country.
• Other social profile data you have chosen to share with Trenes Turísticos, e.g., other contact details, images, personal characteristics, social circumstances, academic and professional data, employment details, etc.
• Data generated by the use of the social network that you have chosen to share with Trenes Turísticos (e.g., likes and comments).
• Email address (mandatory).

Personal data marked as mandatory must necessarily be provided to complete registration via your social profile. If you do not agree, you should not continue the registration process with your social profile and may choose to register on our website via the traditional method.

As a social network user, you can always control your connections, delete content that no longer interests you, and restrict who you share your connections with; to do so, you must access the privacy settings enabled on each social network. Likewise, if you choose to publish comments, links, images, photographs, or any other multimedia content on social networks, you must be the owner of the same, hold the copyright and intellectual property rights, or have the consent of affected third parties. Any publication on the company's social network profile, whether text, graphics, photos, videos, etc., that offends or is likely to offend morality, ethics, good taste, or decorum, and/or that infringes, violates, or breaks intellectual or industrial property rights or any rights protected by Law, is expressly prohibited. In such cases, the company reserves the right to immediately withdraw the content and may request the permanent blocking of the user. The company shall not be held responsible for the content freely published by a User.

Cookies

Access to this website may involve the use of cookies. Cookies are small amounts of information stored in the browser used by each user so that the server can remember certain information for later use. This information allows us to identify you as a specific user and store your personal preferences and technical information such as visits or specific pages you visit.

Users who do not wish to receive cookies or want to be informed before they are stored on their computer can configure their browser accordingly. For more information, please see our Cookies Policy .