Villa Moderna

Cookies and Privacy Policies

1. PRIVACY POLICY (GDPR / SPAIN)

This Privacy Policy explains how we collect and process your personal data when you use our website and services.

Data Controller:

Natalex Group S.L.

Registered office: 29649 Mijas Malaga, Calle Opalo 12, 2 5

CIF/NIF: B06888697

Email: [email protected]

Phone: +34 615 357 222

For the purposes of the General Data Protection Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), Natalex Group S.L. is the controller of the personal data processed through this website.

2. What data we collect

We may collect and process the following categories of data:

  1. Identification and contact details

    • Name, surname
    • Email address
    • Phone number
    • Country of residence

  2. Booking and stay-related data

    • Dates of stay, number of guests, property booked
    • Special requests (e.g. arrival time, baby cot request)
    • Messages and communication regarding your booking

  3. Payment data

    • Partial payment information processed via Stripe (card type, last 4 digits, payment status – we do not store full card numbers on our systems)
    • Billing address and tax information where required

  4. Website usage and analytics data

    • IP address (anonymised where possible)
    • Device, browser type, operating system
    • Pages visited, time spent, clicks and navigation paths
    • Referrer (e.g. Google, Instagram)

  5. Communication and marketing data

    • Your preferences regarding receiving marketing communications
    • Email communication history (e.g. newsletters, offers)

  6. Technical cookies and similar technologies

    • Data collected through cookies and similar tools; see our Cookie Policy below.

We do not intentionally collect special categories of data (e.g. health, religion) and ask you not to include such information in free text fields unless strictly necessary for your stay (e.g. accessibility needs).

3. How we collect your data

We collect data in these ways:

  • Directly from you when:

    • You browse our website
    • You submit an enquiry or contact form
    • You make a booking or request a quote
    • You sign up for our newsletter or request special offers

  • Automatically via cookies and similar technologies when you use the website (see Cookie Policy).
  • From third parties, where applicable:

    • Booking platforms / OTAs (e.g. Airbnb, Booking.com) when you book our properties there
    • Payment providers (Stripe) for payment confirmation and fraud prevention

4. Purposes and legal bases of processing

We process your data for the following purposes and based on these legal grounds:

  1. To manage enquiries and bookings

    Handling enquiries, sending offers, confirming reservations, managing changes/cancellations, and communicating with you about your stay.

    Legal basis:

    • Article 6(1)(b) GDPR – Performance of a contract or steps prior to entering into a contract.

  2. To process payments and prevent fraud

    Processing payments via Stripe, managing refunds or deposits, preventing fraudulent transactions.

    Legal basis:

    • Article 6(1)(b) GDPR – Performance of a contract
    • Article 6(1)(f) GDPR – Legitimate interests (fraud prevention and security)

  3. To comply with legal obligations

    Accounting and tax obligations, local hospitality regulations, police/guest registration where applicable.

    Legal basis:

    • Article 6(1)(c) GDPR – Compliance with legal obligations

  4. To provide customer service and after-stay communication

    Responding to questions, handling complaints, sending important updates about your stay.

    Legal basis:

    • Article 6(1)(b) GDPR – Performance of a contract
    • Article 6(1)(f) GDPR – Legitimate interests (customer service and business continuity)

  5. To send marketing communications (if you consent)

    Sending you offers, news, and updates about our properties (for example, via email or WhatsApp) if you opt in.

    Legal basis:

    • Article 6(1)(a) GDPR – Your consent (you can withdraw it at any time)

  6. To analyse website usage and improve our services

    Using Google Analytics (configured to be as privacy-friendly as possible) to understand how visitors use our website and to improve performance, content and conversion.

    Legal basis:

    • Article 6(1)(a) GDPR – Consent via cookie banner (for non-essential analytics cookies)
    • Article 6(1)(f) GDPR – Our legitimate interest in improving our website and services, where cookies are strictly necessary or aggregated/anonymised.

  7. To protect our rights and prevent misuse

    Detecting and preventing abuse of our services, enforcing house rules, legal claims.

    Legal basis:

    • Article 6(1)(f) GDPR – Legitimate interests (protection of our business and legal rights)

5. How long we keep your data (retention periods)

We retain personal data only for as long as necessary for the purposes described above:

  • Enquiry data (no booking): typically up to 12 months after our last meaningful contact.
  • Booking and stay records: typically 5–6 years from the end of the fiscal year, to comply with tax and accounting obligations and local tourism regulations.
  • Payment-related data: retained according to legal requirements (usually up to 10 years for accounting/audit purposes in Spain).
  • Marketing data: retained until you withdraw your consent or object to processing.
  • Analytics data: stored in Google Analytics in aggregated form; retention periods are configured in GA (for example 14–26 months), after which data is deleted or anonymised.

We may keep some data longer in anonymised form for statistical purposes, without identifying you.

6. Who we share your data with

We do not sell your personal data. We may share data with:

  1. Service providers (data processors)

    These process data on our behalf and under our instructions, for example:

    • Lodgify – website hosting and booking engine
    • Stripe Payments Europe Ltd / Stripe, Inc. – payment processing
    • IT and hosting providers (servers, email, backup)
    • Analytics providers – e.g. Google Analytics (see Cookie Policy)

  2. Booking platforms / OTAs

    When you book through platforms such as Airbnb, Booking.com, etc., they have their own privacy policies, and certain data is shared between us to manage your booking.

  3. Professional advisors

    Accountants, tax advisors, lawyers, where necessary for legal and accounting reasons.

  4. Public authorities

    Tax authorities, police, or courts where we are legally required to share data.

In all cases where we use data processors, we sign data processing agreements to ensure your data is handled in compliance with GDPR.

7. International data transfers

Some of our providers are located outside the European Economic Area (EEA) or may use servers outside the EEA, for example:

  • Stripe may process data in the U.S. and other countries.
  • Google Analytics (Google LLC) may involve transfers to the U.S.

In such cases, we ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Additional technical and organisational measures (for example IP anonymisation in Analytics)

You may contact us for more information about these safeguards.

8. Your rights under GDPR

You have the following rights:

  • Right of access – to know whether we process your data and to obtain a copy.
  • Right to rectification – to correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) – to request deletion of your data where legally possible.
  • Right to restriction of processing – to limit how we use your data in certain cases.
  • Right to data portability – to receive your data in a structured, commonly used format and transmit it to another controller where legally applicable.
  • Right to object – to object to processing based on legitimate interests or to direct marketing at any time.
  • Right to withdraw consent – where processing is based on your consent (for example marketing, non-essential cookies), you can withdraw it at any time, without affecting prior lawful processing.

To exercise these rights, please contact us at:

Email: [email protected]

Include your name, contact details, and what you are requesting.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) (www.aepd.es). We would, however, appreciate the chance to resolve your concerns with you first.

9. Security measures

We implement appropriate technical and organisational measures to protect your data, including:

  • Secure hosting and HTTPS encryption (SSL)
  • Restricted access to booking and payment systems
  • Use of reputable processors (Stripe, Lodgify, etc.)
  • Regular updates and basic security best practices

No system is 100% secure, but we aim to reduce risks as far as reasonably possible.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect legal or operational changes. The latest version will always be available on our website, with the date of last update.

2. COOKIE POLICY

This Cookie Policy explains how we use cookies and similar technologies on our website.

The website [villamoderna.es / natalex.es] is operated by:

Natalex Group S.L.

Registered office: 29649 Mijas Malaga, Calle Opalo 12, 2 5

CIF/NIF: B06888697

Email: [email protected]

Phone: +34 615 357 222

Some cookies are set directly by us (“first-party cookies”), others are set by third parties (“third-party cookies”), such as Google or Stripe.

1. What are cookies?

Cookies are small text files stored on your device (computer, tablet, smartphone) when you visit a website. They allow the site to recognise your device and remember information about your visit, such as your language preference or items in your booking.

We also use similar technologies like pixels and local storage; in this Policy we refer to all of them as “cookies”.

2. Types of cookies we use

We group cookies into four categories:

  1. Strictly necessary cookies (essential)
  2. Preference / functional cookies
  3. Analytics / performance cookies
  4. Payment / security cookies

3. Strictly necessary cookies (essential)

These cookies are required for the website and booking system to function properly and cannot be disabled in our systems. They are usually set in response to actions made by you, such as:

  • Navigating between pages
  • Logging in to your booking area (if applicable)
  • Filling in forms
  • Adding dates/guests and proceeding through the booking process
  • Security and fraud prevention

Legal basis: Article 6(1)(b) and 6(1)(f) GDPR (performance of contract and legitimate interest). Consent is not required for these cookies.

Examples of strictly necessary cookies (names may vary depending on Lodgify configuration) include:

  • A session cookie used by Lodgify to maintain your session and booking progress (for example: “sessionid” or “lodgify_session”), which typically lasts for the duration of the session.
  • A security or traffic management cookie (for example from hosting/CDN providers, such as “__cf_bm” or similar), which helps to protect the site and may last for the session.
  • A cookie that remembers your cookie preferences (for example a “cookie_consent” or similar cookie), which may last for several months (for example 6–12 months).

4. Preference / functional cookies

Preference or functional cookies allow the website to remember choices you make (such as language or region) and provide enhanced features. If you disable them, some preferences may not be remembered.

Legal basis: Article 6(1)(a) GDPR – Consent.

An example of a preference cookie is:

  • A language preference cookie (for example “language”), which remembers the selected language and may last for up to one year.

5. Analytics / performance cookies (Google Analytics)

We use Google Analytics 4 to collect anonymous statistics about how visitors use our site, such as:

  • Which pages are visited
  • How long visitors stay
  • Which links are clicked
  • Which countries visitors come from

We configure Google Analytics to minimise privacy impact where possible (for example IP anonymisation). However, these cookies are not strictly necessary, so we only use them if you accept cookies in the banner.

Provider: Google LLC and/or Google Ireland Limited.

Legal basis: Article 6(1)(a) GDPR – Your consent.

Examples of analytics cookies include (names may differ with GA4):

  • A Google Analytics user identifier cookie (for example “_ga”), used to distinguish users via an anonymous ID, with a typical duration of up to 2 years.
  • A Google Analytics property/session cookie (for example “_ga_XXXX”), linked to a specific GA4 property, with a typical duration of up to 2 years or as configured in Google Analytics.

You can also opt out of Google Analytics by using Google’s browser add-on if you wish.

6. Payment / security cookies (Stripe)

When you proceed to payment, Stripe may set cookies that are necessary to:

  • Remember your payment session
  • Prevent fraud
  • Comply with security requirements (for example 3D Secure)

These cookies are either strictly necessary for payment or fall under Stripe’s own responsibility as an independent controller or processor.

Provider: Stripe Payments Europe Ltd / Stripe, Inc.

Legal basis: Article 6(1)(b) GDPR (performance of contract) and Article 6(1)(f) GDPR (legitimate interest in secure payments).

Examples of Stripe cookies include:

  • “__stripe_mid”: a Stripe cookie used to identify the payment session or customer, with a duration of up to around one year.
  • “__stripe_sid”: a short-lived Stripe cookie used for payment session management, typically lasting for the duration of the session.

For more details, please review Stripe’s own privacy and cookie policies.

7. How we obtain and manage your consent

When you first visit our website, we display a cookie banner that:

  • Explains that we use cookies
  • Allows you to accept all cookies, reject non-essential cookies, or customise your preferences
  • Links to this Cookie Policy

We will not place non-essential cookies (for example Google Analytics) until you have given your consent.

You can change or withdraw your consent at any time by:

  • Clicking on the “Cookie settings” link or button on our website (if provided by Lodgify’s consent management tool), or
  • Adjusting your browser settings to block or delete cookies.

Please note that if you block essential cookies, our website and booking engine may not function properly.

8. How to manage cookies in your browser

Most web browsers allow you to:

  • View which cookies are stored
  • Delete cookies
  • Block cookies from specific websites
  • Block all cookies

You can usually find these settings in the “Options”, “Settings” or “Preferences” menu of your browser. Instructions are available on the help pages for browsers such as Chrome, Firefox, Safari and Edge.

If you delete or block cookies, some parts of our website may not work correctly.

9. Third-party cookies and responsibility

Third-party providers such as Google and Stripe may use cookies subject to their own privacy and cookie policies.

We encourage you to review:

  • Google’s Privacy & Terms
  • Stripe’s Privacy Policy

We only integrate such services where necessary for analytics and secure payment. Where required, we rely on your consent and/or appropriate legal bases.

10. Changes to this Cookie Policy

We may update this Cookie Policy from time to time, for example if we add new services or cookies.

Last updated: 16.11.2025

[email protected]
©2025 Villa Moderna Todos los derechos reservados - Powered byLodgify