← Back to Home

Privacy Policy

Last updated: March 2026

Atipico Hotels, operated by Habyt Group (hereinafter referred to as "the company", "we" or "us") takes the protection of your personal data seriously. This Privacy Policy informs you about how your personal data is processed when you visit our website at www.atipicohotels.com and when you book our accommodation services.

This policy complies with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), Spanish Organic Law 3/2018 (LOPDGDD), and Law 34/2002 on Information Society Services (LSSI-CE).

1. Controller

The controller for the processing of your personal data within the meaning of Art. 4(7) GDPR is:

Habyt Group
CIF: B88375035
Calle Alcala 164
28028 Madrid, Spain
Phone: +34 691 75 27 95
Email: madrid@atipicohotels.com

2. Data Protection Contact

If you have any questions regarding data protection, you can reach us at: madrid@atipicohotels.com

3. Data Processing When Visiting the Website

3.1 Server Log Files

When you visit our website, our web server temporarily stores the following data in log files:

  • The page from which the page was requested (referrer URL)
  • The name and URL of the requested page
  • The date and time of the request
  • The type, language and version of the web browser used
  • The IP address of the requesting device (anonymised)
  • The amount of data transferred
  • The operating system
  • Whether the request was successful (HTTP status code)

This data is processed to ensure the stability and security of our website and for statistical purposes. The legal basis is Art. 6(1)(f) GDPR (legitimate interest). Log files are stored for a maximum of 30 days and then deleted.

3.2 Cookies

We use cookies to ensure the proper functioning of the website, improve user experience, analyse traffic and, with your consent, deliver personalised content and advertising. For full details about the cookies we use, please see our Cookie Settings page.

3.3 Contact Forms and Email

When you contact us via a form on our website or by email, the data you provide (name, email address, message content) will be processed to handle your enquiry. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).

4. Data Processing When Making a Reservation

When you book a room at Atipico Hotels, we collect and process the following personal data:

  • Identity data (name, surname, ID or passport number)
  • Contact data (email address, telephone number, postal address)
  • Booking data (check-in and check-out dates, room preferences, number of guests)
  • Payment data (processed securely by third-party payment providers; we do not store card numbers)
  • Stay data (special requests, dietary preferences)

The legal basis for processing booking data is Art. 6(1)(b) GDPR (performance of a contract).

5. Guest Registration (Parte de Viajeros)

Under Spanish law (Royal Decree 933/2021), we are required to collect identification data from all guests and report it to the Spanish National Police. This includes your full name, nationality, date of birth, ID or passport number, and dates of stay. The legal basis is Art. 6(1)(c) GDPR (legal obligation). This data is retained for 3 years as required by law.

6. Newsletter and Marketing

If you subscribe to our newsletter, we will use your name and email address to send you information about offers, events and news related to Atipico Hotels. The legal basis is Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time by clicking the unsubscribe link in any email or by contacting us directly. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7. Recipients of Your Data

We may share your personal data with the following categories of recipients, only to the extent necessary:

  • Habyt Group (parent company, for internal administration)
  • Mews Systems (property management and booking engine)
  • Payment processors (for secure transaction handling)
  • Spanish National Police (traveller registration, as required by law)
  • Google (Analytics and marketing services)
  • Meta / Instagram (marketing and social media)
  • Professional advisors (legal, accounting, where required by law)

We never sell your personal data to third parties.

8. International Data Transfers

Some of our service providers (such as Google, Meta and Mews) may process data outside the European Economic Area (EEA). These transfers are carried out with appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, in compliance with Chapter V of the GDPR.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Booking and invoicing data: duration of stay + 5 years (Spanish tax obligations)
  • Police registration data: 3 years (Royal Decree 933/2021)
  • Marketing consent data: until you withdraw consent
  • Invoicing records: 6 years (Spanish Commercial Code)
  • CCTV footage (common areas): maximum 30 days (AEPD guidelines)
  • Server log files: maximum 30 days

After the applicable retention period expires, data is securely deleted or anonymised.

10. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — correct any inaccurate or incomplete data
  • Right to erasure — request deletion of your data ("right to be forgotten")
  • Right to restriction — limit how we process your data in certain circumstances
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — at any time, without affecting prior processing

To exercise any of these rights, please contact us at madrid@atipicohotels.com. We will respond to your request within 30 days.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

11. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include SSL/TLS encryption for data in transit, access controls, and regular security reviews. All staff with access to personal data receive training on data protection.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in legislation, our business operations or data processing practices. The date of the most recent update is shown at the top of this page. We recommend reviewing this page periodically.

13. Contact

Habyt Group
CIF: B88375035
Calle Alcala 164, 28028 Madrid, Spain
Email: madrid@atipicohotels.com
Phone: +34 691 75 27 95
Supervisory authority: Agencia Espanola de Proteccion de Datos (AEPD)