Privacy Policy
Preliminary notice
> Note: This document is a draft generated from the data processing activities actually carried out by UTOPIA FLATS S.L. It must be reviewed and validated by a legal professional before publication. It does not constitute legal advice.
This Privacy Policy describes how UTOPIA FLATS S.L processes the personal data collected through its website and digital services (guest portal, AI concierge, lead capture and purchase of extras), in accordance with Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD) and Law 34/2002 on Information Society Services (LSSI-CE).
1. Data controller
- Legal name: UTOPIA FLATS S.L
- Tax ID (CIF): B19913516
- Registered address: Calle Serrano Morales 9, P1, 46004 València (Valencia), Spain
- Contact email: info@utopiaflats.com
- Activity: management and rental of tourist apartments in València (14 units with VUT/VT tourist registration). The main stay booking is made through an external engine (Guesty) and optional extras through Stripe.
For any matter relating to this policy or to the processing of your data, you may contact us at the email address above.
2. Data we process, purposes and legal basis
We process only the data described below. We do not collect special categories of data, nor do we carry out automated profiling with legal effects.
2.1. Email capture (marketing via QR / portal)
- *Data:* email address, preferred language and the consent given (including its date and the version of the text accepted).
- *Purpose:* to send you communications, news and information about our apartments and services.
- *Legal basis:* your consent (Art. 6.1.a GDPR), which you may withdraw at any time.
2.2. AI concierge (assistance chat)
- *Data:* a pseudonymous session identifier (tied to your browser tab), the text of the messages you write and of the replies, and an opaque reference to your booking if you verify it. We do not store the booking code or the second factor (surname/email): they are validated in memory and immediately discarded.
- *Purpose:* to provide you with assistance during your stay.
- *Legal basis:* legitimate interest (Art. 6.1.f GDPR) and, where applicable, performance of the relationship arising from your stay (Art. 6.1.b).
2.3. Booking verification portal
- *Data:* the booking code you enter (normalised), the verification result (yes/no) and a pseudonymised hash of your IP address.
- *Purpose:* security and prevention of abuse of the portal.
- *Legal basis:* legitimate interest (Art. 6.1.f GDPR).
2.4. Purchase of extras
- *Data:* we do not store card data (handled by Stripe; our servers never see it) or guest personal data. We only keep references to Stripe/Guesty and a snapshot of the applied price.
- *Purpose:* to manage and formalise the purchase of optional extras.
- *Legal basis:* performance of a contract (Art. 6.1.b GDPR).
2.5. Stay emails (pre and post arrival)
- *Data:* your email and name, obtained from the booking system (Guesty).
- *Purpose:* to send you the information needed before and after your arrival.
- *Legal basis:* performance of the accommodation contract (Art. 6.1.b GDPR) and legitimate interest (Art. 6.1.f) in the proper provision of the service.
3. Source of the data
The personal data we process comes from:
- You directly, when you provide your email to receive communications (QR/portal), when you interact with the AI concierge or when you verify your booking in the portal.
- The booking system (Guesty), from which we obtain the guest's email and name needed to send the stay emails. We do not replicate the guest's personal information in our database: it is queried live against Guesty.
4. Recipients and data processors
To provide our services we work with providers acting as data processors that only process the data following our instructions:
- Supabase — database hosting and authentication.
- Vercel — website hosting.
- Stripe — processing of payments for extras. Compliant with the PCI-DSS standard; card data does not pass through our servers.
- Resend — sending of transactional and personalised emails.
- Google — provides the «Gemini» AI model that generates the concierge's answers. It receives the content of the apartment manual and the conversation, and never data that identifies the guest.
- Guesty — property management system (PMS) where bookings are queried. We do not replicate the guest's personal information in our database.
We do not transfer your data to third parties for their own commercial purposes. Data will only be disclosed to the competent authorities where there is a legal obligation.
5. International transfers
Some of our providers (Google, Stripe and Vercel) may process data in the United States, which may involve international data transfers. Such transfers are covered by appropriate safeguards under Chapter V of the GDPR, in particular the European Commission's Standard Contractual Clauses (SCC) and/or adherence to the EU-US Data Privacy Framework.
You may request further information about these safeguards through the contact email.
6. Retention periods
We keep data only for as long as strictly necessary for each purpose:
- Marketing leads: until you request removal or withdraw your consent.
- Security logs (including the portal IP hash): for a limited time, as long as needed for the security and abuse-prevention purpose.
- Orders and payments for extras: for the periods required by applicable tax and commercial regulations.
Once these periods have elapsed, the data is deleted or anonymised.
7. Your rights
As a data subject, you may exercise at any time the following rights recognised by the GDPR:
- Access to your personal data.
- Rectification of inaccurate data.
- Erasure («right to be forgotten»).
- Objection to the processing.
- Restriction of the processing.
- Portability of your data.
- Withdrawal of consent at any time, without affecting the lawfulness of processing prior to such withdrawal.
You can exercise these rights by sending an email to info@utopiaflats.com, indicating the right you wish to exercise. We may ask you to prove your identity.
If you consider that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) — www.aepd.es.
8. Cookies
- The public site does not use analytics, advertising or third-party tracking cookies (at this stage).
- We use a technical session cookie (provider: Supabase) only in the owner's private panel. It is strictly necessary and `httpOnly`.
- Language is handled via the URL (`/es`, `/en`), not via cookies.
As only strictly necessary cookies are used, the public site does not require a cookie consent banner.
9. Security measures
We apply appropriate technical and organisational measures to protect your data, including:
- Pseudonymisation of the IP address in the verification portal (only a hash is stored, never the IP address in clear text).
- No replication of guest personal information (PII) in our database: bookings are resolved live against Guesty and we only persist references and a minimal price snapshot.
- No storage of card data: payments are processed by Stripe (PCI-DSS); our servers never see the card data.
- No identifying guest data sent to the AI model: the concierge is only provided with the apartment manual and the conversation.
- Access control, authentication and encryption in transit within our providers' infrastructure.
10. Changes to this policy
We may update this Privacy Policy to adapt it to regulatory changes or to new processing activities. Any updated version will be published on this same page, indicating its effective date. We recommend that you review it periodically.