Skip to main content

Privacy policy

This policy explains what data we collect, why we collect it, how we use it, the conditions under which we may share it and how we keep it secure. Roca Collection is committed to handling your information transparently and within the European data protection framework.

Controller details

The controller of the personal data collected through this website is:

  • Company name: Grupo MContigo S.L.
  • CIF: ESB37527900
  • Registered office: Calle Concejo 13, Salamanca, Spain.
  • Data protection contact: protecciondedatos@mcontigo.com

Roca Collection is located in Valencia, in the province of Valencia. This policy applies to the accommodation's public website. The booking itself is made outside this site, on the booking engine's platform, which has its own policy.

Data we collect

This website is informative. At present it does not include contact forms, subscriptions or a customer area.

When you browse, the hosting provider (Cloudflare) records minimal technical data needed to serve the site and protect its security: IP address, browser user agent, pages visited, response times and events relating to abuse mitigation. These records are not linked to a user profile that we identify.

If in the future we enable a form, subscription or any other channel that requires identifying data, we will update this section and ask for your explicit consent before collecting it. For details on cookies, see the Cookies policy.

Purposes

Technical browsing data is processed in order to:

  • Serve the requested pages to those who request them.
  • Keep the site secure: detect unusual activity, mitigate denial-of-service attacks and filter malicious traffic.
  • Diagnose technical issues when incidents occur.
  • Improve the performance and reliability of the service.

What we do not do. We do not use browsing data for commercial profiling, personalised advertising or automated decisions with legal effects on the visitor. Nor do we share it with third parties for commercial purposes.

Retention periods

Technical data recorded by the hosting provider is kept only for as long as strictly necessary for the purposes described above, typically between 7 and 30 days, after which it is irreversibly deleted or anonymised.

Any data you actively provide in the future (for example, through a contact form) will be kept for as long as is needed for the purpose for which it was collected, and then for the legal limitation periods that apply.

Disclosures and processors

We do not share your data with third parties for commercial purposes. We work with providers acting as data processors under contract, who only process data on our instructions:

Once the booking engine (Guesty) is in place, using it will take you to its own platform. Booking data will be processed under Guesty's policy and that of the property responsible for the accommodation; this website does not process the booking or store guest information.

International transfers

Cloudflare is a US company with a global presence. Technical browsing data may be processed, in whole or in part, on servers located outside the European Economic Area.

These transfers are covered by the standard contractual clauses approved by the European Commission and, where applicable, by the EU-US Data Privacy Framework adequacy decision. The level of protection required from the processor is equivalent to that provided by the GDPR.

Your rights

You have the right to exercise the following powers over your personal data:

  • Access: find out what data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: ask for your data to be deleted when it is no longer needed.
  • Restriction: ask for processing to be restricted in certain circumstances.
  • Objection: object to processing based on legitimate interest.
  • Portability: receive your data in a structured, commonly used format.
  • Withdraw consent: withdraw at any time any consent you have given.

Withdrawing consent does not affect the lawfulness of processing based on consent given before the withdrawal.

How to exercise your rights

You can exercise any of the rights above by writing to protecciondedatos@mcontigo.com , putting "Data protection" in the subject line and including a copy of a document proving your identity.

We will respond to your request within a maximum of one month from receipt, extendable by a further two months if the complexity or volume of requests so requires, in which case we will explain the reason for the delay.

If you believe your request has not been handled properly, or that the processing of your data breaches the applicable regulations, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) via its website: aepd.es.

Security

We apply reasonable technical and organisational measures to protect data against unauthorised access, alteration, loss and disclosure. These include:

  • Encryption in transit via HTTPS, with HSTS enabled.
  • Security headers: Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
  • Periodic review of hosting provider configurations and site dependencies.
  • Data minimisation: we collect only the data essential for each purpose.

No system is completely invulnerable. Should a security incident occur that may pose a risk to your rights, we will act with care and transparency, notifying the supervisory authority and those affected within the timeframes set out by the regulations.

Changes to this policy

If the way we process data changes substantially, we will update this document and indicate the new revision date in the header. The version currently in force is always the one published on this page.