Privacy policy

1. Information for the User

Who is responsible for the processing of your personal data?

Pablo Martín Schubert is the data controller responsible for processing the personal data of the user and informs you that this data will be processed in accordance with the provisions of Regulation (EU) 2016/679, of 27 April (GDPR), and Organic Law 3/2018, of 5 December (LOPDGDD).

What type of data do we request and process?

Depending on the form or method used to obtain your data, we always request the minimum data necessary to fulfil the purposes detailed in each case.

Why do we process your personal data and for what purposes?

Depending on the form through which we obtained your personal data, we will process it confidentially to achieve the following purposes:

Contact form

  • To respond to enquiries or any type of request made by the user through any of the contact methods made available on the data controller's website. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)
  • To send commercial advertising communications by e-mail, fax, SMS, MMS, social media or any other electronic or physical means, present or future, enabling commercial communications. These communications will be made by the data controller and will relate to its products and services, or those of its partners or suppliers with whom it has reached a promotional agreement. In this case, third parties will never have access to personal data. (based on the consent of the data subject, 6.1.a GDPR)
  • To carry out statistical analyses and market studies. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Newsletter form

  • To send informative bulletins, news, offers and online promotions. (based on the consent of the data subject, 6.1.a GDPR)

Request a quote form

  • To send commercial quotes for products and services. (for the performance of a contract or pre-contract, 6.1.b GDPR)
  • To send commercial advertising communications by e-mail, fax, SMS, MMS, social media or any other electronic or physical means, present or future, enabling commercial communications. These communications will be made by the data controller and will relate to its products and services, or those of its partners or suppliers with whom it has reached a promotional agreement. In this case, third parties will never have access to personal data. (based on the consent of the data subject, 6.1.a GDPR)

Online forum form

  • To participate in the online forums proposed by the data controller. (based on the consent of the data subject, 6.1.a GDPR)

CV / Résumé form

  • To allow the data subject to take part in personnel selection processes and to analyse the applicant's profile with the aim of selecting a candidate for the data controller's vacant position. (based on the consent of the data subject, 6.1.a GDPR)

Testimonial form

  • To moderate and publish the user's experiences, opinions and suggestions about a product or service on the website. (based on the consent of the data subject, 6.1.a GDPR)

Comments form

  • To moderate and publish opinions about a publication on the website. (based on the consent of the data subject, 6.1.a GDPR)

User registration form

  • To manage the user's account in order to provide personalised access to the website and the interactive services it offers. (based on the consent of the data subject, 6.1.a GDPR)

E-commerce form

  • To manage your online purchase or order, process payment and proceed with shipping or activation, based on the general terms and conditions of contract. (for the performance of a contract or pre-contract, 6.1.b GDPR)
  • To manage, maintain, improve or develop the services provided. (for the performance of a contract or pre-contract, 6.1.b GDPR)
  • To carry out satisfaction and quality surveys. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Loyalty card form

  • To manage the loyalty card if requested. (based on the consent of the data subject, 6.1.a GDPR)
  • To send commercial advertising communications by e-mail, fax, SMS, MMS, social media or any other electronic or physical means, present or future, enabling commercial communications. These communications will be made by the data controller and will relate to its products and services, or those of its partners or suppliers with whom it has reached a promotional agreement. In this case, third parties will never have access to personal data. (based on the consent of the data subject, 6.1.a GDPR)
  • To carry out statistical analyses and market studies. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Sweepstakes and promotions form

  • To participate in sweepstakes, contests, promotions or other services offered by the data controller. (based on the consent of the data subject, 6.1.a GDPR)
  • To send commercial advertising communications by e-mail, fax, SMS, MMS, social media or any other electronic or physical means, present or future, enabling commercial communications. These communications will be made by the data controller and will relate to its products and services, or those of its partners or suppliers with whom it has reached a promotional agreement. In this case, third parties will never have access to personal data. (based on the consent of the data subject, 6.1.a GDPR)

Membership registration form

  • To manage and process any type of information request, including those aimed at becoming a member. To keep members informed about the actions we carry out. Disclosure of activities. (for the performance of a contract or pre-contract, 6.1.b GDPR)
  • To send commercial advertising communications by e-mail, fax, SMS, MMS, social media or any other electronic or physical means, present or future, enabling commercial communications. These communications will be made by the data controller and will relate to its products and services, or those of its partners or suppliers with whom it has reached a promotional agreement. In this case, third parties will never have access to personal data. (based on the consent of the data subject, 6.1.a GDPR)
  • To carry out statistical analyses and market studies. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Bookings form

  • To formalise bookings at the data controller's establishment. (for the performance of a contract or pre-contract, 6.1.b GDPR)
  • To send commercial advertising communications by e-mail, fax, SMS, MMS, social media or any other electronic or physical means, present or future, to clients, enabling commercial communications regarding products or services similar to those initially contracted with the client (Art. 21.2 LSSI). (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Appointments form

  • To schedule appointments and meetings with the data controller. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Social Media form

  • Contact through Social Media in order to maintain a relationship between the User and the Data Controller, which may include the following operations: - Processing your requests and enquiries. - Informing about activities and events. - Informing about products and/or services. - Interacting through official profiles. The user has a profile on the same social network and has decided to join the Data Controller's social network, thereby showing their interest in the information published on it; therefore, by requesting to follow our official page, you provide your consent for the processing of your data. The User may access the social network's own privacy policies at any time, as well as configure their profile to ensure their privacy. Once the User becomes a follower of or joins the Data Controller's social network, they may publish comments, links, images, photographs or any other type of content supported by it. In all cases, the User must be the owner of the published content, hold the copyright and intellectual property rights, or have obtained the consent of the affected third parties. - Sending commercial communications relating to the activities of the Group's companies, as well as external companies with which commercial collaboration or intermediation agreements have been established. (based on the consent of the data subject, 6.1.a GDPR)

Instant Messaging form

  • To schedule appointments and meetings with the data controller. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)
  • To send commercial advertising communications by e-mail, fax, SMS, MMS, social media or any other electronic or physical means, present or future, to clients, enabling commercial communications regarding products or services similar to those initially contracted with the client (Art. 21.2 LSSI). (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)
  • To manage, maintain, improve or develop the services provided. (for the performance of a contract or pre-contract, 6.1.b GDPR)
  • To manage your online purchase or order, process payment and proceed with shipping or activation, based on the general terms and conditions of contract. (for the performance of a contract or pre-contract, 6.1.b GDPR)
  • To send commercial quotes for products and services. (for the performance of a contract or pre-contract, 6.1.b GDPR)
  • To send commercial advertising communications by e-mail, fax, SMS, MMS, social media or any other electronic or physical means, present or future, enabling commercial communications. These communications will be made by the data controller and will relate to its products and services, or those of its partners or suppliers with whom it has reached a promotional agreement. In this case, third parties will never have access to personal data. (based on the consent of the data subject, 6.1.a GDPR)
  • To respond to enquiries or any type of request made by the user through any of the contact methods made available on the data controller's website. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Video Surveillance form

  • Purpose: Security and access control, labour control and internal activity. Legal basis: Public interest in security and access control, and the legitimate interest of the Data Controller based on Art. 20.3 of the Workers' Statute. Retention: A maximum of 30 days. (based on the consent of the data subject, 6.1.a GDPR)

Images and Recordings form

  • File with static and/or moving images. Includes publication in the data controller's own media or in third-party media. (based on the consent of the data subject, 6.1.a GDPR)

Clients and Suppliers form

  • Commercial management with clients and suppliers. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Advertising Opt-out form

  • Management of data to prevent the sending of commercial communications to those who have expressed their refusal or objection to receiving them. (for compliance with a legal obligation, 6.1.c GDPR)

Commercial Advertising form

  • Advertising management and commercial prospecting. Includes data from legitimate sources of public access. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Data Subject Rights form

  • To handle citizens' requests regarding the exercise of the rights established by the GDPR. (for compliance with a legal obligation, 6.1.c GDPR)

Web, App and other platform Users form

  • Identification data of users accessing the corporate website. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Training, courses, workshops, activities or similar form

  • Management of access and usage conditions. (based on the legitimate interest of the data controller, Art. 6.1.f GDPR)

Legal Representatives and Contact Persons form

  • If you are a legal representative or contact person of any of the entities or persons with whom the Foundation has a relationship, the data controller will process your data to manage the development of that relationship. (based on the consent of the data subject, 6.1.a GDPR)

How long will we keep your personal data?

It will be kept for no longer than necessary to maintain the purpose of the processing or as required by legal retention periods, and once it is no longer necessary, it will be deleted using appropriate security measures to ensure the anonymisation of the data or its complete destruction.

To whom do we disclose your personal data?

No disclosure of personal data to third parties is envisaged, except where necessary for the development and execution of the purposes of the processing, to our service providers related to communications, with whom the data controller has signed the confidentiality and data processing agreements required by current privacy regulations.

Third-party data provided by the User

If the USER provides personal data of third parties for any purpose, they guarantee that they have previously informed the affected parties and have obtained their consent for the disclosure of their data to the Data Controller.

The USER guarantees that the affected parties are of legal age and that the information provided is accurate and truthful.

The Data Controller may verify the consent of such affected parties through an initial e-mail with non-commercial content, requesting verification of the consent granted on their behalf by the USER.

Should any liability arise from a breach of these conditions by the USER, the USER must bear responsibility for the consequences of such breach.

Do we carry out international data transfers?

In accordance with the provisions of Article 44 of the GDPR, authorisation for the international transfer of data to a country that has not been declared to have an adequate level of protection may only be granted if sufficient guarantees are obtained. This may be granted if the data controller provides a written contract, entered into between the data exporter and importer, setting out the necessary guarantees to respect the protection of data subjects and ensure the exercise of their rights.

It is possible that the data controller uses service providers with servers or premises located elsewhere, and therefore such transfers are carried out. To consult the updated list of providers, please contact the data controller or via info@mallorcawellness.com.

What are your rights?

The rights afforded to the user are:

  • The right to withdraw consent at any time.
  • The right of access, rectification, portability, erasure of their data, and restriction of or objection to its processing.
  • The right to lodge a complaint with the supervisory authority (www.aepd.es) if they consider that the processing does not comply with current regulations.

Contact details for exercising your rights:

Pablo Martín Schubert. Hipotels - Av. De Les Savines, SN - 07560 Sa Coma (Balearic Islands). E-mail: info@mallorcawellness.com

2. Mandatory or optional nature of the information provided by the user

Users, by checking the corresponding boxes and entering data in the fields marked with an asterisk (*) on the contact form or presented in download forms, expressly and freely and unequivocally accept that their data is necessary for the service provider to handle their request, with the inclusion of data in the remaining fields being voluntary. The user guarantees that the personal data provided to the data controller is truthful and is responsible for reporting any changes to it.

The data controller informs you that all data requested through the website is mandatory, as it is necessary to provide an optimal service to the user. If not all data is provided, it cannot be guaranteed that the information and services provided will be fully tailored to your needs.

If you provide us with personal data of other persons by any means, the data controller warns that you must do so with their consent and having previously informed them of the matters contained in this Privacy Policy. Likewise, the data controller undertakes to provide any third party whose data is provided to us with the relevant information, in accordance with the provisions of Article 14 of the General Regulation.

3. Security measures

In accordance with the provisions of current personal data protection regulations, the data controller complies with all the provisions of the GDPR and LOPDGDD regulations for the processing of personal data under its responsibility, and manifestly with the principles described in Article 5 of the GDPR, whereby data is processed lawfully, fairly and transparently in relation to the data subject, and is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

The data controller guarantees that it has implemented appropriate technical and organisational policies to apply the security measures established by the GDPR and the LOPDGDD in order to protect the rights and freedoms of users, and has provided them with adequate information so that they can exercise them.

International data transfers

In the context of providing its services, some of the providers used by the data controller may be located outside the European Economic Area (EEA) or may process data from third countries.

In such cases, the data controller guarantees that such international data transfers are carried out in compliance with the provisions of Regulation (EU) 2016/679 (GDPR), applying appropriate guarantees for the protection of personal data, such as the formalisation of Standard Contractual Clauses approved by the European Commission, the existence of adequacy decisions by the European Commission, or other legal guarantees recognised by applicable regulations.

The user may request additional information about the specific guarantees applied to each international transfer by contacting the data controller via info@mallorcawellness.com.

For more information about privacy guarantees, you may contact the data controller via Pablo Martín Schubert. Hipotels - Av. De Les Savines, SN - 07560 Sa Coma (Balearic Islands). E-mail: info@mallorcawellness.com

4. Validity

This privacy policy has been in force since 15/06/2026.

The data controller reserves the right to modify this policy in order to adapt it to future legislative or jurisprudential updates that may apply, or for other technical, operational, commercial, corporate or other reasons. If users' rights are affected as a result of such changes, the data controller undertakes to inform them of the reasons.