Our team of design specialists will be happy to do it.
Privacy Policies
INDEX
- Objective of the Privacy Policy
- Definitions
- Identity of the Data Controller
- Applicable laws and regulations
- Applicable principles to the processing of personal data
- Data processing activities carried out
- Necessary and updated information
- Personal data of minors
- Technical and organizational security measures
- Rights of the data subjects
- Complaints to the Control Authority
- Acceptance and changes in the Privacy Policy
1.- OBJECTIVE OF THE PRIVACY POLICY
This "Privacy and Data Protection Policy" aims to inform about the conditions governing the collection and processing of personal data by Disfruta tu baño 3000, s.l., making every effort to safeguard the fundamental rights, honor, and freedoms of individuals whose personal data is processed, in compliance with the regulations and laws in force that govern the Protection of Personal Data according to the European Union and the Spanish Member State, specifically those expressed in the section "Data Processing Activities" of this Privacy Policy.
Therefore, in this Privacy and Data Protection Policy, users of the Website https://banototal.com are informed of all the details of their interest regarding how these processes are carried out, for what purposes, which other entities may have access to their data, and what rights users have.
2.- DEFINITIONS
“Personal data”: Any information about an identified or identifiable natural person (“the user of the Website”); an identifiable natural person is considered to be any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, identification number, location data, an online identifier, or one or several elements specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
“Processing”: any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, comparison or interconnection, limitation, deletion or destruction.
“Limitation of processing”: the marking of personal data retained to limit its processing in the future.
"Profiling": any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects related to professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.
"Pseudonymization": the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
"File": any structured set of personal data, accessible according to specific criteria, whether centralized, decentralized, or functionally or geographically distributed.
"Data controller" or "controller": the natural or legal person, public authority, service, or other body that, alone or jointly with others, determines the purposes and means of the processing; if Union or Member State law determines the purposes and means of processing, the data controller or the specific criteria for its appointment may be established by Union or Member State law.
"Processor" or "data processor": the natural or legal person, public authority, service, or other body that processes personal data on behalf of the data controller.
"Recipient": the natural or legal person, public authority, service, or other body to whom personal data is communicated, whether or not it is a third party. However, public authorities that may receive personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered recipients; the processing of such data by these public authorities shall comply with the applicable data protection rules for the purposes of processing.
“Third party”: any natural or legal person, public authority, service, or body other than the data subject, the data controller, the processor, and the persons authorized to process the personal data under the direct authority of the controller or the processor.
“Consent of the data subject”: any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data concerning them.
“Personal data breach”: any breach of security that leads to the accidental or unlawful destruction, loss, or alteration of personal data transmitted, stored, or otherwise processed, or to the unauthorized communication or access to such data;
“Genetic data”: personal data related to the inherited or acquired genetic characteristics of a natural person that provide unique information about the physiology or health of that person, obtained in particular from the analysis of a biological sample of that person.
“Biometric data”: personal data obtained from a specific technical processing, related to the physical, physiological, or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or fingerprint data.
“Health data”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status.
“Main establishment”:
a) with regard to a data controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions regarding the purposes and means of processing are taken in another establishment of the controller in the Union and that latter establishment has the power to enforce such decisions, in which case the establishment that has made such decisions shall be considered the main establishment;
b) with respect to a processor with establishments in more than one Member State, the place of its central administration in the Union or, if it lacks this, the establishment of the processor in the Union where the main processing activities are carried out in the context of the activities of an establishment of the processor to the extent that the processor is subject to specific obligations under this Regulation.
«Representative»: natural or legal person established in the Union who, having been designated in writing by the controller or processor in accordance with Article 27 of the GDPR, represents the controller or processor regarding their respective obligations under this Regulation.
«Company»: natural or legal person engaged in an economic activity, regardless of its legal form, including companies or associations that regularly carry out an economic activity.
«Supervisory authority»: the independent public authority established by a Member State in accordance with Article 51 of the GDPR. In the case of Spain, it is the Spanish Agency for Data Protection.
«Cross-border processing»: a) the processing of personal data carried out in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, if the controller or processor is established in more than one Member State, or b) the processing of personal data carried out in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
«Information society service»: any service of the information society, that is, any service provided normally for a fee, at a distance, by electronic means and at the individual request of a service recipient.
3.- IDENTITY OF THE DATA CONTROLLER
The Data Controller is the natural or legal person, public or private, or administrative body, that alone or jointly with others determines the purposes and means of processing personal data; in case the purposes and means of processing are determined by the law of the European Union or the Spanish Member State.
In the aspects expressed in this Data Protection Policy, the identity and contact details of the Data Controller are:
Enjoy your bath 3000, s.l. - NIF/DNI B12969309
C/ Azahar, Nº1, Urbanización Serena Mar, 1 Bl.1 Esc . 12570, Alcalá de Xivert (Castellón), Spain
- Email: info@banototal.com
- Phone:
4.- APPLICABLE LAWS AND REGULATIONS
This Privacy and Data Protection Policy is developed based on the following data protection regulations and laws:
- Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free movement of such data. Hereinafter GDPR.
- Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights. Hereinafter LOPD/GDD.
- Law 34/2002, of July 11, on Information Society Services and Electronic Commerce. Hereinafter LSSICE.
5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
The personal data collected and processed through this website will be processed in accordance with the following principles:
-
Lawfulness, fairness, and transparency principle: All processing of personal data carried out through this Website will be lawful and fair, making it completely clear to the user when their personal data is being collected, used, consulted, or processed. Information regarding the processing carried out will be provided in advance, easily accessible, and easy to understand, in simple and clear language.
-
Purpose limitation principle: All data will be collected for determined, explicit, and legitimate purposes, and will not be processed subsequently in a manner incompatible with the purposes for which they were collected.
-
Data minimization principle: The data collected will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
-
Accuracy principle: The data will be accurate and, if necessary, updated, taking all reasonable measures to ensure that inaccurate personal data is erased or rectified without delay concerning the purposes for which it is processed.
-
Data retention limitation principle: The data will be maintained in a way that allows the identification of the data subjects for no longer than necessary for the purposes of processing personal data.
-
Integrity and confidentiality principle: The data will be processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss or damage, through the application of appropriate technical and organizational measures.
- Proactive responsibility principle: The entity owning the Website will be responsible for complying with the principles outlined in this section and will be able to demonstrate it.
6.- DATA PROCESSING ACTIVITIES
Below are the data processing activities carried out through the Website specifying each of the following sections:
- Activity: Name of the data processing activity
- Purposes: Each of the uses and processes carried out with the collected data
- Legal basis: The legal basis that legitimizes the processing of the data
- Processed data: Type of data processed
- Source: Where the data is obtained from
- Retention: Period during which the data is retained
- Recipients: Third parties to whom the data is provided
- International transfers: Cross-border transfers of data outside the European Union
6.1 MAIN PROCESSING ACTIVITIES
These are data processing activities whose purposes are necessary and essential for the provision of services.
| Clients | |
|---|---|
| Legal bases | (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract |
| Purposes | Contact and commercial activities with clients |
| Categories of data and groups | Clients (Identifying data; Economic, financial, and insurance; Transactions of goods and services) |
| Source of data | The interested party themselves or their legal representative |
| Category of recipients | Tax Administration; Banks, savings banks, and rural banks |
| International transfer | Not planned |
| Retention period | For a period of 6 years from the last confirmation of interest. Article 30 of the Commercial Code |
| Potential clients | |
|---|---|
| Legal bases | (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract |
| Purposes | Management of potential clients and contacts |
| Categories of data and groups | Prospects (Identifying data) |
| Source of data | The interested party themselves or their legal representative |
| Category of recipients | Not planned |
| International transfer | Not planned |
| Retention period | For a period of 2 years from the last confirmation of interest. Article 5 of GDPR 2016/679 section C |
| Labor | |
|---|---|
| Legal bases | (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract |
| Purposes | Labor presence control; Labor training; Payroll and labor contract management; Occupational risk prevention; Labor supervision and control |
| Categories of data and groups | Employees (Identifying data; Academic and professional; Personal characteristics; Economic, financial, and insurance; Employment details) |
| Source of data | The interested party themselves or their legal representative |
| Category of recipients | Social Security bodies; Tax Administration; Banks, savings banks, and rural banks; Public administration with competence in the matter |
| International transfer | Not planned |
| Retention period | For a period of 5 years from the last confirmation of interest. Articles 66 to 70 of the General Tax Law. |
| Suppliers | |
|---|---|
| Legal bases | (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract |
| Purposes | Management of clients/suppliers, accounting, tax, and administrative |
| Categories of data and groups | Suppliers (Identifying data; Economic, financial, and insurance; Transactions of goods and services) |
| Source of data | The interested party themselves or their legal representative |
| Category of recipients | Tax Administration; Banks, savings banks, and rural banks |
| International transfer | Not planned |
| Retention period | For a period of 6 years from the last confirmation of interest. Article 30 of the Commercial Code |
6.2 OPTIONAL PROCESSING ACTIVITIES (if the user has marked their acceptance)
These are activities involving the processing of personal data whose purposes are not essential for the provision of the service and that are only carried out if the user has marked YES in the consent for these activities.
| Job bank | |
|---|---|
| Legal bases | (Art. 6.1.a GDPR) Consent of the data subject |
| Purposes | Staff selection |
| Categories of data and groups | Job candidates (Identifying data; Academic and professional; Employment details; Social circumstances) |
| Source of data | The interested party themselves or their legal representative |
| Category of recipients | Not planned |
| International transfer | Not planned |
| Retention period | For a period of 2 years from the last confirmation of interest. Article 5 section C GDPR 679/2016 |
| Commercial communications | |
|---|---|
| Legal bases | (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract |
| Purposes | Commercial communications; Marketing, advertising, and business prospecting |
| Categories of data and groups | Ecommerce Clients (Identifying data; Economic, financial, and insurance data). Web Contacts (Identifying data) |
| Source of data | The interested party themselves or their legal representative |
| Category of recipients | Not planned |
| International transfer | Not planned |
| Retention period | As long as the interested party does not request their deletion |
| Management of Ecommerce clients | |
|---|---|
| Legal bases | Explicit consent of the interested party |
| Purposes | E-commerce |
| Categories of data and groups | Ecommerce Clients (Identifying data; Economic, financial, and insurance data; Transactions of goods and services) |
| Source of data | The interested party themselves or their legal representative |
| Category of recipients | Tax Administration; Banks, savings banks, and rural banks |
| International transfer | Not planned |
| Retention period | For a period of 5 years from the last confirmation of interest |
7.- NECESSARY AND UPDATED INFORMATION
All fields marked with an asterisk (*) in the Website forms are mandatory, so omitting any of them may result in the inability to provide the requested services or information.
You must provide truthful information so that the information provided is always up to date and does not contain errors; you must communicate to the Data Controller as soon as possible any modifications and corrections to your personal data that occur via email to the address: info@banototal.com.
Furthermore, by clicking the "I Accept" button (or equivalent) included in the aforementioned forms, you declare that the information and data you have provided are accurate and truthful, as well as that you understand and accept this Privacy Policy.
8.- DATA OF MINORS
In compliance with the provisions of Article 8 of the GDPR and Article 7 of the LOPD/GDD, only those over 14 years of age may give their consent for the processing of their personal data by Disfruta tu baño 3000, s.l..
For the above reasons, minors under 14 years of age may not use the services available through the Website without prior authorization from their parents, guardians, or legal representatives, who will be solely responsible for all acts performed through the Website by the minors in their care, including the completion of online forms with the personal data of such minors and, where applicable, the marking of the accompanying boxes.
9.- TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Data Controller adopts the necessary organizational and technical measures to ensure the security and privacy of its data, prevent its alteration, loss, processing, or unauthorized access, depending on the state of technology, the nature of the stored data, and the risks to which they are exposed.
Among others, the following measures stand out:
- Ensure the permanent confidentiality, integrity, availability, and resilience of processing systems and services.
- Restore the availability and access to personal data quickly, in the event of a physical or technical incident.
- Regularly verify, evaluate and assess, the effectiveness of the technical and organizational measures implemented to ensure the security of processing.
- Pseudonymize and encrypt personal data, in case it involves sensitive data.
On the other hand, the Data Controller has decided to manage information systems according to the following principles:
- Principle of regulatory compliance: All information systems will comply with applicable legal, regulatory, and sectoral regulations affecting information security, especially those related to the protection of personal data, security of systems, data, communications, and electronic services.
- Principle of risk management: Risks will be minimized to acceptable levels, seeking a balance between security controls and the nature of the information. Security objectives must be established, reviewed, and consistent with information security aspects.
- Principle of awareness and training: Training programs, awareness-raising, and campaigns will be organized for all users with access to information regarding information security.
- Principle of proportionality: The implementation of controls that mitigate security risks to assets will seek a balance between security measures, the nature of the information, and risk.
- Principle of responsibility: All members of the Data Controller will be responsible for their conduct regarding information security, complying with established standards and controls.
- Principle of continuous improvement: The effectiveness of the security controls implemented in the organization will be reviewed regularly to increase the ability to adapt to the constant evolution of risk and the technological environment.
10.- RIGHTS OF THE DATA SUBJECTS
Current data protection regulations protect the user with a series of rights regarding the use of their data. Each of these rights is personal and non-transferable, meaning that they can only be exercised by the data subject, upon verification of their identity.
The following details the rights of the users of the Website:
- Right of access: It is the right that the user of the Website has to obtain confirmation of whether the Data Controller is processing their personal data or not and, if so, to obtain information about their specific personal data and the processing that the Data Controller has carried out or is carrying out, as well as, among other things, information available about the origin of such data and the recipients of the communications made or planned regarding them.
- Right to rectification: It is the right that the user of the Website has to modify their personal data that are found to be inaccurate or, taking into account the purposes of the processing, incomplete.
- Right to erasure: Commonly known as the "right to be forgotten," it is the right that the user of the Website has, provided that current legislation does not state otherwise, to obtain the deletion of their personal data when it is no longer necessary for the purposes for which it was collected or processed; the User has withdrawn their consent to the processing and there is no other legal basis; the User opposes the processing and there is no other legitimate reason to continue; the personal data has been processed unlawfully; the personal data has been obtained as a result of a direct offer of information society services to a minor under 14 years of age. In addition to deleting the data, the Data Controller, taking into account the available technology and the cost of its application, will take reasonable measures to inform other possible controllers who are processing the personal data of the request from the interested party for the deletion of any link to that personal data.
- Right to data limitation: It is the right of the User of the Website to limit the processing of their personal data. The User of the Website has the right to obtain the limitation of processing when they contest the accuracy of their personal data; the processing is unlawful; the Data Controller no longer needs the personal data, but the User needs it to make claims; and when the User of the Website has objected to the processing.
-
Right to data portability: In cases where processing is carried out by automated means, the User of the Website will have the right to receive from the Data Controller their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller. Whenever technically possible, the Data Controller will directly transmit the data to that other Controller.
-
Right to object: It is the right of the User not to have their personal data processed or to cease the processing of the same by the Data Controller.
- Right not to be subject to automated decisions and/or profiling: It is the right of the User of the Website not to be subject to an individualized decision based solely on the automated processing of their personal data, including profiling, unless otherwise provided by current legislation.
- Right to withdraw consent: It is the right of the User of the Website to withdraw, at any time, the consent given for the processing of their data.
The user of the Website can exercise any of the rights mentioned by contacting the Data Controller and prior identification of the User using the following contact information:
- Responsible: Disfruta tu baño 3000, s.l.
- Address: C/ Azahar, Nº1, Urbanization Serena Mar, 1 Bl.1 Esc . 12570, Alcalá de Xivert (Castellón), Spain
- E-mail: info@banototal.com
- Website: https://banototal.com
11.- RIGHT TO COMPLAIN TO THE SUPERVISORY AUTHORITY
The user is informed of their right to lodge a complaint with the Spanish Agency for Data Protection if you believe that there has been a violation of the legislation on data protection regarding the processing of your personal data.
Contact information of the supervisory authority:
Spanish Agency for Data Protection
Email: info@aepd.es
Phone: 912663517
Website: https://www.aepd.es
Address: C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain
12.- ACCEPTANCE AND CHANGES IN THE PRIVACY POLICY
It is necessary for the user of the Website to have read and agreed to the data protection conditions contained in this Privacy Policy, as well as to accept the processing of their personal data so that the Data Controller can proceed with it in the manner, periods, and purposes indicated.
The Data Controller reserves the right to modify this Privacy Policy at its discretion, or due to a legislative, jurisprudential, or doctrinal change by the Spanish Agency for Data Protection. Changes or updates made to this Privacy Policy that affect the purposes, retention periods, data transfers to third parties, international data transfers, as well as any rights of the User of the Website, will be explicitly communicated to the user.
* The user agrees that all their personal data will be fully transferred to Aplazame from the moment the user has initiated the contracting of the deferred payment service offered by the latter at the time of choosing the payment method. This acceptance extends to third parties that may need to access the files for the proper fulfillment of the contract. *Example of financing with APLAZAME for a purchase of €200.00 over 12 months, starting payment 30 days after the request. An upfront payment of €16.65 is required, which the user must pay via their card at the time of the transaction. The amount to be financed is the difference between the basket value (€200.00) and the upfront payment (€16.65): €183.35. 12 monthly payments of €16.65 are requested. Opening fee: €0.00. TIN: 16.19%; APR: 17.45%. Total amount owed: €199.83. Subject to approval by APLAZAME. Cash price: €200.00; Financed price: €216.48

