Woonivers

PRIVACY POLICY

Who are we?

Owner: Woonivers Spain, SL. (hereinafter referred to as Woonivers)

VAT number: B87922522

Our main activity: collaborating entity in the procedure for the refund of Value Added Tax under the traveller regime by virtue of the authorisation granted by the Tax Management Department of the State Tax Administration Agency on 6 February 2019, published in the Official State Gazette on 15 February of the same year,  as well as in application of the collaboration agreement signed between the COMPANY and the Tax Agency on 5 February 2020.

Our address: Calle San Rafael, 1, Portal 2, 2ºC, 28108, Alcobendas, Madrid (Spain).

Our contact telephone number: 914841028.

Our contact email address: traveler@woonivers.com

Our Data Protection Officer, to whom you can contact any question relating to the processing of your personal data via the following e-mail: dpo@sipay.es

The person responsible for this website is a regulated profession, for which we provide you with the following information: José Luis Nevado Martínez.

INFORMATION IN COMPLIANCE WITH PERSONAL DATA PROTECTION REGULATIONS

The Management / Governing Body of Woonivers Spain, SL (hereinafter, the Data Controller), assumes the maximum responsibility and commitment to the establishment, implementation and maintenance of this Data Protection Policy, guaranteeing the continuous improvement of the Data Controller with the aim of achieving excellence in relation to compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council,  of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU L 119/1, 04-05-2016), and the Spanish legislation on the protection of personal data (Organic Law,  sector-specific legislation and its implementing rules).

The Data Protection Policy is based on the principle of proactive responsibility, according to which the data controller is responsible for compliance with the regulatory and jurisprudential framework that governs said Policy, and is able to demonstrate this to the competent supervisory authorities.

In this regard, the data controller shall be governed by the following principles that must serve as a guide and frame of reference for all its personnel in the processing of personal data:

  • Data protection by design: the controller shall apply, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organisational measures, such as pseudonymisation, designed to effectively apply data protection principles, such as data minimisation, and to integrate the necessary safeguards into the processing.
  • Data protection by default: the controller shall implement appropriate technical and organisational measures with a view to ensuring that, by default, only personal data that is necessary for each of the specific purposes of the processing is processed.
  • Data protection in the information lifecycle: measures to ensure the protection of personal data will be applicable throughout the entire information lifecycle.
  • Lawfulness, fairness and transparency: personal data will be processed lawfully, fairly and transparently in relation to the data subject.
  • Purpose limitation: personal data will be collected for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with those purposes.
  • Data minimization: personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: personal data will be accurate and, if necessary, up-to-date; All reasonable measures shall be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are erased or rectified without delay.
  • Limitation of the retention period: personal data will be kept in such a way as to allow the identification of the data subjects for no longer than is necessary for the purposes of the processing of the personal data.
  • Integrity and confidentiality: Personal data will be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organisational measures.
  • Information and training: one of the keys to guaranteeing the protection of personal data is the training and information provided to the personnel involved in the processing of these data. During the information lifecycle, all personnel with access to the data will be properly trained and informed about their obligations in relation to compliance with data protection regulations.

 

The Data Protection Policy of Woonivers Spain, SL (hereinafter also WOONIVERS) is communicated to all the staff of the data controller and made available to all interested parties on the corporate website.

Consequently, this Data Protection Policy involves all the staff of the data controller, who must be aware of it and assume it, considering it as their own, with each member being responsible for applying it and verifying the data protection regulations applicable to its activity, as well as identifying and providing the opportunities for improvement that it deems appropriate with the aim of achieving excellence in relation to its compliance.

This Policy will be reviewed by the Management / Governing Body of WOONIVERS, as many times as deemed necessary, in order to adapt, at all times, to the current provisions on the protection of personal data.

In Europe and in Spain there are regulations to respect your fundamental right to the protection of your personal data and that generate mandatory obligations for our entity.

Therefore, it is very important to us that you fully understand what we are going to do with the personal data you provide through our website and app.

We want to be transparent and respect your right to control your data, with plain language and clear options that allow you to decide what we do with your personal information.

Please, if you have any questions after reading this information, do not hesitate to ask us.

Thank you very much for your cooperation.

 

What regulations do we comply with?

WOONIVERS will process personal data in accordance with applicable European Union or national legislation, including Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); and any other applicable data protection regulations (collectively, the “Data Protection Regulations”). In particular, WOONIVERS will implement appropriate technical and organisational measures to ensure an appropriate level of security for personal data.

 

How do we collect your data through the web and app?

The data that we process at WOONIVERS has been obtained from you, through the different forms that you fill in while browsing the website or application, or completed in some other format within the activities of WOONIVERS; by sending an enquiry e-mail or by telephone.

In the event that the personal data provided belongs to a third party, you warrant that you have informed such third party of this Personal Data Protection Policy and have obtained their authorization to provide your data to WOONIVERS for the purposes indicated below.

In addition, we inform you of the possible processing of your social network data through the corporate profiles in which SIPAY maintains an available profile, all based on the terms and conditions established in each social network.

We collect your personal information on this website through:

  • The WOONIVERS web contact form .
  • Download our app through any of the official marketplaces.
  • The use of Cookies.
  • The Whistleblowing Channel Form of Grupo Sipay to which WOONIVERS belongs.
  • When you exercise any of your data protection rights with us.

 

We specify in the following section the information regarding the data processing that we may do as a result of the collection of data in any of our forms, the personal data collected, the purpose of the processing and the legal basis for the processing of these.

 

What are we going to use your data for? What is the legitimate basis for this processing?

Specifically, WOONIVERS, in its capacity as Data Controller, collects personal data from its users, through the different forms contained on the website, for the following purposes and legal basis of the processing:

 

FORM

PERSONAL DATA COLLECTED

PURPOSES OF PROCESSING

LEGAL BASIS

“CONTACT” WEB FORM

Identification data (name and surname, nationality), contact data (e-mail).

  • Collect information and respond to your requests related to the services offered by WOONIVERS.
  • Collect information and respond to other inquiries related to WOONIVERS’ activity.

Consent.

 

Application

Email, address, ID or Passport and selfie photo, invoices scanned by the User, payment methods (credit card, bank account, etc., boarding pass; information from the user’s mobile device (Geolocation via GPS and IP address and access to notifications).

  • Email: in order to validate the User’s registration in the App.
  • Address: in order to validate the User’s residence.
  • Identity Document or Passport and selfie photo: to verify the User’s identity and residence.
  • Invoices scanned by the User: to generate the electronic reimbursement documents (DER)
  • Payment methods (credit card, bank account, etc.): to reimburse the User for the amounts accumulated for their purchases.
  • Boarding pass: to verify that the User has left the territory of the European Union.
  • Geolocation via GPS and IP address: to verify that the User has indeed left the territory of the European Union and to be able to reimburse the amounts of VAT that correspond to him. Likewise, in the event that the User has accepted it, in order to be able to offer the User personalized services.
  • Access to notifications: to be able to accompany and assist the User throughout the VAT refund procedure.

User’s consent to download the application and contractual compliance in the management of data for the provision of the service.

Compliance with a legal obligation to prevent money laundering, by requesting in the registration of the application of travelers who request the refund of VAT identification documents (passport, selfie video) that are verified by biometric analysis technology. By default, this system prevents any payment from being processed if the user has not previously completed the registration and if certain additional mandatory information and documents (e.g. invoice) are not included in the process.

dpo@sipay.es

Identification data (name and surname), contact details (email) and DNI/NIF (by providing a photocopy to verify the identity of the applicant).

  • Attend to the exercise of users’ data protection rights.

Compliance with a legal obligation.

Legitimate interest: WOONIVERS may transmit your information to other related organizations for administrative management purposes.

Cookies

IP & Location

  • Manage the functionalities of the website and application, as well as analyze user preferences.

Express consent of the user (which can be given by ticking the corresponding box in the first layer of information on cookies on the website).

Whistleblowing Channel

Identification and, depending on what the user indicates in the text of the report or attachments, other types of data may be contained

  • Process, investigate, and/or resolve complaints, even though anonymous complaints may be filed. They will only be processed by those who carry out management functions of the Whistleblowing Channel at Sipay Plus, SL, parent company of the group whose criminal risk management system (Compliance) we are attached to and in accordance with the Whistleblowing Channel Management Procedure, mainly the Compliance Committee. The absolute confidentiality and custody are guaranteed under security measures appropriate to the type of data and the risk of the information processed.

Compliance with a legal obligation in accordance with the provisions of Law 2/2023, of February 20, 2023, regulating the protection of persons who report regulatory and anti-corruption violations and the legitimate interest of WOONIVERS in complying with the requirements regarding the prevention of corporate risks, especially those related to the possible criminal liability of the legal entity,  by virtue of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.

 

In cases other than the above, the processing will be based on the possible development of pre-contractual or contractual measures linked to our services.

SIPAY carries out the following processing of personal data not linked to the website, duly registered in its Register of Processing Activities:

  • Establishment and/or management (execution, development and control) of a contractual relationship with the traveller or with the establishment.
  • Claims management (litigation).
  • Management of the prevention of money laundering in operations and companies of the group subject to such regulations and for the prevention of criminal risks.

 

We may be required to use and retain personal information for legal and compliance reasons, such as preventing, detecting or investigating crime, loss or fraud prevention, or to comply with internal and external audit requirements, our information security, crime prevention, or compliance objectives inherent in our business,  This may lead to the following being processed:

  • under applicable law;
  • to respond to requests from courts, law enforcement, regulators, and other authorities; and
  • to protect other rights of the user or others.

 

Your commitment, the veracity of the data you provide us.

You declare that the personal data you provide to WOONIVERS in any part of the use of this website are truthful.

As a user, you should be aware that you are solely responsible for any damage, direct or indirect, that may be caused to WOONIVERS as responsible for this website or to a third party if you fill in any form with false or third party data without their prior consent, causing deception, damage or harm.

In order for us to keep your data accurate and up-to-date, please inform us of any changes that may occur in the data provided.

In the event that you contact WOONIVERS Y for the services you provide for an entity (legal person) or as a sole proprietor, the processing of your personal data will be based on the legitimate interest of WOONIVERS (Article 19 LOPD).

If you contact WOONIVERS because you have used our app, the processing will be based on the contract relating to the acceptance of the download of the app or the contract with the establishment, if applicable.

In cases other than the above, the processing will be based on the possible development of pre-contractual or contractual measures linked to our services and on our website/application.

For the receipt of commercial and courtesy communications related to the services offered by our entity, the legitimate basis is the consent you have given us through the box of the corresponding form. If you have not flagged it or withdraw your consent, we will not or stop sending you these communications.

 

Who is going to know the information we ask for?

Your personal data may be accessed by service providers that WOONIVERS hires or may contract and who have the status of data processor, in order to comply with the purposes described in the previous point.

Likewise, those public or private entities to which we are obliged to provide your personal data in compliance with a law, such as the regulations on the prevention of money laundering, to which we are obliged to comply, will be aware of your information.

In the case of the data entered in the Whistleblowing Channel Form, they may be transferred to third parties exclusively in the case of external legal advisors and to judicial bodies and to the State Security Forces and Corps or administrative authority, when necessary and in compliance with a legal obligation (Law 2/2023,  of 20 February, regulating the protection of persons who report regulatory and anti-corruption infringements) and the legitimate interest of WOONIVERS in complying with the requirements regarding the prevention of corporate risks, especially those related to the possible criminal liability of the legal entity (Organic Law 3/2018,  of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights).

In some cases, WOONIVERS uses third-party tools and services to manage some of the services offered on this website. These services are owned by third parties resident in the European Economic Area.

WOONIVERS tries to use secure tools whose servers are preferably located in Spain, or failing that, in a member state of the European Union, or that comply with European legislation in accordance with the guidelines and recommendations of the Spanish Data Protection Agency, the European Commission and the reference community agreements on international data transfer.

In the event that the international transfer of data is necessary, the acceptance of this Privacy Policy in each of the forms in which you can provide your data will mean that as a user you expressly consent to the aforementioned transfer.

 

How will we protect your data?

In order to protect the personal data of users, WOONIVERS ensures itself, and controls its processors, in the application of technical and organizational measures appropriate to the state of the art for the protection of personal data, taking into account the scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of the data subjects,  striving to be able to ensure the confidentiality, integrity, availability and resilience of treatment systems and services.

Our information security policies and procedures are regularly reviewed and updated to meet the needs of our business, technological changes and regulatory requirements.

We will protect your data with effective security measures depending on the risks involved in the use of your information.

To this end, our entity has approved a Data Protection Policy and undergoes annual controls and audits to verify the security of the processing.

 

Will we send your data to other countries?

WOONIVERS hosts the personal data subject to processing within Spain. Therefore, we do not carry out international transfers of the data processed through this website.

 

How long will we keep your data?

In general, personal data will be kept as long as you do not revoke your consent to the processing or request its deletion, as well as the time necessary to comply with the legal obligations that WOONIVERS must observe.

  • In the event that you have given your consent to receive commercial communications, we will keep your contact details until you withdraw it, unsubscribing from this processing.
  • If you have contacted us as a user of our application or services, during the term of the contract, as well as the statute of limitations of legally applicable obligations.
  • If you have contacted us as an individual who provides services in an entity with which WOONIVERS has a contractual relationship or may have an interest in such function, for as long as you perform such function or position and during the statute of limitations of legally applicable obligations.
  • In all other cases, WOONIVERS will keep the personal data linked to your query until it is answered and then delete it within 1 month.
  • In the case of the data entered in the Whistleblowing Channel Form, they will be kept in the Whistleblowing Channel system for the time necessary to decide on the admissibility of initiating an investigation into the reported facts and, where appropriate, while the process of investigation and resolution of the complaints submitted is carried out. and always for a maximum period of 3 months from the date of entry of the complaint.

 

In any case, we inform you that WOONIVERS has established internal data purification policies aimed at controlling the retention periods of the personal data in its possession, so that these may be cancelled when they are no longer necessary and/or appropriate for the purpose for which they were collected.

What are your data protection rights?

You may exercise your rights of access, rectification, cancellation, opposition, limitation of processing and portability of data, as well as withdraw the consent given free of charge, in the cases and to the extent established by the applicable regulations at any given time.

Before handling a request to exercise any of the aforementioned rights, SIPAY must verify the identity of the interested party and the legitimacy of their request or claim. SIPAY will respond to such request or claim in accordance with the provisions of the Data Protection Regulations.

To exercise these rights, you may write to the DPO of Woonivers (SIPAY Group) at dpo@sipay.es 

 

Can I withdraw my consent if I change my mind at a later time?

You can withdraw the consent given by means of the request submitted through the website or by checking the box corresponding to the sending of commercial communications if you change your mind in this regard, by sending a new form through the website in which your withdrawal of consent appears.

 

In case you feel that your rights have been disregarded, where can you make a claim?

In the event that you believe that your rights have been disregarded by our entity, you can file a complaint with the Spanish Data Protection Agency, through one of the following means:

  • E-Office: www.agpd.es
  • Postal address: Agencia Española de Protección de Datos C/ Jorge Juan, 6 28001-Madrid
  • Telephone: Tel. 901 100 099 Tel. 91 266 35 17

 

Filing a complaint with the Spanish Data Protection Agency does not entail any cost and the assistance of a lawyer or solicitor is not necessary.

 

Will we build profiles based on your personal data?

WOONIVERS does not perform any profiling analysis that leads to automated decision-making. Notwithstanding this, in the identification process required by the regulations on the prevention of money laundering, we do carry out an examination of the transactions with a view to identifying any transaction suspected of breaching the regulations, for the purposes of reporting them to the competent authorities.

 

Minors

Anyone of any age is authorized to browse this website.

However, in order to provide their personal data, the user must be over 14 years of age. Otherwise, they must be provided, where appropriate, by their father, mother or legal guardian.

SIPAY reserves the right to request a copy of your ID card or equivalent document that proves its legitimacy in the event of having well-founded suspicions about the user’s minority.

SIPAY recommends that parents, representatives or legal guardians supervise or take the appropriate precautions during minors’ browsing on the Internet, as well as establish filters on the information and content that minors may or may not access.

 

What happens if personal data security is breached?

In the event of a breach of personal data, unless it is unlikely that such breach of security would constitute a risk to the rights and freedoms of natural persons, WOONIVERS will notify the Spanish Data Protection Agency within 72 hours after it becomes aware of the incident.  describing the nature of the breach, the possible consequences that may result, and the measures taken or proposed to remedy the security breach; and, if possible, the categories and approximate number of data subjects and data affected shall be made known.

In addition, WOONIVERS will notify data subjects, as soon as possible, when the breach of personal data security is likely to entail a high risk to the rights and freedoms of natural persons, describing the possible consequences that may arise and the measures taken or proposed to remedy the security breach.

 

What security measures do we implement to protect personal data?

In order to protect the personal data of users, SIPAY ensures itself and controls its data processors, in the application of technical and organisational measures appropriate to the state of the art to protect personal data, taking into account the scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of the data subjects,  striving to be able to ensure the confidentiality, integrity, availability and resilience of treatment systems and services.

In particular, WOONIVERS has implemented an encryption and authentication protocol that ensures that the personal data accessed by us is transmitted to our servers via a secure SSL connection (“Secure-Socket-Layer”) SHA-256 with RSA encryption ( 1.2.840.113549.1.1.11 ), in order to protect it from third parties.

SIPAY Group’s Security Policy (PCIDSS) and information security procedures are regularly reviewed and updated in order to meet business needs, technological changes and regulatory requirements.

  • Technical and organizational measures are put in place to store and transfer information securely to protect against accidental attack or loss, as well as unauthorized access, use, destruction, or disclosure.
  • WOONIVERS has a privacy and security risk assessment strategy, as well as a disaster recovery and business continuity plan designed to safeguard the continuity of our services and to protect your staff.
  • Appropriate restrictions apply on access to personal information.
  • WOONIVERS requires its data processors to provide accreditation of the security controls appropriate to the processing of personal data that, in each case, they carry out.
  • WOONIVERS requires its employees and contractors to be continuously trained in the area of information security, as well as in other pertinent areas, as they have access to personal information and other sensitive data.

 

WOONIVERS states that it is able to act quickly and effectively to restore the availability and access to personal data in the event of identifying the occurrence of a physical or technical incident, maintaining an internal record of incidents, as well as the necessary management and control activities of backups that guarantee the recovery of information in the event of a possible security incident.

WOONIVERS states that it stores users’ personal data on secure servers, protected against the most common types of attacks and located in Spain.

In accordance with the Law on Information Society Services and Electronic Commerce (LSSICE), WOONIVERS does not engage in SPAM practices or send commercial communications that have not been previously requested or authorized by Users. Consequently, in each of the respective forms of the Website and the App, the User has the possibility of giving their express consent to receive electronic communications, regardless of the commercial information requested.

In accordance with the provisions of the LSSICE, WOONIVERS undertakes not to send any type of communication of a commercial nature without duly identifying itself.

 

Use of cookies

WOONIVERS uses cookies (small information files that are downloaded to a user’s device or terminal equipment when accessing a website, in order to store data that can be updated and retrieved by the person responsible for its installation) and other tracking technologies to carry out certain functions that are considered essential for the correct functioning and visualization of the website and,  in some cases, to store and manage user preferences, enable content, and collect analytics and usage data.

To obtain these analyses, this website may store certain information in the server logs automatically through the use of cookies or other mechanisms (such as local or browser session storage) that collect non-personal usage and browsing data relating to the use of this website by the User. These logs typically include information such as browser type, browser language, date and time of access request, URL, computer or device model, operating system version, and data about the mobile network used to access and browse this website.

 

What is the applicable law and jurisdiction?

WOONIVERS is based in Spain, so the content of this Data Protection Policy has been drafted in accordance with Spanish law and applicable European Union regulations.

The User accepts that any claims or complaints against WOONIVERS arising from or related to the use of this website and more specifically to the processing of their personal data will be resolved by the court of competent jurisdiction located in Madrid (Spain).

If WOONIVERS has to make any type of claim, it will do so before the competent court of the user’s domicile or in Madrid (Spain) in the case of non-consumer legal persons or professionals.

If you access this site from a location outside of Spain, you are responsible for complying with all applicable local and international laws.

 

Reservation of the right to modify the Data Protection Policy

SIPAY may modify this Data Protection Policy at any time, taking into account the evolution of this website and the contents offered therein, if it deems it necessary, either for legal reasons, for technical reasons, or due to changes in the nature or layout of the website, without there being any obligation to notify or inform the User of such modifications.  It is understood that its publication on the website itself is sufficient.

Any modification will be effective with respect to users who use this website after such modification. Your continued use of this site following the posting of any changes will be deemed acceptance of the changes. That is why, at the end of this Data Protection Policy, the last date of its update will always be published, so the changes introduced will be effective from that date.

In the event that the User does not agree with the updates to our Data Protection Policy, he/she may waive them by not entering his/her personal data in the contact forms on the website or by exercising his/her rights as specified above. If your rights are not satisfied, you can lodge a complaint with the supervisory authority.


Last updated: 02/28/2024