GETREFUND, S.L. (WOONIVERS hereafter) informs users of the website about its policy regarding the treatment and protection of personal data of users and customers that may be collected by browsing or contracting services through its website.

In this sense, WOONIVERS guarantees compliance with current regulations on the protection of personal data is reflected in REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 relating to the protection of natural persons. with regard to the processing of personal data and the free circulation of these data and repealing Directive 95/46 / EC (General Data Protection Regulation).


Responsible for the treatment: GET REFUND, S.L.

VAT NUMBER: B 87922522

Registered office at C / Reyes Magos, 14, Bajo, (28009) of Madrid.



WOONIVERS has the duty to inform users of its website about the collection of personal data that can be carried out, either by sending email or filling in the forms included in the website. In this sense, WOONIVERS will be considered as Responsible for the Treatment of the data collected through the means described above.

WOONIVERS informs users of the purpose of processing the data collected, which includes:

  • The attention of requests made by users.
  • Inclusion in the contacts.
  • The provision of services and the management of the commercial relationship.

The operations, management and technical procedures carried out in an automated or non-automated way and that enable the collection, storage, modification, transfer and other actions on personal data, are considered to be the processing of personal data.

All personal data collected through the website or the WOONIVERS platform, and therefore considered to be the processing of personal data, will be included in the Activity Register owned by WOONIVERS.

Specifically, Woonivers will perform the following data collection for the development and execution of its services:

Information that we obtain from the client:

a. Email address: in order to validate your registration in the APP.

b. Billing address: in order to assist in the purchase process as well as verify the residence of the interested party.

c. Documents to verify the identity of the user: Passport and Selfie, in order to verify the identity of each user and their residence.

 d. Invoices scanned by the tourist: in order to digitize them and be able to generate, automatically, the electronic form DIVA Tax Free.

e. Tourist collection methods: to be able to transfer the taxes that have accumulated with your purchases, we will request a card where you can make a payment to the same for the amount that corresponds.

f. Boarding Pass: We will request the boarding pass to verify that the client is going to leave the territory of the European Union.

Information we obtain from the customer’s mobile device:

a. Geolocation: via GPS, and IP Address. To be able to offer personalized services.

 b. Access to the notifications: in order to be able to accompany the tourist throughout the trip and help in their management of the invoices of their purchases for the return of taxes.


The General Data Protection Regulation grants the interested parties the possibility of exercising a series of rights related to the processing of their personal data.

Users may exercise the rights of access, rectification, deletion, limitation and portability in accordance with the provisions of current legislation on the protection of personal data. In essence, each right allows you:

• Access: it gives you the possibility of obtaining a copy of the personal data that is being processed at the request of the interested party, or you will be allowed remote access to a secure system that offers direct access to personal data.

• Rectification: the interested party will have the right to obtain, without undue delay, the rectification of the inaccurate personal data concerning him / her.

• Deletion (right to be forgotten): gives you the option to delete your personal data from a database when they:

– no longer necessary in relation to the purposes for which they were collected or otherwise treated;

– the interested party withdraws the consent on which the treatment is based;

– the interested party opposes the treatment and other legitimate reasons for the treatment do not prevail;

– personal data have been treated unlawfully;

– the personal data must be deleted for the fulfilment of a legal obligation established in European Union Law that applies to the data controller;

– personal data have been obtained in connection with the offer of services of the information society on «Conditions applicable to the consent of the child in relation to the services of the information society».

• Limitation of treatment: implies the non-application of your personal data to the appropriate treatment operations. It may be requested when:

a) The interested party has exercised the rights of rectification or opposition and the person in charge is in the process of determining whether to respond to the request.

b) The treatment is illegal, which would determine the deletion of the data, but the interested party is opposed to it.

c) The data is no longer necessary for the treatment, which would also determine its deletion, but the interested party requests the limitation because it needs them for the formulation, exercise or defense of claims.

• Portability: allows the interested party to obtain a copy in a structured format, of common use and mechanical reading of the data held by the File Manager.

To make use of the exercise of these rights, the user must contact them by written communication, providing documentation proving their identity (ID or passport), to the following address: GETREFUND, S.L., Calle Reyes Magos, 14, Bajo, 28009 Madrid. This communication must reflect the following information: name and surname of the user, the request for request, the address and the supporting data, also, and for greater ease of the interested party, the possibility of exercising these rights by sending an email is allowed. electronic, including in any case the documentation listed, to the address:

The exercise of rights must be performed by the user. However, they may be executed by a person authorized as legal representative of the authorized party. In this case, the documentation proving this representation of the interested party must be provided.

Inform you that the exercise of your rights will be completely free, unless the request is manifestly unfounded or excessive, especially by repetitive. In such cases, the interested party may be charged a fee that compensates the administrative costs of attending the request or of the refusal to act.

The deadline to meet your request will be ONE MONTH from the day of receipt of the same, may be extended to TWO MONTHS for those especially complex requests, always with the timely notification to the interested party of the aforementioned extension of the deadline.

If we consider not to comply with the request, we guarantee communication in that sense within ONE MONTH.


In the processing of personal data, the following principles will be applied, adjusted to the requirements of the new European Data Protection Regulation:

Principle of legality, loyalty and transparency: The consent of the interested parties will always be required for the processing of personal data for one or several specific purposes, which will be previously reported with absolute transparency.

Principle of minimization of data: Only strictly necessary data will be requested in relation to the purposes for which they are required. The possible minimums.

Principle of limitation of the conservation period: the data will be maintained for no longer than necessary for the purposes of the treatment, depending on the purpose. The corresponding conservation period will be informed, in the case of subscriptions, periodically lists will be reviewed and the inactive records will be eliminated for a considerable time.

Principle of integrity and confidentiality: The data will be treated in such a way that an adequate security of personal data is guaranteed, and confidentiality is guaranteed.


The legitimacy of the treatment of your data is the consent mainly, without prejudice to those other bases of legitimacy contemplated in the regulations and that could result from application, these being the following:

a) The treatment is necessary for the execution of a contract in which the interested party is a party or for the application at the latter’s request of pre-contractual measures;

b) The treatment is necessary for compliance with a legal obligation applicable to the controller;

c) The treatment is necessary to protect vital interests of the interested party or another natural person;

d) The treatment is necessary for the fulfilment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller;

e) The treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests do not prevail the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.


The categories of data that are treated are:

a) Identification data: including passport and photo selfie.

b) Email address.

c) Data related to billing: billing address and invoices scanned by the interested party.

d) Tourist collection methods.

e) Boarding card for the departure trip from Spain.

f) Geographical location data by GPS and IP Address.


The personal data will be kept following the following criteria:

Until the deletion is requested by the interested party, WOONIVERS may process the personal data of the interested party, provided that said treatment is adjusted to the purpose for which they were collected.


WOONIVERS is committed to the use and treatment of personal data of the interested parties, respecting their confidentiality and using them in accordance with the purpose thereof, as well as to comply with their obligation to save them and adapt all measures to avoid alteration, loss , treatment or unauthorized access, in accordance with the provisions of current data protection regulations.

As stipulated in article 32 of the RGPD, WOONIVERS will apply the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk involved in the processing of the data, which will include in any case:

– The encryption of personal data.

– The ability to guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services.

– The ability to restore availability and access to personal data quickly in the event of a physical or technical incident.

– A process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the safety of treatment.


WOONIVERS reserves the right to modify this policy to adapt it to new legislation or jurisprudence, as well as industry practices. In these cases, the changes introduced will be announced on this page with reasonable notice before they are put into practice.


According to the LSSICE, WOONIVERS does not perform SPAM practices, so it does not send commercial e-mails that have not been previously requested or authorized by the user. Consequently, in each of the forms on the web, the user has the possibility of giving his express consent to receive the newsletter, regardless of the commercial information requested.

In accordance with the provisions of Spanish Law 34/2002 on Services of the Information Society and electronic commerce, WOONIVERS undertakes not to send communications of a commercial nature without properly identifying them.