Data Protection.
Data controller.
In compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), we inform you of the identity of the controller of the personal data collected through this website:
Data we collect.
We collect and process only the personal data strictly necessary to provide the services requested through the website. Under no circumstances do we request sensitive data or special categories without your explicit consent.
- Contact data: first name, surname, phone number and email address when you contact us by WhatsApp, phone call or email.
- Booking data: name, phone, date, time and number of diners when you book a table through the integrated Reserve with Google system.
- Event data: name, company (if applicable), phone, email, type of event, number of guests, approximate date and any additional notes you provide when requesting a quote for private or group events.
- Browsing data: IP address, browser type, operating system, pages visited and time of visit. This data is collected via analytics cookies (Google Analytics) subject to the user's prior consent.
Purpose of processing.
We process your personal data for the following purposes, depending on the channel through which you contact us:
| Purpose | Data processed | Legal basis |
|---|---|---|
| Booking management and restaurant communications | Name, phone, email, date and diners | Performance of a contract |
| Handling of enquiries and requests received by WhatsApp, email or phone | Name, phone, email, message content | Consent of the data subject |
| Preparation of quotes for private events and groups | Name, company, contact, event details | Pre-contractual measures |
| Statistical analysis of website use | Anonymised browsing data | Consent (cookies) |
| Compliance with legal and tax obligations | Billing data where applicable | Legal obligation |
We do not use your data for automated advertising purposes or to make automated decisions that produce legal effects on you. Nor do we carry out commercial profiling without your express consent.
Legal basis for processing.
The processing of your personal data is based on one or more of the following legal bases, depending on the case:
- Performance of a contract or pre-contractual measures (article 6.1.b GDPR), when you get in touch to book a table or request a quote for an event.
- Consent of the data subject (article 6.1.a GDPR), when you voluntarily write to us by WhatsApp, email or call with an enquiry or request.
- Legal obligation (article 6.1.c GDPR), when we are required to retain certain data for tax or accounting reasons.
- Legitimate interest (article 6.1.f GDPR), when necessary to defend rights or resolve claims.
Retention period.
We retain your personal data for the time strictly necessary to fulfil the purpose for which it was collected:
- Booking data: for the time needed to manage the booking and up to 30 days after the service to resolve any issues.
- Enquiry and event data: for the duration of the handling and up to 1 year afterwards, unless the customer becomes a regular or requests to keep receiving information.
- Tax and accounting data: for the legally established period (6 years under the Commercial Code).
- Browsing data: according to the specific duration of each cookie, indicated in our Cookie Policy.
Once the indicated periods have elapsed, the data will be irreversibly deleted or anonymised, unless applicable law requires it to be retained for longer.
Recipients of the data.
We do not disclose your personal data to third parties, except in the cases provided for by law or when strictly necessary to provide the service you have requested. The main recipients are:
- Technology service providers acting as data processors: website hosting, the booking system (Google · Reserve with Google), web analytics tools (Google Analytics), and email services.
- Messaging platforms when you contact us via WhatsApp: WhatsApp / Meta Platforms Ireland Limited, which applies its own privacy policies.
- Public authorities in cases where there is a legal obligation (tax, judicial or police authorities).
Some of these providers may be located outside the European Economic Area (EEA). In such cases, international transfers are carried out under the appropriate safeguards provided for by the GDPR (standard contractual clauses, adequacy decisions of the European Commission, etc.).
Your rights.
In accordance with the GDPR and the LOPDGDD, in relation to your personal data you have the following rights:
How to exercise your rights.
You can exercise any of the rights listed above by sending a written request through the following channels:
- Email: hola@aflamas.com with the subject "Data protection".
- Postal mail: Aflamas Restaurant, Carrer de Loreto 32, 08029 Barcelona.
To exercise these rights, you must prove your identity with a copy of your DNI, NIE or equivalent document. We will respond to your request within a maximum of one month of receipt, extendable by two further months in cases of particular complexity.
If you consider that the processing of your data does not comply with the regulations in force, you also have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es), C/ Jorge Juan 6, 28001 Madrid.
Security measures.
We apply the technical and organisational measures appropriate to the level of risk of the processing, as provided for in article 32 of the GDPR, to ensure the confidentiality, integrity, availability and resilience of the processing systems and services. These measures notably include: encryption of communications via SSL/TLS, access control, regular backups and staff training on data protection.
Changes to the policy.
This Privacy Policy may be amended at any time to adapt it to regulatory changes, the evolution of the website or new data processing practices. Any amendment will be published on this same page with the updated date. We recommend reviewing this policy periodically to stay informed of any changes.