PRIVACY POLICY DROPANDWALK.COM

BASIC DATA PROTECTION INFORMATION

• Heading: Basic information
• Controller: DROP&WALK LUGGAGE SERVICE S.L., CIF B75748863. Registered address: Avenida Costa Blanca 102, bloque 2, 3B, 03540 Alicante, Spain. Email: info@dropandwalk.com.
• Purposes: Managing bookings, payments, locker access, customer support, incidents, operational communications, premises security, video surveillance, legal compliance, complaint management and, where applicable, commercial communications or non-technical cookies with consent.
• Legal basis: Performance of the contract or pre-contractual measures, compliance with legal obligations, DROP&WALK’s legitimate interest and the User’s consent where applicable.
• Recipients: Providers necessary to provide the service: Stripe payment gateway, web hosting, booking systems, email, WhatsApp Business or other support channels, technology providers, maintenance, advisers, insurers, transport companies and public authorities where there is a legal obligation.
• International transfers: They may occur when technology providers are located outside the European Economic Area or process data from third countries, always with appropriate safeguards under the GDPR.
• Rights: Access, rectification, erasure, objection, restriction, portability and withdrawal of consent where applicable, by writing to info@dropandwalk.com. The User may also lodge a complaint with the Spanish Data Protection Agency.
• Retention: For the time necessary to manage the booking, handle incidents and comply with legal obligations. Video surveillance images will generally be kept for a maximum of 1 month, unless an incident occurs or retention is necessary for legal liabilities.

1. DATA CONTROLLER

The data controller responsible for processing personal data is:

• Company: DROP&WALK LUGGAGE SERVICE S.L.
• CIF / Tax ID: B75748863
• Registered address: Avenida Costa Blanca 102, bloque 2, 3B, 03540 Alicante, Spain
• Email: info@dropandwalk.com
• Website: www.dropandwalk.com
• Data protection contact: info@dropandwalk.com.

2. SCOPE OF APPLICATION

This Privacy Policy applies to the processing of personal data carried out by DROP&WALK in connection with:

• Browsing and use of the website www.dropandwalk.com.
• Booking, payment and use of DROP&WALK automated lockers.
• Customer support by email, telephone, WhatsApp Business or other enabled channels.
• Management of incidents, complaints, changes, cancellations and support requests.
• Security of the premises, including video surveillance systems where installed.
• This policy does not govern processing carried out directly by third parties acting as independent controllers, such as certain payment platforms, social networks, messaging providers or external websites. In those cases, their own privacy policies will also apply.

3. PERSONAL DATA WE PROCESS

DROP&WALK may process the following categories of data depending on the User’s use of the service:

• 3.1 Identification and contact data
• Name and surname, when requested.
• Email address.
• Telephone number.
• Selected city, location or premises.
• Data necessary to identify the booking and handle the User’s requests.
• 3.2 Booking and service use data
• Booking number.
• Start and end date and time of the contracted service.
• Type, size, number or identifier of the assigned locker.
• Personal access code or technical data necessary to enable the opening of the locker.
• Access, opening, closing, use or technical incident records linked to the locker, when such records are necessary to provide the service, resolve incidents or protect the security of the system.
• Amounts, rates, changes, extensions, additional charges, cancellations or refunds.
• 3.3 Payment data
• Payments are managed through Stripe or other payment gateways that DROP&WALK may enable. DROP&WALK may process payment-associated data such as amount, transaction status, transaction reference, date, limited payment method information and data necessary to confirm or manage the booking.
• DROP&WALK does not store full bank card numbers, CVV/CVC codes or complete payment credentials. These data are processed directly by the payment gateway in accordance with its own terms and privacy policies.
• 3.4 Communications and customer support data
• Content of emails, messages, requests or complaints sent by the User.
• Data provided to verify identity or booking: booking number, email used, name and city of booking.
• Information necessary to manage incidents, locker openings, luggage collection, changes, refunds, technical assistance or operational communications.
• Communication metadata where provided by the channel used, such as date, time, sender and delivery status.
• 3.5 Browsing data, cookies and similar technologies
• IP address, device or browser identifiers, pages visited, access date and time, language, approximate location derived from the IP address and technical browsing data.
• Technical cookies necessary for the operation of the website and the booking process.
• Analytics, advertising or third-party cookies when the User accepts them in accordance with the Cookie Policy.
• 3.6 Video surveillance images
• DROP&WALK premises may have video surveillance cameras for security, access control, protection of users, property and facilities, damage prevention and incident management. The existence of cameras will be indicated by visible signs at entrances or video-monitored areas.
• The purpose of the cameras is not labour control, commercial profiling or indiscriminate recording of public spaces. If a minimal strip of public space is captured, it will be only what is strictly necessary for security purposes.

4. PURPOSES AND LEGAL BASES OF PROCESSING

DROP&WALK will process personal data for the following purposes and on the following legal bases:

• Purpose
• Main data
• Legal basis
• Managing bookings, payments and access to lockers
• Identification, contact, booking, payment, assigned locker, access code and necessary technical records.
• Performance of the contract and pre-contractual measures.
• Sending confirmations, codes, operational notices and necessary service communications
• Email, telephone, booking details, location, dates and service status.
• Performance of the contract and legitimate interest in ensuring correct service provision.
• Handling enquiries, incidents, changes, cancellations, refunds and complaints
• Contact details, booking, communications, incidents, evidence and documentation provided.
• Performance of the contract, legal compliance and legitimate interest in handling and defending claims.
• Managing uncollected luggage, overstays, locker openings, custody and shipments
• Booking, contact, locker, access records, communications, reasonable inventory of contents where applicable.
• Performance of the contract, legitimate interest in freeing and protecting facilities, and legal compliance where applicable.
• Ensuring security of premises, users, goods and facilities through video surveillance
• Images and, where applicable, data derived from security incidents.
• Legitimate interest in the security and protection of persons, property and facilities; legal compliance where authorities are involved.
• Complying with legal, tax, accounting and consumer obligations
• Billing data, payments, bookings, complaints, accounting or tax documentation.
• Compliance with legal obligations.
• Preventing fraud, misuse, unauthorized access or damage to the service
• Technical data, access records, payments, incidents, communications and necessary evidence.
• Legitimate interest in security, fraud prevention and defence of rights.
• Analyzing website operation and improving user experience
• Technical data, browsing data, analytical cookies where applicable.
• Consent for non-technical cookies; legitimate interest for technical or strictly necessary cookies.
• Sending commercial communications, promotions or news
• Email, telephone or authorized contact channel.
• User consent or prior contractual relationship in legally permitted cases, with the possibility to object.

5. MANDATORY NATURE OF THE DATA

The data requested during the booking process and marked as necessary are essential to contract and provide the service. If the User does not provide such data, DROP&WALK will not be able to manage the booking, send the access code, process the payment or properly handle the request.

Data requested for non-essential purposes, such as commercial communications or certain non-technical cookies, are voluntary and refusal to provide them will not prevent contracting of the service.

6. PAYMENTS THROUGH STRIPE

DROP&WALK uses Stripe as a payment gateway to process online transactions. When making a payment, the User may enter data directly in Stripe’s environment or components. Stripe may process personal and payment data to process the transaction, prevent fraud, comply with legal obligations and provide its payment services in accordance with its contractual and privacy documentation.

DROP&WALK receives from Stripe the information necessary to confirm the transaction, link it to the booking, manage refunds or handle payment incidents. DROP&WALK does not receive or store the full card number or CVV/CVC code.

Where Stripe acts as a processor or as an independent controller for certain processing activities, the safeguards provided by data protection regulations and the corresponding data processing agreements shall apply.

7. CUSTOMER SUPPORT BY EMAIL, TELEPHONE AND WHATSAPP BUSINESS

DROP&WALK may handle enquiries and incidents by email, telephone, WhatsApp Business or other enabled channels. If the User contacts DROP&WALK via WhatsApp, the User accepts that the communication is carried out through that platform, which may process data in accordance with its own terms and privacy policy.

To protect the security of the booking and prevent unauthorized access, DROP&WALK may request verification data from the User, such as booking number, email used, name and city of booking. DROP&WALK will not request unnecessary data and will not recommend sharing access codes or sensitive information unless strictly necessary to resolve a specific incident securely.

8. VIDEO SURVEILLANCE ON THE PREMISES

DROP&WALK facilities may be video monitored for security, access control, damage prevention, protection of users, property and facilities, and incident management.

Images will be processed by DROP&WALK as data controller and, where applicable, by security or maintenance providers acting under documented instructions. Images will only be communicated to public authorities, courts, law enforcement bodies, insurers, advisers or legitimate third parties where necessary to investigate incidents, comply with legal obligations or defend rights.

As a general rule, images will be kept for a maximum period of 1 month from capture. They may be kept for a longer period when necessary to prove facts affecting the integrity of persons, goods or facilities, manage complaints, respond to requests from authorities or defend legal liabilities.

The User may exercise data protection rights regarding images by writing to info@dropandwalk.com, indicating the date, approximate time, premises and any information that allows the images to be located. In some cases, the exercise of rights may be limited when it affects third-party rights, security or ongoing investigations.

9. COOKIES AND SIMILAR TECHNOLOGIES

The website www.dropandwalk.com uses cookies and similar technologies. Some cookies are necessary to enable browsing, maintain security, remember technical preferences or manage the booking process. Other cookies, such as analytics, advertising or third-party cookies, will only be installed when the User gives consent, unless they are exempt under applicable law.

The User may accept, reject or configure non-essential cookies through the settings panel available on the website. Detailed information on the types of cookies, purposes, duration, third-party providers and how to withdraw consent must be available in a separate Cookie Policy.

10. RECIPIENTS AND PROVIDERS

DROP&WALK may communicate or allow access to personal data only where necessary to provide the service, comply with legal obligations or protect rights and legitimate interests. In particular, data may be processed by:

Payment gateway provider: Stripe or other enabled payment methods.

Web hosting, domain, website maintenance, booking systems and technical support providers.

Email, telephone, WhatsApp Business, messaging or customer support tool providers.

Maintenance, repair, technical locker opening, security, video surveillance or access control providers.

Transport or courier companies when it is necessary to send luggage or belongings to the User.

Accounting, tax and legal advisers, auditors, insurers or banking entities.

Public administrations, consumer authorities, the Tax Agency, courts, law enforcement bodies or other bodies where there is a legal obligation or valid request.

Where these providers act as processors, DROP&WALK will seek to ensure that the corresponding processing agreement exists under the GDPR, limiting processing to documented instructions and necessary purposes.

11. INTERNATIONAL DATA TRANSFERS

Some technology providers used by DROP&WALK or by its service providers may be located outside the European Economic Area or process data from third countries. In such cases, DROP&WALK will seek to ensure that transfers are made with appropriate safeguards under the GDPR, such as adequacy decisions, standard contractual clauses approved by the European Commission, binding corporate rules or other legally recognized mechanisms.

For services such as Stripe, WhatsApp Business, email providers, hosting, analytics or technology tools, the User should note that their own privacy policies and international transfer mechanisms may also apply.

12. RETENTION PERIODS

DROP&WALK will retain personal data only for the time necessary to fulfil the purposes for which they were collected and, thereafter, for the periods required to address possible legal, tax, accounting, contractual or consumer liabilities.

For guidance:

• Booking and service provision data: during the contractual relationship and thereafter for the period necessary to handle claims or liabilities arising from the service.
• Accounting, tax and payment supporting data: for the periods required by applicable commercial and tax regulations.
• Customer support communications and incidents: for the time necessary to resolve the request and thereafter for a reasonable period to handle claims or defend rights.
• Data processed on the basis of consent, such as commercial communications or non-essential cookies: until the User withdraws consent or unsubscribes, without prejudice to minimum retention necessary to prove such withdrawal.
• Video surveillance images: generally for a maximum of 1 month from capture, unless retention is necessary due to incidents, requests from authorities or legal liabilities.
• Blocked data: where applicable, data may be kept blocked during the applicable limitation periods, with access limited only to authorities, courts or the defence of liabilities.

13. RIGHTS OF DATA SUBJECTS

The User may exercise the following data protection rights:

• Access: to know what personal data DROP&WALK processes.
• Rectification: to request correction of inaccurate or incomplete data.
• Erasure: to request deletion of data where appropriate.
• Objection: to object to certain processing based on legitimate interest or to commercial communications.
• Restriction of processing: to request that processing be limited in certain cases.
• Portability: to receive the data in a structured format where applicable.
• Withdrawal of consent: to withdraw consent granted, without affecting the lawfulness of processing prior to withdrawal.
• To exercise these rights, the User may write to info@dropandwalk.com indicating the right they wish to exercise and providing sufficient information to identify the request. Where necessary, DROP&WALK may request additional documentation to verify the applicant’s identity, especially if the request concerns video surveillance images, bookings, payments or locker access.
• The User also has the right to lodge a complaint with the Spanish Data Protection Agency, especially if they consider that DROP&WALK has not properly addressed their rights.

14. MINORS

DROP&WALK’s service is mainly intended for persons of legal age or users with sufficient legal capacity to contract. If a minor uses the service, they must do so with the authorization and supervision of their parents, guardians or legal representatives where necessary.

In Spain, processing based on the consent of a minor may be based on the minor’s own consent only when they are over 14 years of age, unless the law requires the assistance of the holders of parental authority or guardianship. For minors under 14 years of age, consent must be given by the holder of parental authority or guardianship when processing is based on consent.

15. SECURITY MEASURES

DROP&WALK will apply reasonable technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration, disclosure or destruction. These measures may include access control, permission limitation, authentication systems, activity logs, encryption or equivalent measures where appropriate, backups, incident response protocols and selection of providers with appropriate guarantees.

However, no system is completely infallible. The User must cooperate by keeping their personal access code confidential, avoiding sharing it with third parties and immediately reporting any suspicion of improper use.

16. COMMERCIAL COMMUNICATIONS

DROP&WALK will only send commercial communications, promotions or news where there is a valid legal basis, such as the User’s consent or a prior contractual relationship under legally permitted terms. The User may object to receiving commercial communications at any time by using the unsubscribe mechanism included in the communication or by writing to info@dropandwalk.com.

Communications necessary for the provision of the service, such as booking confirmations, access codes, operational notices, incidents, additional charges or essential service information, are not considered commercial communications and may be sent while necessary to perform the contract.

17. THIRD-PARTY LINKS AND SOCIAL NETWORKS

DROP&WALK’s website may include links to websites, maps, social networks, payment platforms, booking tools or other third-party services. DROP&WALK does not control the privacy policies of such third parties and recommends that the User review them before providing personal data or using their services.

18. CHANGES TO THIS POLICY

DROP&WALK may amend this Privacy Policy to adapt it to legal, technical, operational or commercial changes. Where changes are relevant, DROP&WALK will endeavor to inform the User through the website or other reasonable means. The current version will be the one published at www.dropandwalk.com at any given time.

19. ADDITIONAL INFORMATION AND COMPLAINTS

For any query about this Privacy Policy or the processing of personal data, the User may contact DROP&WALK at info@dropandwalk.com.

If the User considers that the processing of their personal data does not comply with applicable regulations, they may lodge a complaint with the Spanish Data Protection Agency.

ANNEX I. BASIC INFORMATION FOR VIDEO SURVEILLANCE SIGN

This text may be used as a basis for the extended information linked to the video surveillance sign. The physical sign must be visible before entering the video-monitored area and must be adapted to the design and information required by applicable regulations.

Suggested visible text on the sign:

• VIDEO-MONITORED AREA
• Controller: DROP&WALK LUGGAGE SERVICE S.L. Purpose: security of persons, property and facilities. You may exercise your rights at info@dropandwalk.com. More information: www.dropandwalk.com/privacy-policy.
• Controller
• DROP&WALK LUGGAGE SERVICE S.L.
• info@dropandwalk.com
• Purpose
• Security of users, property and facilities; access control; damage prevention; incident management.
• Rights
• You may exercise your rights by writing to info@dropandwalk.com, indicating the premises, date and approximate time.
• Retention
• Maximum 1 month, unless retention is necessary due to incidents, claims or legal requests.
• Additional information
• Available in the Privacy Policy published at www.dropandwalk.com.