1. Purpose of the processing
The purpose of this agreement is to regulate the terms and conditions under which David Torres Rial (hereinafter, lebbo) will process the personal data for which the active tourism organizing company (hereinafter, the Company or the Controller) is responsible, for the provision of the booking management, capacity, invoicing, and calendar services contracted.
The processing will consist of the collection, registration, structuring, storage, consultation, extraction, and deletion of data of users who book activities of the Controller through the platform.
2. Data categories processed
For the correct operational management of active tourism experiences, lebbo will store and process the following data of end customers (data subjects) on behalf of the Company:
- Identifying data: Full name, email address, phone number.
- Activity data: Experience booked, date and time of the activity, applied tariff, number of adult and minor spots.
- Allocation and equipment data: Equipment allocated (kayak sizes, bicycles, etc.) and additional operational notes entered for the activity.
- Environmental permits data (if applicable): Data required by competent environmental authorities to process access permits (e.g., ID/Passport number, date of birth, sex, fiscal address) that the customer voluntarily enters.
3. Obligations of lebbo (Processor)
lebbo expressly undertakes to comply with the following legal obligations:
- Process data only under instructions: We will process personal data at all times following the written instructions of the Company and the terms of the Services Agreement, and we will not apply or use it for any other purpose, nor communicate it, even for its preservation, to other persons, without prejudice to the subprocessors expressly authorized in this document.
- Duty of confidentiality: We guarantee that the personnel authorized by lebbo to process personal data have signed a formal confidentiality agreement and are subject to the corresponding legal obligation of secrecy.
- Assistance to the Controller: We will assist the Company, as far as possible and taking into account the nature of the processing, to respond to requests for the exercise of data protection rights of the data subjects.
- Support in legal compliance: We will offer reasonable collaboration to the Company to ensure compliance with GDPR obligations regarding security, impact assessments, and prior consultations, considering the information available to us.
4. Obligations of the company (Controller)
The Company, as the Data Controller, undertakes to:
- Ensure that it has a legitimate legal basis (consent of the end customer or execution of the booking/contract) to collect and transfer the personal data of its customers to lebbo.
- Duly inform end customers in its own privacy policy about the fact that it uses the lebbo platform as a technological provider and data processor for the operational management of bookings.
- Provide precise and lawful instructions regarding the processing of information at all times.
5. Security measures
lebbo has implemented the technical and organizational measures necessary to ensure a level of security appropriate to the risk of loss, alteration, unauthorized processing or access to personal data. These measures include:
- Encryption in transit and at rest: Use of encrypted TLS connections (HTTPS) for all data transfers and AES-256 encryption of databases at rest.
- Row Level Security: Database policies in Supabase that fully isolate the data of each operator to ensure that no other company can consult or modify third-party information.
- Strict access control: Passwordless authentication (OTP) based on verified email and rate limiting at the API level to prevent brute-force attacks.
- Resilience: Automated periodic backups managed in highly available environments located within the European Union.
6. Authorized subprocessors
The Company grants general authorization to lebbo to subcontract services with third parties that form part of the technical core of the platform. The current contracted subprocessors that process data within the EEA (or under equivalent legal safeguards) are:
| Provider | Service purpose | Physical location of data | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database hosting and user authentication. | AWS eu-west-1 (Ireland, EU) | EU-U.S. Data Privacy Framework (DPF) / SCCs |
| Vercel Inc. | Next.js application hosting and web CDN. | Paris (France, EU) / Frankfurt (EU) | EU-U.S. Data Privacy Framework (DPF) / SCCs |
| Upstash Inc. | Security rate limiting and database cache. | AWS eu-west-1 (Ireland, EU) | EU-U.S. Data Privacy Framework (DPF) / SCCs |
| Functional Software (Sentry) | Real-time software error monitoring and logging. | Frankfurt (Germany, EU - .de region) | EU-U.S. Data Privacy Framework (DPF) / SCCs |
| Stripe Payments Europe, Ltd. | Secure online payment gateway and financial verification. | Dublin (Ireland, EU) | Parent company adhered to DPF / SCCs |
lebbo will inform the Company of any planned changes regarding the addition or replacement of subprocessors, giving it the opportunity to reasonably object for legitimate reasons.
7. Security breaches
In the event of a security incident that affects the confidentiality, availability, or integrity of personal data processed on behalf of the Controller, lebbo will notify the Company without undue delay and, at the latest, within **48 hours** from having knowledge of the event.
The notification will include details on the nature of the incident, affected data categories, immediate corrective measures adopted, and the contact point to coordinate the response.
8. Data subjects' rights
Should an end customer exercise their rights of access, rectification, erasure, objection, restriction, or portability directly with lebbo, we will immediately redirect such request to the Company's email address for resolution. lebbo will provide the technical assistance required so that the Company can attend to the request in a timely manner.
9. Term and destination of data
This agreement will remain in force for as long as the service provision relationship between the Company and lebbo lasts (active operator account subscription).
Upon termination of the contract or upon formal request for account deletion by the Controller, lebbo will proceed to destroy or return (at the choice of the Controller) all personal data under our control, except for those minimal transactional data that lebbo is legally required to keep blocked during the fiscal limitation periods (6 years) under Spanish laws in force.