1. Subject of the engagement
The purpose of this agreement is to govern the terms and conditions under which David Torres Rial (hereinafter, lebbo) will process the personal data for which the active-tourism organizing company is responsible (hereinafter, the Company or the Controller) for the provision of the contracted booking, capacity, billing, calendar, permit-processing and other services.
Processing will consist of collecting, recording, structuring, storing, consulting, extracting, disclosing (to the public authority or to Google, in the cases set out in this agreement) and deleting the data of users who book the Controller’s activities through the platform.
2. Data and categories processed
For the proper operational management of active-tourism experiences, lebbo will store and process on behalf of the Company the following data of end customers (data subjects):
- Identification and contact data: Full name, email address and phone (mandatory, needed for the Company to communicate with the customer about their booking).
- Activity data: Booked experience, date and time of the activity, applied rate, number of adult and minor places.
- Assignment and equipment data: Assigned equipment (kayak sizes, seats, etc.) and additional operational notes entered for the activity.
- Emergency contact data: Name and phone of the contact person the customer provides for the activity.
- Participation and safety data: Check-in (attendance) records, payments collected on site, proof of acceptance of the liability waiver and, where applicable, incidents during the activity (description and photos).
- Reviews and ratings: Rating, review text and private feedback addressed to the Company after the activity.
- Payment and guarantee data: Stripe payment identifiers and, if the activity requires it, a payment method retained as a no-show guarantee together with the customer’s consent. lebbo does not store card numbers.
- Temporary data (in-progress bookings): While the customer completes payment, lebbo keeps the in-progress booking data (hold) for a few minutes; if it is not confirmed, this retention expires and is released automatically.
- Data for environmental permits (if the activity requires it): Data that the competent environmental authority requires per participant to issue the access authorization: first and last name, type and number of identity document (national ID, foreigner ID or passport), date or year of birth, sex, nationality/country, address, province and town. This data, although not a special category under art. 9 GDPR, is handled with particular diligence, is collected only when the activity needs a permit, and is limited to the fields required by the authority.
3. Obligations of lebbo (Processor)
lebbo expressly undertakes to comply with the following legal obligations:
- Process data only on instructions: We will process personal data following the Company’s written instructions and the terms of the Services Contract at all times, and will not apply or use it for any other purpose, nor disclose it, even for storage, to other parties, without prejudice to the sub-processors expressly authorized in this document and to disclosures to public authorities required by the activity or by law.
- Duty of confidentiality: We guarantee that the staff authorized by lebbo to process personal data have signed a formal confidentiality agreement and are subject to the corresponding legal duty of secrecy.
- Assistance to the Controller: We will assist the Company, as far as possible and taking into account the nature of the processing, in responding to data subjects’ requests to exercise their data protection rights.
- Support with legal compliance: We will offer reasonable cooperation to the Company to ensure compliance with GDPR obligations regarding security, impact assessments and prior consultations, considering the information available to us.
4. Obligations of the company (Controller)
The Company, as Controller, undertakes to:
- Ensure it has a legitimate legal basis (end customer’s consent or performance of the booking / contract) to collect and transfer its customers’ personal data to lebbo, as well as for the purpose of each processing activity (including, where applicable, syncing with Google Contacts).
- Properly inform end customers, in its own privacy policy, that it uses the lebbo platform as a technology provider and processor, of permit processing before the authority where applicable, and of the syncing of their data with the Company’s Google account if it enables it.
- Provide precise and lawful instructions regarding the processing of the information at all times.
5. Permit processing before public authorities
When an activity takes place in an area requiring authorization (for example, protected natural areas), lebbo transmits, on behalf of the Company and the customer, the required data to the competent authority (for example, the Xunta de Galicia) through its official channels.
- The receiving authority acts as an independent controller in the exercise of its public powers; it is not a sub-processor of lebbo.
- lebbo only transmits the data strictly required to obtain the authorization, through encrypted channels, and does not reuse it for any other purpose.
- The Company is responsible for ensuring that the activity and its processing comply with applicable environmental regulations.
6. Optional Google Contacts integration
The Company may, voluntarily, connect its own Google account so that lebbo automatically creates a contact for each booking (name, phone, email and a note with the reference and date) in the Company’s address book, making it easier to reach the customer.
- By connecting its account, the Company expressly authorizes lebbo to create such contacts on its behalf, and declares that it has a legal basis and adequate information for its customers to do so.
- lebbo requests the minimum contacts-management permission from Google and uses it exclusively to create the booking contact. It does not read, export or modify the Company’s existing contacts.
- The access credentials (Google refresh token) are stored encrypted (AES-256) at the application layer and used only on the server.
- The Company can disconnect the integration at any time from its dashboard. Contacts already created remain in the Company’s Google account, which manages and, where applicable, deletes them (including to address its customers’ erasure rights).
- lebbo’s use of information from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
7. Security measures
lebbo has implemented the technical and organizational measures necessary to ensure a level of security appropriate to the risk of loss, alteration, processing or unauthorized access to personal data. These measures include:
- Encryption in transit and at rest: Use of encrypted TLS (HTTPS) connections for all data transfer and AES-256 encryption in databases at rest. Companies’ Google credentials are additionally encrypted at the application layer.
- Row Level Security: Database policies in Supabase that fully isolate each operator’s data to ensure no other company can read or modify third-party information.
- Strict access control: Passwordless authentication (OTP) based on verified email and API-level rate limiting to prevent brute-force attacks.
- Resilience: Automated periodic backups managed in highly available environments located in the European Union.
8. Authorized sub-processors
The Company grants lebbo general authorization to subcontract third parties for services that form part of the platform’s technical core. The current sub-processors are:
| Provider | Service purpose | Physical data location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database hosting and user authentication. | AWS eu-west-1 (Ireland, EU) | EU-U.S. Data Privacy Framework (DPF) / SCC |
| Vercel Inc. | Next.js application server and web CDN. | Paris (France, EU) / Frankfurt (EU) | EU-U.S. Data Privacy Framework (DPF) / SCC |
| Upstash Inc. | Security rate limiting and database cache. | AWS eu-west-1 (Ireland, EU) | EU-U.S. Data Privacy Framework (DPF) / SCC |
| Functional Software (Sentry) | Real-time software error monitoring and logging. | Frankfurt (Germany, EU - .de region) | EU-U.S. Data Privacy Framework (DPF) / SCC |
| Stripe Payments Europe, Ltd. | Secure online payment gateway and financial verification. | Dublin (Ireland, EU) | Parent certified under DPF / SCC |
| Google Ireland Ltd. / Google LLC | Usage analytics (Google Analytics), only with the end customer’s consent. | Google global infrastructure | EU-U.S. Data Privacy Framework (DPF) / SCC |
| Google LLC (People API) | Creating the booking contact in the Company’s Google account (only if the Company enables the integration). | Google global infrastructure | EU-U.S. Data Privacy Framework (DPF) / SCC |
lebbo will inform the Company of any intended change in the addition or replacement of sub-processors, giving it the opportunity to reasonably object on lawful grounds. The disclosure of data to public authorities to process permits (section 5) does not constitute subcontracting, but rather a transmission to an independent controller.
9. Security breaches
Should a security incident occur affecting the confidentiality, availability or integrity of the personal data processed on behalf of the Controller, lebbo will notify the Company without undue delay and, at the latest, within a maximum of 48 hours of becoming aware of the event.
The notification will include details of the nature of the incident, categories of affected data, corrective measures taken immediately and the point of contact to coordinate the response.
10. Data subject rights
If an end customer exercises their rights of access, rectification, erasure, objection, restriction or portability directly before lebbo, we will immediately redirect that request to the Company’s email for resolution. lebbo will provide the technical assistance required so the Company can address that request in time, including the deletion of data in lebbo’s systems. The deletion of contacts already created in the Company’s Google account is the responsibility of the Company itself.
11. Term and fate of the data
This agreement will remain in force for the duration of the service relationship between the Company and lebbo (active operator account subscription).
Once the contract ends or after the Controller’s formal request to delete the account, lebbo will destroy or return (at the Controller’s choice) all personal data under our control, except for the minimum transactional data that lebbo is legally required to keep blocked during the tax limitation periods (6 years) under applicable Spanish law.