Skip to main content
lebbolebbo
Sign in

Legal

Privacy policy

What data we collect, why we process it, how long we keep it and the rights you have over it.

Last updated: 17 de junio de 2026

Quick summary: we collect only the data strictly needed to manage your account, process bookings, handle the permits some activities require and comply with the law. We never sell your data to third parties. You can exercise your rights by writing to privacidad@lebbo.es.

1. Data controller

The controller of your personal data is:

  • Owner: David Torres Rial (individual, tax ID 35602692A)
  • Country: España
  • Address / Notices: Domicilio a efectos de notificaciones: pendiente de actualización. Para cualquier comunicación legal escríbenos a legal@lebbo.es
  • Privacy contact email: privacidad@lebbo.es

When you book an activity, the organizing company is the controller of your data for delivering the experience; LEBBO acts as its data processor (technology provider) to manage the booking, capacity, payments and, where applicable, permit processing. For everything related to your user account on the platform, LEBBO is the controller.

2. Data we process

We process different categories of data depending on how you interact with the service. We also include temporary data (kept for just a few minutes) and technical data so you have the full picture:

2.1. Registration and account data

  • First and last name.
  • Email address.
  • Authentication data needed for passwordless access (OTP codes).
  • Preferred language and user, company or affiliate role.

2.2. Booking data

  • Date, booked activity and number of participants (adults, children, babies and pets).
  • Contact phone (mandatory): we always ask for it because the organizing company needs it to contact you about your booking (schedule changes, weather, meeting point, incidents) by phone or messaging.
  • First and last name of the buyer and each participant; participants’ ages.
  • Emergency contact (name and phone) and any notes you provide for the activity.
  • Assigned equipment (kayak sizes, seats, etc.) and operational notes.
  • Payment data processed directly by Stripe (customer and payment identifiers). We do not store card numbers in our systems.
  • Card guarantee / no-show: if the activity requires it, Stripe stores a payment method for a possible no-show fee, together with your explicit consent (date and text accepted).

2.3. Participation, safety and check-in data

  • Check-in (attendance) records and, where applicable, payments collected on site.
  • Acceptance of the liability waiver when the activity requires it; we store proof of acceptance, not a handwritten signature.
  • Incidents during the activity: description and, where applicable, photos of the equipment or incident recorded by staff.

2.4. Reviews and ratings

  • Rating and review text after the activity.
  • Private feedback addressed to the company (not published).
  • If you choose to leave the review anonymously, we do not show your name publicly.

2.5. Data for environmental permits

Some activities take place in protected natural areas and require prior authorization from the competent authority. Only in those cases, and only to process it, do we collect the data the authority requires per person. See section 6.

2.6. Company data

  • Legal name, tax ID, registered address and bank details.
  • Published activities, prices and calendar.
  • If the company enables it, the Google account it connects to sync contacts (see section 7).

2.7. Affiliate data

  • Applicant information: name, email, audience and main channel.
  • Clicks, conversions and commissions generated.
  • Bank account or payment method for settlements.

2.8. Temporary, technical and security data

  • Temporary bookings (holds): while you complete payment, we keep the in-progress booking data (participants, contact and, if applicable, permit data) for a few minutes. If it isn’t confirmed, that temporary retention expires and is released automatically.
  • Session and technical cookies: authentication of your session and a temporary security identifier (anti-CSRF state) during the Google connection. See the Cookie policy.
  • Consent records: when you accept a document (e.g. the data processing agreement or the card guarantee), we store the accepted version, date and IP address as proof.
  • Email events: delivery status of transactional emails (delivered, bounced, marked as spam) so we stop writing to failing addresses.
  • IP address, used for rate limiting, abuse prevention and, where applicable, temporary security blocks.
  • Analytics (Google Analytics) via cookies, which are only activated with your consent.
  • Error and performance events (through Sentry) to detect and fix technical issues.

3. Purposes and legal basis

PurposeLegal basis
Create and manage your user accountPerformance of a contract (art. 6.1.b GDPR)
Process bookings and paymentsPerformance of a contract (art. 6.1.b GDPR)
Operational communication about the booking with the organizing company (phone, change notices, meeting point)Performance of a contract (art. 6.1.b GDPR)
Process environmental permits before the competent authority when the activity requires itPerformance of a contract (art. 6.1.b GDPR) and compliance with protected-area regulations; the authority processes the data in the exercise of its powers (art. 6.1.e GDPR)
Sync the booking contact into the organizing company’s Google account when it has enabled itLegitimate interest of the organizing company in being able to contact you (art. 6.1.f GDPR)
Comply with accounting and tax obligationsLegal obligation (art. 6.1.c GDPR)
Manage affiliate commissionsPerformance of a contract (art. 6.1.b GDPR)
Send transactional communications (confirmations, reminders, operational notices)Performance of a contract (art. 6.1.b GDPR)
Security, fraud prevention and protection of the platformLegitimate interest (art. 6.1.f GDPR)
Usage analytics (Google Analytics)Consent (art. 6.1.a GDPR)

4. Retention periods

  • Account data: while your account is active. After deletion, we keep minimal data for 6 years if there were transactions, due to accounting and tax obligations.
  • Bookings and invoices: 6 years, under the Commercial Code and applicable tax periods.
  • Temporary bookings (holds): released and deleted automatically within a few minutes if the booking is not confirmed.
  • Reviews and incidents: while the review is available and during the handling of the incident; incident photos are kept for the applicable legal periods.
  • Environmental permit data: the time needed to process the permit and address possible checks by the authority; afterwards it is blocked for the applicable legal periods and deleted.
  • Contacts in the company’s Google: LEBBO only creates the contact; once created, it is under the company’s control in its own Google account and is subject to the retention the company applies.
  • Transactional communications: for the duration of the contractual relationship and applicable legal periods.
  • Security logs and IPs: a maximum of 12 months, unless we need to keep them to investigate abuse or incidents.
  • Cookies: see the Cookie policy.

5. Recipients

We share data with the following processors, under art. 28 GDPR contracts where applicable:

ProviderPurposePhysical data locationCompany headquarters
Supabase Inc.Database and authenticationAWS eu-west-1 (Ireland, EU)USA — DPF
Vercel Inc.Web hosting and CDNcdg1 / eu-west-3 (Paris, France, EU)USA — DPF
Upstash Inc.Rate limiting and cacheAWS eu-west-1 (Ireland, EU)USA — DPF
Functional Software, Inc. (Sentry)Error monitoringFrankfurt (Germany, EU) — .de regionUSA — DPF
Stripe Payments Europe, Ltd.Payment processingDublin (Ireland, EU)US parent — DPF
Google Ireland Ltd. / Google LLCUsage analytics (Google Analytics), only with your consentGoogle global infrastructureUSA — DPF
Google LLC (People API)Creating the booking contact in the company’s Google account, if it enables itGoogle global infrastructureUSA — DPF

In addition, when you book an activity, your booking data is made available to the relevant organizing company, which needs it to provide the service. And we disclose data to public authorities where there is a legal obligation (tax authorities, Social Security, environmental or judicial authorities).

6. Permit processing (ID and sensitive data)

Some activities (for example, routes in protected natural areas such as the islet of Areoso) require an access authorization issued by the competent environmental authority (for example, the Xunta de Galicia). To process it on your behalf, the authority requires identifying each participant.

Only when the activity requires it, and only for that purpose, do we process:

  • First and last name.
  • Type and number of identity document (national ID, foreigner ID or passport).
  • Date or year of birth.
  • Sex (in the format the official form requires).
  • Nationality / country, address, province and town of residence.

This data is not a «special category» under art. 9 GDPR, but we handle it with extra care:

  • Minimization: it is only requested if the activity needs a permit, and only the fields the authority requires.
  • Limited purpose: it is used solely to process the authorization before the authority and for nothing else.
  • Recipient: it is transmitted to the competent authority, which acts as an independent controller in the exercise of its powers. Transmission takes place via official, encrypted channels.
  • Retention: per the periods in section 4.
  • Optional reuse: if you authorize it when booking, we save this data in your profile so we don’t have to ask again for future bookings. You can request its deletion at any time.

7. Access to Google APIs

Organizing companies may optionally connect their Google account so the contact for each booking is automatically added to their address book, helping them reach you faster. This connection is made and authorized by the company.

  • We request the minimum required Google permission (contacts management) and use it only to create the booking contact (name, phone, email and a note with the reference and date) in the company’s account.
  • We do not read, export or modify the company’s existing contacts, nor share that information with third parties.
  • The company’s Google access credentials are stored encrypted and used only on the server.

LEBBO’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.

8. International transfers

The vast majority of personal data is processed on infrastructure physically located within the European Economic Area (EEA). Specifically: Supabase and Upstash on AWS Ireland (eu-west-1), Vercel in Paris (cdg1, eu-west-3), Sentry in Frankfurt (European .de region) and Stripe in Dublin.

Exceptions (Google services): if the organizing company enables contact sync, the booking’s contact data is transferred to Google (global infrastructure, USA). Likewise, usage analytics (Google Analytics), if you accept it, involves processing by Google. These transfers rely on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.

In addition, several of the above providers are companies headquartered in the USA; although data does not routinely leave the EEA, there may be occasional access from outside the EEA by the parent companies for support, security or engineering. As safeguards:

  • The US providers we work with (Supabase, Vercel, Upstash, Sentry, Stripe and Google) are certified under the EU-U.S. Data Privacy Framework (DPF), recognized by the European Commission as an adequacy mechanism.
  • Standard Contractual Clauses (SCCs) approved by the European Commission are signed as an additional contractual safeguard.

You can request additional information about these safeguards by writing to privacidad@lebbo.es.

9. Your rights

You have the right to:

  • Access: know what data we process and obtain a copy.
  • Rectification: correct inaccurate data.
  • Erasure: request deletion of your data where appropriate.
  • Objection: object to processing based on legitimate interest or marketing.
  • Restriction: request that we restrict processing.
  • Portability: receive your data in a structured format.
  • Withdraw consent given, without retroactive effect.
  • Not be subject to automated decisions with significant legal effects.

To exercise them, write to privacidad@lebbo.es attaching a copy of your ID or equivalent document. We will respond within the legal maximum of one month. If your data is processed by an organizing company as controller (for example, contacts synced into its Google), we will help you direct your request to the right party.

If you believe we have processed your data improperly, you can lodge a complaint with the Spanish Data Protection Agency (AEPD), located at C/ Jorge Juan 6, 28001 Madrid, phone 901 100 099 / 912 663 517.

10. Security

We apply technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest (AES-256) where appropriate, role-based access control, row-level security policies that isolate each company’s data, rate limiting, error monitoring and backups in the EU. Companies’ Google credentials are stored encrypted at the application layer. Payments are processed through Stripe, which holds PCI-DSS level 1 certification.

11. Minors

Our registration and account-creation services are not aimed at children under 14, so we do not allow direct registration of users under that age. However, the active tourism activities and experiences offered through the platform may be aimed at or allow the participation of minors. In such cases, the minor’s participation is conditional on always being accompanied by a responsible adult (parent, legal guardian or duly authorized adult), who will make the booking on their behalf and provide the data strictly needed for the operational, logistical and safety management of the activity (such as equipment sizes, age, names or data to process mandatory environmental permits).

By providing such data, the responsible adult declares that they hold parental authority, guardianship or legal authorization to provide the minor’s information and consent to its processing on their behalf. If we detect the collection of data of a child under 14 without the proper parental or guardian authorization, we will delete that information from our systems as soon as possible.

12. Changes to this policy

We may update this policy to reflect legal or operational changes. The date of the last revision appears at the top of the document. If the changes are substantial, we will notify you by email or a prominent notice before they take effect.