Privacy policy

“RIU Hotels & Resorts” is deeply committed to complying with Spanish and European personal data protection regulations and ensures full compliance with the provisions thereof, as well as the implementation of the security measures provided for in the General Data Protection Regulation (GDPR) (EU) 2016/679, of 27 April, and Spanish Organic Law 3/2018, of 5 December, on the protection of personal data and guarantee of digital rights (LOPD and GDD, hereinafter LOPD).

In accordance with these regulations, we inform you that use of our website may require certain personal data to be provided through registration or contact forms, or through the sending of emails, and that this will be processed by “RIU Hotels & Resorts”, Data Controller, whose information is as follows:

  • Company name: RIUSA II, S.A.
  • Tax ID: A07632474 
  • Registered address: C/ Llaud S/N, 07610, Palma de Mallorca, Balearic Islands - Spain

Collection and processing of personal data

Personal data is any information relating to a person: name, email, address, telephone, tax ID. Additionally, when a User visits our website, certain information is automatically stored for technical reasons, such as the IP address assigned by their Internet provider.

“RIU Hotels & Resorts”, as the Data Controller, has a duty to inform Users of its website about the personal data that may be collected when they send an email or fill in forms on the website.

Only the precise data required to perform the contracted service, or to be able to respond adequately to the request for information made by the User, will be collected. The data collected is identifying in nature, and corresponds to the reasonable minimum required to perform the activity in question. In particular, no specially protected data will be collected at any time. In no case will the data be used for any purpose other than the one for which it was collected.

Contact/email forms 

Purpose: To respond to your request for information made using our contact form.

Legitimacy: The legal basis legitimising this processing is the consent of the User, which may be revoked at any time.

Data transfer: The personal data will be processed through servers managed by JoopBOX, which will act as the Data Processor.

Mailing list enrollment forms (newsletter) 

Purpose: Sending communications, including some commercial communications, which are of interest to the Users in keeping with the nature of the website. As established by the LSSICE, “RIU Hotels & Resorts” undertakes not to send commercial communications without identifying them as such. For these purposes, information sent to customers for the purposes of maintaining an existing contractual relationship, if applicable, will not be deemed commercial communications.

Legitimacy: The legal basis legitimising this processing is the consent of the User, which may be revoked at any time.

Data transfer: The personal data will be processed through servers managed by JoopBOX, which will act as the Data Processor.

Customer registration/enrollment/booking forms

Purposes:

  • Managing your User registration on our website.
  • Managing purchases made.
  • Providing information about the processing and status of purchases.
  • Managing access to the points and membership programme.
  • Record of purchases made on our website.
  • Sending communications via email and/or telephone, to inform the User of any possible incidents, errors, problems and/or order status.

User profiles: “RIU Hotels & Resorts” offers different types of user registrations that offer different features. 

  • Retail users will have access to their order purchase status, as well as storing billing information and payment methods to facilitate future purchases. 
  • Hotel users are subject to special previously agreed conditions that facilitate access to this user profile, in which they can access information on the purchase status of their orders and billing information. 
  • RIU Partner Club users are subject to special previously agreed conditions which facilitate access to this user profile. They will be able to make purchases using the RPC points programme, access their updated points balance and billing information.

Legitimacy: The legal basis that legitimises this processing is the fulfilment of a contract or application of pre-contractual measures.

Data transfer: “RIU Hotels & Resorts” will not transfer or communicate your data to any third party, except in the cases provided for by law or when strictly necessary for the provision of a service. In particular, your data may be transferred to Ravanetto, S.L., a trusted company that will be in charge of the management and distribution of products. In addition, the data may be transferred to:

  • IT or technology service providers.
  • Payment service providers.
  • Courier and parcel companies.
  • Third parties or intermediaries, in the form of service providers, operating on our behalf (management, consulting services, etc.).

Data transfers will be made in the strictest confidence, employing the necessary measures, such as the signing of confidentiality agreements, or adhering to the privacy policies established on their respective websites. The User may refuse to transfer their data to the Processors, by written request, by any of the aforementioned means.

In addition, in cases where it is necessary, Customer data may be transferred to certain bodies, in compliance with a legal obligation: Spanish Tax Agency, banking entities, Labour Inspectorate, etc.

Minors

Personal data may only be provided on this website by persons over the age of 14. As required by the LOPD and GDD, in the case of children under the age of 14, consent must be provided by their parents or guardians before we can process their personal data.

Moreover, only people over the age of 18 can contract our services. In the case of minors under the age of 18, consent must be provided by their parents or legal guardians in order for us to provide the services offered, unless the child is legally emancipated.

User registration

When the User registers using the appropriate form, the information we collect includes:

  • First and last name
  • Email address
  • IP
  • User name/password

The User must also provide a password, which must meet certain security requirements. Passwords do not expire. In order to retrieve their password, the User must go to the specific recovery form and enter their email address to continue with the process. They will be able to change the password by clicking the link that will be sent to the email address entered. The User is responsible for maintaining the confidentiality of their password, as well as all uses thereof. You must notify “RIU Hotels & Resorts” of any unauthorised use of your account or password as soon as possible.

The User, once registered, has access to a private panel, in which they will be able to view certain content, and account options (such as password or User data), etc.

The User may receive the following notifications:

  • When they sign up for the platform (account validation email).
  • When making purchases or entering into contracts (if applicable), such as receipts, incidents, deliveries, etc.
  • The User will receive the website newsletter if they have registered for it, from which they can unsubscribe in their User panel and via the corresponding links included in the footer of the newsletter.
  • For password recovery (as specified above).
  • When they unsubscribe or delete the account.

User accounts are not deleted due to non-use. The User may opt out by making a request to “RIU Hotels & Resorts” staff, sending an email to dpo@riu.com or through their account profile. 

At “RIU Hotels & Resorts” we will block a User account if you commit suspicious or fraudulent actions. By registering as a User, you agree that the owners of this site reserve the right, at any time and without notice, to modify or discontinue this website and its services, or to delete the data provided, either temporarily or permanently.

Security measures

Users of the “RIU Hotels & Resorts” website are informed that the security, technical and organisational measures within our power have been adopted to prevent the loss, misuse, alteration, unauthorised access and theft of data, and that they guarantee the confidentiality, integrity and quality of the information contained therein, in accordance with the provisions of the current data protection regulations. The personal data collected via the forms is processed only by personnel of “RIU Hotels & Resorts” or designated Processors.

The “RIU Hotels & Resorts” Website also has SSL encryption, which allows the User to securely send their personal data through the website’s contact or registration forms.

Data accuracy

The User represents that all data provided by the User is true and correct and agrees to keep it up to date. The User shall be liable for the accuracy of their data and shall be solely liable for any disputes or litigation that may result from the falsification thereof. In order for us to keep personal data up to date, it is important that the User inform “RIU Hotels & Resorts” whenever there are any changes.

Data transfer

“RIU Hotels & Resorts” will not transfer or communicate your data to any third party, except in the cases provided for by law or when strictly necessary for the provision of a service. Specifically, the data may be transferred to:

  • IT or technology service providers
  • Payment service providers
  • Courier and parcel companies
  • Third parties or intermediaries, in the form of service providers, operating on our behalf (management, consulting services, etc.).

Data transfers will be made in the strictest confidence, employing the necessary measures, such as the signing of confidentiality agreements, or adhering to the privacy policies established on their respective websites. The User may refuse to transfer their data to the Processors, by written request, by any of the aforementioned means.

In addition, in cases where it is necessary, Customer data may be transferred to certain bodies, in compliance with a legal obligation: Spanish Tax Agency, banking entities, Labour Inspectorate, etc.

Exercising User’s rights

The LOPD and GDD and GDPR give data subjects the ability to exercise a number of rights related to the processing of their personal data. To do so, the User must send an email to dpo@riu.com, or a written communication to the address that appears in our Legal Notice, providing documentation which proves their identity (national ID card or passport). Said communication must include the following information: the User’s first and last name, purpose of the request, address and supporting information. 

The exercise of rights must be carried out personally by the User. However, they may be executed by a person authorised as the User’s legal representative, by providing documentation that proves said representation.

The User may request the exercise of the following rights:

  • The right to request access to personal data, which is the right to obtain information about whether their own personal data is being processed, the purpose of the processing that is being carried out, where applicable, as well as the available information on the origin of such data and any communications or intended communication thereof.
  • Right to request rectification, in the event that personal data is incorrect or inaccurate, or deletion of data that proves to be inappropriate or excessive.
  • The right to request the limitation of data processing, in which case only the data which is strictly necessary for the exercise or defence of claims will be kept by “RIU Hotels & Resorts”.
  • The right to object to processing: refers to the right of the data subject to not have their personal data processed or to cease processing in cases where their consent is not necessary for the processing, in the case of commercial prospecting files, or those that have the purpose of making decisions regarding the data subject based solely on the automated processing of their data, unless they have to continue being processed for legitimate reasons or the exercise or defence of possible claims.
  • Right to data portability: if you want your data to be processed by another company, “RIU Hotels & Resorts” will provide you with the portability of your data in exportable format.

If the consent has been granted for any specific purpose, the User has the right to withdraw consent at any time, without this affecting the lawfulness of the processing based on the consent prior to the withdrawal. 

We are committed to enforcing all of these rights within the maximum legal period (1 month).

If a User considers that there is a problem with the way in which “RIU Hotels & Resorts” is handling their data, they may direct their complaints to the Security Manager or the corresponding data protection authority, which will be the Spanish Data Protection Agency in the case of Spain.

Data retention

The personal data of Users who use the contact form or who send us an email requesting information will be processed for the time that is strictly necessary to respond to the request for information, or until the granted consent is revoked.

Customers’ personal data will be processed until the contractual relationship ends. The retention period of the personal data will be the minimum necessary, up to a maximum of:

  • 4 years: Spanish Law on Labour Violations and Penalties (obligations regarding affiliation, registrations, de-registrations, quoting, payment of salaries, etc.); Arts. 66 et seq. Spanish General Tax Law (accounting books, etc.)
  • 5 years: Art. 1964 Spanish Civil Code (personal actions without special deadline)
  • 6 years: Art. 30 Spanish Commercial Code (accounting books, invoices, etc.)
  • 10 years: Art. 25 Spanish Law on the Prevention of Money Laundering and the Financing of Terrorism.
  • No time frame: disaggregated and anonymised data.

For their part, the data of Users who register for the newsletter will be kept indefinitely, until the granted consent is revoked.

Social media

“RIU Hotels & Resorts” has a profile on some of the main Internet social networks (Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest). The purpose of the processing of data by “RIU Hotels & Resorts” will be to inform its followers about its activities, using the tools that the social network in question allows, and to provide a personalised service to the user. The User should be aware that the use of these social networks is subject to their respective terms of use and platform privacy policies. “RIU Hotels & Resorts” encourages Users to consult these terms and privacy policies before using the links or applications provided.

In no event will “RIU Hotels & Resorts” extract data from social media, unless the User’s consent to do so is obtained in a timely and express manner. In addition, “RIU Hotels & Resorts” is not responsible for the privacy practices of these social networks or their applications, especially with respect to confidentiality, processing of personal data and content.

Confidentiality

The information provided by the User shall, in any case, be deemed confidential, without it being used for purposes other than those described herein. “RIU Hotels & Resorts” undertakes not to disclose or reveal information about the User’s claims, the reasons for the advice requested or the duration of its relationship with the User.

Validity

This privacy and data protection policy was drafted on 4 June 2024. It may vary depending on any changes in regulations and case law that occur. The data subject is responsible for reading the updated document, in order to be aware of their rights and obligations in this regard at all times.