PRIVACY POLICY

Last Update: November 13, 2025

At Fondo ConSentido, we respect your privacy and are committed to protecting the personal data you provide us when using our website https://descubreconsentido.com (hereinafter, the “Site”). This Privacy Policy explains how we collect, use, store, protect, and process your information, in compliance with the General Data Protection Regulation (GDPR) of the European Union, the Organic Data Protection Law (LOPD) of Spain, the Personal Data Protection Law of Uruguay (Law No. 18,331), and applicable laws in Mexico regarding personal data protection.

1. DATA CONTROLLER

The legal entity responsible for processing your personal data is:

Fondo ConSentido

• Owner of properties: Finca ConSentido (Uruguay) and Casa ConSentido Tamarindo (Mérida, Mexico)
• Contact email: reservas.consentido@gmail.com
• Address: Mérida, Yucatán, Mexico
• Country: Mexico

For any questions, complaints, or to exercise your rights related to this policy, you can contact us as follows:

• Email: reservas.consentido@gmail.com
• Contact form: Available at https://descubreconsentido.com/contacto/

 

2. PERSONAL DATA WE COLLECT

We collect the following personal data when you use the website, complete a reservation, or communicate with us:

Identification Data:

• Full name
• Email address
• Phone number
• Country of origin

Payment and Reservation Data:

• Credit/debit card information (processed through secure payment gateways)
• Payment method
• Check-in and check-out dates
• Number of guests
• Reservation information

Preference Data:

• Length of stay and travel preferences
• Special requests for your stay
• Communication preferences

 

Technical Data:

• IP address
• Navigation data (cookies)
• Device used (type, browser, operating system)
• Approximate location (via IP)
• Browsing history on our site
• Session duration

Communication Data:

• Content of emails, messages, or inquiries you send us
• Conversation records (if you contact us via chat or WhatsApp)

3. LEGAL BASIS FOR PROCESSING

The processing of your data is carried out based on the following legal grounds:

• Contract Execution: Reservation data, payment data, and contact data for confirmation – Necessary to process your reservation and provide service
• Consent: Email for marketing/newsletter – Only if you check acceptance box
• Legitimate Interest: IP address and cookies, data for service improvement – Improve experience and optimize services
• Legal Obligation: Data for legal compliance – Comply with tax and legal requirements
• Fraud Prevention: Data for fraud prevention – Protect our rights and interests

 

4. PURPOSES OF PROCESSING

The personal data collected is used for the following purposes:

Contract Fulfillment Purposes:

• Manage, process, and confirm your reservations at Finca ConSentido and/or Casa ConSentido Tamarindo
• Process payments securely
• Provide customer service before, during, and after your stay
• Send information about your reservation (confirmation, check-in details, access instructions)
• Respond to your inquiries and requests

Service Improvement Purposes:

• Perform internal analysis to improve user experience and quality of our services
• Understand how you use the website to optimize it
• Personalize your experience on the site
• Conduct satisfaction studies and surveys

Communication Purposes:

• Send information about additional services or special promotions (only if you have given consent)
• Maintain contact with you about changes to your reservations
• Send reminders of upcoming reservations or personalized offers

Legal and Security Purposes:

• Comply with legal and tax obligations
• Prevent, investigate, and detect fraud
• Protect the security of the website and our users
• Comply with requirements from competent authorities

 

5. DATA RETENTION PERIOD

Your personal data will be retained for the period necessary to fulfill the mentioned purposes. Specific retention periods are:

• Completed reservation data: 5 years – Tax and accounting obligations (Mexican/Uruguayan tax law)
• Payment data: 7 years – Compliance with tax regulations and fraud identification
• Customer service data: 2 years – Complaint management and service improvement
• Email data for marketing: Until consent revocation – While we maintain business relationship and consent not withdrawn
• Cookies and technical data (IP, logs): 13 months – Google Analytics standard and privacy regulations
• Conversation data (chats, emails): 1 year – Customer service management and conflict resolution
• Temporary session data: End of session – Session data not retained after browser closure

IMPORTANT: When the retention period expires, we will completely delete or anonymize your data, except when we are obligated to retain it by law.

 

6. DATA TRANSFER TO THIRD PARTIES

Your data will NOT be shared with third parties without your consent, except in the following cases:

Transfers Necessary to Provide the Service:

• Secure payment gateway: To securely process transactions (Stripe, PayPal, or other payment processors)
• Reservation management platform: Lodgify (to manage availability and reservations)
• Email service: To send confirmations and communications
• Logistics operators: If access information or special services delivery is required
• Website hosting: Hostinger (data storage on secure servers)

Transfers by Legal Obligation:

• Competent authorities (Police, AFIP, SAT, etc.) if required for investigation or legal compliance
• Data protection authorities if they request
• Courts or judicial authorities in case of dispute or litigation

All third-party data processors sign contracts (Data Processing Agreements) that guarantee compliance with GDPR and protection of your data.

 

7. USER RIGHTS – ARCO RIGHTS

In accordance with Articles 15-22 of the GDPR, you have the right to:

a) RIGHT OF ACCESS (Art. 15 GDPR)

• Right to access your personal data and obtain a copy
• Right to know what data we have stored about you

b) RIGHT OF RECTIFICATION (Art. 16 GDPR)

• Right to correct inaccurate personal data
• Right to complete incomplete data
• Example: Update your phone number or address

c) RIGHT OF ERASURE / RIGHT TO BE FORGOTTEN (Art. 17 GDPR)

• Right to request deletion of your personal data
• Applicable when: data is no longer necessary for the purpose, you withdraw consent, or data has been processed unlawfully
• LIMITATION: Data cannot be deleted if there is legal obligation to retain it (e.g., tax data for 5 years)

d) RIGHT TO RESTRICT PROCESSING (Art. 18 GDPR)

• Right to request that we restrict processing of your data
• Example: While you verify data accuracy
• Your data is marked as restricted and not processed except for storage

 

e) RIGHT TO DATA PORTABILITY (Art. 20 GDPR)

• Right to receive your data in structured, commonly used format (e.g., CSV, JSON)
• Right to transmit that data to another controller without obstacles
• Example: If you change reservation agencies

f) RIGHT TO OBJECT (Art. 21 GDPR)

• Right to object to data processing based on legitimate interest
• Right not to receive direct marketing
• Example: Objection to behavioral analysis or marketing emails

g) RIGHTS RELATED TO AUTOMATED DECISIONS (Art. 22 GDPR)

• Right not to be subject to decisions based solely on automated processing
• Applies to decisions with legal effects or significantly affecting you
• Example: Objection to automatic scoring systems or profiling

h) RIGHT TO LODGE A COMPLAINT (Art. 77 GDPR)

• Right to lodge a complaint with the competent Data Protection Authority (DPA)
• In Mexico: INAI (National Institute of Transparency)
• In Uruguay: Data Protection Unit
• In Spain: AEPD (Spanish Data Protection Authority)

 

HOW TO EXERCISE YOUR RIGHTS?

To exercise any of your ARCO rights, please:

1. Send request to: reservas.consentido@gmail.com

2. Include in your request:
• Full name and registered email
• Specify which right you want to exercise (Access/Rectification/Erasure/Restriction/Portability/Objection)
• Describe the specific data you are requesting
• Attach a copy of your identification document (to verify identity)
• Any other relevant information

3. Response timeframe:
• We will respond within 30 business days of receiving your request (Art. 12.3 GDPR)
• If the request is complex, we may extend it up to 60 days, notifying you in advance

4. Response:
• You will receive acknowledgment of receipt immediately
• We will notify you about acceptance or denial of your request
• If accepted, you will receive the requested information clearly

NOTE: The request must be reasonable. If we receive repetitive or clearly unfounded requests, we may reject them or charge an administrative fee.

 

8. DATA PROTECTION AND SECURITY

We implement technical and organizational measures to protect your personal data against unauthorized access, alteration, or destruction:

Technical Measures:

• SSL/TLS encryption of data in transit
• Encryption of sensitive data in storage
• Firewalls and intrusion detection systems
• Restricted access to systems via secure passwords
• Regular data backups

Organizational Measures:

• Confidentiality agreements with employees and contractors
• Personnel training in data protection
• Access limitation to authorized personnel only
• Access control policies based on need
• Data access audit logs

IMPORTANT: Although we implement robust measures, no system is 100% secure. Transmitting data over the Internet presents inherent risks. We cannot guarantee absolute security.

 

9. COOKIES AND SIMILAR TECHNOLOGIES

The Site uses cookies and similar technologies to improve your browsing experience.

What are cookies?

Cookies are small text files stored on your device when you visit our site. They are used to remember information and preferences.

Types of cookies we use:

Essential/Technical cookies:

• Necessary for site functionality
• Allow navigation and use of basic features
• Do not require consent (sent regardless)
• Examples: Authentication, security, language preferences

Performance and Analytics cookies:

• Used to understand how users interact with the site
• Help us improve performance and user experience
• Require consent to be used
• Examples: Google Analytics, user behavior tracking

Functional cookies:

• Remember your preferences and choices
• Personalize your experience
• Require consent
• Examples: Language preference, saved settings

Marketing/Advertising cookies:

• Used for marketing purposes
• Track browsing behavior for targeted ads
• Require explicit consent
• May be shared with third parties

You can manage your cookie preferences through your browser settings or by using our cookie consent form on the website. By continuing to use the site, you consent to the use of cookies as described in this policy.