top of page
Privacy Policy / Data Protection

  1. Data Controller

In compliance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), it is hereby informed that the personal data provided through the Website will be processed by:

  • Controller: CHIMBAY EL MEDANO SL

  • Tax ID (CIF): B22755680

  • Address: Calle Picachos, 2, 38612, El Médano, Granadilla de Abona, Santa Cruz de Tenerife, Spain

  • Contact email: info@chimbay.es

    Hereinafter, the Controller.

2. Data Collected

The Website may collect the following categories of data:

  • Contact form: first name, last name, email address, phone number (optional), and message content. Chimbay

  • Reservation form / booking system: identifying and contact details (name, email, phone), reservation date and time, number of guests, and any additional information the User wishes to provide. Chimbay

  • Browsing data: IP address, device identifiers, browser, pages visited, browsing time, and other data obtained through cookies or similar technologies, as detailed in the Cookie Policy.

The User guarantees that the data provided are truthful, accurate, complete, and up to date, and will be responsible for any damage or harm arising from non-compliance with this obligation.


3. Purposes of Processing and Legal Bases

User data may be processed for the following purposes and legal bases:

- Management of inquiries and communications via the contact form

  • Purpose: to process requests for information, questions, or comments sent by the User through the contact form or email.

  • Legal basis: the User’s consent when submitting their inquiry (Art. 6.1.a GDPR) and/or the legitimate interest in responding to communications received (Art. 6.1.f GDPR).

 - Management of table reservations and restaurant services

  • Purpose: to process, manage, confirm and, where applicable, modify or cancel reservations made by the User, as well as send related communications (reminders, schedule changes, etc.).

  • Legal basis: performance of pre-contractual or contractual measures (Art. 6.1.b GDPR).

 - Sending of commercial communications (optional)

  • Purpose: to send the User information about activities, events, promotions, or news related to CHIMBAY, provided they have given their consent or a prior contractual relationship exists that allows it.

  • Legal basis: the User’s consent (Art. 6.1.a GDPR) or legitimate interest in the case of existing customers, pursuant to Art. 21.2 of the LSSI.

 - Security, technical maintenance, and improvement of the Website

  • Purpose: to ensure the security of the Website, prevent abusive or fraudulent use, and conduct statistical browsing analyses to improve content and user experience.

  • Legal basis: the Controller’s legitimate interest in ensuring network security and improving the service (Art. 6.1.f GDPR).

- Compliance with legal obligations

  • Purpose: to comply with possible legal obligations arising from the provision of services (tax obligations, food safety requirements, responses to authorities, etc.).

  • Legal basis: compliance with legal obligations applicable to the Controller (Art. 6.1.c GDPR).

 

4. Data Retention

  • Data will be retained for the following periods:

  • Contact inquiries: for the time necessary to respond to the request and, at most, 1 year from the last meaningful communication.

  • Reservation and billing data: for as long as the contractual relationship exists and, thereafter, for the time required to meet potential legal liabilities (typically 5–6 years under tax and commercial regulations).

  • Commercial communications data: until the User withdraws consent or objects to processing.

  • Browsing data: as indicated in the Cookie Policy and, in any case, for the retention periods established for each type of cookie.

 

5. Recipients and Data Processors

As a general rule, data will not be transferred to third parties, except:

  • Legal obligation (Public Administrations, Courts, Law Enforcement Agencies, etc.).

  • Service providers acting on behalf of the Controller (web hosting, booking platforms, email services, analytics tools, technical support, etc.), with whom the corresponding data processing agreements have been signed in accordance with Art. 28 GDPR.

In particular, the Website may be hosted or managed through third-party platforms located inside or outside the European Economic Area. If international data transfers occur, they will be carried out with appropriate safeguards, such as the European Commission’s standard contractual clauses or adequacy decisions, in accordance with Arts. 44 et seq. GDPR.

 

6. User Rights

The User may exercise at any time the following data protection rights:

  • Right of access: to know what personal data is being processed.

  • Right of rectification: to request correction of inaccurate or incomplete data.

  • Right of erasure (“right to be forgotten”): to request deletion of data when, among other reasons, it is no longer necessary for the purposes collected.

  • Right to object: to object to data processing for reasons related to their particular situation, especially in processing based on legitimate interest or for direct marketing.

  • Right to restriction of processing: to request limitation of data processing in certain circumstances.

  • Right to data portability: to receive their data in a structured, commonly used, machine-readable format and transmit it to another controller.

  • Right not to be subject to automated decisions: including profiling, when such decisions produce legal effects or significantly affect the User.

To exercise these rights, the User may submit a written request to:

CHIMBAY EL MEDANO SL
Calle Picachos, 2, 38612, El Médano, Granadilla de Abona, Santa Cruz de Tenerife, Spain
or by email to info@chimbay.es, indicating in the subject line “Data Protection – Exercise of Rights” and attaching a copy of their identification document (DNI, NIE, or passport).
Likewise, the User has the right to file a complaint with the Spanish Data Protection Agency (AEPD) if they consider that the processing of their data does not comply with current regulations (www.aepd.es).

 

7. Data of Minors

CHIMBAY’s services are not specifically directed to minors under 14 years of age. If the User is under that age, they must have prior authorization from their parents or legal guardians to provide personal data through the Website.
CHIMBAY reserves the right to request proof of such authorization and to delete any minor’s data collected without proper consent.

 

8. Data Security

CHIMBAY has adopted the technical and organizational measures reasonably necessary to ensure the integrity, availability, and confidentiality of personal data and to prevent its alteration, loss, unauthorized processing, or access, in accordance with the GDPR and LOPDGDD.
However, the User acknowledges that security measures on the Internet are not impregnable.

 

9. Updating of the Privacy Policy

CHIMBAY may modify this Privacy Policy when necessary to adapt it to legislative, jurisprudential, or operational changes. In such cases, the new version will be published on the Website and will be applicable from its publication.
Users are encouraged to review this policy periodically.

Made by Pepper Society

Legal Notice

Privacy Policy

bottom of page