PRIVACY POLICY
GENERAL INFORMATION
Sea Wave Yachting S.L. acts as a personal data controller.
The user, by providing their data through the website, confirms that they have read this Policy and agree to its terms.
This Policy applies only to data collected through the Company's website and does not cover information obtained by other means.
The user is responsible for providing personal data of third parties, as well as for their accuracy.
Sea Wave Yachting S.L. processes personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), Spanish Law 3/2018 of December 5 "On the protection of personal data and guarantee of digital rights" (LOPDGDD), as well as Law 34/2002 of July 11 "On information society services and electronic commerce" (LSSI-CE).
In cases where the user provides data on behalf of a third party (for example, when booking a tour for a group), they undertake to:
- Obtain prior consent from the relevant person to provide their data;
- Inform this person about the provisions of this Privacy Policy;
- Guarantee the accuracy of the transmitted information.
The Company reserves the right to make changes to the Privacy Policy in order to bring it into compliance with new regulations, jurisprudence or administrative requirements. All changes take effect from the moment of publication on the website. The user is recommended to periodically check this section.
This Policy applies to all web pages, subdomains and online forms placed on the Company's main domain, as well as to any other digital channels managed by the Company where personal data is collected.
In cases where data collection and processing are carried out through external platforms integrated into the website (for example, feedback forms, payment gateways, messenger widgets), the relevant processing is governed by both this Policy and the privacy policies of these external providers. The Company takes reasonable measures to ensure that such providers comply with data protection legislation requirements.
DATA PROCESSING PRINCIPLES
Sea Wave Yachting S.L. processes personal data in good faith, in compliance with the following principles established by Article 5 of Regulation (EU) 2016/679 (GDPR):
- Lawfulness, fairness and transparency. Processing is carried out on legal grounds, with respect for the rights of data subjects, as well as with complete transparency - the user is informed about the purposes and conditions of processing their data.
- Purpose limitation. Personal data is collected for specific, predetermined and legitimate purposes and is not processed further in a manner incompatible with those purposes.
- Data minimisation. Only those personal data that are strictly necessary to achieve the purposes of processing are subject to collection and storage.
- Accuracy. The Company takes measures to ensure the relevance and reliability of personal data. Inaccurate or outdated data is corrected or deleted without delay.
- Storage limitation. Data is stored no longer than necessary to achieve the purposes for which it is processed, taking into account the retention periods provided by law.
- Integrity and confidentiality. Data is processed in such a way as to ensure its proper security, including protection from unauthorized or unlawful processing, accidental loss, destruction or damage, using appropriate technical and organizational measures.
Accountability principle.
The Company is responsible for compliance with the above principles and is able to confirm this in writing upon request from supervisory authorities or data subjects (in accordance with Article 5.2 GDPR).
Privacy by design and by default principle.
The Company implements a "privacy by design and by default" approach, applying protection measures already at the service design stage, including minimizing the amount of data collected, restricting access, encryption and pseudonymization (Art. 25 GDPR).
Communication transparency principle.
The user has the right at any time to obtain access to simple and understandable information about the purposes, methods and terms of personal data processing, as well as about their rights and the procedure for their implementation.
In order to ensure compliance with processing principles, the Company:
- Conducts regular review of policies and practices in the field of data protection;
- Trains employees working with personal data;
- Maintains a record of personal data processing operations in accordance with Article 30 GDPR.
PURPOSES OF PERSONAL DATA COLLECTION
The Company processes personal data exclusively for lawful, predetermined and justified purposes, including:
Commercial service and fulfillment of contractual obligations:
- processing bookings and providing daily and weekly sea tour services (including individual, group and custom tours);
- processing payments, managing refunds, confirming orders and providing related documents (contracts, invoices, notifications);
- providing customer support before, during and after service delivery, including consultations via email, phone, CRM system or built-in website messengers.
Legal compliance:
- compliance with tax, accounting and financial reporting obligations;
- fulfillment of tourism and maritime legislation requirements, including those related to identification of persons on board (including guests and crew);
- providing information upon request from authorized government agencies (e.g., tax service, Guardia Civil, maritime police, etc.).
Technical and information security:
- ensuring secure access to personal account, bookings and order history;
- monitoring user activity to prevent fraud, unauthorized access, system attacks, violation of website terms of use.
Marketing and communications:
- sending emails with useful information, booking reminders, and marketing materials (with consent);
- informing about promotions, events, company news, contests, surveys;
- personalizing communication based on previous bookings, website behavior, interactions with email newsletters or advertising.
Analytics and product development:
- analyzing user behavior on the website, effectiveness of advertising and SEO campaigns, conversion rates and traffic sources;
- improving service quality, website structure, interface and mobile version (including through A/B testing);
- statistical and behavioral modeling to develop new services and optimize customer journey.
Use of digital tools and automation:
- maintaining customer records and interaction history in CRM system;
- using chatbots on the website and in messengers to automate responses to standard questions, booking or collecting contact data;
- automated email chains (email automation), including booking reminders, incomplete actions, feedback requests and congratulations;
- recording and storing telephone conversations with customers to improve service quality, resolve disputes, provide evidence base (in accordance with local legislation and customer notification about recording).
Legal protection and conflict resolution:
- protecting the rights and legitimate interests of the Company, users and third parties in judicial, administrative and claim procedures;
- proving fulfillment of contractual obligations and offer conditions, including storing information about transactions, correspondence and user requests.
CATEGORIES OF PROCESSED DATA
The Company may collect, store and process the following categories of personal data provided by the user directly or collected automatically when using the website and online services:
Identification data:
- first and last name;
- gender, date of birth, citizenship (if required by contract, insurance or international trip organization);
- passport data or identification numbers (if necessary for concluding an offer agreement, crew registration or reporting to authorities).
Contact data:
- email address;
- phone number (mobile and/or alternative);
- residential address, postal address (when necessary for issuing official documents).
Booking and service data:
- date, duration and type of tour (daily, weekly, charter, mixed, individual);
- number of guests, age, preferences, additional services;
- information about previous bookings, frequency and interaction history.
Financial and payment data:
- payment information (payment method, amount, transaction status);
- bank card and payment system data (processed exclusively through payment providers such as Stripe and not stored on Company servers);
- information about refunds, discounts, promotions.
Communication and behavioral data:
- correspondence with the company via email, website chat, messengers or social networks;
- responses to feedback forms, surveys, service reviews;
- telephone conversation recordings (if user is notified about recording).
Technical and analytical data:
- IP address, geolocation (based on IP);
- cookies data, session identifiers, referral URL;
- device type, browser, operating system, interface language;
- website behavior: pages, visit time, clicks, cart actions (including incomplete bookings).
Data from CRM and automated systems:
- information about sales funnel stage (lead, customer, repeat customer);
- email newsletter history, email opens, link clicks;
- interaction with chatbots (including through Facebook Messenger, Telegram, WhatsApp).
Marketing and preference data:
- consent/refusal to receive informational messages;
- preferences in tour topics, interests (when participating in surveys);
- traffic source (referral links, partner campaigns).
The Company does not collect special categories of personal data (particularly sensitive data, for example, about health, political views, religious beliefs), except when necessary:
- to ensure safety on board (for example, information about allergies, chronic diseases, swimming/non-swimming ability);
- when organizing tours with physical activity where health status consideration is required.
All data is processed within the minimization principle, strictly in the volume necessary to achieve the purposes specified in section 3.
LEGAL BASIS FOR PROCESSING
Sea Wave Yachting S.L. processes personal data based on the provisions of Article 6 of Regulation (EU) 2016/679 (GDPR). Depending on the specific purpose of processing, the following legal bases apply:
Performance of a contract or preparation for its conclusion (Art. 6.1(b) GDPR).
Data processing is necessary for:
- booking and providing tourist, educational or charter services;
- communicating with the user on contract performance matters (confirmation, modification, cancellation, feedback);
- providing access to personal account and order management;
- participating in regattas, courses and other activities organized by the Company.
Processing may also be carried out before contract conclusion if the user has requested information or taken steps to order services (for example, through website forms, chatbots, CRM requests).
Compliance with legal obligations (Art. 6.1(c) GDPR).
Personal data processing is necessary for:
- fulfilling tax, accounting and reporting requirements (including storing fiscal documentation);
- responding to requests from supervisory, law enforcement or other authorized bodies;
- complying with immigration, maritime and tourism legislation requirements (for example, crew registration, maintaining participant lists and insurance).
Consent of the data subject (Art. 6.1(a) GDPR)
Processing is carried out only with voluntarily provided user consent for the following purposes:
- sending email newsletters and marketing messages;
- using cookies that are not technically necessary;
- participating in surveys, feedback and collecting reviews;
- publishing images, video materials or personal data for advertising or informational purposes (for example, on social networks, website);
- processing sensitive data (for example, information about food allergies, health restrictions when participating in on-board events).
The user may withdraw their consent at any time by sending a request to the contacts specified in this document.
Legitimate interests of the Company (Art. 6.1(f) GDPR)
Processing is necessary for purposes justified by Sea Wave Yachting S.L. business interests, provided that such interests do not violate fundamental rights and freedoms of data subjects. In particular:
- ensuring information and physical security;
- preventing fraud and abuse;
- recording telephone conversations and processing correspondence to ensure service quality;
- improving website operation, interface and user experience;
- user behavior analytics and statistics using anonymized data;
- minimizing misunderstandings and legal risks when providing services;
- processing data in CRM systems and automated marketing platforms to support business processes.
Vital interests of the data subject or other persons (Art. 6.1(d) GDPR)
Certain data may be processed in exceptional cases when necessary for:
- emergency medical care or communication with emergency services during tour conduct;
- saving life or health of a person on board.
In cases where the legal basis for data processing changes (for example, from consent to legitimate interest), the Company will notify the user and explain how this affects their rights.
When transferring data outside the European Economic Area (EEA), the Company will use adequate legal mechanisms, including standard contractual clauses (SCCs), if the country is not recognized by the European Commission as providing an adequate level of protection.
Processing of personal data when paying through Stripe.
Payment for services through the Company's website is carried out using the Stripe Inc. payment platform (or its subsidiaries operating in the EEA). In this case:
- Stripe processes payment details, as well as data necessary for transaction verification (for example, name, email, IP address, country, browser type, device, card);
- The Company does not have access to and does not store complete payment details (for example, card number, CVV code) and transmits information to Stripe through a secure API connection;
- Stripe acts as a separate controller of personal data, and its privacy policy is available at: https://stripe.com/privacy;
The legal basis is:
- contract performance - Art. 6.1(b) GDPR;
- legal obligation for financial reporting - Art. 6.1(c) GDPR;
- legitimate interest in protection against fraud and transaction security - Art. 6.1(f) GDPR.
DATA STORAGE
The Company stores personal data only for the period strictly necessary to achieve the purposes specified in section 3 of this Policy, or for the period established by applicable legislation of the European Union and Spain (including tax, accounting and consumer law).
After achieving the purposes of processing or upon expiration of the established retention period, personal data is:
- deleted in a secure manner;
- or subjected to irreversible anonymization for further use exclusively for statistical, research and analytical purposes without the possibility of data subject identification.
The Company may process anonymized and aggregated data, including user behavior analytics data (for example, through Google Analytics), for:
- website traffic analysis;
- marketing strategy evaluation;
- user interface and functionality optimization;
- internal reports and strategic planning.
Retention periods are determined by the following criteria:
- Payment and tax data - at least 5 years, according to Spanish tax and financial legislation requirements;
- Commercial correspondence, orders, booking history - at least 6 years (in accordance with civil code and warranty obligations);
- Marketing consent (for example, email newsletters, push notifications) - until consent withdrawal, but no more than 24 months from the date of last interaction;
- Call recordings or correspondence through chatbots/messengers/CRM - for up to 12 months, unless otherwise provided for evidence or service quality;
- Access logs, IP addresses, cookie files - for up to 26 months, unless the user has withdrawn consent earlier;
- CVs or personal data of job candidates - no more than 12 months from submission.
All data is stored on servers and cloud infrastructures providing a high level of information security (including physical and logical protection measures: encryption, two-factor authentication, firewalls, regular backups, access control, action logs, etc.).
Access to personal data is available only to those Company employees or contractors who need it to perform their job duties. All such persons sign a confidentiality agreement.
In case of consent withdrawal, deletion request or expiration of the retention period, the Company guarantees complete deletion of personal data, except when their preservation is required within legal obligations or to protect the Company's rights and interests in judicial and administrative procedures.
USER RIGHTS
In accordance with the General Data Protection Regulation (GDPR), each user whose personal data is processed by the Company has the following rights:
Right of access to data (Art. 15 GDPR)
the user may request confirmation whether their data is being processed, as well as obtain a copy of this data, including:
- processing purposes;
- data categories;
- recipients to whom data has been disclosed;
- expected retention period;
- sources of data acquisition (if not provided directly);
- fact of automated decision-making, including profiling.
Right to rectification (Art. 16 GDPR)
the user may request immediate correction of inaccurate personal data, as well as completion of incomplete data, if necessary - with submission of an additional statement.
Right to erasure ("right to be forgotten", Art. 17 GDPR)
the user may demand deletion of personal data if:
- data is no longer needed for the purposes for which it was collected;
- the user withdraws their consent and there is no other legal basis for processing;
- data was processed unlawfully;
- deletion is necessary to fulfill a legal obligation;
- the user objects to processing for direct marketing purposes.
Right to restriction of processing (Art. 18 GDPR)
the user may demand restriction of processing in the following cases:
- if the user disputes data accuracy (for the time of their verification);
- if processing is unlawful, but the user prefers restriction rather than deletion;
- if data is no longer needed by the Company, but required by the user for rights protection;
- if the user objects to processing (until confirmation that Company interests do not prevail).
Right to data portability (Art. 20 GDPR)
the user may request provision of their data in a structured, machine-readable format (for example, .CSV or .JSON) and, when technically possible, transfer of this data to another data controller, if processing is based on consent or contract and is carried out by automated means.
Right to object to processing (Art. 21 GDPR)
the user may at any time object to:
- processing carried out based on Company's legitimate interests;
- processing for direct marketing purposes, including profiling;
- automated decision-making (Art. 22 GDPR) if it significantly affects the user.
Right to withdraw consent (Art. 7.3 GDPR)
the user may withdraw previously provided consent at any time, without prejudice to the lawfulness of processing before withdrawal. Withdrawal may be carried out via email or other contact methods specified in this Policy.
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
if the user believes their rights have been violated, they have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD):
- Website: https://www.aepd.es/
- Address: C/Jorge Juan, 6, 28001 Madrid, Spain
All requests related to the above rights can be sent in free form to the email or through contact forms specified in the "Contact Information" section. The Company undertakes to provide a response no later than one month from receipt of the request; if necessary, this period may be extended by another two months, provided the user is notified with justification for the delay.
Exercise of user rights is free of charge. However, in case of unreasonable or excessively repetitive requests, the Company may charge a reasonable fee reflecting administrative costs or refuse to fulfill the request with appropriate justification.
The Company may request user identity confirmation before fulfilling the request to prevent unauthorized access to personal data.
DATA TRANSFER TO THIRD PARTIES
The Company does not sell users' personal data and transfers it to third parties exclusively to the extent necessary to achieve legitimate purposes, in the following cases:
Contract fulfillment with the user, including:
- online payment processing through certified payment providers (for example, Stripe, Redsys, PayPal);
- service reservation (if third-party booking platforms or aggregators are used);
- account management and communication through CRM systems and email automation services (for example, Zoho CRM, Mailchimp, Brevo).
Compliance with obligations established by legislation, in particular:
- data transfer upon request from tax, customs, judicial, police and other competent authorities within legal procedures;
- reporting to government control bodies.
Use of cloud, analytical and marketing solutions, such as:
- Stripe - for secure payment processing (card data is not stored on the Company side);
- Google Analytics/Google Tag Manager - for user behavior analysis and website interface improvement;
- Meta Pixel (Facebook/Instagram) - for retargeting and advertising campaign effectiveness evaluation;
- Hotjar/Clarity - for website interaction analysis (heat maps and page behavior);
- Cloudflare - for website loading acceleration and attack protection;
- Amazon Web Services (AWS) or other cloud providers - for hosting and data storage;
- Tawk.to / Crisp / Zendesk - for chats and user support.
In case data processing or transfer is carried out in countries outside the European Economic Area (EEA), the Company:
- transfers data only to countries recognized by the European Commission as providing an adequate level of protection (so-called white list);
- or uses Standard Contractual Clauses (SCCs) approved by the European Commission;
- or other additional measures provided by Chapter V GDPR, including technical and legal guarantees.
In case of personal data transfer to advertising, marketing and social platform providers (for example, Facebook, Instagram, Google), such transfer is carried out only with explicit user consent expressed through the cookie banner mechanism, according to ePrivacy Directive (2002/58/EC) and Spanish Information Society Services Law (LSSI-CE) requirements.
The user is provided with information about all categories of data recipients and, upon request, a copy of current cross-border transfer agreements (for example, SCC), to the extent that does not violate trade secrets.
DATA SECURITY
Sea Wave Yachting S.L. takes all reasonable technical, administrative and organizational measures aimed at ensuring the security of users' personal data from:
- unauthorized access;
- loss, destruction or alteration;
- disclosure, distribution or unlawful processing.
These measures include:
- using SSL/TLS certificates (HTTPS) to encrypt all data transmitted between the user and the website;
- two-factor authentication (2FA) for administrator access to website management systems and CRM;
- firewalls and anti-DDoS mechanisms, including through cloud protection platforms (for example, Cloudflare);
- regular data backup with copy storage in protected, geographically distributed storages;
- role-based access rights differentiation (at the level of employees, contractors and services);
- audit of access logs and security systems;
- updating software and content management systems considering latest vulnerabilities.
The Company stores personal data only in certified data centers located within the European Economic Area (EEA), or in countries recognized by the European Commission as providing an adequate level of protection. In case of storage or processing outside the EEA, Standard Contractual Clauses (SCCs) and technical guarantees (for example, end-to-end encryption) are applied.
All providers with whom the Company cooperates undergo information security assessment and undertake to comply with GDPR provisions within concluded Data Processing Agreements (DPA).
In case of a personal data breach or incident, the Company:
- immediately conducts an internal investigation;
- notifies the Agencia Española de Protección de Datos (AEPD) within 72 hours after incident discovery (in accordance with Article 33 GDPR) if there is a risk of violation of data subjects' rights and freedoms;
- if necessary, informs users about the nature of the breach, potential consequences and recommended protection measures.
The user, for their part:
- is obliged to keep their logins, passwords and other authentication data secret;
- bears personal responsibility for any actions performed from their account;
- is obliged to use strong passwords, avoid using the same password on multiple platforms and change them regularly;
- is recommended to use password managers and antivirus programs, especially when accessing the website from a shared device or through public Wi-Fi.
Despite high protection standards, no method of data transmission over the internet or electronic storage can be absolutely secure. Nevertheless, the Company takes all reasonable and available measures to minimize possible risks and respond timely to potential threats.
COOKIES
The website of Sea Wave Yachting S.L. (hereinafter - "Company") uses cookies and similar technologies (web beacons, pixels, local storage and SDK) for the following purposes:
- ensuring correct website operation;
- improving user experience;
- content personalization;
- user behavior analysis;
- conducting marketing campaigns;
- compliance with legislation requirements.
Cookies can be:
- session - deleted when the browser is closed;
- persistent - stored in the browser for a certain period;
- first-party - set by the Company's website;
- third-party - set by external platforms (for example, Google, Meta).
Types of cookies used:
Technical (necessary):
ensure basic website functions (navigation, cart, authorization). Installation is carried out without consent request, in accordance with ePrivacy Directive, Art. 5(3).
Functional:
remember language choice, preferences, location and other user settings.
Analytical:
allow collecting statistics about website usage.
Example: Google Analytics (_ga, _gid, _gat, _utma, etc.).
Collected data is anonymized and used only in aggregated form.
Marketing:
help show personalized advertising and conduct remarketing.
Example: Meta/Facebook Pixel, TikTok Pixel, Google Ads.
Third-party:
used for social network integration (Like/Share buttons), commenting, video or widgets (YouTube, Instagram, Trustpilot, etc.).
Purposes of cookie usage:
- maintaining user sessions and CSRF protection;
- loading speed optimization;
- visit statistics collection (entry/exit points, viewing depth, traffic source);
- A/B testing of content and functionality;
- advertising targeting and retargeting;
- user journey analysis.
Google Analytics cookies:
Used for anonymous collection of information about user actions on the website. IP address masking is additionally applied. More details:
Example of third-party platforms using cookies:
- Google (Analytics, Ads, Tag Manager).
- Meta/Facebook (Pixel, Instagram)
- TikTok
- YouTube (embedded videos)
- Mailchimp / Sendinblue / Brevo (email newsletter tracking)
- Hotjar / Clarity (heat maps, behavioral analysis)
Cookie management:
The user can manage preferences through:
- banner on first website visit;
- built-in "Cookie Management" panel on the website;
- their browser settings:
- Chrome: https://support.google.com/chrome/answer/95647
- Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
- Safari: https://support.apple.com/kb/PH21411
- Opera: http://www.opera.com/help/tutorials/security/cookies/
- Edge: https://support.microsoft.com/help/4027947
ePrivacy and LSSI-CE compliance:
The Company acts in accordance with:
- Directive 2002/58/EC (ePrivacy);
- Regulation (EU) 2016/679 (GDPR);
- Ley 34/2002 (LSSI-CE, Spain), regulating commercial electronic communication.
information about cookie categories and their purposes;
- ability to accept all, reject all, or configure cookies;
- option to withdraw or change consent at any time.
Cookie storage and duration:
Each cookie has a storage period depending on the purpose:
- technical - until session completion;
- analytical - from 1 day to 2 years;
- marketing - up to 13 months (in accordance with CNIL and GDPR recommendations).
Third-party service responsibility:
The Company is not responsible for cookie processing by third-party platforms such as Google or Facebook. The user should independently familiarize themselves with their privacy and cookie policies.
CHILDREN AND MINORS
The website of Sea Wave Yachting S.L., as well as all services provided by it (including tour booking, educational programs, marketing activities and feedback forms), are not intended for persons under 18 years of age.
The Company deliberately does not collect, process and store personal data of children and minors without prior explicit consent from a legal representative (parent or guardian), as required by Article 8 GDPR and corresponding Spanish legislation (Ley Orgánica 3/2018).
If the Company learns that personal data has been provided by a minor without appropriate consent, such data will be immediately deleted or anonymized.
In case of conducting events involving minors (for example, educational programs accompanied by parents), the Company:
- ensures collection of only the minimally necessary amount of data;
- takes measures to comply with the transparency principle;
- obtains confirmed consent from parent/guardian for personal data processing;
- provides access to a copy of consent and data subject rights.
If you are a legal representative of a minor and believe that the Company has received your child's data without your consent, you can contact us to request their deletion through the specified contact channels in section 14. CONTACT INFORMATION.
The Company also notes that any third-party platforms (Google, Meta, Instagram, etc.) with which the website may interact (for example, when displaying widgets, integrating social network buttons, etc.) have their own age restrictions. It is recommended to familiarize yourself with their policies in case of use by minors.
APPOINTMENT OF DATA PROTECTION OFFICER (DPO)
Sea Wave Yachting S.L. conducted an internal assessment of the nature, scope, context and purposes of personal data processing. Considering that:
- The Company is not a public authority;
- the Company's core activities do not include systematic large-scale monitoring of data subjects;
- there is no processing of special categories of data (for example, health data, biometric data or criminal conviction data) on a large scale,
The Company is not obliged to appoint an official Data Protection Officer (DPO) in accordance with Article 37 GDPR.
Despite this, the Company voluntarily undertakes obligations to comply with privacy standards and appoint responsible employees authorized to:
- review requests from users on personal data processing matters;
- ensure compliance with GDPR and ePrivacy principles;
- interact with supervisory authorities, including the Agencia Española de Protección de Datos (AEPD), in case of inspections or appeals;
- advise the Company team on data protection matters.
For all questions related to personal data processing, you can contact us through the following communication channels:
- Email: swyachting@gmail.com
- Postal address: Sea Wave Yachting S.L., Sant Tomas 2, Esc B, 6-2, Lloret de Mar, Girona, 17310, Spain
- Phone (for privacy matters): +34 674 444 756
The Company undertakes to provide responses to data subject requests no later than one month from receipt, in accordance with Article 12 GDPR. In exceptional cases, the period may be extended to two months if there are objective reasons, about which a notification will be sent.
The Company periodically reviews its position regarding the need to appoint a DPO. In case of changes in activities, including processing of new data categories or expansion of user geography, the question of DPO appointment will be reconsidered in compliance with Articles 37-39 GDPR.
CHANGES TO THE PRIVACY POLICY
Sea Wave Yachting S.L. reserves the right to make changes, additions or updates to this Privacy Policy at any time in connection with:
- changes in current legislation (including GDPR, LSSI-CE, ePrivacy Directive);
- changes in technological solutions used by the Company (for example, implementation of new services, platforms or cookies);
- launch of new products or services requiring different personal data processing;
- clarification of processing purposes, data categories or legal bases.
All changes take effect from the moment of their publication on the Company's website and are accompanied by an indication of the last update date. The Company recommends Users to regularly check this document to be aware of current data processing conditions.
In case of significant changes that may affect User rights or change the nature of data processing (for example, change of processing purposes, recipient categories, introduction of new forms of analytics or profiling), the Company undertakes to:
- notify users about changes via email (if available), pop-up window or banner on the website;
- request renewed consent if the new basis for processing requires it in accordance with GDPR.
Continued use of the website after publication of the updated Policy, including interaction with website functions, forms or services, is considered expression of consent to the new version of the document.
Previous versions of the Policy may be provided upon request to ensure transparency of changes and compliance with the accountability principle.
CONTACT INFORMATION
If you have questions, comments or requests regarding personal data processing, you can contact us:
Sea Wave Yachting S.L.
CIF: B75853226
Address: Av. Francesc Cambó 21, 3º 2ª, Barcelona, 08003
Legal address: Sant Tomas 2, Esc B, 6-2, Lloret de Mar, Girona, 17310
Email: swyachting@gmail.com
Phone: +34637444756
Working hours: daily from 09:00 to 20:00 (CET)