Introduction

Visiting the Website does not imply that the user must register or provide personal data.

When you wish to contact us through the Website to request information, you must complete a contact form where you are informed of the mandatory nature of providing certain basic identification data, such as your name, company, email address and telephone number, so that we can respond to you. Mandatory fields will be indicated with an asterisk [*].

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), Trivity wants you to understand, through the information provided below, the privacy policy applied to your personal data.

1. IDENTITY OF THE DATA CONTROLLER

Hereinafter, "Trivity".

2. WHO DOES THIS POLICY APPLY TO?

This Privacy Policy applies to:

• users who visit Trivity websites;
• activity providers who use the Platform;
• agents, accommodations or other professional collaborators;
• end users who interact with the Platform and/or the Site, exclusively with respect to processing activities in which Trivity acts as data controller (for example, security, fraud prevention, regulatory compliance or Trivity's own communications).

When Trivity processes personal data on behalf of a Provider, it acts as data processor, and such processing is governed by the corresponding Data Processing Agreement (DPA), available at https://trivityapp.com/en/dpa-providers-en/.

Under no circumstances does this Privacy Policy regulate the processing of personal data carried out by Providers in their capacity as data controllers, which is governed by their own privacy policies.

3. DATA PROTECTION ROLES

Depending on the context, Trivity may act in different roles:

Trivity as data controller

Trivity acts as data controller with respect to personal data processed for its own purposes, including:

• management of provider and agent accounts;
• registration and authentication on the Platform;
• billing, collections and accounting obligations;
• customer and user support;
• Trivity's own commercial communications;
• security, fraud prevention and regulatory compliance;
• technical operation and improvement of the Platform.

Trivity as data processor

When an end user books an activity, the activity Provider is the data controller for the end user's data.

In that context, Trivity acts exclusively as data processor, processing personal data on behalf of the Provider and in accordance with its instructions, pursuant to Regulation (EU) 2016/679 and the applicable DPA.

Under no circumstances does Trivity act as the activity provider or as a contractual party vis-à-vis the end user with respect to the performance of the activity.

Under no circumstances does Trivity autonomously determine the purposes of processing the personal data of end users associated with the performance of the activity, which correspond exclusively to the Provider as data controller.

The foregoing is without prejudice to processing activities in which Trivity acts as controller (for example, Platform security, fraud prevention, regulatory compliance and technical incident management).

4. WHAT PERSONAL DATA WE PROCESS

Depending on the context, Trivity may process the following categories of data:

Data processed as controller

• identification data (name, surname);
• contact details (email address, telephone number);
• Platform access data (user, credentials);
• billing data and data necessary for payment management (without access to full bank card details, which are processed directly by payment service providers);
• professional and business data;
• communications with Trivity;
• technical and usage data (logs, IP addresses, device, browser).

Data processed as processor (on behalf of the Provider)

• identification and contact data of end users;
• booking data (activity, date, participants);
• operational data necessary for the proper provision of the activity.

5. FIELDS AND QUESTIONS CONFIGURED BY PROVIDERS

During the booking process, Providers may configure additional questions or custom fields to collect information from end users (for example, identification data, operational requirements, logistical or safety information).

Trivity does not decide or control the content, purpose or legal basis of such questions.

The Provider is solely responsible for determining what data it requests and why.

Trivity acts only as a technology infrastructure provider, processing such data on behalf of the Provider.

The Provider is responsible for:

• ensuring that the requested data is adequate, relevant and limited;
• having a valid legal basis;
• obtaining, where required, the end user's consent;
• properly informing users in accordance with the GDPR.

Trivity does not mediate, control, assess or validate the type of data collected or processed by the Provider, nor the proportionality or lawfulness of such configurations. Therefore, Trivity is not responsible for such processing, but only for the technology service contracted by the Provider or the license to use the software provided.

In particular, Trivity does not request or encourage the collection of special categories of personal data under Article 9 of the GDPR, and the Provider is solely responsible for ensuring the lawfulness, necessity and proportionality of any data of that nature that it decides to collect.

To the extent permitted by applicable law, Trivity shall not be liable for determining the content, lawfulness, proportionality or legal basis of the data collected through such custom fields, nor for compliance with privacy or data protection regulations, which correspond exclusively to the Provider.

6. PURPOSES AND LEGAL BASES OF PROCESSING

When acting as controller, Trivity processes personal data for the following purposes and legal bases:

• Performance of a contract: account management, access to the Platform and provision of the Services.
• Compliance with legal obligations: tax, accounting, regulatory and fraud-prevention obligations.
• Legitimate interest: Platform security, prevention of misuse, technical improvement and service quality.
• Consent: sending commercial communications where required under applicable regulations.

When Trivity acts as technology processor, the legal basis for processing corresponds to the Provider as data controller. The license to use Trivity's software enables the performance of commercial agreements between professionals in the local tourism ecosystem, accommodations, agents or tourism operators in a single web environment.

When processing is based on consent, consent may be withdrawn at any time as explained in the section on exercising rights, without affecting the lawfulness of processing based on consent prior to its withdrawal.

7. RECIPIENTS AND SERVICE PROVIDERS

Trivity does not sell or otherwise commercialize your data to third parties.

Personal data may be disclosed when strictly necessary for compliance with our legal and/or contractual obligations, and within the same purposes stated above, to:

• technology providers (cloud infrastructure, email, support);
• payment service providers;
• public authorities where there is a legal obligation.

Trivity does not sell or transfer personal data to third parties for commercial purposes unrelated to the Platform.

In the context of a booking, the necessary data may be accessible to the activity Provider and, where applicable, to the Agent who channeled the booking, in accordance with the Legal Terms.

8. INTERNATIONAL DATA TRANSFERS

If the provision of Trivity's technology services requires the flow of personal data to recipients located in countries outside the European Economic Area (EEA), the entity undertakes to ensure a level of protection equivalent to that in Europe.

Such international transfers will be carried out strictly under the safeguards and protection mechanisms established in Regulation (EU) 2016/679 (GDPR). This preferably includes:

• The adoption of Standard Contractual Clauses (SCCs) approved by the European Commission.
• The provision of services in countries covered by an Adequacy Decision of the Commission.
• Any other legal instrument that guarantees the integrity and confidentiality of users' personal information.

9. DATA RETENTION

Personal data will be processed and retained:

• while there is a contractual relationship or use of the Platform;
• until you request cancellation;
• during the periods required by applicable regulations;
• subsequently, duly blocked or anonymized where appropriate.

The specific retention criteria are determined according to the type of data, the purpose of processing and the applicable legal obligations.

10. RIGHTS OF DATA SUBJECTS

The holders of personal data processed by Trivity have, in accordance with current regulations, the right to exercise the following rights:

• Access: to know what personal data is being processed.
• Rectification: to request correction of inaccurate or incomplete information.
• Erasure ("Right to be Forgotten"): to request deletion of their data when it is no longer necessary for the purposes for which it was collected.
• Objection: to object to the processing of their data on grounds relating to their particular situation.
• Restriction of Processing: to request temporary suspension of the use of their personal data.
• Portability: to receive their data in a structured, commonly used format in order to transmit it to another controller.

Request Management Channel

To exercise these rights, the data subject must send a written communication to admin@trivityapp.com. To ensure data security, Trivity may request proof of the applicant's identity (such as a copy of an ID document or equivalent document) if there are reasonable doubts about it.

Trivity as Data Processor

Given the technological nature of the platform, when Trivity acts strictly as data processor on behalf of a third party (for example, a Provider, agent or tourism operator), requests received will be forwarded to the corresponding data controller for resolution, unless the law requires otherwise.

Supervisory Authority

If the data subject considers that their rights have not been properly addressed, they may lodge a complaint with the Spanish Data Protection Agency (AEPD) through its website: www.aepd.es.

11. DATA SECURITY

Trivity will process personal data with the utmost confidentiality and will maintain professional secrecy with respect to such data, undertaking not to disclose it to unauthorized third parties without the corresponding consent, not even for storage purposes. This obligation will remain in force even after the commercial relationship with you has ended.

Trivity will adopt the technical, organizational and security measures necessary to protect the personal data processed and to prevent its alteration, loss or unauthorized processing, taking into account the state of the art, implementation costs, the nature of the stored data, the scope, context and purposes of processing, and the risks of varying likelihood and severity that the processing may entail for the rights and freedoms of natural persons.

12. CHANGES TO THE PRIVACY POLICY

Trivity may update this Privacy Policy to adapt it to legal, technical or operational changes. Relevant changes will be communicated through the usual channels.

The version in force will always be the one published on the Platform, indicating the date of the latest update.

13. CONTACT

For any matter relating to this Privacy Policy or the processing of personal data, you can contact: admin@trivityapp.com.