Privacy Policy - Málaga Mia

1. Data Controller

The data controller responsible for your personal data is:

Legal Company Name: MalagaMia.com
Registered Address: D24
Contact Email: privacy@malagamia.com

If you have questions or want to exercise your rights, contact us using the details above.

2. Who This Policy Applies To

This policy covers personal data we process about:

Visitors and users (including tourists) who browse the Website and/or create accounts to post content.
Businesses and business representatives who purchase listings, advertising, or other paid services and manage business profiles.

This policy does not cover how third-party businesses you find on our directory process your data when you interact with them directly (for example, booking a service with them). Those businesses are separate controllers for their own activities.

3. Personal Data We Collect

3.1 Data you provide (user accounts and contributions)

Account Information: name (or display name), email address, and password (stored in hashed form where applicable).
Profile Data: profile photo, location (if you choose to provide it), and preferences or settings.
User Content: reviews, ratings, photos, comments, and other information you post publicly on the Website.
Communications: messages or requests you send to us (e.g., via contact forms or email).

3.2 Data you provide (business customers)

Business and Contact Details: business name, address, phone number, website/social links, and representative contact details.
Listing Content: business description, category, images, opening hours, and any information submitted for publication.
Billing and Transaction Data: invoices, subscription status, and payment confirmation details (note: payment card details are processed by our payment provider, Stripe, and are not stored by us).

3.3 Data collected automatically

Technical Data: IP address, device identifiers, browser type, operating system, and referring URLs.
Usage Data: pages viewed, actions taken, and interaction data (e.g., clicks, session activity).
Cookies and similar technologies: as described in the Cookies section below.

4. How We Collect Data

We collect personal data when you:

create an account or update your profile;
post reviews, ratings, photos, or other content;
submit or manage a business listing;
purchase advertising or subscription services (business customers);
contact us via forms, email, or support channels;
browse the Website (through cookies and analytics tools, where applicable).

5. How We Use Personal Data

We use personal data to:

Operate and maintain the platform, including user accounts and business listings.
Publish community content (e.g., reviews, ratings, photos) you choose to submit.
Verify authenticity and prevent abuse, including spam detection and fraud prevention.
Provide customer support and respond to inquiries.
Communicate about accounts, services, policy updates, and administrative messages.
Process subscriptions and payments for business customers (where applicable).
Improve the Website using analytics and performance monitoring (where applicable).
Comply with legal obligations under Irish and EU law.

6. User Content and Public Visibility

The Website includes user-generated content features. If you post reviews, ratings, photos, or other content, that content may be publicly visible.

Public information: your username/display name and any content you post may be visible to all Website visitors.
Email address: your email address is not displayed publicly to other users or to businesses you review.
Think before you post: do not post personal data you do not want to be public (e.g., phone numbers, addresses, sensitive data).

If you want content removed, you can delete your content (where available), delete your account, or contact us. In some cases (for example, where we must keep records for legal reasons), we may retain limited information.

7. Legal Bases for Processing

Under GDPR, we rely on the following legal bases (depending on context):

Contract: where processing is necessary to provide the Website, user accounts, and paid services to business customers.
Legitimate Interests: to operate, secure, and improve the platform; prevent fraud; and maintain community integrity.
Consent: where required (for example, certain cookies or marketing communications, depending on your settings and local rules).
Legal Obligation: where we must comply with Irish/EU law (e.g., tax, accounting, lawful requests).

8. Sharing Your Information

We may share personal data with:

Service Providers: trusted partners who help run the Website (e.g., hosting, security, analytics, email delivery, payment processing).
Payment Processors: Stripe, which processes payments and manages subscription billing for business customers.
Professional Advisors: legal, accounting, or compliance advisors where necessary.
Authorities: where required by Irish or EU law, or to protect rights, safety, and security.

We do not sell personal data to third parties.

9. Cookies and Analytics

We may use cookies and similar technologies to operate the Website, remember preferences, enhance security, and understand how the Website is used.

Strictly necessary cookies: required for core functionality and security.
Analytics cookies: help us understand performance and usage (subject to consent where required).
Marketing cookies: used only if we run marketing/advertising features and where consent is required.

You can manage cookie preferences through our cookie banner or your browser settings (where available). For more information about cookies, click here.

10. Data Retention

We keep personal data only for as long as necessary for the purposes described in this policy, including:

while your user account remains active (and a reasonable period thereafter if needed for security and dispute handling);
for the duration of a business customer relationship (subscription/advertising), plus required retention for accounting/tax;
as needed to comply with legal obligations or to establish, exercise, or defend legal claims.

When data is no longer needed, we delete it or anonymize it where appropriate.

11. International Data Transfers

We may use service providers that process data outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we implement appropriate safeguards (for example, Standard Contractual Clauses and/or other lawful transfer mechanisms) to protect your data.

12. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. No system is 100% secure, but we work to maintain safeguards appropriate to the nature of the data processed.

13. Your Rights Under GDPR

Depending on the circumstances, you may have the right to:

Access your personal data and receive a copy.
Rectification of inaccurate or incomplete data.
Erasure (the “right to be forgotten”) in certain cases.
Restriction of processing in certain cases.
Data portability for data you provided to us, in a machine-readable format.
Object to processing based on legitimate interests in certain cases.
Withdraw consent where processing is based on consent (this does not affect processing already carried out).

To exercise your rights, contact us at privacy@malagamia.com and we may ask you to verify your identity.

13.1 Complaints

You also have the right to lodge a complaint with your supervisory authority. If you are in Ireland, this is the Data Protection Commission (DPC).

14. Children

The Website is not intended for individuals under 18 years of age. If you believe someone under the age of 18 has provided personal data to us, please contact us and we will take appropriate steps to remove the information where required.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be published on the Website and the “Last Updated” date will be revised.

16. Contact Us

For privacy questions, data requests, or concerns, contact:

Email: privacy@malagamia.com
Postal Address: D24