1. Data controller

• Controller: Alexander Lengyel (sole trader / self-employed)
• Trade name: LastMinuteAdventure
• Tax ID (NIF/NIE): Z4021977-H · VAT: ESZ4021977H
• Address: Calle Vía Mare 12, 35510 Tías (Puerto del Carmen), Lanzarote, Las Palmas, Spain
• Privacy contact: hello@lastminute-adventure.com (subject: “PRIVACY”)
• DPO: Not designated — not required by processing volume (Art. 37 GDPR). Privacy matters are handled internally; contact: hello@lastminute-adventure.com.

2. Data processed and purposes

End users: email, name, optional phone, language, approximate country, booking history. Payment data is handled directly by Stripe — LMA only stores the transaction ID. Base: contract performance (Art. 6(1)(b)). Retention: 5 years (tax law).

Adventure Passport subscribers: email, name, country, Stripe Customer/Subscription ID and billing history, to manage the subscription. Retention: 5 years.

WhatsApp Business: if you contact us via WhatsApp, we process your number and message content to reply. This channel runs through Meta (WhatsApp Cloud API) — see sections 3 and 8.

Operators / restaurants (B2B): business name, tax ID, address, contact, IBAN, licence. Retention: 6 years after end of relationship.

Visitors: anonymous, aggregated cookieless analytics (no cookies, no IP stored, no fingerprinting, no individual profiling). No consent banner is shown.

3. Recipients and processors

• Publishing operator / restaurant (activity delivery).
• Stripe Payments Europe (Ireland) — payments. DPA + SCCs.
• Supabase (EU, Frankfurt) — database & storage. DPA.
• Vercel (web hosting, EU region — Paris). DPA.
• Meta Platforms Ireland Ltd. (WhatsApp Business) — messaging; number, message content and aggregated metrics. DPA + SCCs (transfer to Meta US — see section 8).
• Transactional email provider (EU).
• Spanish Tax Authorities — legal obligation.

LMA does not sell data or share it for third-party commercial purposes.

4. Retention

• Booking & subscription data: 5 years (tax obligation).
• Operator data: 6 years after end of relationship.
• Security logs: max 12 months.
• Aggregated analytics: indefinite (anonymous after aggregation).

5. Your rights

Access, rectification, erasure, objection, restriction, portability and withdrawal of consent. Write to hello@lastminute-adventure.com. Response within 30 calendar days (extendable +60 in complex cases). To erase your data see also the Data Deletion page. You may complain directly to the Spanish DPA — AEPD (aepd.es).

6. Security

TLS 1.3 in transit, AES-256 at rest, passwordless auth, Row Level Security, daily encrypted backups (30-day retention), breach notification < 72h.

7. Minors

Services are not directed at children under 14.

8. International transfers

Infrastructure generally stays within the EEA (Supabase Frankfurt, Stripe Ireland, Vercel EU). The only transfer outside the EEA is WhatsApp Business messaging via Meta (US servers), covered by EU Standard Contractual Clauses (SCCs) and limited to your number, message content and aggregated metrics. See the WhatsApp/Meta Privacy Policy.

9. Changes

Material changes notified by email to registered users.