Café De La Mar

Privacy policy

We take the protection of your personal data seriously. This page explains what we collect, why, how long we keep it and what rights you have.

Reservations

When you make a reservation we store your name, email, optional phone and the reservation details (date, time, party size, area). Purpose: handling and confirming your table. Legal basis: Art. 6(1)(b) GDPR (contract).

Retention: name, email and reservation date are kept for 3 years (commercial record-keeping). Phone, dietary notes, occasion and internal notes are automatically deleted 30 days after your visit.

Dietary notes (Art. 9 GDPR)

Information about allergies, intolerances or religious dietary rules may constitute special-category data under Art. 9(1) GDPR. Providing it is voluntary; the legal basis is your explicit consent under Art. 9(2)(a) GDPR, which you grant when submitting the form. You can withdraw consent at any time; these entries are automatically deleted within 30 days of your visit.

E-Mail

Once activated, transactional emails are delivered via Resend.com (Resend, Inc., USA) under EU Standard Contractual Clauses and a signed data processing agreement. Until this function is enabled, you will receive confirmations exclusively via WhatsApp/SMS directly from the restaurant.

Analytics

We use Plausible Analytics (Plausible Insights OÜ, Estonia). It does not set cookies, does not store personal data, and does not transfer data to third countries outside the EU.

Hosting & database

This site is served via Vercel Inc. (USA); static content is delivered worldwide via the Vercel Edge Network and dynamic requests are processed primarily in EU regions. Reservation and order data is stored in a managed PostgreSQL database provided by Neon (Neon, Inc., USA), currently in AWS region us-east-1 (Virginia, USA). Transfers to the USA are covered by EU Standard Contractual Clauses (Modules 2 / 3) and the respective data processing agreements with Vercel and Neon. Migration of the database to the EU region (Frankfurt, eu-central-1) is planned.

Subprocessors

  • Vercel Inc.: hosting & edge delivery (US, SCCs, DPA)
  • Neon, Inc.: database (US, SCCs, DPA)
  • Resend, Inc.: email delivery, once activated (US, SCCs, DPA)
  • Meta Platforms Ireland Ltd.: WhatsApp confirmations, once activated (IE/US, SCCs, DPA)
  • Plausible Insights OÜ: Analytics (EE), cookieless, no personal data

Your rights

You have the right to access, rectification, erasure, restriction of processing, portability and objection. You can request erasure via the automated endpoint /api/gdpr/delete or by contacting us by phone or WhatsApp at +34 602 13 68 96. You may also file a complaint with the Spanish data protection authority AEPD (aepd.es).