Privacy Policy
Effective date: May 27, 2026
This Privacy Policy explains how OSCO HOUSE S.L. ("OSCO", "we", "us") collects, uses, shares and protects personal data when you visit oscohouse.com, when you contact us, and when you book or stay in an OSCO House property. We are committed to the principles of Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and to Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD").
1. Who we are
The data controller is:
OSCO HOUSE S.L. (ESB12345678)
Registered office: Barcelona, Spain
Email for privacy matters: privacy@oscohouse.com
Email for general enquiries: ops@oscohouse.com
We have not appointed a formal Data Protection Officer because we are not required to under Article 37 GDPR; the privacy@oscohouse.com mailbox is monitored by the operations lead and is the single point of contact for any data-protection question.
2. What personal data we collect
The categories of personal data we may collect depend on how you interact with us. They include:
- Identification documents. Passport (or, for EU/EEA residents, national identity card) for every adult guest, as required by Real Decreto 933/2021. This includes the document image, full name, document number, date of birth, nationality, and the fields prescribed by SES.Hospedajes.
- Contact information. Name, email address, phone number, postal address, and the contact details of any companion you add to the booking.
- Booking and payment data. Property booked, dates, price, and the metadata that Stripe returns after a payment (such as the card brand, last four digits, billing country and a transaction reference). We do not see or store full card numbers — full PAN data goes directly to Stripe.
- Smart-home access data. If you choose to enable HomeKit access during check-in, the Apple ID (an email address) that you provide so we can issue a Home invitation. This is shared only with Apple's iCloud Home service.
- Communications. Messages exchanged with us by email, in the in-app inbox, or via WhatsApp, including any attachments.
- Website usage data. IP address, browser and device type, approximate location derived from the IP, referring URL, pages visited, and time stamps. Analytics events are collected only if you opt in via the cookie banner.
- Cookies and similar technologies. See Section 9.
3. Why we collect it
- To manage your booking — quoting, confirming, modifying, billing and ending the stay, and providing support before, during and after.
- To comply with Spanish law — in particular registering travellers with the Ministry of the Interior under Real Decreto 933/2021, issuing legally required invoices, and meeting our tax-record obligations.
- To operate the property — granting smart-home access, scheduling cleaning and maintenance, and handling any incident that occurs during the stay.
- To prevent fraud and protect the property — verifying identity, screening for suspicious bookings, and resolving payment disputes.
- To improve the product — analysing aggregated usage of the website (only with your consent) so we can make it faster, clearer and more useful.
- To send transactional emails — confirmations, reminders, check-in instructions and post-stay messages.
4. Legal basis for processing
Each processing activity rests on at least one of the legal bases set out in Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)). Booking management, payment processing, the seasonal lease, and all guest communications necessary to deliver the stay you booked.
- Compliance with a legal obligation (Art. 6(1)(c)). Traveller registration under Real Decreto 933/2021, invoicing and the seven-year accounting-record duty under Spanish commercial and tax law.
- Legitimate interests (Art. 6(1)(f)). Fraud prevention, network and information security, defending legal claims, and basic non-identifying server logs. We balance these interests against your rights and freedoms; you can object at any time (see Section 7).
- Consent (Art. 6(1)(a)). Analytics cookies, optional marketing emails, and any specific consent you give us. Consent can be withdrawn at any time without affecting processing carried out before withdrawal.
5. Who we share your data with
We do not sell personal data. We share it only with the following categories of recipients, and only to the extent strictly necessary:
- Spanish authorities. The General Directorate of the Police and the Civil Guard via the SES.Hospedajes platform, as required by Real Decreto 933/2021. The Spanish Tax Agency (AEAT) when invoices or returns are requested.
- Stripe Payments Europe, Ltd. (Ireland) — payment processing. Stripe is the data controller for card-network data.
- Resend, Inc. — delivery of transactional email (booking confirmations, check-in instructions).
- Vercel Inc. — hosting of the oscohouse.com website and its serverless functions. Data is processed in EU regions.
- Apple Inc. — only the Apple ID you choose to share, and only when you opt to enable HomeKit access. Apple processes this data as an independent controller under its own privacy policy.
- OSCO operations staff and contractors. Cleaning, maintenance, and on-the-ground host teams, each bound by confidentiality and access-on-need-to-know.
- Professional advisors. Lawyers, accountants and auditors, where retained and bound by professional secrecy.
Each processor is bound by a written data-processing agreement under Article 28 GDPR.
6. How long we keep your data
- Passport / identity-document images: deleted within fourteen (14) days of the Spanish police registration acknowledgment for your stay. The minimum legal fields (name, document number, dates) are retained for the period prescribed by Real Decreto 933/2021.
- Booking, invoice and accounting records: retained for seven (7) years from the end of the relevant tax year, in line with Spanish commercial-code and tax-record obligations.
- Marketing or analytics consents: retained until you withdraw consent or for 24 months of inactivity, whichever is sooner.
- Support correspondence: retained for three (3) years for quality and dispute-resolution purposes.
- Server and security logs: retained for up to ninety (90) days.
When a retention period ends, the data is securely deleted or fully anonymised.
7. Your rights under the GDPR
Subject to the conditions set out in the GDPR, you have the right to:
- Access the personal data we hold about you and obtain a copy.
- Rectification of inaccurate or incomplete data.
- Erasure of data, where one of the grounds in Article 17 GDPR applies. Note: data we are required by law to keep (e.g. invoices) cannot be erased until that obligation ends.
- Restriction of processing in the cases listed in Article 18 GDPR.
- Data portability — receive the data you provided in a structured, machine-readable format, and have it transmitted to another controller where technically feasible.
- Object to processing based on legitimate interests, on grounds relating to your particular situation.
- Withdraw consent at any time, without affecting prior lawful processing.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently perform such automated decision-making.
To exercise any of these rights, write to privacy@oscohouse.com from the email address associated with your booking, or attach proof of identity. We will respond within thirty (30) days; we may extend by up to two further months for complex requests, in which case we will explain the reason.
8. International transfers
OSCO stores personal data in the European Union (Vercel and Resend EU regions). Where a processor (such as Stripe) processes data in or accesses it from outside the EU, the transfer is covered by Standard Contractual Clauses approved by the European Commission and, where appropriate, by supplementary safeguards (technical encryption, access controls). You may request a copy of the safeguards in place by writing to privacy@oscohouse.com.
9. Cookies and similar technologies
We use a small number of cookies and similar technologies:
- Strictly necessary cookies / local-storage entries. Required to make the site work — e.g. day/night-mode preference, language preference, the cookie-banner consent flag (
osco-cookies-consent), and the booking session. These are always on; they do not require consent under Article 22 of the Spanish LSSI. - Analytics cookies. Used only if you opt in via the cookie banner. They help us understand which pages are popular and where users drop off. You can change your mind at any time by clearing the
osco-cookies-consententry or by re-opening the banner from the footer.
We do not use advertising or cross-site-tracking cookies.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, in the law, or in the technology we use. The "Effective date" at the top tells you when the current version took effect. Material changes will be highlighted on the website and, where the change affects you and we have your email, notified by email at least fifteen (15) days before they take effect.
11. Contact and complaints
For any question or to exercise your rights, contact us at privacy@oscohouse.com.
You also have the right to lodge a complaint with the Spanish Data Protection Authority:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
aepd.es
We would, however, appreciate the chance to address your concern first — please write to us before escalating.