Last updated: 28 December 2025

This Privacy Policy explains how Tossa Cycling SL (“Tossa Cycling”, “we”, “us”)
processes personal data when you use our website, create an account, book services, register for events,
make purchases, or contact us.

1) Who is responsible for your data (Controller)

Controller: Tossa Cycling SL
Tax ID: B67652990
Address: Av Costa Brava 34, 17320 Tossa de Mar, Spain
Email (privacy): privacy@tossacycling.com
Phone: +34 673690458

2) What data we collect

Depending on how you use the website, we may process:

• Identity & contact data: name, email, phone, address.
• Account data: account details and login-related information (including social login identifiers if you choose that method).
• Orders / bookings / registrations: items purchased, booking dates, event registration details, communications related to the service.
• Payment status data: payment confirmations and transaction references (we do not store full card numbers on our servers).
• Form submissions: information you send via contact/booking/registration forms, and any files you upload if applicable.
• Technical data: IP address, device/browser information, logs (security and troubleshooting).
• Cookie/analytics data (optional): only if you accept non-essential cookies.

3) Why we use your data and our legal basis

We process data for the following purposes and bases (GDPR):

1. To provide our services and fulfil purchases/bookings/registrations
   Legal basis: Contract (to deliver what you requested).
2. To communicate with you about your booking/order (support, changes, cancellations, operational messages)
   Legal basis: Contract and/or Legitimate interests (customer support).
3. To process payments and prevent fraud/abuse
   Legal basis: Contract and Legitimate interests (security/fraud prevention).
4. To comply with legal obligations (invoicing, accounting, tax)
   Legal basis: Legal obligation.
5. To secure and maintain the website (logs, backups, incident prevention)
   Legal basis: Legitimate interests (IT/security and service continuity).
6. Analytics and non-essential cookies (website measurement and improvement)
   Legal basis: Consent (you can refuse or withdraw at any time via cookie settings).

4) Cookies and consent controls

We use a consent tool (CookieYes) to manage cookie categories and record your preferences.
You can change or withdraw your consent at any time using the cookie settings available on the site.
(Details of cookie names, providers, and durations should appear in a separate Cookie Policy
aligned with your consent tool configuration.)

5) Who we share data with (recipients / processors)

We do not sell your personal data.

We share data only as needed with:

• Hosting and IT providers (website hosting, backups, security, maintenance).
• Payment provider: Stripe (when you choose Stripe or Stripe-powered payment methods).
• Analytics provider (only if you consent): Google Analytics (Google).
• Cookie consent provider: CookieYes (to store consent choices).
• Operational providers where necessary (e.g., email delivery for transactional messages, accounting support, professional advisors), strictly for the purposes above.

We may also disclose information if required by law or to protect our legal rights.

6) International transfers

Some providers (notably Google and Stripe) may process data outside the European Economic Area
depending on configuration and service use. Where international transfers occur, we rely on appropriate transfer
mechanisms/safeguards recognised under GDPR (e.g., adequacy decisions and/or Standard Contractual Clauses,
depending on the provider and context).

7) How long we keep your data (retention)

We keep personal data only as long as necessary for the purposes above, and longer where required by law.

Typical retention criteria:

• Invoices/accounting records: generally retained according to Spanish business record-keeping rules (commonly 6 years for business documentation).
• Tax-related records: limitation periods commonly 4 years for certain tax matters.
• Bookings/event registrations and related communications: retained as needed for service delivery and support, and for handling claims (then deleted/anonymised when no longer needed unless legal retention applies).
• Security logs: kept for a limited period for security and troubleshooting.

8) Your rights

You have the right to:

• access your data,
• correct it,
• request deletion,
• restrict or object to processing,
• data portability (in certain cases),
• withdraw consent at any time (where processing is based on consent),
• lodge a complaint with a supervisory authority (in Spain, the AEPD).

To exercise your rights, email privacy@tossacycling.com.
We may request information to verify your identity. We respond without undue delay and generally within
one month (extendable in specific cases allowed by law).

9) Automated decisions

We do not make automated decisions (including profiling) that produce legal or similarly significant effects about you.
If this changes, we will update this policy and provide the required information.

10) Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date shows when it was most recently revised.