In accordance with the provisions of Regulation (EU) 2016/679, the General Data Protection Regulation ("GDPR"), and Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights ("LOPDGDD"), this Privacy Policy informs users and customers (hereinafter, the "Data Subject") of the conditions under which their personal data is processed by SOMOS MANDALA GROUP, S.L. (hereinafter, the "Company").
1. Identification of the Data Controller
**Owner:** SOMOS MANDALA GROUP, S.L.
**Registered office:** Calle Villalar 4, Esc. Dcha. Planta 1 Ext., 28001, Madrid
**Tax ID (N.I.F.):** B-75761635
**Contact email address:** reservations@mandalaticket.com
2. Processing Activities
### Reservations Management
**Source:** From the Data Subject themselves through the website, the reservation platform, the Company´s communication channels, or authorised third-party collaborators.
**Legal basis:** Performance of the contractual relationship and the implementation of pre-contractual measures at the Data Subject´s request (Art. 6(1)(b) GDPR).
**Purposes of processing:** To manage reservation requests and confirmations, table arrangements, zone allocation, modifications, and the provision of the services requested by the Data Subject.
**Categories of data:** First name, surname(s), email address, telephone number, reservation details, and any other data provided by the Data Subject.
**Recipients:** Reservation platforms, technology providers, and third-party service providers necessary for the management of reservations and events.
**Retention periods:** The data will be retained for as long as the contractual or commercial relationship subsists and, subsequently, for the periods legally required to address any potential legal or contractual liabilities.
### Management of Access, Consumption, Payments, and Services
**Source:** From the Data Subject themselves and from the management and payment systems used by the Company.
**Legal basis:** Performance of the contractual relationship (Art. 6(1)(b) GDPR) and compliance with the legal obligations applicable to the Company (Art. 6(1)(c) GDPR).
**Purposes of processing:** To manage access to the premises, consumption, payments, invoicing, contracted services, operational control, and the general functioning of the Company´s activity.
**Categories of data:** Identification data, contact data, payment information, consumption, invoicing, and means of payment.
**Recipients:** Financial institutions, payment gateways, technology providers, crypto-asset service providers, and accounting or tax advisers where necessary.
**Retention periods:** The data will be retained for the periods legally required in tax, accounting, and contractual matters.
### Management of Enquiries and Requests for Information
**Source:** From the Data Subject themselves via forms, email, telephone, or any contact channel made available by the Company.
**Legal basis:** Implementation of pre-contractual measures at the Data Subject´s request (Art. 6(1)(b) GDPR) and the Data Subject´s consent where necessary (Art. 6(1)(a) GDPR).
**Purposes of processing:** To handle requests for information, enquiries, communications, or requests submitted by the Data Subject.
**Categories of data:** First name, surname(s), email address, telephone number, and any personal data that the Data Subject includes in the request or communication.
**Recipients:** No disclosure of data to third parties is envisaged, except where there is a legal obligation or where it is necessary in order to address the request made.
**Retention periods:** The data will be retained for as long as necessary to handle the request and, subsequently, for the legally applicable periods.
### Management of Cancellations, Refunds, and Incidents
**Source:** From the Data Subject themselves and from the platforms or management systems used by the Company.
**Legal basis:** Performance of the contractual relationship (Art. 6(1)(b) GDPR) and compliance with applicable legal obligations (Art. 6(1)(c) GDPR).
**Purposes of processing:** To manage cancellations, refunds, incidents, complaints, and requests relating to reservations, payments, access, or events organised by the Company.
**Categories of data:** Identification data, reservation information, payments, incidents, and communications held with the Data Subject.
**Recipients:** Payment platforms, financial institutions, technology providers, and third parties involved in the management of the relevant incident or refund.
**Retention periods:** The data will be retained for as long as any legal or contractual liabilities relating to the incident managed may arise.
### Identity Verification and Fraud Prevention
**Source:** From the Data Subject themselves, from financial institutions, payment platforms, and control systems used by the Company.
**Legal basis:** Compliance with applicable legal obligations (Art. 6(1)(c) GDPR).
**Purposes of processing:** To verify the Data Subject´s identity, validate means of payment, and prevent fraud, chargebacks, improper access, or unlawful activities.
**Categories of data:** Identification data, identity documents, payment information, access logs, and technical data associated with transactions carried out.
**Recipients:** Financial institutions, anti-fraud providers, payment platforms, crypto-asset service providers, and competent authorities and bodies where legally necessary.
**Retention periods:** The data will be retained for the periods necessary to prevent legal liabilities and to address potential complaints or investigations.
### Sending of Commercial Communications
**Source:** From the Data Subject themselves.
**Legal basis:** The Data Subject´s consent (Art. 6(1)(a) GDPR).
**Purposes of processing:** To send commercial information about events, activities, promotions, products, or services relating to the Company´s activity.
**Categories of data:** First name, surname(s), email address, and telephone number.
**Recipients:** Communication-dispatch platforms and technology providers related to commercial campaigns.
**Retention periods:** The data will be processed until the Data Subject withdraws their consent or exercises their right to object.
### Security and Access Control at Premises and Events
**Source:** From the Data Subject themselves and from video surveillance or access control systems installed by the Company.
**Legal basis:** The Company´s legitimate interest in ensuring the security of persons, facilities, and events (Art. 6(1)(f) GDPR), as well as compliance with applicable legal obligations regarding security and public entertainment events (Art. 6(1)(c) GDPR).
**Purposes of processing:** To manage security, access control, incident prevention, and the protection of persons, facilities, and the Company´s assets.
**Categories of data:** Identification data, access logs, and images captured by video surveillance systems.
**Recipients:** Law enforcement agencies, competent authorities, and private security providers where necessary.
**Retention periods:** The data will be retained for the periods legally prescribed and in accordance with the regulations applicable to video surveillance and security.
3. International Transfers
The Company may use technology service providers, reservation platforms, payment gateways, or crypto-asset service providers located both within and outside the European Economic Area.
Where international transfers of personal data take place, these will be carried out with the appropriate safeguards required by the applicable regulations, including, where necessary, the signing of Standard Contractual Clauses approved by the European Commission or other legally valid mechanisms.
4. Data Subject´s Responsibility
The Data Subject warrants that the data provided is true, accurate, complete, and up to date, and is liable for any damage or loss that may arise from the communication of incorrect or inaccurate information.
Where the Data Subject provides third-party data, they warrant that they have previously informed those third parties and that they hold, where applicable, the necessary authority to communicate their data to the Company.
5. Exercise of Rights
The Data Subject may exercise their rights of access, rectification, erasure, objection, restriction of processing, portability, and any other rights recognised by the applicable regulations by means of a communication addressed to the Company through the email address indicated in this Policy, duly evidencing their identity.
Likewise, the Data Subject shall have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) if they consider that their rights have been infringed.
6. Security Measures
The Company will adopt reasonable and appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of the personal data processed and to prevent its alteration, loss, or unauthorised processing or access.
7. Amendments to the Privacy Policy
The Company may amend this Privacy Policy where necessary for legal, regulatory, technical, or operational reasons.
The version in force shall be the one published and accessible on the Companys website, platform, or official channels at any given time, and the Data Subject is therefore advised to review it periodically.