Home Car Types Airport Local Story Quick Guide

Palma Aquarium Catedral-Basilica de Santa Maria Cuevas del Drach Castillo de Bellver

Privacy Policy

How CarPalma collects, uses, and protects your personal data in accordance with Spanish and EU law.

1. Introduction and Scope

CarPalma ("we", "us", "our") is a car rental service operating in Palma de Mallorca, Spain. This Privacy Policy explains how we collect, process, store, and protect your personal data when you use our website at carpalma.com, make a booking, or interact with our customer support team.

This policy applies to all individuals who visit our website, submit an enquiry, reserve a vehicle, or communicate with us by email, telephone, or any other channel. It covers all services provided by CarPalma, including our no-deposit vehicle hire, airport pickup at Palma de Mallorca Airport (PMI), hotel delivery across the city, and long-term rental arrangements.

We are committed to complying fully with the General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 - as implemented under Spanish law through Ley Organica 3/2018 de Proteccion de Datos Personales y garantia de los derechos digitales (LOPDGDD). This document constitutes our legally required privacy notice under Article 13 and Article 14 of the GDPR.

2. Data Controller

The data controller responsible for your personal information is:

Business name: CarPalma
Address: Palma de Mallorca, Spain
Email: info@carpalma.com
Phone: +34 684 757 493

If you have any questions about how your data is handled, or if you wish to exercise any of your rights under applicable data protection law, please contact us directly using the details above.

3. Information We Collect

We collect only the personal data that is necessary to provide our car rental services and to maintain the security and quality of those services. The categories of information we may collect include:

3.1 Identity and Contact Details

When you make a booking or contact us, we collect your full name, email address, telephone number, home or billing address, nationality, and date of birth where required for insurance or age verification purposes.

3.2 Driver Licence and Travel Documents

To comply with insurance regulations and Spanish traffic law, we collect your driving licence number, issuing country, and expiry date. For non-EU licence holders we may also request a copy of your passport or national identity document. These are collected at the point of vehicle handover and are not stored beyond the legally required retention period.

3.3 Booking and Rental Data

We record details of your vehicle reservation including rental dates, pickup and return locations in Palma de Mallorca, vehicle category, optional extras selected (such as child seats, GPS navigation, or additional driver cover), and any special requests submitted at the time of booking.

3.4 Payment Information

CarPalma does not store or process card payment data directly. All financial transactions are handled by our PCI-DSS-compliant third-party payment processors. We receive only a confirmation reference and, where applicable, the last four digits of the card used for audit and dispute resolution purposes. Our no-deposit booking model means we do not place pre-authorisation holds on your card at the time of reservation.

3.5 Browsing and Technical Data

When you visit carpalma.com we automatically collect certain technical information including your IP address, browser type and version, device type, operating system, referring URLs, pages viewed, and session duration. This data is used in aggregated, anonymised form to improve our website performance and user experience.

3.6 Location Data

If you use our website on a mobile device and grant location permissions, we may use approximate geolocation data to display relevant pickup points near your current position in Palma de Mallorca. We do not track your precise location during the rental period through our website.

3.7 Communications Data

We retain records of written communications you send to us by email or via our contact form, including the content of those messages and any attachments. Telephone calls to our support line at +34 684 757 493 may be recorded for training and quality assurance purposes, and you will be notified before any recording takes place.

4. How We Use Your Personal Data

We process your personal data on the basis of one or more of the following lawful grounds as set out in Article 6 of the GDPR:

4.1 Performance of a Contract (Article 6(1)(b))

The primary purpose for which we process your data is to fulfil your car rental booking. This includes confirming your reservation, arranging vehicle handover at our Palma de Mallorca Airport collection point or at your designated hotel address, processing any modifications or cancellations you request, and handling incidents such as vehicle damage or roadside assistance claims.

4.2 Legal Obligation (Article 6(1)(c))

Spanish traffic regulations and insurance law require us to verify driver identity and maintain certain rental records. We also retain financial records to comply with Spanish fiscal obligations under Ley General Tributaria.

4.3 Legitimate Interests (Article 6(1)(f))

We process technical browsing data to maintain the security and functionality of our website, detect fraud, and improve the booking journey for future customers. We may also contact previous customers with a direct service-related message where we have a legitimate interest in doing so and it does not override your rights and interests.

4.4 Consent (Article 6(1)(a))

Where you have opted in to receive marketing communications - including promotional offers, seasonal discounts on vehicle hire in Palma de Mallorca, or newsletter updates - we process your email address for that purpose on the basis of your freely given consent. You may withdraw this consent at any time by clicking the unsubscribe link in any marketing email or by contacting us at info@carpalma.com.

5. Data Sharing with Third Parties

We do not sell your personal data to any third party. We share your information only in the following limited and controlled circumstances:

5.1 Payment Processors

Your payment details are processed securely by our authorised payment gateway partners who operate independently under their own PCI-DSS compliance programmes and privacy policies.

5.2 Insurance Providers

We share relevant driver and booking data with our insurance partners to cover vehicles rented through CarPalma. This includes your name, driving licence details, and rental dates as required to validate coverage.

5.3 Booking and Technology Integrators

Our online booking platform and reservation management systems are provided by third-party technology partners. These partners act as data processors on our behalf under written data processing agreements that comply with Article 28 of the GDPR.

5.4 Legal and Regulatory Authorities

We may disclose personal data to Spanish law enforcement, courts, the Agencia Espanola de Proteccion de Datos (AEPD), or other competent authorities where we are legally required to do so, or where disclosure is necessary to protect our legal rights or prevent imminent harm.

5.5 International Transfers

Where any of our service providers are located outside the European Economic Area, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, before any transfer of personal data takes place.

6. Data Retention

We retain your personal data only for as long as is necessary for the purposes for which it was collected, unless a longer retention period is required by Spanish or EU law. Our standard retention periods are:

Booking and rental records: 5 years from the end of the rental period, in line with Spanish civil and fiscal obligations.
Financial transaction records: 6 years from the date of the transaction, as required under Spanish tax regulations.
Identity and driving licence copies: Deleted within 30 days of the rental end date unless an active insurance claim or legal dispute requires retention.
Marketing communications data: Retained until you withdraw consent or request erasure, whichever is earlier.
Technical and browsing logs: Retained in anonymised form for up to 13 months for analytics purposes.
Customer support correspondence: Retained for 2 years from the date of the last communication unless related to an ongoing claim.

7. Your Rights Under GDPR

As a data subject under the GDPR and Spanish data protection law, you have the following rights with respect to your personal information. You may exercise any of these rights free of charge by contacting us at info@carpalma.com:

7.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you and to receive information about how it is being processed.

7.2 Right to Rectification (Article 16)

If any personal data we hold about you is inaccurate or incomplete, you have the right to request that it be corrected without undue delay.

7.3 Right to Erasure (Article 17)

You may request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, or where you object to processing and there are no overriding legitimate grounds. This right is subject to our legal retention obligations described in Section 6.

7.4 Right to Data Portability (Article 20)

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

7.5 Right to Object (Article 21)

You have the right to object at any time to the processing of your personal data for direct marketing purposes, or where processing is based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

7.6 Right to Restriction of Processing (Article 18)

In certain circumstances you may request that we restrict the processing of your personal data, for example while you contest its accuracy or while an objection is being considered.

7.7 Right to Lodge a Complaint

If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority in Spain: the Agencia Espanola de Proteccion de Datos (AEPD), Calle Jorge Juan 6, 28001 Madrid. Further information is available at www.aepd.es.

We will respond to all valid requests within one calendar month. In exceptional cases involving complex or numerous requests, we may extend this period by a further two months and will notify you accordingly.

8. Data Security

CarPalma implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. These measures include:

TLS/SSL encryption for all data transmitted via our website and booking systems.
Access controls restricting internal access to personal data on a strict need-to-know basis.
Regular security assessments and vulnerability testing of our web infrastructure.
Secure disposal procedures for physical documents containing personal data.
Staff training on data protection obligations and secure data handling practices.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay.

9. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to ensure the correct functioning of the booking platform, to analyse traffic patterns, and where you have given consent, to serve relevant advertising. Full details of the cookies we use, their purpose, and how to manage your preferences are set out in our Cookie Use policy.

10. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, applicable law, or data processing practices. The current version will always be published at carpalma.com/privacy_policy with the effective date indicated below. Where changes are material, we will notify active customers by email. We encourage you to review this policy periodically.

Continued use of our website or services following the publication of an updated policy constitutes your acknowledgement of the changes.

Effective date: 1 January 2025

11. Contact Us About Privacy

If you have any questions, concerns, or requests relating to this Privacy Policy or to the personal data CarPalma holds about you, please contact our team using the details below. We aim to respond to all privacy-related enquiries within 10 business days.

Email: info@carpalma.com
Telephone: +34 684 757 493
Address: Palma de Mallorca, Spain
Contact form: carpalma.com/get_in_touch