Privacy Policy

Controller
Malagaikikai
Email: malagaaikikai@gmail.com
(“we”, “us”)

Legal Representative: Juan Pablo González
Data Protection Contact: malagaaikikai@gmail.com
(A formal Data Protection Officer is not appointed.)

Scope
This policy explains how we process personal data when you visit our website [malagaaikikai.com], contact us, book a trial class, or join classes (adults and kids from 6 years).


1) Purposes, Legal Bases, Data Categories

1.1 Website visit (server logs)

  • Data: IP address, date/time, URL, referrer, user agent, status code.

  • Purpose: Provide the website, security (e.g., attack prevention).

  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

  • Retention: Typically 7–30 days.

1.2 Contact (form/email/phone)

  • Data: Name, contact details, message, preferred date/time.

  • Purpose: Handle enquiries, schedule trial classes.

  • Legal basis: Art. 6(1)(b) GDPR (pre-contractual), Art. 6(1)(f) GDPR (communication); optional info via Art. 6(1)(a) GDPR (consent).

1.3 Trial class & class registration (Adults & Kids)

  • Adults data: Name, contact, level, optional health notes.

  • Kids data: Child’s name and birth date/year, parent/guardian name & contact, optional medical/allergy notes, emergency contact.

  • Purpose: Class organisation, participant management, safety on the mat, billing.

  • Legal basis: Art. 6(1)(b) GDPR (contract/participation), Art. 6(1)(c) GDPR (legal/tax duties), Art. 6(1)(f) GDPR (organisation), and Art. 6(1)(a) GDPR (consent for optional info).

  • Minors: For children under 14 (Spain) we collect data only with parental consent (Art. 8 GDPR and Spanish LOPDGDD).

1.4 Newsletter

  • Data: Email, name (optional).

  • Purpose: Updates on classes, schedules, events.

  • Legal basis: Art. 6(1)(a) GDPR (consent; double opt-in).

  • Opt-out: Anytime with future effect.

1.5 Photos & videos (events/training)

  • Data: Image/video of participants/groups.

  • Purpose: Dojo documentation; website/social media (only if agreed).

  • Legal basis: Art. 6(1)(a) GDPR (consent). For minors, parental consent is required. Consent can be withdrawn at any time; we remove published media where reasonably possible.

1.6 Payments / invoicing

  • Data: Billing and payment data, provider transaction IDs.

  • Purpose: Accounting and statutory retention.

  • Legal basis: Art. 6(1)(b) and 6(1)(c) GDPR.

  • Retention: Typically 6–10 years (tax law).

1.7 Cookies & analytics (optional)

  • Legal basis: Consent for non-essential cookies; essential cookies under Art. 6(1)(f) GDPR.

  • Control: Manage choices via the cookie banner/settings.


2) Cookies

We use essential cookies for site functionality. Optional cookies (analytics/marketing) are set only with your consent. Details appear in the cookie settings on our site.


3) Recipients & Processors

  • Hosting/IT: Ionos, Spain for website, email and security.

  • Payment service: sevdesk.

  • Storage/Cloud: Ionos.

All processors operate under Art. 28 GDPR data processing agreements.

International transfers: Only where necessary and with safeguards under Art. 44 ff. GDPR (e.g., EU Standard Contractual Clauses), plus risk-mitigation (encryption, minimisation).


4) Retention

We store data only as long as needed for the purposes above, then delete or anonymise it unless legal duties require longer retention.

  • Enquiries: usually 6–12 months after completion.

  • Contract/billing: 6–10 years (tax/accounting).

  • Consent records: stored until withdrawal + limitation periods.


5) Your Rights (Arts. 12–22 GDPR)

You have the rights of access, rectification, erasure, restriction of processing, and data portability, and the right to object to processing based on legitimate interests. You may withdraw consent at any time with future effect.

To exercise rights, contact: malagaaikikai@gmail.com. We respond within one month.

Supervisory authority (Spain):
Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan, 6, 28001 Madrid — aepd.es.
You may lodge a complaint with any EU authority, especially where you live or work.


6) Necessity of data

Certain details are required for trial/class organisation and billing (e.g., contact, identification). Optional medical info helps us adapt training safely, but is not mandatory.


7) Minors

For children under 14, we process personal data only with verified parental/guardian consent. We may request proof of consent.


8) Security

We apply technical and organisational measures: TLS encryption, access controls, backups, logging, need-to-know access, and staff guidance to protect data from loss or misuse.


9) Social media & embeds (optional)

If we link or embed third-party content (e.g., Instagram/YouTube), we do so in a data-minimising way (e.g., two-click). Legal bases: consent (embeds) or legitimate interest (communication).


10) Updates

We may update this policy if services or laws change.
Effective date: [add date]


Practical checklist (keep internally)

  • Cookie banner with consent log (if using non-essential cookies).

  • Separate parental consent for kids (<14), plus media consent (photos/videos).

  • Processor agreements (host, newsletter, analytics).

  • Clear Imprint/Contact, TLS/HTTPS enabled.