Table of Contents
- Purpose of the Privacy Policy
- Definition of personal data
- Identity of the Data Controller
- Applicable laws and regulations
- Principles applicable to the processing of personal data
- Security measures
- Purposes of processing
- Legal basis for processing
- Recipients of your data
- Data Processing Activities carried out
- Personal data of minors
- Origin and types of data processed
- Rights of data subjects
- Modification
1. Purpose of the policy
At Bravo Students SL (hereinafter, Bravo Students), we respect your privacy and protect your personal data. This policy details how we collect, use and share your information in accordance with applicable data protection regulations, including the General Data Protection Regulation (GDPR).
This privacy policy applies to the website https://www.bravostudents.com. If you do not provide us with your personal data, no processing of your information will be carried out.
We will inform you about the purposes of processing, the entities that may access your data and your rights as the data subject. Some processing activities may be based on legal obligations, contracts or legitimate interests, without requiring your express consent.
If the website uses cookies, we will clearly notify you in our Cookie Policy, where you can obtain more information about the use of cookies and how to manage your preferences.
This policy guarantees transparency and is designed so that you can know and exercise your rights with clarity.
2. Definition of personal data
Personal data: Personal data means any information relating to an identified or identifiable natural person (“Website user”). An identifiable natural person is one whose identity can be determined, directly or indirectly, by means of identifiers such as a name, an identification number, location data, an online identifier, or through elements specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
3. Identity of the data controller
Who collects and processes your data?
The Data Controller is:
Bravo Students SL — NIF/DNI B09930025
Your personal data are processed by all the entities of our Group of Controllers or Bravo Students Corporate Group, comprising, in addition to the entity detailed above, the following organisations:
| Entity | Address |
|---|---|
| Bravo Students Moncloa SL (B10664274) | Paseo de la Castellana Nº 140 planta 11. 28046, Madrid (Madrid), Spain |
| Bravo Students Murcia SL (B09758004) | Address: Paseo de la Castellana Nº 140 planta 11. 28046, Madrid (Madrid), Spain. Postal address: Av. Futbolista Antonio Ruiz Cervilla, 14. 30107, Madrid (Murcia), Spain |
| Bravo Students Salamanca SL (B67687988) | Avda de la Merced 108, 37005, Salamanca (Salamanca), Spain |
| Bravo Students Sevilla SLU (B67688036) | Paseo de la Castellana Nº 140 planta 11. 28046, Madrid (Madrid), Spain |
| Bravo Students Zaragoza, S.L (B13891577) | Address: Paseo de la Castellana Nº 140 planta 11. 28046, Madrid (Madrid), Spain. Postal address: Avenida José Atares Nº 20. 50018, Zaragoza (Zaragoza), Spain |
How can you contact us?
- Postal address and address of our offices: Paseo de la Castellana Nº 140 planta 11. 28046, Madrid (Madrid), Spain
- Registered address: Paseo de la Castellana Nº 140 planta 11. 28046, Madrid (Madrid), Spain
- Email: info@bravostudents.com
- Phone: 619425252
Who can help you with our Data Protection Policy?
At Bravo Students we have a Data Protection Officer (DPO), whose role is to ensure compliance with current data protection regulations within our entity. If you have any questions or need assistance regarding the processing of your personal data, you can contact our DPO through the following means:
- Auratech Legal — NIF B87984621
- Email: rgpd@auratechlegal.es
- Phone: 911134963
4. Applicable laws and regulations
This Privacy and Data Protection Policy is developed based on the following data protection regulations and laws:
- Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Hereinafter GDPR.
- Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights. Hereinafter LOPD/GDD.
- Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce. Hereinafter LSSICE.
5. Principles applicable to the processing of personal data
At Bravo Students we process personal data in accordance with the principles established in current regulations, ensuring that the processing is:
- Lawful, fair and transparent: We provide clear and accessible information about how data are collected and used.
- Limited to specific purposes: Data are collected for legitimate purposes and are not used for other purposes.
- Data minimisation: We only request strictly necessary data.
- Accuracy: We keep data up to date and correct any that are inaccurate.
- Storage limitation: Data are kept only for the time necessary for the purposes indicated.
- Integrity and confidentiality: We apply appropriate security measures to protect data.
- Proactive accountability: We assume responsibility for complying with and demonstrating compliance with these principles.
6. Security measures
What do we do to guarantee the privacy of your data?
At Bravo Students, we have implemented the technical and organisational measures necessary to guarantee the security of the personal data we process. These measures are designed to prevent the alteration, loss, unauthorised access or improper processing of data, adapting to the state of the art and to potential risks.
Among the measures we highlight:
- Confidentiality: Only authorised persons can access the information.
- Integrity: Information is kept accurate and protected against unauthorised modifications.
- Availability: We guarantee that data are accessible to authorised persons at all times.
- Continuous evaluation: We regularly review and improve our security measures to adapt to new threats and technological advances.
- Pseudonymisation and encryption: We apply these techniques to reinforce data protection, especially for sensitive data.
7. Purposes of processing
For what purposes do we want to process your data?
Below we detail the intended uses and purposes:
Cookies, pixel and tracking
The activity comprises several differentiated layers of processing. Firstly, the use of technical or strictly necessary cookies for the operation of the site, language management, cookie banner configuration, basic security and protection against automated traffic, including tools such as WordPress, WPML, Complianz or Google reCAPTCHA, to the extent that they are necessary to provide the service requested by the user. Secondly, the use of analytical and measurement cookies to learn how users access, navigate and interact with the site, detect errors, measure traffic, evaluate performance and improve the user experience. Thirdly, the use of marketing cookies, pixels and advertising identifiers, whether proprietary or third-party, to measure campaigns, attribute conversions, track browsing behaviour and, where appropriate, display or optimise interest-based advertising. Lastly, the site may incorporate content or functionalities from third parties, such as YouTube videos, the loading of which may involve connections with external domains and the installation of cookies or identifiers by such third parties. Non-exempt purposes may only be activated after a clear affirmative action by the user through the configuration panel or corresponding acceptance.
- Integrate and play third-party content or functionalities, such as embedded videos.
- Measure campaigns and advertising attribution.
- Obtain analytical and statistical data on browsing, use, performance and traffic of the website.
- Enable the technical and secure operation of the website.
- Protect forms and services against bots, spam or abusive access.
- Carry out advertising tracking and, where appropriate, personalisation or commercial segmentation based on browsing behaviour, where applicable.
- Remember user preferences and their consent choices.
Handling enquiries, requests for information and visits through the website
Commercial follow-up will be limited to actions reasonably connected with the enquiry or request made by the data subject, including responses, expansion of information, scheduling of visits, reminders or continuation of the commercial conversation initiated by the data subject. The sending of electronic commercial communications not related to the initial request, as well as general promotions and additional purposes, will require specific, separate and verifiable consent.
- Handle enquiries and requests received.
- Provide information about residences, availability, conditions and visits.
- Manage and document the commercial follow-up linked to the data subject’s initial request.
Management of accommodation bookings through the booking engine
Includes confirmations, modifications, cancellations, check-in, check-out, room assignment and associated services. It also includes compliance with administrative, accounting, tax and, where appropriate, traveller registration obligations. Internal statistics shall only be carried out with aggregated or pseudonymised data.
- Handle incidents and complaints.
- Comply with associated legal obligations.
- Invoice and collect payments.
- Formalise the accommodation.
- Manage the stay.
- Manage requests and bookings.
Management of communications received through the whistleblowing channel
- Create an internal communication channel to enable the delivery of information about irregular practices in order to correct them and repair any damage they may have caused.
- Inform employees and third parties about the existence of anonymous information systems regarding actions or omissions that may go against the legal system.
- Protect citizens who report on actions or omissions that violate the legal system, affect financial interests or impact the internal market.
- Adequately protect persons who report, through the organisation’s whistleblowing channel, irregularities they become aware of in their work or professional environment, thereby allowing public authorities to act and to put an end to the reported unlawful activity when it affects the general interest.
Investigation of received reports
Process the report received and decide whether to admit it, analyse it, conduct the corresponding case files and carry out the appropriate actions for that purpose.
- Creation of a procedure for managing communications received that identifies this channel, sending acknowledgement of receipt and communication to the informant of the actions or omissions carried out.
- Management of the register of communications received and of internal investigations to which they have given rise.
- Inform the person under investigation of their right to submit allegations in writing and of the processing of their personal data.
- Carry out the necessary investigations to respond to the informant.
Social Media
- Foster community interaction and engagement through the publication of relevant content and the promotion of dialogue.
- Inform followers about news, events and activities related to the organisation.
- Carry out market analysis and studies to improve the social media content strategy.
Management of Bravo Group Corporate Data
- Regulatory Compliance: Ensure compliance with applicable laws in all group companies.
For how long do we keep your data?
We use your data for the time strictly necessary to fulfil the purposes indicated above. Unless there is a legal obligation or requirement, the planned retention periods are:
Cookies, pixel and tracking. Data associated with cookies and similar technologies will be retained for the lifetime periods defined for each cookie in the cookie policy and, where appropriate, for the additional periods necessary to demonstrate consent management, handle incidents, prevent fraud, prepare aggregated statistics or defend claims. Technical or strictly necessary cookies will be retained for the time essential to provide the requested service or maintain the session. Analytical, preference, advertising and third-party cookies will have the specific duration indicated in the cookie policy and in the CMP configuration, and their need, duration and validity must be reviewed periodically. If the purposes, third parties or technologies used change, the policy must be updated and consent must be obtained again when required.
Handling enquiries, requests for information and visits through the website: For a period of 1 year from the last confirmation of interest. Data will be retained while necessary to handle the enquiry, provide the requested information and carry out the commercial follow-up directly related to it. If within 1 year from the last effective interaction no booking, contracting or new action is formalised that justifies the continuity of the processing, the data will be deleted. When necessary for the formulation, exercise or defence of claims, or to comply with applicable legal obligations, the data may be kept duly blocked during the corresponding limitation periods.
Management of accommodation bookings through the booking engine: While the commercial or contractual relationship is maintained. Data will be kept during the term of the booking, the stay and the contractual relationship. Once concluded, they will be kept blocked only for the periods required by applicable regulations to address legal, accounting, tax, administrative and contractual responsibilities. Unfinished requests must be reviewed periodically and deleted when they cease to be necessary for the pre-contractual purpose, except for legal obligation or associated claim.
Management of communications received through the whistleblowing channel: For a period of 10 years from the last confirmation of interest.
- In the event that investigation actions are not initiated, the information relating to the report will be retained in the system for a maximum period of three months. These communications will be archived anonymously in order to leave evidence of their receipt.
- If the report progresses, information relating to the reports received and to the investigation procedures will be stored in a register of actions in order to provide evidence of the functioning of the model for preventing the commission of offences. In no case shall personal data concerning such actions be stored for a period exceeding ten years.
- The data of those who make the communication, of employees and of third parties will be retained in the whistleblowing system only for the time strictly necessary to decide on the appropriateness of initiating an investigation into the reported facts. Information not relevant for the investigation of the facts or belonging to special categories of data will be immediately deleted.
- In the event that the information provided or part of it is not truthful, it will be immediately deleted from the moment such circumstance is known. In the event that such lack of truthfulness could constitute a criminal offence, it will be retained for the period necessary to exercise actions.
Investigation of received reports: All data processed and captured during the investigation phase are deleted after 3 months. If the report progresses, the maximum period may not exceed 10 years.
Social Media: Until the data subject requests its deletion. Personal data will be retained as long as they are necessary or relevant for the purpose for which they were collected or recorded. In the event of a deletion request by the data subject, the data will be blocked and reserved under the established conditions, preventing their processing except to make them available to competent authorities if necessary, for a period of three years.
Management of Bravo Group Corporate Data: For a period of 6 years from the last confirmation of interest. Labour: 4 years from the last confirmation of interest. Financial: 6 years from the last confirmation of interest. Secure deletion of data once the retention period has ended, unless there is a legal obligation to keep them for longer.
8. Legal basis for processing
Why do we process your data?
The collection and processing of your data is always legitimised by one or more legal bases, which we detail below:
Cookies, pixel and tracking
- (Art. 6.1.a GDPR) Consent of the data subject.
- (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties.
Handling enquiries, requests for information and visits through the website
- (Art. 6.1.a GDPR) Consent of the data subject, only for commercial communications not linked to the initial request or for additional purposes not necessary for handling the enquiry.
- (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract, when the enquiry has the purpose of receiving information about accommodation, availability, economic conditions, services, booking process or scheduling of a visit.
- (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties, to manage, respond to and follow up on enquiries linked to its activity, always within the reasonable expectations of the data subject and without using the data for incompatible purposes.
Management of accommodation bookings through the booking engine
- (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract: managing the booking request and the contractual relationship with the resident.
- (Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller: traveller registration and tax and accounting obligations.
- (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties: preparation of aggregated statistics and quality control; commercial communications after the stay will only be made if there is justified legitimate interest or prior consent has been obtained.
Management of communications received through the whistleblowing channel
- (Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller: Law regulating the protection of persons who report regulatory infringements and against corruption, transposing Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019, on the protection of persons who report breaches of Union law.
- (Art. 6.1.e GDPR) Performance of a public mission or exercise of public powers conferred on the Data Controller:
  - GDPR and LOPDGDD, compliance with legal obligation: General Data Protection Regulation (GDPR) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD).
  - Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and execution of criminal penalties.
- (Art. 9.2.g GDPR) Processing necessary for reasons of essential public interest established by Law.
Investigation of received reports
- (Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller: Law regulating the protection of persons who report regulatory infringements and against corruption, transposing Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019, on the protection of persons who report breaches of Union law.
- (Art. 6.1.e GDPR) Performance of a public mission or exercise of public powers conferred on the Data Controller: Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and execution of criminal penalties.
- (Art. 9.2.g GDPR) Processing necessary for reasons of essential public interest established by Law: Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and execution of criminal penalties.
Social Media
- (Art. 6.1.a GDPR) Consent of the data subject.
Management of Bravo Group Corporate Data
- (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract.
9. Recipients of your data
To whom do we transfer your data within the European Union?
On occasion, in order to comply with our legal obligations and our contractual commitment to you, we are required to transfer some of your data to certain categories of recipients, which we specify below:
- Cookies, pixel and tracking: Companies dedicated to advertising or direct marketing.
- Handling enquiries, requests for information and visits through the website: Intra-group communication of data to the company that owns the residence subject to the enquiry, when necessary for handling the request, the commercial follow-up linked to it and, where appropriate, the subsequent pre-contractual or contractual management.
- Management of accommodation bookings through the booking engine: State Security Forces and Bodies and other competent authorities, when legally required, in compliance with regulatory obligations linked to accommodation and traveller registration. Tax administration, courts and tribunals, banking entities and other public bodies when there is a legal obligation or it is necessary for the execution of the contract.
- Management of communications received through the whistleblowing channel: Other public administration bodies. External channel managed by the Independent Authority for the Protection of the Informant or by analogous regional independent authorities with competence. Data will also be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority within the framework of a criminal, disciplinary or sanctioning investigation. Information relating to reports will be communicated to the Compliance Officer and those persons whose collaboration is necessary within the framework of an investigation or for the adoption of corrective or disciplinary measures, such as Human Resources or Legal Services managers. The identity of the informants will under no circumstances be disclosed to the persons to whom the reported facts refer or to third parties.
- Investigation of received reports: Other public administration bodies. External channel managed by the Independent Authority for the Protection of the Informant or by analogous regional independent authorities with competence. Data will also be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority within the framework of a criminal, disciplinary or sanctioning investigation.
- Social Media: International transfers: given the global nature of social media platforms, there may be transfers of data outside the European Economic Area (EEA). To ensure the protection of personal data in these transfers, appropriate safeguard mechanisms will be adopted in accordance with the requirements of the GDPR, such as the Standard Contractual Clauses approved by the European Commission, binding corporate rules for multinational companies, or adequacy decisions for those countries that the European Commission considers to offer an adequate level of data protection. Big Data and Analytics Service Providers: for the analysis of user behaviour and the improvement of content strategies, always under agreements that guarantee the protection of personal data in accordance with the GDPR.
- Management of Bravo Group Corporate Data: Authorised personnel of the various Bravo Group companies. Technology service providers under confidentiality and data protection agreements. Competent public authorities in compliance with legal obligations. Group companies for internal administrative purposes.
Recipients — Cookies, pixel and tracking
| Entity | Identifier | Group / Data |
|---|---|---|
| Google Ireland Limited | Irish Company No. 368047 | Website users — ID generated by the Pixel or Cookie |
| Google LLC | LLC California – Charter 201727810678 | Website users — ID generated by the Pixel or Cookie |
| Meta Platforms Ireland Limited | Irish Company No. 462932 | Website users — ID generated by the Pixel or Cookie |
| Meta Platforms, Inc. | CIK 0001326801 (SEC) / Charter 645635 | Website users — ID generated by the Pixel or Cookie |
| TikTok Information Technologies UK Limited | Company Number 10165711 | Website users — ID generated by the Pixel or Cookie |
| TikTok Technology Limited | Irish Company No. 635755 | Website users — ID generated by the Pixel or Cookie |
Recipients — Handling enquiries, requests for information and visits
| Entity | NIF/DNI | Data communicated |
|---|---|---|
| Bravo Granada SL | B88400007 | Name and surname; Phone; Email address; Message; Residence you want to book |
| Bravo Students Moncloa SL | B10664274 | Name and surname; Phone; Email address; Message; Residence you want to book |
| Bravo Students Murcia SL | B09758004 | Name and surname; Phone; Email address; Message; Residence you want to book |
| Bravo Students Salamanca SL | B67687988 | Name and surname; Phone; Email address; Message; Residence you want to book |
| Bravo Students Zaragoza, S.L | B13891577 | Name and surname; Phone; Email address; Message; Residence you want to book |
Do we carry out International Transfers of your data outside the European Union?
Within the context of our data processing activities, we may use external services that involve the storage and/or processing of your data by organisations outside the European Union. This entails carrying out international transfers of your data.
Cookies, pixel and tracking
| Recipient | Level of protection guaranteed | Category of safeguards | Detail |
|---|---|---|---|
| Google LLC – United States | Adequacy decision of the EU Commission | Specific and binding adequacy agreements | Data Privacy Framework. International transfer of data to Google LLC in the context of the use of Google services integrated in the website, such as Google Analytics, Google Ads, YouTube, DoubleClick and reCAPTCHA. Google indicates that it has servers worldwide and that information may be processed outside the user’s country of residence. Google LLC has certified its adherence to the EU-US Data Privacy Framework, and Google further states that it remains responsible for personal information shared with third parties for external processing on its behalf. |
| Meta Platforms, Inc. – United States | Adequacy decision of the EU Commission | Specific and binding adequacy agreements | Data Privacy Framework. International transfer of data to Meta Platforms, Inc. in the context of the use of Meta cookies and technologies for advertising, measurement, attribution and conversion tracking. Meta Platforms, Inc. is listed as adhering to the EU-US Data Privacy Framework. The group entity in the EEA for these services is Meta Platforms Ireland Limited, while the international transfer to the United States is documented with respect to Meta Platforms, Inc. |
| TikTok Information Technologies UK Limited – United Kingdom | Adequacy decision of the EU Commission | Countries with adequacy decision | United Kingdom. |
10. Data processing activities
The data processing activities carried out through https://www.bravostudents.com are described below, specifying:
- Activity: Name of the data processing activity.
- Purposes: Uses and processing carried out with the data collected.
- Legal basis: Legal grounds that legitimise the data processing.
- Data processed: Types of data processed.
- Origin: Source of the data.
- Retention: Data retention period.
- Recipients: Third parties to whom the data are transferred.
- International transfers: Transfers of data outside the European Union.
10.1 Processing activities
These are data processing activities whose purposes are necessary for the provision of the services.
Management of accommodation bookings through the booking engine
| Item | Detail |
|---|---|
| Legal bases | (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract (managing the booking request and the contractual relationship with the resident); (Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller (traveller registration and tax and accounting obligations); (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties (preparation of aggregated statistics and quality control; commercial communications after the stay will only be made if there is justified legitimate interest or prior consent has been obtained). |
| Purposes | Handle incidents and complaints; Comply with associated legal obligations; Invoice and collect payments; Formalise the accommodation; Manage the stay; Manage requests and bookings. Includes confirmations, modifications, cancellations, check-in, check-out, room assignment and associated services. It also includes compliance with administrative, accounting, tax and, where appropriate, traveller registration obligations. Internal statistics shall only be carried out with aggregated or pseudonymised data. |
| Categories of data and groups | Residents (Identifying data; Academic and professional; Economic, financial and insurance; Commercial information). Potential residents (Identifying data). |
| Origin of data | The data subject themselves or their legal representative; data are provided by the resident or by their legal guardian in the case of minors at the time of signing the rental agreement. |
| Category of recipients | State Security Forces and Bodies and other competent authorities, when legally required, in compliance with regulatory obligations linked to accommodation and traveller registration. Tax administration, courts and tribunals, banking entities and other public bodies when there is a legal obligation or it is necessary for the execution of the contract. |
| International transfer | Not envisaged. |
| Retention period | While the commercial or contractual relationship is maintained. Data will be kept during the term of the booking, the stay and the contractual relationship. Once concluded, they will be kept blocked only for the periods required by applicable regulations to address legal, accounting, tax, administrative and contractual responsibilities. Unfinished requests must be reviewed periodically and deleted when they cease to be necessary for the pre-contractual purpose, except for legal obligation or associated claim. |
| Security measures | Access control by username and password with two-factor authentication. Restricted access by profiles to authorised personnel of the residence and administration. Encryption in transit and, where applicable, at rest. Logging of accesses and operations. Periodic backups. Incident and breach management. Identity verification procedures. Permission segregation. Confidentiality duty of personnel. Periodic review of active users. Processor agreement with the booking engine provider. |
Management of communications received through the whistleblowing channel
| Item | Detail |
|---|---|
| Legal bases | (Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller (Law regulating the protection of persons who report regulatory infringements and against corruption); (Art. 6.1.e GDPR) Performance of a public mission or exercise of public powers conferred on the Data Controller (GDPR and LOPDGDD; Organic Law 7/2021, of 26 May); (Art. 9.2.g GDPR) Processing necessary for reasons of essential public interest established by Law. |
| Purposes | Create an internal communication channel to enable the delivery of information about irregular practices in order to correct them and repair any damage they may have caused; Inform employees and third parties about the existence of anonymous information systems regarding actions or omissions that may go against the legal system; Protect citizens who report on actions or omissions that violate the legal system, affect financial interests or impact the internal market; Adequately protect persons who report, through the organisation’s whistleblowing channel, irregularities they become aware of in their work or professional environment, thereby allowing public authorities to act and to put an end to the reported unlawful activity when it affects the general interest. |
| Categories of data and groups | Internal whistleblowing channel informants (Identifying data; Criminal data; Other categories). Persons allegedly involved (Identifying data; Criminal data). |
| Origin of data | The data subject themselves or their legal representative; Data are communicated by the informant themselves through the organisation’s whistleblowing channel; Other persons other than the data subject or their representative; Data are provided by the informant or are known during the investigation and inquiry process. |
| Category of recipients | Other public administration bodies. External channel managed by the Independent Authority for the Protection of the Informant or by analogous regional independent authorities with competence. Data will also be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority within the framework of a criminal, disciplinary or sanctioning investigation. Information relating to reports will be communicated to the Compliance Officer and those persons whose collaboration is necessary. The identity of the informants will under no circumstances be disclosed to the persons to whom the reported facts refer or to third parties. |
| International transfer | Not envisaged. |
| Retention period | For a period of 10 years from the last confirmation of interest. In the event that investigation actions are not initiated, the information relating to the report will be retained in the system for a maximum period of three months. These communications will be archived anonymously in order to leave evidence of their receipt. If the report progresses, information relating to the reports received and to the investigation procedures will be stored in a register of actions in order to provide evidence of the functioning of the model for preventing the commission of offences. In no case shall personal data concerning such actions be stored for a period exceeding ten years. The data of those who make the communication, of employees and of third parties will be retained in the whistleblowing system only for the time strictly necessary to decide on the appropriateness of initiating an investigation into the reported facts. Information not relevant for the investigation of the facts or belonging to special categories of data will be immediately deleted. In the event that the information provided or part of it is not truthful, it will be immediately deleted from the moment such circumstance is known. In the event that such lack of truthfulness could constitute a criminal offence, it will be retained for the period necessary to exercise actions. |
| Security measures | In order to safeguard the security of the personal data of the whistleblowing channel, the organisation undertakes to maintain the security and confidentiality of the data provided and, in particular, of the data of the informants who submit a communication through the internal whistleblowing channel, preventing access to such data by those who caused the communication due to the alleged commission of actions within the organisation contrary to the Law or to the entity’s Code of Conduct. The organisation has adopted the legally required levels of security for the protection of personal data and used the technical means at its disposal to prevent the loss, misuse, alteration, unauthorised access and theft of such data. Likewise, the organisation informs you that all its personnel, whatever the phase of the processing in which they intervene, have committed to process your data with the utmost care and confidentiality. |
Investigation of received reports
| Legal bases | (Art. 6.1.c GDPR) Compliance with legal obligations of the Data Controller (Law regulating the protection of persons who report regulatory infringements and against corruption); (Art. 6.1.e GDPR) Performance of a public mission or exercise of public powers conferred on the Data Controller (Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and execution of criminal penalties.); (Art. 9.2.g GDPR) Processing necessary for reasons of essential public interest established by Law (Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and execution of criminal penalties.) |
| Purposes | Creation of a procedure for managing communications received that identifies this channel, sending acknowledgement of receipt and communication to the informant of the actions or omissions carried out; Management of the register of communications received and of internal investigations to which they have given rise; Inform the person under investigation of their right to submit allegations in writing and of the processing of their personal data; Carry out the necessary investigations to respond to the informant; Process and decide on the admission for processing of the report received, proceed to its analysis and instruct the files and carry out the actions that proceed for that purpose |
| Categories of data and groups | Internal whistleblowing channel informants (Identifying data; Criminal data; Other categories). Persons allegedly involved (Identifying data; Criminal data). |
| Origin of data | The data subject themselves or their legal representative; Data are communicated by the informant themselves through the organisation’s whistleblowing channel; Other persons other than the data subject or their representative; Data are provided by the informant or are known during the investigation and inquiry process. |
| Category of recipients | Other public administration bodies; External channel managed by the Independent Authority for the Protection of the Informant or by analogous regional independent authorities with competence. Data will also be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority within the framework of a criminal, disciplinary or sanctioning investigation. |
| International transfer | Not envisaged. |
| Retention period | All data processed and captured during the investigation phase are deleted after 3 months. If the report progresses, the maximum period may not exceed 10 years. |
| Security measures | In order to safeguard the security of the personal data of the whistleblowing channel, the organisation undertakes to maintain the security and confidentiality of the data provided and, in particular, of the data of the informants who submit a communication through the internal whistleblowing channel, preventing access to such data by those who caused the communication due to the alleged commission of actions within the organisation contrary to the Law or to the entity’s Code of Conduct. The organisation has adopted the legally required levels of security for the protection of personal data and used the technical means at its disposal to prevent the loss, misuse, alteration, unauthorised access and theft of such data. Likewise, the organisation informs you that all its personnel, whatever the phase of the processing in which they intervene, have committed to process your data with the utmost care and confidentiality. |
Management of Bravo Group Corporate Data
| Legal bases | (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract. |
| Purposes | Regulatory Compliance: ensure compliance with applicable laws in all group companies. |
| Categories of data and groups | Residents (Identifying data). |
| Origin of data | The data subject themselves or their legal representative; data are provided by the resident or by their legal guardian in the case of minors at the time of signing the rental agreement. |
| Category of recipients | Authorised personnel of the various Bravo Group companies. Technology service providers under confidentiality and data protection agreements. Competent public authorities in compliance with legal obligations. Group companies for internal administrative purposes. |
| International transfer | Not envisaged. |
| Retention period | For a period of 6 years from the last confirmation of interest. Labour: 4 years from the last confirmation of interest. Financial: 6 years from the last confirmation of interest. Secure deletion of data once the retention period has ended, unless there is a legal obligation to keep them for longer. |
| Security measures | 1. Technical measures: Data encryption: Encryption of data in transit and at rest. Access control: Implementation of role-based access controls and multi-factor authentication. Backups: Periodic backups and secure storage. Monitoring and intrusion detection: Monitoring systems to detect and respond to security incidents. 2. Organisational measures: Staff training: Continuous training in data protection and information security. Security policies: Clear policies and procedures for the safe use of data. Audits: Regular audits to ensure regulatory compliance. |
Cookies, pixel and tracking
| Legal bases | (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties. |
| Purposes | Integrate and play third-party content or functionalities, such as embedded videos; Measure campaigns and advertising attribution; Obtain analytical and statistical data on browsing, use, performance and traffic of the website; Enable the technical and secure operation of the website; Protect forms and services against bots, spam or abusive access; Carry out advertising tracking and, where appropriate, personalisation or commercial segmentation based on browsing behaviour, where applicable; Remember user preferences and their consent choices. The activity comprises several differentiated layers of processing. Firstly, the use of technical or strictly necessary cookies for the operation of the site, language management, cookie banner configuration, basic security and protection against automated traffic, including tools such as WordPress, WPML, Complianz or Google reCAPTCHA, to the extent that they are necessary to provide the service requested by the user. Secondly, the use of analytical and measurement cookies to learn how users access, navigate and interact with the site, detect errors, measure traffic, evaluate performance and improve the user experience. Thirdly, the use of marketing cookies, pixels and advertising identifiers, whether proprietary or third-party, to measure campaigns, attribute conversions, track browsing behaviour and, where appropriate, display or optimise interest-based advertising. Lastly, the site may incorporate content or functionalities from third parties, such as YouTube videos, the loading of which may involve connections with external domains and the installation of cookies or identifiers by such third parties. Non-exempt purposes may only be activated after a clear affirmative action by the user through the configuration panel or corresponding acceptance. |
| Categories of data and groups | Website users (Identifying data; Other categories). |
| Origin of data | The data subject themselves or their legal representative. |
| Category of recipients | Companies dedicated to advertising or direct marketing: Google Ireland Limited (Irish Company No. 368047); Google LLC (LLC California – Charter 201727810678); Meta Platforms Ireland Limited (Irish Company No. 462932); Meta Platforms, Inc. (CIK 0001326801 / Charter 645635); TikTok Information Technologies UK Limited (Company Number 10165711); TikTok Technology Limited (Irish Company No. 635755). |
| International transfer | Google LLC — United States (Google Analytics, Google Ads, YouTube, DoubleClick and reCAPTCHA) — Adequacy decision of the EU Commission. Meta Platforms, Inc. — United States (Meta Pixel / Facebook Ads / advertising measurement) — Adequacy decision of the EU Commission. TikTok Information Technologies UK Limited — United Kingdom (TikTok Pixel / TikTok Ads / advertising measurement) — Adequacy decision of the EU Commission. |
| Retention period | Data associated with cookies and similar technologies will be retained for the lifetime periods defined for each cookie in the cookie policy and, where appropriate, for the additional periods necessary to demonstrate consent management, handle incidents, prevent fraud, prepare aggregated statistics or defend claims. Technical or strictly necessary cookies will be retained for the time essential to provide the requested service or maintain the session. Analytical, preference, advertising and third-party cookies will have the specific duration indicated in the cookie policy and in the CMP configuration, and their need, duration and validity must be reviewed periodically. If the purposes, third parties or technologies used change, the policy must be updated and consent must be obtained again when required. |
| Security measures | Restricted access control to web management systems, cookie panel (CMP), tag manager, analytics tools and advertising platforms through individual credentials, robust passwords and, when possible, multi-factor authentication. Profile and permission management based on the principle of least privilege, limiting the configuration of cookies, tags, pixels and third-party integrations only to authorised personnel. Updated inventory of cookies, tracking technologies, tags and active scripts on the website, with periodic review of their purpose, provider, duration and legal basis. Configuration of the consent panel to block by default cookies and non-necessary technologies until a valid affirmative action by the user is obtained, as well as recording and retention of consent preferences for their accreditation. Prior validation procedure before incorporating new cookies, scripts, plugins, pixels, analytics, marketing or third-party content tools, including analysis of need, provider and possible international transfers. Encryption of communications through secure protocols (HTTPS/TLS) throughout the website and in connections with external providers (analytics, CMP, forms, embedded services). Logging and monitoring of access and changes in the configuration of the website, CMP, tag manager and associated tools, allowing traceability of modifications. Periodic backups of the website and the configuration of cookies, consent and tagging, with verified restoration procedures. Periodic updating of the CMS, plugins, libraries, scripts and tools used, in order to correct vulnerabilities and maintain the security of the web environment. Implementation of protection measures against unauthorised access, malware, code injection, script manipulation and abusive automated traffic. Application of the principle of data minimisation in analytical and advertising tools, including, where appropriate, anonymisation or pseudonymisation of IP addresses and limitation of unnecessary functionalities. Formalisation of processor agreements or review of equivalent conditions with providers that access personal data through cookies, analytics, marketing, security or third-party content. Evaluation and documentation of possible international transfers derived from the use of external providers, verifying the existence of adequate safeguards. Periodic review of the cookie policy and the banner configuration to ensure their consistency with the technologies actually used on the website. Procedure for the immediate withdrawal or modification of cookies, tags or providers when the purposes, legal basis change or security or compliance incidents are detected. Management of incidents and security breaches related to the web environment, including detection, analysis, containment and documentation in accordance with internal procedures. Training and internal instructions to personnel with access to web management, digital marketing or analytics on the proper use of tools, consent and configuration of tracking technologies. |
Handling enquiries, requests for information and visits through the website
| Legal bases | (Art. 6.1.a GDPR) Consent of the data subject (only for commercial communications not linked to the initial request or for additional purposes not necessary for handling the enquiry.); (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through contract or pre-contract (when the enquiry has the purpose of receiving information about accommodation, availability, economic conditions, services, booking process or scheduling of a visit.); (Art. 6.1.f GDPR) Legitimate interest of the Data Controller or third parties (to manage, respond to and follow up on enquiries linked to its activity, always within the reasonable expectations of the data subject and without using the data for incompatible purposes). |
| Purposes | Handle enquiries and requests received; Provide information about residences, availability, conditions and visits; Manage and document the commercial follow-up linked to the data subject’s initial request. Commercial follow-up will be limited to actions reasonably connected with the enquiry or request made by the data subject, including responses, expansion of information, scheduling of visits, reminders or continuation of the commercial conversation initiated by the data subject. The sending of electronic commercial communications not related to the initial request, as well as general promotions and additional purposes, will require specific, separate and verifiable consent. |
| Categories of data and groups | Website users (Identifying data; Academic and professional; Personal characteristics; Credit information; Other categories). |
| Origin of data | The data subject themselves or their legal representative. |
| Category of recipients | Intra-group communication of data to the company that owns the residence subject to the enquiry, when necessary for handling the request, the commercial follow-up linked to it and, where appropriate, the subsequent pre-contractual or contractual management. Bravo Granada SL (NIF/DNI: B88400007); Bravo Students Moncloa SL (NIF/DNI: B10664274); Bravo Students Murcia SL (NIF/DNI: B09758004); Bravo Students Salamanca SL (CIF: B67687988); Bravo Students Zaragoza, S.L (NIF/DNI: B13891577). |
| International transfer | Not envisaged. |
| Retention period | For a period of 1 year from the last confirmation of interest. Data will be retained while necessary to handle the enquiry, provide the requested information and carry out the commercial follow-up directly related to it. If within 1 year from the last effective interaction no booking, contracting or new action is formalised that justifies the continuity of the processing, the data will be deleted. When necessary for the formulation, exercise or defence of claims, or to comply with applicable legal obligations, the data may be kept duly blocked during the corresponding limitation periods. |
| Security measures | Individualised access control through username and password to corporate email, forms and/or CRM. Multi-factor authentication on corporate accounts and remote access. Permission management by profiles and principle of minimum access. Encryption in transit of forms and communications. Periodic backups with restoration control. Activity logging and access review when applicable. Robust password policy and periodic renewal. Confidentiality duty and basic training of personnel with access. Internal procedures for incident management and security breaches. Data minimisation in emails and commercial communications. Periodic review, cleansing, blocking or deletion of inactive contacts. Control of providers with access to data through the corresponding processor agreements. |
Social Media
| Legal bases | (Art. 6.1.a GDPR) Consent of the data subject. |
| Purposes | Foster community interaction and engagement through relevant content and the promotion of dialogue; Inform followers about news, events and activities; Carry out market analysis and studies to improve the social media content strategy. |
| Categories of data and groups | Followers (Identifying data). |
| Origin of data | The data subject themselves or their legal representative. |
| Category of recipients | International Transfers: Given the global nature of social media platforms, there may be transfers of data outside the European Economic Area (EEA). To ensure the protection of personal data in these transfers, appropriate safeguard mechanisms will be adopted in accordance with the requirements of the GDPR, such as the Standard Contractual Clauses approved by the European Commission, binding corporate rules for multinational companies, or adequacy decisions for those countries that the European Commission considers to offer an adequate level of data protection. Big Data and Analytics Service Providers: For the analysis of user behaviour and the improvement of content strategies, always under agreements that guarantee the protection of personal data in accordance with the GDPR. |
| International transfer | Not envisaged. |
| Retention period | Until the data subject requests its deletion. Personal data will be retained as long as they are necessary or relevant for the purpose for which they were collected or recorded. In the event of a deletion request by the data subject, the data will be blocked and reserved under the established conditions, preventing their processing except to make them available to competent authorities if necessary, for a period of three years. |
| Security measures | In accordance with Article 32 of the GDPR, Recital 83 of the GDPR, and the first additional provision of the LOPDGDD, the following security measures are implemented: Access Policies: Restricted access to the personal data of social media users only to authorised personnel who need such information to perform their tasks. Data Protection Training: Continuous training to personnel involved in social media management on the principles of data protection and privacy. Security Monitoring: Regular monitoring of social media accounts to detect and respond to potential security incidents. Third-Party Agreements: Collaboration only with social media platforms that demonstrate compliance with the GDPR, especially regarding international data transfers. |
11. Data of minors
How do we handle the data of minors?
Minors under 14 years of age may not use the services offered through our website without prior authorisation from their parents, guardians or legal representatives, who will be solely responsible for all actions carried out through the website by the minors in their care, including the completion of online forms with the personal data of the minors and, where appropriate, the selection of the corresponding boxes.
In accordance with the provisions of Article 8 of the GDPR and Article 7 of the LOPDGDD, only persons over 14 years of age may grant their consent for the lawful processing of their personal data by Bravo Students.
12. Origin and types of data processed
Where have we obtained your data from?
Cookies, pixel and tracking
- Website users: The data subject themselves or their legal representative.
Handling enquiries, requests for information and visits through the website
- Website users: The data subject themselves or their legal representative.
Management of accommodation bookings through the booking engine
- Residents: The data subject themselves or their legal representative. Data are provided by the resident or by their legal guardian in the case of minors at the time of signing the rental agreement.
- Potential residents: The data subject themselves or their legal representative.
Management of communications received through the whistleblowing channel
- Internal whistleblowing channel informants: The data subject themselves or their legal representative. Data are communicated by the informant themselves through the organisation’s whistleblowing channel.
- Persons allegedly involved: Other persons other than the data subject or their representative. Data are provided by the informant or are known during the investigation and inquiry process.
Investigation of received reports
- Internal whistleblowing channel informants: The data subject themselves or their legal representative. Data are communicated by the informant themselves through the organisation’s whistleblowing channel.
- Persons allegedly involved: Other persons other than the data subject or their representative. Data are provided by the informant or are known during the investigation and inquiry process.
Social Media
- Followers: The data subject themselves or their legal representative.
Management of Bravo Group Corporate Data
- Residents: The data subject themselves or their legal representative. Data are provided by the resident or by their legal guardian in the case of minors at the time of signing the rental agreement.
What types of your data do we collect and process?
| Activity / Group | Categories of data |
|---|---|
| Cookies, pixel and tracking — Website users | Identifying data: IP address. Other categories: ID generated by the Pixel or Cookie. |
| Handling enquiries, requests for information and visits — Website users | Identifying data: Email address; IP address; Name and surname; Phone. Academic and professional: Type of room. Personal characteristics: Gender. Credit information: Bank card details (debit or credit). Other categories: ID generated by the Pixel or Cookie; Message; Residence you want to book; Booking dates. |
| Booking management — Residents | Identifying data: Name and surname; ID card or Passport; Email address. Academic and professional: Type of room. Economic, financial and insurance: Payment method and bank details. Commercial information: Stay dates (Check-in and Check-out). |
| Booking management — Potential residents | Identifying data: Email address; Postal address; Name and surname; Phone. |
| Whistleblowing channel — Informants | Identifying data: Email address; Postal address; Name and surname; Phone. Criminal data: Administrative infringements; Criminal infringements. Other categories: Telephone conversation. |
| Whistleblowing channel — Persons allegedly involved | Identifying data: Name and surname. Criminal data: Administrative infringements; Criminal infringements. |
| Investigation of reports — Informants | Identifying data: Email address; Postal address; Name and surname; Phone. Criminal data: Administrative infringements; Criminal infringements. Other categories: Telephone conversation. |
| Investigation of reports — Persons allegedly involved | Identifying data: Name and surname. Criminal data: Administrative infringements; Criminal infringements. |
| Social Media — Followers | Identifying data: Email address; Name and surname. |
| Bravo Group Corporate Data — Residents | Identifying data: Name and surname. |
13. Rights of data subjects
What are your rights regarding your data?
Data protection regulations grant you specific rights that you can exercise in relation to the processing of your data. These rights are personal and non-transferable, which means that only you, as the data subject, can exercise them after verification of your identity.
Your rights are described below:
- Right of access: You can request confirmation of whether Bravo Students is processing your data and access information related to its processing.
- Right of rectification: If your personal data are inaccurate or incomplete, you can request their correction.
- Right of erasure (“right to be forgotten”): You can request the deletion of your data when they are no longer necessary for the purposes for which they were collected, or if you withdraw your consent.
- Right to restriction of processing: You can request the restriction of the processing of your data, for example, while its accuracy is being verified or in other cases provided for by law.
- Right to data portability: You have the right to receive your data in a structured, commonly used and machine-readable format, and to transmit them to another data controller.
- Right to object: You can object to the processing of your data on grounds relating to your particular situation, or when the processing is based on a legitimate interest.
- Right not to be subject to automated decisions: You can request not to be subject to decisions based solely on the automated processing of your data, including profiling.
- Right to withdraw consent: You can withdraw your consent at any time, without this affecting the lawfulness of the processing based on prior consent.
- Right to lodge a complaint: If you consider that your rights have not been respected, you can lodge a complaint with the corresponding supervisory authority: Spanish Data Protection Agency — info@aepd.es — https://www.aepd.es.
To exercise any of these rights, you can contact Bravo Students using the following contact information:
- Controller: Bravo Students SL
- Address: Paseo de la Castellana Nº 140 planta 11. 28046, Madrid (Madrid), Spain
- Phone: 619425252
- E-mail: info@bravostudents.com
- Website: https://www.bravostudents.com
You can also exercise your rights before the Data Protection Officer:
Email: rgpd@auratechlegal.es — Phone: 911134963
How can you exercise your rights regarding your data?
You can exercise your rights of access, rectification, deletion, restriction or objection, portability and withdrawal of your consent by sending an email to rgpd@auratechlegal.es or by postal mail to: Paseo de la Castellana Nº 140 planta 11. 28046, Madrid (Madrid), Spain.
How can you lodge a complaint if you consider that your rights are not being respected?
If you believe that the processing of your personal data does not comply with data protection regulations, you have the right to lodge a complaint with the corresponding Supervisory Authority in your country of residence or place of activity.
Depending on your location, you can contact the competent authority in your country. For example:
- In Germany, you can contact the Berliner Beauftragte für Datenschutz und Informationsfreiheit.
- In France, the competent authority is the Commission Nationale de l’Informatique et des Libertés (CNIL).
The specific contact details for Spain are as follows:
- Spanish Data Protection Agency
C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain
Email: info@aepd.es — Phone: 900293183
Web: https://www.aepd.es
If you are not sure which authority corresponds to you or you need information about other supervisory authorities, you can consult the article on Data Protection Supervisory Authorities, where you will find contact details and links according to your location.
14. Modification and information principle
This document ensures that you understand how we process your personal data. By using our website or services, you confirm that you have been informed about the terms of our Privacy Policy, in accordance with the information principle established in Article 13 of the GDPR. The legal bases for the processing of your personal data are set out in Article 6 of the GDPR, and may include the performance of a contract, compliance with legal obligations or legitimate interest, among others.
This policy has been prepared with the collaboration of Auratech Legal, a firm specialising in data protection, and will be reviewed periodically to ensure its adequacy and compliance.
Bravo Students reserves the right to modify this Privacy Policy in accordance with legislative or jurisprudential changes or guidelines from supervisory authorities. Any relevant modification affecting the purposes of the processing, retention periods or rights of users will be communicated explicitly.
Last updated: 22 April 2026.