HOSTELELLA Legal documentation

Privacy Policy

Version 1.5 Effective 27 June 2026 GDPR · LOPDGDD

1. Data controller

In accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), Organic Law 3/2018 (LOPDGDD), the rules derived from Directive 2002/58/EC (ePrivacy), the LSSI-CE (where applicable to cookies/electronic communications), Regulation (EU) 2024/1689 (Artificial Intelligence Act) where applicable, and other applicable European and Spanish law, the data controller is:

Company: HERMANOS VARELA LUIS SL
Tax ID (CIF): B67073320
Registered office: Travessera de les Corts 356, Local 2, 08029 Barcelona, Spain
Commercial Registry: Barcelona Commercial Registry, Section 8, Sheet B-509004, entry 4 (I/A 4); background: Volume 46087, Folio 53
Legal and privacy email: legal@hostelella.com

HOSTELELLA has not formally appointed a Data Protection Officer where this is not mandatory under Article 37 GDPR and Article 34 LOPDGDD. If this becomes mandatory in the future or one is appointed voluntarily, the corresponding contact will be published and the AEPD notified where applicable.

2. Scope, recipients and B2B nature

HOSTELELLA is a professional digital platform (SaaS and, where applicable, marketplace features and business-to-business interactions) intended exclusively for business and commercial use (B2B), offering tools for operational management, document processing, team and shift management, and analytical assistance.

The Service is not intended for personal, household or consumer use. Users act in a professional or business context. When a user contracts, configures a business or accepts terms on behalf of a company, they must have sufficient authority to do so.

3. Exclusion of minors as users

Access to and use of the Service as a user is reserved for adults. Users must be at least 18 years old. HOSTELELLA does not deliberately collect or process the personal data of minors acting as users.

Important clarification: the 18-year restriction applies to whoever uses the platform. By contrast, the data of persons managed by the business Customer (e.g., employees included in shift planning) may, where applicable, relate to minor workers lawfully employed. In that case, the Customer acts as Controller and is solely responsible for the legality of employing minors and for complying with labor rules protecting minors (working hours, rest, night work, etc.). Any access to or use of the platform by a minor is unauthorized and contrary to the intended scope of the Service.

4. Categories of data subjects

5. Categories of personal data processed

Depending on the use of the Service, the following categories of data may be processed:

5.1 Data that may reveal sensitive information (absences)

Managing absences and time off may include categories such as “sick leave”. Where an absence is linked to sick leave, that information may reveal data concerning health (a special category under Article 9 GDPR). In these cases:

Other than the above, the Service is not designed to process special categories under Article 9 GDPR. The Customer must not upload them unless it has an adequate legal basis, it is necessary and sufficient safeguards are applied.

6. Source of the data

7. Allocation of roles (Controller / Processor / Joint controller)

7.1 When HOSTELELLA acts as Controller

HOSTELELLA acts as Controller in respect of the data needed to operate the Service, such as: account administration, authentication, access control, security, fraud/abuse prevention, support, service communications and billing (where applicable).

7.2 When HOSTELELLA acts as Processor

When business customers upload business documents and records or configure staff data (including shift, team and absence management) containing personal data of employees, customers, suppliers or other third parties, HOSTELELLA acts as Processor on behalf of the business customer, in accordance with the corresponding Data Processing Agreement (DPA) under Article 28 GDPR.

In these cases, the business customer remains the Controller and is solely responsible for: (i) informing data subjects, (ii) having an adequate legal basis, (iii) handling rights and (iv) complying with applicable obligations, including labor obligations (working hours, rest, protection of minors and informing workers' legal representatives).

7.3 Joint controllership (if applicable)

In certain flows (e.g., marketplace features, business-to-business communications or exchange of orders/data between parties), HOSTELELLA and other entities may jointly determine the purposes and means of processing and act as joint controllers under Article 26 GDPR. In those cases, the applicable framework of responsibilities and the contact point for exercising rights will be defined. Joint controllership is not presumed by default and will only apply where an agreement, configuration or flow justifies it.

8. Purposes of processing

9. Legal bases

We process personal data on one or more of the following legal bases:

For data processed on behalf of the Customer (including shift planning and team management), the legal basis vis-à-vis the workers is determined by the Customer as Controller (typically performance of the employment contract, compliance with labor obligations, or a legitimate interest in organizing work).

PurposeMain legal basisNotes
Account, authentication, roles and provision of the ServiceContract or pre-contractual measures; legitimate interest in securityNecessary to operate a professional account.
Documents, OCR/AI, reports and business data uploaded by the CustomerProcessing on behalf of the Customer; contractThe Customer decides the legal basis towards its employees, customers, suppliers or third parties.
Team, working-time, shifts and absences management (incl. AI-assisted generation)Processing on behalf of the Customer; the Customer determines the labor basis towards its workersSupport tool with human review; the Customer retains the final decision.
Support, incidents, security notices and transactional communicationsContract and legitimate interestNot commercial communications unless expressly stated.
Billing, accounting, tax obligations and legal defenseLegal obligation and legitimate interestStatutory periods and blocking apply where relevant.
Non-essential web analyticsConsentGoogle Analytics is loaded only after analytics/cookie acceptance.
B2B direct marketingConsent or legitimate interest where the law allowsAlways with an opt-out mechanism.

10. Device permissions (Mobile app)

For certain features, the App may request optional device permissions:

These permissions are based on your consent and can be revoked at any time from your device settings. Revocation may limit the use of certain features but will not prevent basic use of the Service where possible.

11. Artificial Intelligence and automated processing

HOSTELELLA may use automated processing and artificial intelligence to extract information from documents, classify data, assist with queries and generate shift-planning proposals, and to resolve the applicable labor framework or collective agreement based on the business's location and sector.

These features are designed as assistance and productivity tools, not as a substitute for human review nor as a system intended by default to make labor, tax, accounting, credit, legal or significantly impactful decisions. AI-generated shift proposals require human review and approval (by a person with a manager role or above) before publication or application; the Customer and its managers retain the final decision at all times.

No solely automated decisions. HOSTELELLA does not make decisions based solely on automated processing that produce legal effects on individuals or similarly significantly affect them within the meaning of Article 22 GDPR. Shift generation is decision support subject to human intervention.

Artificial Intelligence Act (EU 2024/1689). AI features are conceived as support tools. Where a feature is used in the employment context (e.g., shift planning), the Customer acts as the deployer within its organization and must ensure lawful use, human oversight and information to affected persons. In particular, in Spain, the Customer must comply with the right of workers' legal representatives to be informed of the parameters, rules and instructions of the algorithms or AI systems that affect working conditions (Art. 64.4.d of the Workers' Statute).

To minimize processing, before sending information to AI providers measures such as pseudonymization are applied (e.g., the shift generator operates with initials and operational data, not full names) and unnecessary data is excluded (e.g., the reason for absences is not transmitted). Results may contain inaccuracies or limitations. The Service is not designed for biometric identification, social scoring, emotion recognition, recruitment, automated disciplinary assessment or other prohibited or high-risk purposes unless under specific contract, assessment and safeguards. HOSTELELLA does not use Customer Data to train its own or third parties' models unless under express authorization, specific contract or clear Customer configuration.

12. Cookies and tracking technologies (web/PWA)

On the website and/or PWA, HOSTELELLA may use cookies, pixels or similar technologies for:

Non-essential cookies will only be used where consent exists, in accordance with ePrivacy and applicable law. The specific Cookies Policy supplements this information and prevails for granular cookie management.

13. Recipients, processors and sub-processors

We do not sell personal data. Data may be accessible to selected providers acting as processors/sub-processors under contractual obligations of confidentiality, security and compliance, including providers of:

When HOSTELELLA acts as a processor, sub-processors are governed by the DPA, the Sub-processors Annex and the requirements of Article 28 GDPR. The up-to-date list of sub-processors is published in the Sub-processors Annex.

14. Authorities and defense of rights

We may disclose data to competent authorities where there is a legal obligation or legitimate request, and/or to defend rights, prevent fraud, ensure security or respond to claims, in accordance with the GDPR.

15. Corporate restructurings

In the event of a merger, acquisition, reorganization, sale of assets or equivalent procedures, data may be disclosed to third parties to the extent necessary and proportionate, with adequate safeguards.

16. International transfers

Where international transfers of data outside the European Economic Area occur, we apply adequate safeguards, including adequacy decisions, Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework where applicable and supplementary measures, in accordance with Articles 44–49 GDPR. Certain AI and communications providers are located in the United States; in such cases the above mechanisms and the minimization described in this Policy apply.

In certain cases there may be a risk of access by authorities of third countries. In such cases we will apply supplementary measures where appropriate and, where necessary, inform and/or obtain consent in accordance with applicable law.

17. Data retention

We retain personal data only for as long as necessary for the purposes described in this Policy and for the periods required by legal, tax, accounting, audit and security obligations. Thereafter, data will be deleted or anonymized, unless there is a retention obligation or a need to defend claims.

Retention is detailed in the Retention Policy. When HOSTELELLA acts as a processor, retention is governed by the DPA and the customer's instructions, without prejudice to legal obligations.

18. Security measures

HOSTELELLA applies appropriate technical and organizational measures (Art. 32 GDPR) to ensure a level of security appropriate to the risk. The Security Policy describes the main measures, including access control, least privilege, encryption where appropriate, activity logging, incident management and service continuity.

Nonetheless, no system can guarantee absolute security. Users are responsible for keeping access to their accounts and devices secure.

19. Personal data breaches

In the event of a personal data breach, HOSTELELLA will follow internal procedures to assess the risk and, where appropriate, notify the competent supervisory authority and/or affected persons in accordance with Articles 33 and 34 GDPR.

When HOSTELELLA acts as a processor, notifications to the controller will be handled in accordance with the DPA.

20. Rights of data subjects

Data subjects may exercise their rights of access, rectification, erasure, restriction, objection and portability, as well as withdraw consent where applicable, by contacting: legal@hostelella.com.

We may request reasonable information to verify identity or representation. We will respond within one month of receipt of the request; this period may be extended by up to two additional months where necessary due to complexity or number of requests, informing the requester in accordance with the GDPR.

If the request relates to data processed by HOSTELELLA as a processor on behalf of a business customer, we may refer the requester to the relevant controller, who is the party that must handle the request.

21. Complaints

You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

22. Communications

We may send communications necessary for the operation of the Service (e.g., security alerts, transactional notifications, account notices). Commercial communications, if implemented, will be sent only in accordance with applicable law and, where required, with consent (opt-in) and an opt-out mechanism.

23. Third-party links

The platform may contain links to third-party services (e.g., maps, integrations). HOSTELELLA is not responsible for the privacy practices of such third parties. We recommend reviewing their respective policies.

24. Changes to this Policy

This Privacy Policy may be updated to reflect legal, regulatory or operational changes. The current version will be available within the Service and will apply from its publication date.

25. Limitation of liability (Privacy)

Nothing in this Policy limits the mandatory rights provided by data-protection law. To the maximum extent permitted by law, HOSTELELLA will not be liable for damages arising from: (i) misuse of the Service, (ii) unlawful data uploads by customers/users, or (iii) actions taken solely on the basis of informational results, including AI proposals applied without the required human review.