Privacy Policy
Last updated: 24 May 2026
1. Who is responsible for your data?
The data controller (responsable del tratamiento) for the personal data collected through this website is:
- Controller: VibeBCN S.L.
- Tax ID: [NIF / CIF — pending]
- Registered address: Barcelona, Spain
- Contact email: hola@vibebcn.com
VibeBCN Concierge acts as an intermediary and mandatary that obtains official attraction tickets in your name. It is not a travel agency.
2. What data do we collect?
To provide our concierge service we collect the data you enter at checkout and a limited amount of technical data:
- Identification & contact data: full name, email address and phone number of the lead passenger and the name of each additional passenger.
- Identity document data: ID / passport number and country, required by some venues to issue nominative tickets.
- Age: used to apply the correct official ticket tariff (e.g. child, youth or senior fares).
- Special category data (health): if you tick the "Disability" option, we process data that may reveal a health condition solely to apply the corresponding reduced official tariff. This is processed only with your explicit consent (see section 4).
- Booking & preference data: attractions, dates, time slots, "student" status and any observations you provide.
- Payment data: processed directly by Stripe. We do not store your card number.
- Technical data: IP address, device/browser information and server logs, for security and to operate the website.
3. Why do we use your data (purposes)?
- To manage, obtain and deliver the official tickets you order, acting as your mandatary.
- To calculate the correct ticket price, including reduced tariffs (under-age, youth, senior, student or disability).
- To process payment through our payment provider.
- To contact you about your order and provide customer support.
- To comply with our legal, accounting and tax obligations.
- To keep the website secure and prevent fraud.
4. Legal basis for processing
- Performance of a contract (Art. 6.1.b GDPR): to provide the concierge service you request.
- Legal obligation (Art. 6.1.c GDPR): to meet tax, accounting and consumer-protection duties.
- Explicit consent (Art. 9.2.a GDPR): for any health-related data (disability status). You can withdraw this consent at any time.
- Legitimate interest (Art. 6.1.f GDPR): for website security and fraud prevention.
5. Who do we share your data with?
We only share data with the providers strictly necessary to deliver the service, each acting as a data processor under a data-processing agreement, and with the official ticket issuers:
| Recipient | Purpose |
|---|---|
| Stripe Payments Europe | Payment processing and fraud prevention |
| Supabase | Database and secure document storage |
| Resend | Transactional emails (confirmations, tickets) |
| Vercel | Website hosting and delivery |
| Official attractions / ticket providers | To issue the nominative tickets you ordered, in your name |
| Public authorities | Only where required by law |
We do not sell your personal data or use it for advertising.
6. International data transfers
Where possible we use providers hosted within the European Union. Where a provider processes data outside the EU/EEA, the transfer is protected by an adequacy decision or by the European Commission's Standard Contractual Clauses and additional safeguards.
7. How long do we keep your data?
We keep your booking data for as long as needed to provide the service and afterwards only for the periods required by law (for example, invoicing and tax records are kept for the statutory period, generally 4–6 years). Health-related data is deleted once it is no longer needed to apply the relevant tariff, unless a legal obligation requires otherwise.
8. Your rights
You may exercise the following rights free of charge by emailing hola@vibebcn.com, attaching proof of identity:
- Access, rectification and erasure of your data.
- Restriction of, and objection to, processing.
- Data portability.
- Withdrawal of consent at any time (without affecting prior processing).
If you believe your rights have not been respected, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
9. Security
We apply appropriate technical and organisational measures to protect your data against unauthorised access, loss or alteration, including encrypted connections (HTTPS) and access controls on stored documents.
10. Minors
Bookings must be made by an adult. Where a booking includes minors, the adult lead passenger confirms they are authorised to provide the minors' data.
11. Changes to this policy
We may update this Privacy Policy. The current version, with its date, is always available on this page.