
General Data Protection Regulation (GDPR)
Compliance Statement

At Vista Estrella Luxury Retreat, we are committed to protecting the privacy and rights of our
guests in compliance with the General Data Protection Regulation (GDPR) and other applicable
data protection laws. This statement outlines how we collect, process, and protect personal
data in accordance with GDPR principles.


1. Lawful Basis for Data Processing:
We collect and process personal data based on one or more lawful bases as defined by GDPR, including consent, contractual necessity, legal obligations, and legitimate interests.

2. Data Collection and Use:
We collect personal data from guests for specified, legitimate purposes, and we do not process data in a manner incompatible with those purposes. Personal data is collected transparently, and guests are informed of the purposes for which their data will be processed.

3. Data Minimization and Accuracy:
We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We take reasonable steps to ensure that personal data is accurate, complete, and up-to-date.


4. Data Security and Confidentiality:
We implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data and to protect it against unauthorized access, disclosure, alteration, or destruction. Access to personal data is restricted to authorized personnel who have a legitimate need to access such data.

5. Data Subject Rights:
We respect the rights of data subjects under GDPR, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object to processing. Data subjects may exercise their rights by contacting us using the contact information provided in this statement.

6. Data Transfer and Disclosure:
We may transfer personal data to third parties or international recipients only when necessary for the purposes for which it was collected and in accordance with GDPR requirements. Personal data may be disclosed to third parties only with the consent of the data subject or when required by law.

7. Data Retention:
We retain personal data for no longer than necessary to fulfill the purposes for which it was collected, unless otherwise required by law.

8. Data Breach Notification:
In the event of a data breach involving personal data, we will promptly assess the risk to individuals' rights and freedoms and notify the relevant supervisory authority and affected data subjects as required by GDPR.

9. Compliance Monitoring and Review:
We regularly review and update our data protection policies and practices to ensure compliance with GDPR and other applicable data protection laws.
