Language. This English version is provided for convenience only. The Spanish version (Política de Privacidad) is the legally binding text under Spanish law. In case of discrepancy, the Spanish version prevails.
This Privacy Policy describes how Soline Transfer collects, uses and protects the personal data of Users who access https://soline.es or contact us through the available channels. It is drafted in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), Spanish Organic Law 3/2018, of 5 December, on Personal Data Protection and Digital Rights (LOPDGDD) and other applicable rules.
1. Data Controller
| Controller | Lukasz Krzysztof Chmielewski — Soline Transfer |
|---|---|
| Tax ID | Z1870346Z (NIE) |
| Address | Carrer de Parcerisa 25, 08014 Barcelona, Catalonia, Spain |
| Contact email | info@soline.es |
| Data Protection Officer (DPO) | Not applicable. Given the nature and scale of processing, the Controller is not obliged to appoint a DPO under Article 37 GDPR. Data protection enquiries are handled directly by the Controller at the contact email above. |
2. Data we process
2.1 Data provided through the booking form
- Identification: first name and surname.
- Contact: phone number (with country code), email if provided.
- Service details: route, pick-up address, drop-off address, date and time, number of passengers, round-trip indication.
- Additional information: free-text "Notes" field — may include flight number, child seat requirements, special luggage or any other remarks the User chooses to share.
The form does not include any payment field. When submitted, the data is composed into a WhatsApp message that the User reviews and sends manually from their own device.
2.2 Data received via WhatsApp, email or phone
- Content of the User's communications and associated metadata (date and time, sender phone or email).
2.3 Browsing data
- IP address, date and time of access, pages visited, browser and device type, browser language. Recorded in the hosting server logs for security and technical diagnostic purposes.
- The language chosen by the User, stored locally in the browser (
localStorage) for strictly technical purposes. See the Cookies Policy.
3. Purposes and legal basis
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Handle the User's quote request, communicate price and availability and, where applicable, manage the booking. | Art. 6(1)(b) — Pre-contractual steps at the User's request and, where applicable, performance of the transport contract. |
| Maintain communication before, during and after the service (confirmations, live ETA, incident management). | Art. 6(1)(b) — Performance of the contract. |
| Comply with the Provider's legal obligations (tax, accounting, transport, data protection). | Art. 6(1)(c) — Compliance with a legal obligation. |
| Handle data subject rights requests and enquiries sent through the contact channels. | Art. 6(1)(c) — Compliance with a legal obligation (GDPR/LOPDGDD). |
| Ensure the security of the Website, prevent fraud and abuse, and maintain technical logs. | Art. 6(1)(f) — Legitimate interest in keeping the service secure and abuse-free. |
| Aggregated, anonymised statistical analysis of Website use (pages visited, traffic sources, devices, language) to improve experience and services. Processing performed via Google Analytics 4 with IP anonymisation, no data-sharing with advertising and no profiling. | Art. 6(1)(a) — User consent, given through the cookie banner. Consent can be withdrawn at any time via the "Cookie preferences" link in the footer. |
The Provider does not carry out any processing for marketing, behavioural advertising or profiling purposes. No commercial electronic communications will be sent without the prior explicit consent of the User. Web analytics is configured with IP anonymisation (anonymize_ip) and all Google advertising features are kept denied under any consent state.
4. Retention periods
- Requests that do not result in a service: up to 12 months from the last contact, unless erasure is expressly requested earlier.
- Booked and rendered services: throughout the contractual relationship and, after termination, for the minimum legal periods required by tax and commercial law (generally 6 years under the Commercial Code and 4 years under the General Tax Law).
- Communications via WhatsApp, email or phone: up to 24 months from the last contact, in order to respond to possible later claims or enquiries, unless erasure is expressly requested earlier.
- Server logs: up to 12 months for Website security purposes.
- Data processed to comply with legal obligations: for the periods set out in the applicable legislation.
5. Recipients and data sharing
Personal data will not be shared with third parties except:
- Where required by law (Tax Authorities, Law Enforcement, Courts, transport authorities).
- With service providers acting as data processors under a contract meeting the requirements of Article 28 GDPR. These providers process the data exclusively to deliver the service contracted by Soline Transfer and under its instructions.
5.1 Processors and suppliers
| Provider | Service | Location |
|---|---|---|
| WhatsApp Ireland Ltd / Meta Platforms, Inc. | Messaging service used to receive bookings and communicate with Users. The User starts the conversation by sending a message from their device. | Ireland (EU) and USA |
| Hosting provider | Website hosting and email service tied to the domain. | European Union |
| Google Ireland Limited | Web fonts (Google Fonts) loaded from fonts.googleapis.com and fonts.gstatic.com. The User's IP address is transmitted to Google when loading. | Ireland (EU), possibly with US servers. |
| Google Ireland Limited / Google LLC | Google Analytics 4 (property G-VNC81YDZ4N) for Website usage statistics. Only activated if the User gives express consent via the banner. Configured with Google Consent Mode v2, IP anonymisation and no advertising signals. See the Cookies Policy. |
Ireland (EU) and USA |
| Unsplash Inc. | Illustrative images loaded from images.unsplash.com. The User's IP address is transmitted to Unsplash when loading. | Canada / USA |
WhatsApp. When the User submits the booking form, WhatsApp opens with a pre-filled message and the User voluntarily chooses to send it. From that point, the message content is also governed by WhatsApp/Meta's terms and privacy policy. We recommend reading whatsapp.com/legal/privacy-policy-eea.
6. International data transfers
Some of the processors listed may process personal data in countries outside the European Economic Area, in particular in the United States. These transfers rely on one of the mechanisms under Chapter V GDPR, in particular:
- Adequacy decision (Art. 45 GDPR) — for the US, under the EU–U.S. Data Privacy Framework, where the provider has self-certified.
- Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR), supplemented by additional measures where appropriate.
A copy of the safeguards in place can be requested by writing to info@soline.es.
7. Your rights
Under Articles 15 to 22 GDPR and 13 to 18 LOPDGDD, the User may exercise at any time, free of charge, the following rights:
- Access: confirmation of whether data is being processed and, if so, access to it.
- Rectification: correction of inaccurate or incomplete data.
- Erasure (right to be forgotten): deletion of data no longer needed for the original purposes.
- Objection: to processing based on legitimate interest.
- Restriction of processing in certain cases.
- Portability: receive the data in a structured, commonly used and machine-readable format and transmit it to another controller, where processing is based on consent or contract.
- Withdrawal of consent at any time, where consent is the basis of processing, without affecting the lawfulness of processing before withdrawal.
To exercise these rights, the User may send a written request to info@soline.es or by post to the address indicated in section 1, including:
- Identification of the requester (name and surname) and, where appropriate, a copy of an identity document.
- The right being exercised and a description of the request.
- An address for notifications.
The Controller will resolve the request within one month, extendable by a further two months where necessary due to complexity or volume.
8. Automated decisions and profiling
Soline Transfer does not take automated decisions producing legal or similarly significant effects on the User, nor does it carry out profiling.
9. Minors
The Website is aimed at adults. We do not knowingly collect personal data of children under 14. Where minors travel as part of a booking, their data (age and specific needs such as child seats) will be provided by their parent or legal guardian as part of contract performance.
10. Security measures
The Controller has adopted reasonable technical and organisational measures to ensure a security level appropriate to the risk, including:
- HTTPS/TLS encryption of communications.
- Restricted data access on a need-to-know basis.
- Periodic backups and server access logs.
- Regular review of the measures.
No system is absolutely secure. In the event of a personal data breach posing a high risk to the rights and freedoms of data subjects, the Controller will notify the AEPD and the affected individuals within the deadlines under Arts. 33 and 34 GDPR.
11. Right to complain to the AEPD
If the User believes that the processing infringes the law, or is not satisfied with the response to a rights request, they may lodge a complaint with the Spanish Data Protection Agency (AEPD):
- Website: www.aepd.es
- Address: C/ Jorge Juan, 6 — 28001 Madrid, Spain
- Phone: +34 901 100 099 / +34 912 663 517
12. Changes to this Policy
The Controller reserves the right to amend this Privacy Policy to reflect legal or operational changes. Amendments are effective upon publication on the Website. Users are advised to review this document periodically.