Privacy Policy

Please take a few minutes to read our privacy policy — it won’t take long. We want to explain in a simple, clear, and transparent way how we handle and protect your personal information and your rights. The security of your personal data is fundamental to IN-OUT TRAVEL, and we take its proper protection very seriously.

Who is this policy for and to whom does it apply?

This privacy policy applies to all users of the Website, whether or not they are clients of IN-OUT TRAVEL (hereinafter referred to as “the user” or “users”), provided they are natural persons. By personal data, we mean any information relating to an identified or identifiable natural person.

This Website is intended for users over the age of 14. Use of the site by individuals under this age is prohibited, as is registration, contracting of services, or payment for any services offered through the site by persons under 18. Additionally, the user responsibly acknowledges that they have sufficient legal capacity to enter into any agreements for services offered by IN-OUT TRAVEL, if applicable.

Minors under the age of 14 must first obtain permission from their parents, guardians, or legal representatives, who will be considered responsible for any actions taken by the minors in their care, in accordance with current regulations.

Processing Information

As provided in the General Data Protection Regulation (EU) “GDPR”, the user must receive timely and specific information regarding the data controller and the purposes and uses of the data processing.

To this end, the following information is provided:

If you browse or use our website, who is responsible for processing your data?

Viajes In Out Travel S.L., hereinafter “IN-OUT TRAVEL”
Tax ID (CIF): B-82.652.835
Address: c/ Cristobal Bordiú nº 53, 28003 – Madrid
Contact phone: +34 91 326 31 20
Contact email (Data Protection Officer): info@inout-travel.com

For what purpose do we process your personal data?

Our Website is maintained and updated with the utmost responsibility by INOUT TRAVEL. The personal data you provide will be processed for the specific purpose outlined in this privacy policy and for the purpose for which it was collected through the various data forms available on the site.

What information can we collect about you?

The processing of your data is necessary to give you access to the content and/or functionalities of our Website or, should you require it, to send you information or provide you with the services available through it. In this regard, we maintain a firm commitment to legitimately and consistently process your personal data in accordance with the principles and legal obligations set forth by the current personal data protection regulations.

When you browse our Website, and particularly when you interact with it, you provide us with data directly. For example, when you complete any information form regarding a product, service, or request available online, in accordance with the processing purposes indicated in each case.

The data you provide to us is related to such forms. We will always request only the data that is adequate, relevant, and limited to what is necessary for the aforementioned processing purposes (principle of data minimization):

Contact and Identification Data: name, surname, address, phone number, email address.

Commercial and Preferences Data: information you provide about your preferences, such as the type of product or service you are interested in.

Curriculum Data: in addition to identification data, any information you provide when attaching your résumé.

Connection and geolocation data: in cases where you interact with us, for example, from a mobile device.

Browsing data: all websites collect browsing data from visitors through the well-known cookies. Likewise, when you browse our Website, you should pay attention to the cookies installed on your device, as this involves the processing of your personal data depending on the type of cookies used and their specific purposes. For more information about cookies, please refer to the “Cookies Policy” link.

Connection data: IP address of the device or equipment used, provided by the browser you use to connect to a website. The purpose of an IP address is to enable network connectivity, ensure the unique identification of each device, and thereby prevent errors, fraud, etc. IN-OUT TRAVEL will not use your computer or device’s IP address for any processing related to your personal data, nor to identify you or associate your browsing data with you.

Please remember that when we ask you to provide your personal data to access a specific feature or service on the website, some fields are mandatory — we need them in order to provide the service. Therefore, please note that if you choose not to provide this data, you may not be able to complete your registration, access those services, or make a purchase.

For what purpose do we use your data?

IN-OUT TRAVEL processes your data for the following purposes:

To enable you to browse our Website, thereby granting you access to the information and content available on it.

To respond to and manage your inquiries and requests.

To handle and manage subscriptions to the services we offer to the user, such as (but not limited to) newsletters.

To manage recruitment processes.

To send you all the necessary information regarding the features of the product or service you have requested.

If you give your consent, or if there is sufficient legal basis, to send you information about our products and services.

To properly provide support services to interested parties (for example, students).

To carry out quality control of our services through possible opinion surveys.

If you have accepted the cookie policy, to carry out the purposes associated with the various types of cookies described therein — particularly analytical (browsing) cookies — in order to perform analysis and statistics related to website navigation, with the aim of improving our services and their quality. At any time, if you wish, you can configure the use of cookies and have the right to withdraw your consent regarding the purposes associated with these cookies. Please note that withdrawing your consent for the processing of data related to certain types of cookies, such as session or technical cookies, may prevent you from browsing our Website (see cookie policy).

Implement all applicable protection measures in accordance with current regulations, including the potential anonymization of your personal data by applying appropriate available techniques for this purpose. Consequently, in this regard, anonymization and pseudonymization processing may also be carried out for the enhanced protection of your personal data.

To apply the appropriate technical and/or organizational security measures to your personal data, based on the level of risk at any given time.

In general, to comply with the regulations applicable to IN-OUT TRAVEL in accordance with its sector of activity, including actions aimed at fraud detection and the prevention of crimes or unlawful activities.

What happens if you provide us with third-party data?

If you provide us with personal data of third parties, you guarantee that you have informed them about the purposes and the way in which we need to process their personal data.

How do we collect your data?

When you contact IN-OUT TRAVEL directly — for example, through the website or via our customer service phone lines — to request information about our products or services.

When you participate in our marketing campaigns, either through the website or in person at events organized by IN-OUT TRAVEL.

When, with your express authorization, third-party entities share your personal data with us.

PURPOSES OF PROCESSING	LAWFUL BASIS FOR PROCESSING
To enable you to browse our Website, thereby allowing you access to the information and content available on it.	The processing of your data is based on your consent (Art. 6.1, a of the GDPR) and, where applicable, the satisfaction of legitimate interest (Art. 6.1, f of the GDPR), whether our own or that of third parties, related to the proper management, maintenance, development, and evolution of the platform, tools, network, and associated information systems. This enables their correct functioning, features, access to content and services, as well as the overall security of all the aforementioned elements.
To send you all the necessary information regarding the characteristics of the service or product you have requested from us.	The processing of your data is based on the application of pre-contractual measures (Art. 6.1, b of the GDPR) at the request of the data subject, or on your consent (Art. 6.1, a of the GDPR).
To enable you to subscribe to our newsletter.	The processing of your data is based on your consent (Art. 6.1, a of the GDPR).
Management of recruitment processes	We will process your data based on your explicit consent (Art. 6.1, a of the GDPR).
To properly provide customer service.	The processing of your data is based on the application of pre-contractual measures (Art. 6.1, b of the GDPR) or your consent (Art. 6.1, a of the GDPR). When your inquiry is related to the management of incidents or claims, the processing is necessary to address pre-contractual or contractual measures (Art. 6.1, b of the GDPR). When your inquiry is related to the exercise of rights, the processing is necessary for compliance with legal obligations (Art. 6.1, c of the GDPR).
To send you informational and commercial communications about products and services related to our activity.	The processing of your data is based on your consent (Art. 6.1, a of the GDPR), and when such commercial communications may be supported by the provisions of Article 21.2 of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce, on the legitimate interest (Art. 6.1, f of the GDPR) prevailing of IN-OUT TRAVEL.
To carry out quality control of our services through the conduct of possible opinion surveys.	The processing of your data is based on your consent (Art. 6.1, a of the GDPR) and the legitimate interest (Art. 6.1, f of the GDPR) of IN-OUT TRAVEL in order to improve the quality of the services and products contracted by customers.
In the event that you have accepted the cookie policy provided for this purpose, to allow the processing purposes associated with them.	The processing of your data is based on your consent (Art. 6.1, a of the GDPR).
To adopt all applicable protection measures in accordance with current regulations, including the possible pseudonymization and anonymization of your personal data by applying the appropriate techniques available for this purpose.	The processing is necessary for compliance with legal obligations (Art. 6.1, c of the GDPR) and the Spanish personal data protection regulation, Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, the “LOPDGDD”). In cases where processing is intended to guarantee the security of the platform, network, and associated information system, the legitimate interest (Art. 6.1, f of the GDPR) of IN-OUT TRAVEL or, where applicable, a third party (Recital 49 of the GDPR) may be invoked when appropriate.
To apply the appropriate technical and/or organizational security measures to your personal data, with a focus on the existing risk at any given time.	The processing is necessary for compliance with legal obligations (Art. 6.1, c of the GDPR) and the LOPDGDD. In cases where processing is intended to guarantee the security of the platform, network, and associated information system, the legitimate interest (Art. 6.1, f of the GDPR) of IN-OUT TRAVEL or, where applicable, a third party (Recital 49 of the GDPR) may be invoked when appropriate.
In general, to comply with the regulations applicable to IN-OUT TRAVEL according to its specific sector of activity, including actions aimed at detecting fraud and preventing crimes or unlawful acts in the development of IN-OUT TRAVEL’s compliance programs.	The processing is necessary for compliance with legal obligations (Art. 6.1, c of the GDPR), or the prevailing legitimate interest (Art. 6.1, f of the GDPR) of IN-OUT TRAVEL concerning actions for the detection or prevention of fraud (Recital 47 of the GDPR).

When the legal basis for the processing of your personal data is your consent, we remind you that you have the right to withdraw it at any time in a simple and free manner by writing to us at info@inout-travel.com.

How long do we keep your data?

Your personal data will be retained for as long as necessary to fulfill the purpose for which it was collected, unless a longer retention period is legally permitted or required.

Our data retention periods are based on business needs; afterward, we will keep them properly stored and protected for the time during which liabilities related to the processing may arise, in compliance with the regulations in force at all times. Once any possible actions have expired in each case, we will proceed to delete the personal data.

PERSONAL DATA ASSOCIATED WITH THE INFORMED PURPOSES OF PROCESSING	RETENTION PERIODS OR CRITERIA FOR THE STORAGE OF YOUR PERSONAL DATA
To enable you to navigate our platform, thereby allowing you access to the information and content available on it.	As a general rule, your data will be retained for these purposes for the minimum time necessary to enable you to properly navigate and use our platform and the content available through it that you access. Regarding data associated with your browsing profile, related to the analytical cookies you have accepted as indicated in INOUT TRAVEL’s cookie policy, you should refer to the section regarding their retention period (see cookie policy).
To properly provide customer service.	For the strictly necessary time to resolve or address them.
To send you all the necessary information regarding the characteristics of the product or service you have requested from us.	For the strictly necessary time to resolve or address them.
To send you informational and commercial communications about products and services related to our activity.	Until the moment you exercise your right to withdraw your consent for the processing of your data for advertising and/or promotional purposes or, where applicable, object to processing for direct marketing purposes in accordance with the provisions of Article 21.2 of the GDPR.
To enable you to subscribe to our blog/newsletter.	Until the moment you request the effective cancellation of such subscription.
Management of recruitment processes.	We will retain your curriculum data until you exercise your right to withdraw your consent or, in the case of not having participated in any selection process, your curriculum will be deleted within one (1) year from its receipt. In the case of participating in a selection process, the outcome will become part of your file at IN-OUT TRAVEL if you are selected and will be deleted when it is no longer necessary.
To carry out quality control of our services through the conduct of possible opinion surveys.	As long as there is a pre-contractual/contractual relationship with the user.
In the event that you have accepted the cookie policy provided for this purpose, to allow the processing purposes associated with them.	They will be retained as indicated in the Cookie Policy.
To adopt all applicable protection measures in accordance with current regulations, including the possible pseudonymization and anonymization of your personal data by applying the appropriate techniques available for this purpose.	As long as the user’s personal data is processed, including the retention of such data during the legally established periods, regardless of the legal basis for processing claimed by IN-OUT TRAVEL.
To apply the appropriate technical and/or organizational security measures to your personal data, with a focus on the existing risk at any given time.	As long as the user’s personal data is processed, including the retention of such data during the legally established periods, regardless of the legal basis for processing asserted by IN-OUT TRAVEL.
In general, to comply with the regulations applicable to IN-OUT TRAVEL according to its specific sector of activity, including actions aimed at detecting fraud and preventing crimes or unlawful acts in the development of IN-OUT TRAVEL’s compliance programs.	10 years in accordance with the Law on Money Laundering and Terrorist Financing.

In any case, and without prejudice to the foregoing, the user is also informed of the following:

Our data retention periods are based on business needs; they will be kept for as long as necessary to fulfill the purpose for which they were collected, unless a longer retention period is legally permitted or required.

In accordance with current personal data protection regulations, regarding the proper processing of personal information by INOUT TRAVEL, this entity may also securely retain the information for three years from its collection/acquisition (statute of limitations for violations in this area).

Regarding the retention period of cookies, users are advised to consult our cookie policy.

As a general rule, when personal data is no longer necessary for the processing purposes for which it was collected, it will be blocked and made available only to the competent authorities for the possible clarification of legal responsibilities related to its processing, always in accordance with applicable regulations, and it cannot be used for purposes other than these. Once the corresponding legal blocking periods have elapsed, such personal data will be deleted as provided by applicable regulations and, if applicable, may also be securely anonymized by INOUT TRAVEL (anonymized/non-personal data).

What are the consequences of not providing us with your data?

We strive to request or apply the minimum and essential data necessary to carry out the personal data processing we perform in full development of our purpose and social objectives, all in accordance with the principles contained in the applicable regulations.

However, the failure to provide your personal data may result in the inability to:

You may not be able to navigate our website properly (due to non-acceptance of technical or session cookies).

Process your specific request or application (for example, due to lack of or insufficient completion of the corresponding form or application).

In any case, the personal information and data you provide us, depending on each case, must always be:

Sufficient, yet tailored, limited, and proportionate to the legitimate processing purposes informed in each case, with the utmost respect for the principles of purpose limitation and minimization of personal data.

Accurate, up-to-date, and truthful, in order to properly verify identity, capacity, and, where applicable, representation, as well as to adjust, in each case, the data processing activities to your specific needs and actual situation. All of this in accordance with the principle of accuracy of personal data.

Users will be fully responsible for the personal data and information they provide to IN-OUT TRAVEL and, where applicable, for the services they request or contract from us.

Do we share your personal data with third parties?

As a general rule, we do not share your data with third parties, nor do we sell or offer it to them; however, in order to fulfill the purposes indicated in this Privacy Policy, we may share your minimal personal data with partner companies that support us in the services we provide, for example (not limited or exclusive):

Fraud detection and prevention entities.

Technology service providers (storage, security, and maintenance).

Providers and collaborators of services related to marketing and advertising.

These companies providing us with other types of services only have access to the personal information necessary to carry out such services, and they are required to maintain the confidentiality of any personal information they may access, being prohibited from using it in any other way than that which we have requested.

For compliance with legal and regulatory obligations, your data will be disclosed to (not limited or exclusive):

Public administrations.

Judges, courts, and law enforcement agencies, for addressing any liabilities arising from the processing, within their respective jurisdictions and upon their request.

For service efficiency, some service providers may be located in territories outside the European Economic Area that do not provide a level of data protection comparable to that of the European Union, such as the United States. In such cases, we inform you that we transfer your data with appropriate safeguards and always ensuring the security of your data, with these service providers certified under Privacy Shield.

If you wish to consult the certification of US providers, you can find it at the following link: https://www.privacyshield.gov/welcome

Likewise, IN-OUT TRAVEL has various data processors under its control, granting them access as trusted providers, only to the extent strictly necessary for the provision of the contracted services. These data processors operate under a service contract with the terms, conditions, and guarantees contained in Article 28 of the GDPR, with IN-OUT TRAVEL conducting the corresponding controls, inspections, and audits in this area to ensure that such data processors strictly comply with the contracts signed for this purpose and the applicable regulations.

Finally, you are informed that your data may be disclosed to competent authorities and agencies according to the applicable legislation in each case.

Are international transfers of your data carried out?

We inform you that your data will not be disclosed to entities outside the European Economic Area without your explicit consent, except in cases where a mandatory regulation allows such disclosure; in such cases, we will inform you, whenever possible, of the purposes of such disclosure.

Notwithstanding the above, our cookie policy informs about possible international transfers of personal data related to the services provided to us by certain companies (third-party cookies). All these international transfers are fully guaranteed according to applicable regulations and involve entities included in the list of entities certified under the Privacy Shield framework (see cookie policy).

What are your rights when you provide us with your data?

We are committed to respecting the confidentiality of your personal data and to ensuring the exercise of your rights.

How can I request my rights?

You can exercise them free of charge:

By sending an email to info@inout-travel.com, indicating in the subject line “Request to exercise rights” and specifying the right you wish to exercise.

You may also send the request to the postal address: C/ Cristobal Bordiú nº 53, 28.003 – Madrid, indicating the reference “Request to exercise rights” and specifying the right you wish to exercise.

To properly identify you and ensure the security of your data (for example, to prevent identity theft), we request that you send us a copy of an identity document; DNI, NIE, or passport.

In particular, regardless of the purpose or legal basis under which we process your data, you have the right to:

RIGHT	WHAT IS IT?
Right to information	The right to be provided by IN-OUT TRAVEL with appropriate information, both at the time your personal data is collected (whether obtained from you or through a third party) and at any later time regarding the processing of your personal data. You have control over your personal information.
Right of access	The right to obtain from IN-OUT TRAVEL confirmation as to whether or not your personal data is being processed, and to basic information related to such processing, as well as to obtain a copy of the personal data being processed.
Right to rectification	The right to obtain the rectification of your personal data without undue delay by IN-OUT TRAVEL.
Right to erasure	The right to obtain the erasure of your personal data without undue delay by IN-OUT TRAVEL.
Right to restriction of processing	Right to obtain from IN-OUT TRAVEL the restriction of processing of your data when: – You contest the accuracy of your personal data, during a period that allows IN-OUT TRAVEL to verify its accuracy. – The processing is unlawful and you object to its erasure (and instead request the restriction of its use). – IN-OUT TRAVEL no longer needs the personal data, but you need them for the establishment, exercise, or defense of legal claims.
Right to data portability	The right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to transmit them to another data controller when technically feasible.
Right to object	The right to object at any time to the processing of your personal data, including profiling, when such processing is based on the legitimate interests of IN-OUT TRAVEL or a third party.
Right not to be subject to a decision based solely on automated processing (including profiling).	Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you.
Right to withdraw the consent given	You have the right to withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of the processing carried out by IN-OUT TRAVEL based on your consent prior to its withdrawal.
Right to lodge a complaint with the competent supervisory authority (AEPD).	It implies the possibility of appealing to the supervisory authority if you believe your personal data protection rights have been violated.

We recommend that before filing any complaint or claim with the Spanish Data Protection Agency (AEPD), you contact us to analyze the specific situation and, if applicable, try to find an effective and amicable solution. Regardless of the above, if you wish, you can also visit the AEPD website at www.aepd.es.

The exercise of these rights on your part is subject to certain exceptions for reasons of public interest, such as the prevention or detection of crimes, or for our own interests, such as maintaining the confidentiality of legal advice. If you exercise any of these rights, we will verify that you are duly authorized to do so and will respond within one month (according to the GDPR), which may be extended by an additional two months if necessary, taking into account the complexity and number of requests.

What security measures do we provide for your personal data?

IN-OUT TRAVEL is committed to fulfilling its obligation of confidentiality, the duty to safeguard data, and to adopting the necessary technical and organizational measures that guarantee the security of personal data and prevent its alteration, loss, unauthorized processing, or access.

The information provided by the user is considered confidential and may not be used for purposes other than those related to the services contracted with IN-OUT TRAVEL.

Third parties collaborating with IN-OUT TRAVEL who have any involvement in the services provided are committed not to disclose or misuse any information they have accessed.

All our providers, acting as Data Processors, operate under a service contract with the terms, conditions, and guarantees contained in Article 28 of the GDPR.

Although absolute protection against intrusions cannot be guaranteed during data transmissions over the internet or from a website, both we and our subcontractors and business partners make every effort to maintain physical, electronic, and procedural protection measures to ensure the protection of your data in accordance with applicable legal requirements.

Among the measures we use are the following:

a) Physical measures:

“Clean desk” policy.

Document shredder.

Fireproof cabinets with specialized locks.

Classified and labeled documents.

Workplaces secured with key access, preventing entry by unauthorized persons.

Procedures for the use of media outside the office.

b) Logical measures:

Limiting access to your data only to those individuals who need to know it based on the tasks they perform.

As a general rule, transfer collected data in encrypted format.

Store the most sensitive data (such as credit card information) only in encrypted format.

Install perimeter protection systems for IT infrastructures (“firewalls”) to prevent unauthorized access, such as from hackers.

Regularly monitor access to IT systems to detect and prevent any misuse of personal data.

Commercial transactions are carried out in a secure server environment under SSL protocol.

Original and up-to-date software.

Computer equipment with access through a unique and non-transferable username and password.

Disk encryption.

Backup and restoration capability.

Procedures for the use of automated devices, incident logging, and use of media outside the office.

User locked when idle, screensaver with password lock.

In cases where we have provided you (or you have chosen) a password that allows you to access certain parts of our websites or any other portal, application, or service under our control, you are responsible for keeping it confidential and for complying with all other security procedures we notify you of.

We recommend some precautions you should take to ensure the security of your personal data:

Do not share your username or password with anyone.

Do not write it down in easily accessible places such as your computer or planner.

Always use our SSL security system.

Always log out of the browser session after accessing a secure area or after entering your username or password into the system.

c) Training measures:

Training at IN-OUT TRAVEL in data protection, cybersecurity, and related matters is ongoing.

Security measures are reviewed periodically, both manually and through specialized software.

Modification of the privacy policy

IN-OUT TRAVEL reserves the right to modify this policy to adapt it to future legislative, doctrinal, or jurisprudential developments that may apply, or for technical, operational, commercial, corporate, and business reasons, informing you reasonably in advance of any changes whenever possible. In any case, it is recommended that each time you access this platform, you carefully read this policy, as any modifications will be published here.

Additionally, IN-OUT TRAVEL may personally and in advance inform you of any proposed changes to this policy before they come into effect, whenever technically and reasonably possible, particularly if you are a registered user or a client of IN-OUT TRAVEL.

Jurisdiction and applicable law

As a general rule, any dispute or conflict will preferentially be submitted by the parties for resolution through amicable and mutual agreement, using, for this purpose, the channel and email provided in this policy.
If this is not possible, according to the criteria contained in the GDPR for determining the competence of the lead or principal authority to address any dispute, controversy, or claim regarding this privacy policy, it is hereby informed that such authority will be the Spanish Data Protection Agency (AEPD), and, in any case, the provisions of Article 56 of the GDPR must be observed.

Regarding the right to effective judicial protection against IN-OUT TRAVEL in these cases, Article 79.2 of the GDPR will also apply, and legal action may be taken before the Courts and Tribunals of the city where the Data Controller resides, insofar as the responsible entity is a company established in Spain. The applicable Spanish and European regulations in this area will be observed.

Contact us

Contacta con nosotros