Privacy Policy
Last updated: 24 May 2026
At COSTAKEY we process your personal data in accordance with GDPR and Spanish LOPDGDD. COSTAKEY is a real estate agency and vacation rental manager; this site is our official booking and payment channel, not a marketplace or intermediary platform for independent third-party sellers.
1. Data controller
The data controller is COSTAKEY, operator of the digital platform at https://costakey.life, with registered address at Av. País Valenciano, 17, 03140 Guardamar del Segura, Province of Alicante, Valencian Community, Spain.
Privacy and rights requests: legal@costakey.life (subject: “Data protection”). General enquiries: info@costakey.life.
2. Scope
This policy applies to data processed through our website, private areas (clients, owners, agents, administration), email communications, and booking and payment flows linked to the platform.
It does not cover third-party websites linked from COSTAKEY (e.g. Stripe Checkout), which have their own privacy policies.
3. Categories of data we process
Depending on how you use the platform, we may process:
- Identity and contact data: name, surname, email address, phone number, preferred language.
- Account data: hashed credentials (Argon2id), user role (client, owner, agent, administrator), registration date, session preferences.
- Booking data: check-in and check-out dates, number of guests, amount, booking status, property identifier, related management messages.
- Payment data: amount, currency, payment status, Stripe transaction identifiers. We do not store full card numbers; processing is carried out by Stripe as a PCI-DSS certified processor.
- Property portfolio data: title, description, location, prices, availability, images and documents for properties managed by COSTAKEY (including data from authorised staff or associated owners under a management mandate).
- Technical data: IP address, browser type, pages visited, session tokens, security and internal audit logs.
- Communications: enquiries sent to support or the legal department.
4. Source of data
Data is obtained from you when you register, book or contact us; automatically through cookies and logs; and from authorised COSTAKEY staff managing the portfolio and bookings in our internal systems.
5. Purposes and legal basis
We process your data for the following purposes:
- Account management and authentication — legal basis: contract performance and legitimate interest in security.
- Provision of accommodation and booking management by COSTAKEY — contract performance.
- Payment processing — contract performance and legal obligation (billing, fraud prevention).
- Customer support and complaints — contract performance and legitimate interest.
- Regulatory compliance (tax, tourism, LSSI) — legal obligation.
- Platform security, abuse detection and audit logs — legitimate interest.
- Marketing communications — only with your explicit consent; you may withdraw at any time.
- Non-essential cookies / analytics — consent (see our Cookie Policy).
6. Recipients and processors
We do not sell your personal data. We may share it with:
- Stripe Payments Europe, Ltd. — payment processing (data processor).
- Infrastructure and hosting providers in the EU or with appropriate safeguards (standard contractual clauses, adequacy decisions).
- Authorised COSTAKEY staff and partners under management contracts, only as needed to fulfil your booking (not for marketplace resale).
- Legal, accounting advisers or public authorities when required by law.
7. International transfers
Our servers and database are oriented to the European market. If a provider (e.g. Stripe) processes data outside the EEA, it does so with GDPR safeguards (standard contractual clauses, certifications or European Commission adequacy decisions).
8. Retention periods
We retain data while you maintain an active account or a contractual relationship exists, and thereafter for periods required by Spanish law (e.g. commercial and tax obligations, typically up to 6 years for accounting records).
Security logs are kept for a limited period (usually 12 months) unless an incident investigation requires longer retention.
After the applicable period, data is deleted or irreversibly anonymised.
9. Security measures
We apply appropriate technical and organisational measures: encrypted transmission (HTTPS/TLS), Argon2id password hashing, role-based access control (RBAC), JWT tokens for the API, CSRF protection on web forms, database backups and logging of relevant activity in the admin panel.
10. Your rights
You may exercise your rights of access, rectification, erasure, objection, restriction of processing, portability and not to be subject to automated decisions by emailing legal@costakey.life with a copy of identification. We will respond within one month (extendable by two months in complex cases).
Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.
You may lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.
11. Minors
Booking services are intended for persons aged 18 or over. We do not knowingly collect data from minors. If we detect an unauthorised minor account, we will delete it.
12. Changes to this policy
We may update this policy to reflect legal or service changes. The current version will be published on this page with the update date. For material changes, we will notify you by email or a prominent notice on the platform.