Privacy Policy
Your trust matters. This policy explains how Hotel Montané handles personal data in line with Andorra's privacy and tourism laws while delivering memorable stays in Arinsal.
At-a-Glance
We adhere to LQPD 29/2021, tourism regulations and EU adequacy standards. Highlights below summarise our privacy commitments before detailed sections.
Need Assistance?
Reach out to our privacy contact or the Andorran Data Protection Agency (APDA).
APDA: Carrer Prat de la Creu 59-65, Esc. A, 3r 1a, Andorra la Vella — +376 808 115 — [email protected]
Data Controller & Contact Details
Hotel Montané | Ctra. d'Arinsal, 56, AD400 Arinsal, Principality of Andorra. Phone +376 737 535. Email [email protected].
- Legal representative: Hotel Montané, trading as a registered tourist accommodation under the General Law of Tourist Accommodation (Llei 16/2017).
- For privacy enquiries, contact the Front Desk or email [email protected]. We respond within 30 calendar days.
- Complaints may also be addressed to the Andorran Data Protection Agency (APDA), Carrer Prat de la Creu 59-65, Esc. A, 3r 1a, AD500 Andorra la Vella, +376 808 115, [email protected].
Applicable Legal Framework
Our processing is governed by the Qualified Personal Data Protection Law 29/2021 (LQPD), its implementing decrees of 2022, the General Law of Tourist Accommodation 16/2017, and EU adequacy decisions recognising Andorra.
- LQPD 29/2021 and implementing Decree 391/2022 require accountability, security measures, breach notification within 48 hours and, where applicable, the appointment of a Data Protection Officer.
- Tourist regulations (Llei 16/2017) and the ROAT Regulation oblige us to register guest stays and retain related documentation for official inspections.
- The European Commission confirms that Andorra maintains an adequate level of data protection, allowing data flows with EU/EEA countries without additional safeguards.
Personal Data We Collect
We collect only the data needed to deliver hospitality services, fulfil legal duties and provide personalised experiences.
- Identification & contact data: full name, postal address, email, phone number, nationality, ID/passport details, travel document copies when required by ROAT.
- Booking data: arrival/departure dates, room type, rate plans, preferences, special requests, loyalty details, payment status, third-party booking references.
- Financial data: masked payment card details managed through PCI-compliant booking and payment processors; invoicing and tax information.
- Stay data: companions, ages of minors (limited to what is legally required), dietary or accessibility notes you choose to share for service customisation.
- Digital interactions: contact form submissions, email correspondence, website usage metrics captured via essential analytics tools with anonymisation wherever feasible.
Purposes & Legal Bases for Processing
Processing relies on contractual necessity, legal obligations, legitimate interests or consent. We document each activity in our records of processing.
- Reservation management, check-in, accommodation and billing are processed to perform the accommodation contract and pre-contractual steps.
- ROAT submissions, tourist tax reporting and safety obligations are processed under legal duties in Andorran tourism and fiscal regulations.
- Customer care, concierge communications and post-stay feedback rely on our legitimate interest in service improvement. You may object at any time.
- Marketing communications (newsletters, special offers) are sent only with opt-in consent and include clear unsubscribe options.
- Sensitive data (e.g. allergies, reduced mobility) is processed solely with explicit consent to deliver tailored hospitality services.
Data Sharing & International Transfers
We restrict access to trusted partners who support our operations and comply with Andorran and EU-equivalent safeguards.
- Accommodation technology: Our booking engine and channel manager providers (e.g. SiteMinder) process reservation data under contractual confidentiality and security clauses.
- Guest registry: ROAT submissions are transmitted via the Government of Andorra portal; police and tourism authorities may access records for compliance checks.
- Tax & accounting: licensed advisers receive invoice data to meet tourist tax and IGI obligations. Only necessary fields are shared.
- Travel partners: With your consent, we liaise with transfer companies or activity providers using minimal data to confirm arrangements.
- International transfers outside Andorra/EEA occur only to countries with EU adequacy or using standard contractual safeguards; Andorra's adequacy status supports EU-to-Andorra flows.
Retention & Security
We apply retention schedules aligned with tourism, tax and privacy law and protect data with layered security controls.
- Guest registration logs and signed house documents are retained for the minimum periods mandated by ROAT and inspection authorities (typically one year) unless longer retention is required for disputes.
- Financial and invoicing records are stored while Andorran accounting regulations require auditability, after which they are anonymised or securely destroyed.
- Digital systems use access controls, encryption in transit and at rest, regular backups, and supplier due diligence to mitigate risks.
- Security incidents are logged and, when required, notified to APDA and affected individuals within the statutory deadlines.
Your Data Protection Rights
Under LQPD you can exercise robust rights over your personal data handled by Hotel Montané.
- Right to information and access to understand how we process your data.
- Right to rectification of inaccurate or incomplete information.
- Right to erasure when data is no longer necessary, subject to legal retention duties.
- Right to object or restrict processing, especially for marketing or legitimate interest uses.
- Right to data portability for information you provided to us in digital form.
- Right not to be subject to automated decisions without meaningful human involvement.
- Right to lodge a complaint with the APDA if you believe your rights are infringed.
Policy Updates
We review this notice annually or whenever regulations or operations change. The latest revision date appears below.
- Current version effective 27 September 2025.
- Material changes will be communicated via our website, booking confirmations or direct email where appropriate.
How to Exercise Your Rights
Email [email protected] or complete the contact form with "Data Subject Request" in the subject line. Provide enough detail to verify your identity (booking reference, stay dates or ID copy when legally required).
We respond within 30 calendar days and may extend once by 30 days for complex requests, notifying you in advance. There is no charge unless the request is manifestly unfounded or excessive.
Data Protection Impact Assessments & DPO
We assess high-risk projects (e.g. new digital guest experiences) through Data Protection Impact Assessments in line with LQPD guidance. If an assessment indicates residual high risk, we consult the APDA prior to launch.
Based on current processing categories, a dedicated DPO is not mandatory. Should this change, we will update this notice with the DPO's contact details.