Controller details
The party responsible for processing the personal data collected through this website is:
- Legal name: Hacienda Zalama S.A. de C.V.
- RFC: XAXX010101000
- Address: Calle 45, Tulum, Tulum, Mexico.
- Data protection contact: privacidad@haciendazalama.com
Hacienda Zalama is located in Tulum, in the state of Quintana Roo, Mexico. This privacy notice applies to the accommodation's public website. The booking itself is made outside this site, on the booking engine's platform, which has its own notice.
Data we collect
This website is informative. At present it does not include contact forms, subscriptions or a customer area.
When you browse, the hosting provider (Cloudflare) records minimal technical data needed to serve the site and protect its security: IP address, browser user agent, pages visited, response times and events relating to abuse mitigation. These records are not linked to a user profile that we identify.
If in the future we enable a form, subscription or any other channel that requires your identifying data, we will update this section and ask for your express consent before collecting it, making the corresponding privacy notice available to you. For details on cookies, see the Cookies policy.
Consent and basis for processing
The processing of your data rests on the following bases, in accordance with the LFPDPPP:
- Primary purposes: for the technical browsing data needed to serve this website, prevent abusive use and diagnose incidents. These purposes are essential for providing the requested service and do not require any consent beyond that of browsing the site.
- Consent: for any additional data you actively provide when a form, subscription or non-strictly-necessary cookie is present, as well as for secondary purposes. Consent is requested separately, is informed and can be withdrawn at any time.
Purposes
The technical browsing data is processed, as primary purposes, in order to:
- Serve the requested pages to those who request them.
- Keep the site secure: detect unusual activity, mitigate denial-of-service attacks and filter malicious traffic.
- Diagnose technical issues when incidents occur.
- Improve the performance and reliability of the service.
What we do not do. We do not use browsing data for commercial profiling, personalised advertising or automated decisions with legal effects on the data owner. Nor do we share it with third parties for commercial purposes.
Retention periods
The technical data recorded by the hosting provider is kept only for as long as strictly necessary for the purposes described above, typically between 7 and 30 days, after which it is irreversibly deleted or anonymised.
Any data you actively provide in the future (for example, through a contact form) will be kept for as long as is needed for the purpose for which it was collected, and then for the applicable legal limitation periods.
Transfers and processors
We do not transfer your data to third parties for commercial purposes. We work with providers acting as data processors under contract, who only process data on our instructions:
- Cloudflare, Inc.: site hosting, CDN and security services. You can review their policy at cloudflare.com/privacypolicy.
Once the booking engine (Guesty) is in place, using it will take you to its own platform. Booking data will be processed under the privacy notice of Guesty and of the property responsible for the accommodation; this website does not process the booking or store guest information.
International transfers
Cloudflare is a US company with a global presence. Technical browsing data may be processed, in whole or in part, on servers located outside Mexican national territory.
These transfers are made under articles 36 and 37 of the LFPDPPP, which allow the transmission of data to a processor for the provision of a service and the transfer where it is necessary for the maintenance or fulfilment of the legal relationship. The level of protection required from the processor is equivalent to that provided for by the LFPDPPP and its Regulations.
Your ARCO rights
As the data owner, you have the right to exercise the following powers, known as ARCO rights, over your personal data:
- Access: find out what personal data we process about you and the conditions of its processing.
- Rectification: correct inaccurate or incomplete data.
- Cancellation: request the deletion of your data when you consider it is not required for any of the stated purposes.
- Opposition: object to the processing of your data for specific purposes.
- Limitation of use or disclosure: ask for the use or disclosure of your data to be limited in certain cases.
- Portability: receive your data in a structured, commonly used format where applicable.
- Withdrawal of consent: withdraw at any time the consent you have given for the processing of your data.
Withdrawing consent does not affect the lawfulness of processing based on consent given before that withdrawal.
How to exercise your rights
You can exercise any of the rights above by submitting an ARCO request addressed to the controller, writing to privacidad@haciendazalama.com, putting "Protección de datos" in the subject line and including a copy of a document proving your identity or, where applicable, the corresponding legal representation.
We will respond to your request within a maximum of twenty business days from receipt, in accordance with the LFPDPPP, informing you of the decision adopted so that, if it is appropriate, it can be made effective within the following fifteen business days. The deadlines may be extended in the cases provided for by law, in which case we will tell you the reason.
If you believe your request has not been handled correctly, or that the processing of your data breaches the applicable regulations, you may turn to the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) through its website: inai.org.mx.
Security
We apply reasonable technical and organisational measures to protect data against unauthorised access, alteration, loss and disclosure. These include:
- Encryption in transit via HTTPS, with HSTS enabled.
- Security headers: Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
- Periodic review of hosting provider configurations and site dependencies.
- Minimisation principle: we collect only the data essential for each purpose.
No system is completely invulnerable. Should a security incident occur that may pose a risk to your rights, we will act with care and transparency, notifying the affected data owners and the competent authority within the terms set out by the regulations.
Changes to this notice
If the way we process data changes substantially, we will update this privacy notice and indicate the new revision date in the header. The version currently in force is always the one published on this page.