SES Peregrino

Privacy Policy — SES Peregrino

Last updated: March 22, 2026

This Privacy Policy describes how personal data is collected, processed, and protected through the SES Peregrino mobile application, in compliance with the GDPR (EU Regulation 2016/679) and Spain's LOPDGDD (Organic Law 3/2018).

1. Data Controller and Wise Pilgrim's Role

1.1. Data Controller for guest data: The accommodation provider (you) using the Application is the sole controller of guest personal data. You are responsible for: the lawfulness of data collection, providing guests with privacy information before or at the point of data collection (GDPR Articles 13 and/or 14 as applicable), responding to data subject rights requests, reporting data breaches to the AEPD, and complying with Royal Decree 933/2021 retention requirements.

1.2. Wise Pilgrim's Role — Guest Data: Wise Pilgrim SL (Galicia, Spain) provides encrypted cloud storage infrastructure for guest data. All guest data is encrypted on your device before transmission using zero-knowledge encryption (see Section 4). Wise Pilgrim does not possess your encryption key, cannot access or read guest data in decrypted form, and does not determine the purposes or means of processing guest personal data. Wise Pilgrim is not a Data Processor for guest data within the meaning of GDPR Article 4(8). Wise Pilgrim's role is limited to providing a secure, encrypted storage service.

1.3. Wise Pilgrim as Data Processor — Operational Data: For operational metadata (submission logs, timestamps, API responses, technical logs), Wise Pilgrim acts as Data Processor on your behalf. This processing is governed by a separate Data Processing Agreement (DPA), which forms part of the Terms and Conditions.

1.4. Wise Pilgrim as Data Controller — Property Listing Data: For property listing information you provide for publication (property name, address, contact details, services, pricing), Wise Pilgrim acts as an independent Data Controller. You provide this data with the explicit understanding and consent that it will be published in Wise Pilgrim's applications, guidebooks, websites, and related media.

Contact: privacy@wisepilgrim.com

2. Categories of Personal Data

2.1. Guest Data (encrypted, controller: accommodation provider). This includes all data submitted to the Ministry of Interior (MIR) via the SES.HOSPEDAJES system, plus check-in and payment details:

  • Identity: full name, identity document type and number (NIF/NIE/passport), date of birth, sex, nationality
  • Contact: postal address, phone number, email address
  • Travel companions: names, relationships, dates of birth (including minors)
  • Guest signature
  • Check-in and check-out details
  • Payment information
  • Scanned identity document data

All guest data is encrypted on your device with your personal encryption key before being stored on Wise Pilgrim's cloud infrastructure. Wise Pilgrim cannot access this data in decrypted form.

2.2. Operational Metadata (processor: Wise Pilgrim, on your behalf):

  • Submission logs: date/time of SES.HOSPEDAJES submissions, submission status (success/failure), API responses from the Ministry of Interior
  • Technical logs: timestamps, error logs, app performance data

2.3. Property Listing Data (controller: Wise Pilgrim, with your consent):

  • Property name, address, and location
  • Contact details (phone, email, website)
  • Services offered and pricing
  • Property descriptions and photographs you provide

This data is published in Wise Pilgrim's applications and guides and is not treated as confidential. Providing property listing data is entirely optional and is not required to use the core compliance features of the Application.

2.4. Owner Account Data:

  • Email address used for registration
  • Session identifiers (encrypted secure tokens)
  • Password (salted hash, never stored or transmitted in plain text)

3. Purposes and Legal Basis

3.1. Legal Obligation (GDPR Article 6.1(c)): Guest data processing is required by Royal Decree 933/2021 for guest registration with the SES.HOSPEDAJES system. The accommodation provider (as controller) processes this data to comply with Spanish law. Wise Pilgrim provides the encrypted storage infrastructure to support the 3-year retention obligation.

3.2. Contract Performance (GDPR Article 6.1(b)): Operational metadata is processed to deliver the SES Peregrino service: confirming submissions, troubleshooting errors, and providing proof of submission. Owner account data is processed for account management and authentication.

3.3. Consent and Contract Performance (GDPR Article 6.1(a) and (b)): Property listing data is processed and published based on your explicit consent, given when you provide this information through the Application with knowledge that it will appear in Wise Pilgrim's apps and guides. You may withdraw consent at any time (see Section 7).

3.4. Legitimate Interest (GDPR Article 6.1(f)): Technical and security logs (IP addresses for security monitoring, error diagnostics) are processed for the legitimate interest of maintaining the security and stability of the Application. Wise Pilgrim has assessed that this interest is not overridden by data subject rights.

3.5. Consent (GDPR Article 6.1(a)): Optional features such as marketing communications are processed only with your prior explicit consent, which may be withdrawn at any time.

4. Data Storage, Encryption, and Security

4.1. All data — encrypted guest data, operational metadata, property listings, and account data — is hosted by Supabase Inc. on Amazon Web Services servers located in the EU (AWS region eu-west-1, Ireland).

4.2. Guest Data Encryption. Guest data is encrypted on your device using AES-256-GCM (authenticated encryption) with a key derived from your password via PBKDF2-SHA256. Only the encrypted ciphertext is transmitted to and stored on Wise Pilgrim's cloud infrastructure. Wise Pilgrim does not possess, store, or have access to your encryption key at any time.

4.3. CRITICAL: Data Loss from Key Loss. Because of the zero-knowledge architecture, if you lose both your password and your recovery code, your encrypted guest data is permanently and irreversibly unrecoverable. Wise Pilgrim cannot recover, restore, or decrypt this data under any circumstances. This applies regardless of the reason — forgotten password, lost recovery code, device damage, or any other cause. This is the inherent trade-off of zero-knowledge encryption: maximum privacy (no one, including Wise Pilgrim, can access your data) in exchange for the risk of permanent loss if you lose your credentials.

4.4. SES.HOSPEDAJES credentials are stored exclusively in your device's secure keychain (iOS Keychain or Android Keystore) and are never transmitted to Wise Pilgrim servers.

4.5. Scanned identity document data is automatically deleted from your device within 24 hours or immediately after successful SES submission, whichever occurs first.

4.6. Security Measures:

  • Encryption at rest: AES-256-GCM for all guest data
  • Encryption in transit: HTTPS/TLS for all network communications
  • Key derivation: PBKDF2-SHA256 to protect against brute-force attacks
  • Screenshot protection: Personal information screens are protected against screenshots
  • Input validation: All data validated against schemas before processing
  • Access controls: Wise Pilgrim employees cannot access encrypted guest data
  • Infrastructure security: Supabase SOC 2 Type II certified; AWS ISO 27001 certified

4.7. Password Change Re-Encryption. When you change your password, the Application must re-encrypt all stored guest data with your new password-derived key. Records are processed in batches to minimise the volume of data held in decrypted form on your device at any given time. During this process: (a) a temporary backup copy of your encrypted data (under your old key) is retained on Wise Pilgrim's servers to enable recovery if the process is interrupted; (b) only the current batch of guest data is temporarily present in decrypted form in your device's memory during re-encryption; (c) upon your in-app confirmation of successful completion, Wise Pilgrim will separately verify and confirm with you before deleting the temporary backup copy. The backup is not deleted automatically — it is retained until Wise Pilgrim has confirmed successful completion with you and manually initiates deletion. This manual verification may be replaced with an automated process in the future if the protocol demonstrates consistent reliability at scale. This temporary backup is stored under the same encryption and security conditions as your original data. No duplicate copies are retained beyond what is necessary for process integrity, verification, and data minimisation.

4.8. The Application does not use third-party analytics services, advertising trackers, or device fingerprinting. Crash reporting and app performance data may be collected by the device operating system (Apple Crash Reporter, Google Play Vitals) in accordance with your device settings. Wise Pilgrim does not receive personally identifiable information from these operating system services.

5. Recipients and Transfers

5.1. Ministry of Interior (MIR): Guest data is submitted to SES.HOSPEDAJES by you (the data controller) through the Application. Wise Pilgrim facilitates this submission but does not independently transmit guest data to the government.

5.2. Supabase Inc.: All data is hosted on Supabase Inc.'s infrastructure (AWS eu-west-1, Ireland). Supabase Inc. is a US-headquartered company. Wise Pilgrim has Standard Contractual Clauses (SCCs) in place with Supabase Inc. to ensure GDPR-compliant data transfers, along with supplementary technical measures including encryption of all guest data with keys Supabase cannot access. Supabase's sub-processors (including Amazon Web Services) are documented in the DPA and available upon request.

5.3. Wise Pilgrim does not sell, rent, or share personal data with third parties for commercial purposes. Property listing data is published in Wise Pilgrim's own applications and guides as described in Section 2.3.

6. Retention Periods

6.1. Encrypted guest data: Retained for a maximum of 3 years from the date of guest check-in, as required by Royal Decree 933/2021, then automatically purged from Wise Pilgrim's servers. You may also delete guest data from your device at any time, though you acknowledge this may affect your compliance with the retention obligation.

6.2. Scanned identity document data: Deleted from your device within 24 hours or upon successful SES submission.

6.3. Operational metadata: Retained while your account is active; deleted within 30 days of account closure.

6.4. Property listing data: Retained and published while your account is active. Removed from digital publications within 30 days of your request or account closure. Previously published print editions issued before the removal request may continue to display the listing. Wise Pilgrim will not include the listing in new print editions published after the removal date.

6.5. Owner account data: Retained while your account is active; deleted within 30 days of account closure.

7. Your Rights

Under GDPR Articles 15-22, you may exercise the following rights:

For guest data: You are the controller. Guests should contact your accommodation directly to exercise their rights (access, rectification, erasure, restriction, portability, objection). You are responsible for responding within 30 days. Because guest data is encrypted with your key, Wise Pilgrim cannot assist with these requests directly — only you can access the data.

For property listing data: You may update, correct, or request removal of your property listing at any time by contacting privacy@wisepilgrim.com or through the Application settings.

For owner account and operational data: Contact privacy@wisepilgrim.com. Wise Pilgrim will respond within 30 days.

Right to erasure limitations: The right to erasure (GDPR Article 17) is limited where guest data must be retained to comply with Royal Decree 933/2021 (legal obligation, Article 17(3)(b)). Guests cannot demand erasure during the legally mandated 3-year retention period. After this period, data is automatically deleted.

You may file a complaint with Spain's Data Protection Authority (Agencia Española de Protección de Datos, AEPD, www.aepd.es).

8. Controller Responsibilities — Important Notice for Property Owners

As the data controller for guest data, you are legally responsible for:

a) Informing guests of their privacy rights. Before or at the time you collect guest data, you must provide guests with the information required by GDPR Articles 13 and/or 14 as applicable: who controls their data (you), why it is collected (Royal Decree 933/2021 compliance), who receives it (Ministry of Interior via SES.HOSPEDAJES), how long it is retained (up to 3 years), and how they can exercise their rights (by contacting your accommodation). Wise Pilgrim provides a guest privacy notice template within the Application that you may use or adapt.

b) Responding to data subject requests. If a guest requests access to, rectification of, or erasure of their data, you must respond within 30 days. Because data is encrypted with your key, only you can fulfill these requests.

c) Reporting data breaches. If guest data is compromised (for example, through device theft, unauthorized access, or loss of your encryption key to an unauthorized person), you must assess the risk and, if required, notify the AEPD within 72 hours and affected guests without undue delay.

d) Safeguarding your encryption key and recovery code. Loss of these credentials means permanent loss of access to guest data, which may impair your ability to fulfill legal obligations.

9. Minors

The Application may process data of minors only as travel companions of adult guests, as required by Royal Decree 933/2021. This data is provided by the accompanying adult guest or the accommodation provider. Minors under 14 cannot use the Application directly. The accommodation provider (as controller) is responsible for ensuring lawful processing of minors' data.

10. Automated Decision-Making

The Application does not use automated decision-making or profiling that produces legal effects on data subjects. Data validation (format checks, required field verification) is used to assist data entry but does not result in automated decisions about individuals.

11. Data Protection Impact Assessment

Wise Pilgrim maintains a Data Protection Impact Assessment (DPIA) in accordance with GDPR Article 35, evaluating risks associated with processing identity documents, minors' data, zero-knowledge encrypted storage, and legal data retention. The DPIA includes a formal assessment under GDPR Recital 26 of the "means reasonably likely to be used" for re-identification of encrypted guest data, and a cryptographic assessment aligned with the AEPD's Encryption Guide for SMEs (December 2025). The DPIA is reviewed and updated periodically, including reassessment of the cryptographic architecture against current best practices and post-quantum cryptography developments. The DPIA concluded that the zero-knowledge encryption architecture, automatic retention limits, and local-device processing provide adequate safeguards to mitigate identified risks. A summary of the DPIA is available upon request by contacting privacy@wisepilgrim.com.

12. Changes

Substantial changes to this Privacy Policy will be communicated through the Application and by email at least 30 days before taking effect.

13. Contact

Wise Pilgrim SL
Galicia, Spain
Privacy and data protection: privacy@wisepilgrim.com
Security issues: security@wisepilgrim.com