Menu Icon Favorites Settings Settings Icon Cabinet Icon
Icon

PRIVACY POLICY

OKTOWN Platform
Last updated: 3 March 2026

Introduction

The protection of personal data is one of the fundamental principles of OKTOWN’s activities. We recognize the importance of the trust of users, partners, and Platform Operators and ensure transparent, secure, and responsible processing of information in accordance with European Union standards.

This Privacy Policy describes:

  • what personal data we collect;

  • for what purpose and on what legal basis we process it;

  • to whom and under what conditions it may be disclosed;

  • how long it is retained;

  • what rights data subjects have;

  • what technical and organizational security measures are applied.

This Policy applies to the processing of personal data within the use of the OKTOWN digital platform, including:

  • visiting the website;

  • creating and administering user accounts;

  • publishing and managing activities (Travs);

  • interactions between users and Operators;

  • making payments for the Platform’s digital services;

  • communication with support;

  • the use of analytical, marketing, and technical tools.

1. GENERAL PROVISIONS

OKTOWN is a digital SaaS platform that provides tools for publishing, promoting, and managing local activities (Travs), as well as CRM functionality for independent Operators.

Personal data is processed transparently, lawfully, and responsibly in accordance with:

  • Regulation (EU) 2016/679 (GDPR);

  • Organic Law 3/2018 (LOPDGDD);

  • Law 34/2002 (LSSI-CE);

  • other applicable provisions of EU law and the laws of the Kingdom of Spain.

This Policy applies to all Platform users — both B2C (end users) and B2B (Operators).

2. DATA CONTROLLER

The Data Controller is:
KASIAN OLENA
Sole proprietor (self-employed / autónoma)
NIF: Y9824979Z
Tax address: Av. Mare Nostrum 85 BJ, 12593 Moncofa, Castellón, Spain
Data protection email: support@oktown.es
Official email: office@oktown.es
Website: https://oktown.es

The Controller determines the purposes and means of processing personal data in accordance with Article 4(7) GDPR.

3. ALLOCATION OF ROLES

3.1. OKTOWN as Controller

OKTOWN acts as the Controller of personal data in relation to:

  • creating and administering user accounts;

  • providing SaaS functionality;

  • the Platform’s CRM tools;

  • processing subscription payments;

  • technical support;

  • marketing communications;

  • ensuring Platform security.

3.2. Operators as Separate Controllers

Independent Operators who publish Travs on the Platform act as separate Controllers of personal data with regard to:

  • activity bookings;

  • communication with customers;

  • the provision of their own services;

  • processing payments for Travs;

  • refunds, changes, and cancellations.

OKTOWN is not a joint controller with such Operators unless expressly provided otherwise by a separate agreement.

Within the Platform’s technical infrastructure, OKTOWN may process data necessary to display and transmit requests/orders to an Operator, without acquiring Controller status in relation to the Operator’s performance of the service.

4. CATEGORIES OF PERSONAL DATA

4.1. User Data (B2C)

The following data may be processed:

  • first and last name;

  • email;

  • phone number (if provided);

  • account data;

  • profile data (city, date of birth — if provided);

  • interests and preferences;

  • saved/selected activities;

  • history of requests/bookings via the Platform;

  • social login (if applicable);

  • notification settings;

  • history of interactions with the Platform;

  • technical data (IP, browser, device);

  • data regarding cookie and marketing consents.

  • notification settings

  • history of interactions with the Platform;

  • technical data (IP, browser, device);

  • data regarding cookie and marketing consents.

4.2. Operator Data (B2B)

On the OKTOWN Platform, individuals, individual entrepreneurs (sole proprietors) or legal entities may register to provide services online or offline.

Operators may act personally or through authorized persons (representatives, administrators) who are granted access to the account.

Within the operation of an Operator account, the following data may be processed:

  • name of the representative or authorized person;

  • company name (if applicable);

  • entity status (individual / sole proprietor / legal entity);

  • NIF/VAT or other registration details;

  • legal or actual address;

  • bank details (for invoicing);

  • verification documents;

  • subscription data and selected plan;

  • account analytics indicators;

  • communication with customers through the Platform’s infrastructure.

4.2.1. Delegation of Access and Administrators

An Operator may add administrators or other authorized persons to manage services within their account.
In such cases, contact details of such persons (name, email, access role) may be processed, as well as information about their actions in the system.
For security and access control purposes, OKTOWN may maintain a log of user logins and actions (audit log).

4.2.2. Order Tracking and Analytics

Within the SaaS functionality, the Platform may provide the display and tracking of requests/orders received by an Operator through the OKTOWN technical infrastructure.
The system may record order statuses (including: new, in progress, paid, postponed, declined, archived, etc.), change history, and internal notes.
The Platform may also generate statistics of views, interactions, and activity for different periods (for example, 7, 14, 30, 90 days, or other selected periods).

Such data is processed exclusively for the purpose of providing digital SaaS functionality, analytics, and management of the Operator’s services.

Legal basis for processing:

  • performance of a contract (Article 6(1)(b) GDPR);

  • the Controller’s legitimate interest in developing and optimizing the Platform (Article 6(1)(f) GDPR).

4.3. Payment Data

Subscription payments are processed through third-party payment providers (Stripe, PayPal, etc.).
OKTOWN does not store full bank card details.
Payment providers act as independent controllers under their own privacy policies.

5. AUTOMATIC COLLECTION OF TECHNICAL DATA

5.1. What data may be collected automatically

When visiting the website https://oktown.es, certain technical information may be collected automatically to ensure the secure and stable operation of the Platform.

In particular, the following may be processed:

  • IP address;

  • date and time of access;

  • requested page URL (referrer);

  • browser type and version;

  • operating system;

  • browser language;

  • device type;

  • connection country (determined by IP);

  • technical logs (log files);

  • information about technical failures;

  • navigation data (subject to consent for analytics cookies).

These data are not used on their own to directly identify a person without being combined with other data.

5.2. Purpose of processing

Technical data is processed for the purpose of:

  • ensuring the operation of the Platform;

  • maintaining security and protection from malicious actions;

  • preventing fraud;

  • analyzing technical failures;

  • optimizing performance;

  • improving structure and user experience.

5.3. Legal basis

Processing is carried out on the basis of:

  • Article 6(1)(b) GDPR — performance of a contract;

  • Article 6(1)(f) GDPR — legitimate interest (Platform security and development).

5.4. Retention period

Log files are stored for the period necessary to ensure the security and stability of the Platform, after which they are deleted or anonymized, unless otherwise required by law.

6. COOKIES AND TRACKING TECHNOLOGIES

6.1. What cookies are

Cookies are small text files stored on the user’s device when visiting a website.
In addition to cookies, web beacons, pixels, scripts, and other analytics technologies may be used.

6.2. Cookie categories

1. Essential (Necessary)
Technically necessary for the functioning of the Platform.
Legal basis: Article 6(1)(b) and Article 6(1)(f) GDPR.
Consent is not required under the LSSI-CE.

2. Analytics (Analytical)
Used to assess usage of the Platform.
May include:

  • Google Analytics

  • Google Tag Manager (as a tag management tool)

Legal basis: Article 6(1)(a) GDPR — consent.
Analytics cookies are activated only after explicit consent is provided via the cookie banner.

6.3. International transfers

If Google services are used, data may be transferred outside the EEA in accordance with mechanisms provided by the GDPR (SCC or other lawful bases).

6.4. Cookie management

The user may provide or withdraw consent via the cookie banner or change settings in their browser. Withdrawal of consent does not affect the lawfulness of prior processing.

6.5. Research and UX surveys

The Platform may conduct voluntary surveys and UX research.
Participation is voluntary and based on consent (Article 6(1)(a) GDPR).

7. INTEGRATED THIRD-PARTY CONTENT

The OKTOWN website may integrate elements of external content or functionality that are loaded from third-party providers’ servers. In particular, these may include:

  • embedded maps (e.g., Google Maps or OpenStreetMap);

  • booking or tour widgets from affiliated partners;

  • video and media content (e.g., YouTube or Vimeo);

  • Instagram or other social media widgets;

  • interactive calendars or forms integrated via iFrame, SDK, or API.

When such content is loaded, the user’s device may transmit technical data to the third-party provider, including the IP address, browser type, device identifiers, or other information necessary for the correct display of the content.

The legal basis for such processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR), consisting in ensuring the functionality, interactivity, and full user experience of the Platform.

The processing of personal data within integrated widgets or services is governed by the privacy policy of the relevant provider (including, in particular, Google, Meta, YouTube, Vimeo, Contentstack, Viator, or other partners).

8. CONTENT PERSONALIZATION

OKTOWN may personalize the content and functionality of the Platform in order to improve the user experience.

Personalization may include:

  • displaying relevant activities (Travs) depending on geolocation or prior interaction with the Platform;

  • adapting the language version of the website;

  • displaying recommended content;

  • optimizing the order in which search results are displayed.

Such processing is carried out on the basis of the Controller’s legitimate interest (Article 6(1)(f) GDPR), namely providing a relevant and user-friendly digital service.

Personalization does not involve automated decision-making producing legal effects for the user within the meaning of Article 22 GDPR.

 

BLOCK II — OPERATOR DATA (B2B)

 

9. OPERATOR REGISTRATION AND ACCOUNT

Registration is not required to view public content on the OKTOWN Platform.
However, in order to publish information, manage a subscription, or use digital tools as an Operator (Partner), it is necessary to create an account.

During registration, the following personal data may be processed:

  • full name or company name;

  • email address;

  • password (in encrypted form);

  • contact phone number (optional);

  • country and city of activity.

Authorization via third-party services (e.g., Google, Apple) may also be available. In such case, the Platform may receive basic information from the relevant profile, including name, email, and a unique account identifier.

Purpose of processing: creating and administering the Operator’s account, granting access to Platform functionality, managing the subscription, and communication within the selected plan.
Legal basis: performance of a contract (Article 6(1)(b) GDPR).

10. PROFILE AND FUNCTIONALITY MANAGEMENT

The Operator may edit, update, and delete information in their profile via the Personal Account area.

Within the use of the functionality, the following may be processed:

  • data about published Travs;

  • service descriptions, prices, images;

  • view and interaction statistics;

  • analytics indicators on the use of functionality;

  • profile change history.

This data is processed to ensure the full functioning of the SaaS service, provide analytics, and improve the quality of the tools.
Legal basis: performance of a contract (Article 6(1)(b) GDPR) and legitimate interest (Article 6(1)(f) GDPR) in the development and optimization of the Platform.

11. SUBSCRIPTION PAYMENTS AND DIGITAL SERVICES

Payment for plans and digital services is made through third-party payment providers (including Stripe, PayPal, or others).

When a payment is made, payment data is processed directly by the payment provider. OKTOWN does not store full bank card details.
Payment providers act as independent controllers of personal data in accordance with their own privacy policies.

Purpose of processing: subscription administration, invoicing, accounting and financial records.
Legal basis: performance of a contract (Article 6(1)(b) GDPR) and compliance with legal obligations (Article 6(1)(c) GDPR).

12. CRM AND COMMUNICATION WITH OPERATORS

To effectively manage interactions with Operators, process requests, administer subscriptions, and support communications, OKTOWN uses CRM functionality integrated into the Platform or implemented via third-party services that comply with GDPR requirements.

The CRM may store:

  • the Operator’s name and contact details;

  • history of requests and communications;

  • account activity data;

  • information about the subscription and use of functionality;

  • data on interaction with messages (where consent has been provided).

This enables OKTOWN to:

  • respond to inquiries promptly and in a personalized manner;

  • send service messages and updates;

  • analyze demand and improve functionality;

  • carry out marketing communications (where consent has been provided).

Legal basis:

  • performance of a contract (Article 6(1)(b) GDPR) — for service communications;

  • legitimate interest (Article 6(1)(f) GDPR) — to maintain interactions and develop the service;

  • consent (Article 6(1)(a) GDPR) — for marketing messages, push notifications, or personalized advertising.

Where third-party CRM platforms or infrastructure services are used, such providers are engaged in accordance with Article 28 GDPR (if the provider acts as a processor) or according to their respective roles as defined in the applicable terms. If data is transferred outside the European Economic Area, appropriate safeguards apply (including Standard Contractual Clauses or the Data Privacy Framework, where applicable).

Service and system notifications

As part of the Platform’s operation, OKTOWN may send service or system messages, including:

  • notifications about new requests or orders;

  • status changes;

  • deadline reminders;

  • subscription or plan-related messages;

  • technical notifications and system updates;

  • messages from Operators within the Platform’s infrastructure.

Such messages are an integral part of providing the digital service and are sent on the basis of performance of a contract (Article 6(1)(b) GDPR).
Opting out of service messages may result in limited account functionality.

 

BLOCK III — COMMUNICATION

13. SUPPORT AND REQUEST HANDLING

If you contact OKTOWN support via email, the website, feedback forms, or social networks, we may process the following personal data:

  • first and last name or company name;

  • email address;

  • the content of the request, inquiry, or complaint;

  • attached documents or files (if any).

This data is used exclusively for:

  • handling your request;

  • providing a response;

  • resolving technical or service issues;

  • improving service quality.

Disclosure of such data to third parties occurs only if necessary to resolve the request (e.g., involvement of a hosting provider or a payment service).

Purpose of processing: ensuring communication and support for users and Operators.
Legal basis: legitimate interest (Article 6(1)(f) GDPR) and/or performance of a contract (Article 6(1)(b) GDPR) if the request relates to the use of the service.

14. MARKETING COMMUNICATIONS

14.1. Newsletter

Users may subscribe to the OKTOWN newsletter to receive updates about:

  • new Travs and events;

  • special offers and discounts;

  • partner initiatives;

  • Platform functionality updates.

During subscription, the following may be processed:

  • email;

  • IP address;

  • date and time of subscription (to evidence consent).

Legal basis:

  • consent (Article 6(1)(a) GDPR);

  • where a prior customer relationship exists — legitimate interest (Article 6(1)(f) GDPR) in accordance with the LSSI-CE.

We do not share email addresses with third parties for external marketing.

14.2. Unsubscribe and withdrawal of consent

A user may withdraw consent at any time:

  • via the “Unsubscribe” button in the email;

  • by contacting support@oktown.es;

  • through account settings (if such functionality is available

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

14.3. Technical implementation

At present, the newsletter may be sent using the Platform’s internal tools.
If professional email marketing services are connected (e.g., Mailchimp, Brevo, or others), data processing will be carried out in accordance with Article 28 GDPR with appropriate safeguards in place.

15. MARKETING AND REMARKETING SERVICES

OKTOWN may use marketing and analytics tools of third-party platforms to promote the service, including:

  • Google Ads;

  • Google Analytics;

  • Meta (Facebook/Instagram) Ads;

  • TikTok Ads.

These tools may use cookies or similar technologies to:

  • analyze advertising effectiveness;

  • build audiences;

  • remarket (display ads again to users who have interacted with the Platform).

Legal basis: user consent (Article 6(1)(a) GDPR) via the cookie banner.
If data is transferred outside the European Economic Area, appropriate safeguards apply (SCCs or other lawful bases).

OKTOWN does not carry out automated decision-making producing legal effects for users within the scope of marketing campaigns.

BLOCK IV — SECURITY AND CONTROL

16. FRAUD PREVENTION

In order to protect the OKTOWN Platform, its users, and Operators from fraudulent or unlawful activities, technical and organizational security measures are implemented.

16.1. Analysis of user activity

OKTOWN may use analytics and fraud detection systems to identify suspicious actions, potential security threats, or misuse of the service.

Within such processes, the following may be analyzed:

  • user behavior on the Platform;

  • IP addresses and technical characteristics of the device;

  • transaction, booking, or request patterns;

  • technical data transmitted by the browser.

Such data is processed on the basis of the Controller’s legitimate interest in ensuring service security and preventing fraud (Article 6(1)(f) GDPR).

16.2. Verification of Operators and providers

Operators who publish their services on the OKTOWN Platform may be subject to a verification procedure.

Depending on the entity’s status, the following data may be processed:

  • for individuals — a copy of a passport or residence permit;

  • for sole proprietors and legal entities — a registry extract, tax identification number (NIF/VAT), and company details;

  • where required by law — licenses or permits for carrying out the relevant activity.

Purpose of processing such data:

  • confirmation of the accuracy of information;

  • fraud prevention;

  • protection of consumer rights;

  • ensuring compliance with legal requirements.

Legal basis: legitimate interest (Article 6(1)(f) GDPR) and/or compliance with a legal obligation (Article 6(1)(c) GDPR), where such verification is required by law.

16.3. Disclosure of data to third parties

Where necessary, OKTOWN may disclose relevant data to:

  • authorized contractors;

  • payment services;

  • public authorities or law enforcement bodies;

  • courts.

Such disclosure is carried out strictly within the framework of applicable law and only when necessary for:

  • investigating fraudulent activities;

  • protecting the rights of the Platform, users, or Operators;

  • fulfilling legal obligations.

17. AUTOMATED DECISION-MAKING AND PROFILING

OKTOWN may use automated risk analysis tools as part of security and fraud prevention measures.

In particular, systems may automatically analyze transactions or user actions based on:

  • behavioral patterns;

  • technical characteristics of the device;

  • activity history;

  • other risk indicators.

If suspicious activity is detected, the system may temporarily restrict or block the relevant action (for example, a transaction or authorization attempt).

If a decision is made solely by automated means and has a significant impact on the user, the individual has the right to:

  • obtain human intervention;

  • express their point of view;

  • challenge the decision.

For this purpose, you may contact:
support@oktown.es

Automated processes are not used to make decisions producing legal effects for users, except in cases related to security and fraud prevention and within the limits permitted by Article 22 GDPR.

 

BLOCK V — DATA TRANSFERS

18. TECHNICAL SERVICE PROVIDERS

To ensure the stable, secure, and efficient operation of the OKTOWN Platform, external technical service providers may be engaged.

Such providers may include:

  • hosting providers;

  • cloud infrastructure providers;

  • server solution providers;

  • backup services;

  • technical support providers;

  • analytics or system monitoring tools.

In performing their functions, such providers may access personal data only to the extent necessary for providing the relevant services.

The transfer of data to such companies is carried out in accordance with Article 28 GDPR based on Data Processing Agreements (DPA), which require them to:

  • ensure confidentiality;

  • implement appropriate technical and organizational security measures;

  • not use the data for their own purposes.

19. OTHER DATA DISCLOSURES

OKTOWN may disclose personal data to third parties only in cases provided for by law or necessary to protect the legitimate interests of the Platform.

Such disclosure may occur to:

  • public authorities or law enforcement agencies — upon lawful request;

  • courts — within judicial proceedings;

  • legal or audit advisors — to protect the rights and interests of the Platform;

  • financial or tax advisors — in the course of fulfilling legal obligations;

  • partners — where necessary to fulfill contractual obligations toward a user or Operator.

Disclosure is carried out exclusively:

  • on the basis of compliance with a legal obligation (Article 6(1)(c) GDPR);

  • to protect legitimate interests (Article 6(1)(f) GDPR);

  • or in the performance of a contract (Article 6(1)(b) GDPR).

OKTOWN does not sell personal data to third parties.

 

BLOCK VI — DATA RETENTION AND RIGHTS

20. DATA RETENTION PERIODS

Personal data is stored only for the period necessary to achieve the purposes for which it was collected or used in accordance with this Privacy Policy.

Once the relevant purposes have been achieved, the data:

  • is deleted; or

  • anonymized, unless its further retention is required by law or based on the Controller’s legitimate interest (Article 6(1)(f) GDPR), particularly for the protection of rights in dispute situations.

If an account is deleted, the profile and personal settings are permanently removed.

However, certain data may be stored in backups or archives if necessary for:

  • compliance with legal obligations (Article 6(1)(c) GDPR);

  • protection of the rights of the Controller or third parties (Article 6(1)(f) GDPR).

During the mandatory retention period, such data is blocked and used solely for the specified purposes.

21. RIGHTS OF DATA SUBJECTS

In accordance with the GDPR, you have the following rights:

21.1. Right of access (Article 15 GDPR)

To obtain confirmation as to whether your data is being processed and access to such data.

21.2. Right to rectification (Article 16 GDPR)

To request correction of inaccurate or incomplete data.

21.3. Right to erasure (Article 17 GDPR)

To request deletion of personal data if there are no legal grounds for its continued processing.

21.4. Right to restriction of processing (Article 18 GDPR)

To restrict processing in cases provided by law (for example, while verifying data accuracy).

21.5. Right to data portability (Article 20 GDPR)

To receive personal data in a structured, commonly used, machine-readable format and transmit it to another service provider.

21.6. Right to object (Article 21 GDPR)

To object to processing based on legitimate interest.

21.7. Right to withdraw consent (Article 7(3) GDPR)

To withdraw previously given consent without affecting the lawfulness of processing carried out before withdrawal.

21.8. Right to lodge a complaint (Article 77 GDPR)

To lodge a complaint with the competent supervisory authority for personal data protection.

21.9. Procedure for exercising rights

To exercise the above rights, you may send a request to:
support@oktown.es

Requests are processed in accordance with Article 6(1)(c) GDPR (compliance with a legal obligation).

OKTOWN may request additional information to verify the identity of the applicant in order to prevent unauthorized access to data.

22. CHANGES TO THE PRIVACY POLICY

OKTOWN reserves the right to update this Privacy Policy periodically.

In the event of significant changes, we may:

  • publish a notice on the website;

  • notify users by email (if they have an account).

The updated version enters into force from the moment of its publication unless otherwise specified.

We recommend periodically reviewing this page to stay informed about the current version of the Policy.