Privacy and GDPR

Privacy policy.

How Casocero processes the personal data we collect through the contact form and browsing, in compliance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 of 5 December (LOPDGDD).

This is an English translation provided for convenience. The legally binding version is the Spanish original, since the controller is established in Spain.

1. Data controller

  • Controller: María Retamero Pascual
  • Spanish tax ID (NIF): 74684910T
  • Address: Calle San Bernardo 82, 28015 Madrid, Spain
  • Email: maria@madescaperoom.com
  • Phone: +34 654 401 902

2. Personal data we collect

Through the contact form we collect the following data, all of it provided voluntarily by the user:

  • Full name.
  • Work or personal email.
  • Company and job title (the latter optional).
  • Event data: number of participants, tentative date, preferred format, indicative budget.
  • Free-text comments provided in the corresponding field.
  • Where applicable, indication of belonging to an event agency.

Additionally, through analytical cookies (with your consent), we may collect aggregated and anonymised browsing data. More detail in our cookies policy.

3. Purposes of processing

We process your personal data for the following purposes:

  1. To handle your enquiry: draft and send you the custom event proposal, manage contracting if applicable and execute the agreed service.
  2. Operational communications: contact you by email to resolve queries, adjust logistics, send the proposal and, after the event, request feedback (NPS).
  3. Compliance with legal obligations: issuing invoices and retaining accounting and tax documentation.

We do not send unsolicited commercial communications, do not profile users and do not sell data to third parties.

4. Legal basis

  • Performance of a contract or pre-contractual measures at the data subject's request (Art. 6.1.b GDPR): for handling the form and drafting the proposal.
  • Compliance with legal obligations (Art. 6.1.c GDPR): for invoicing and accounting retention.
  • Consent (Art. 6.1.a GDPR): for optional analytical cookies.

5. Retention periods

  • Form data without subsequent contracting: 12 months from last contact, unless prior request for deletion.
  • Client data with contracting: for the duration of the relationship plus the legally required periods (Spanish Commercial Code: 6 years; tax legislation: 4-10 years depending on the case).
  • Analytical cookies data: the period defined in our cookies policy.

6. Recipients and processors

Your data is not communicated to third parties except by legal obligation. To deliver the service we may rely on providers acting as data processors under signed contracts with clauses compliant with Art. 28 GDPR:

  • Hosting and site delivery: Netlify, Inc. (USA) — under European Commission Standard Contractual Clauses.
  • Transactional email and CRM: EU-based email/CRM provider [TO BE SPECIFIED ON CONTRACTING].
  • Web analytics: Google Analytics (Google Ireland Ltd.), if you give consent, with anonymised IP.

7. International transfers

Some of the providers above may process data outside the European Economic Area. In those cases, the transfer is covered by Standard Contractual Clauses approved by the European Commission or other appropriate safeguards provided for in the GDPR.

8. Your rights

As the data subject you may exercise the following rights at any time:

  • Access: know what data we hold about you.
  • Rectification: correct inaccurate data.
  • Erasure: have us delete your data when no longer necessary.
  • Objection: object to processing based on legitimate interest.
  • Restriction of processing in the cases provided for in the GDPR.
  • Portability: receive your data in a structured format.
  • Withdraw consent given, without affecting the lawfulness of prior processing.

To exercise these rights, write to maria@madescaperoom.com indicating the right you wish to exercise and providing, if necessary, a copy of an ID document.

If you consider that we have not properly handled your request, you may file a complaint with the Spanish Data Protection Agency (www.aepd.es).

9. Security

We apply reasonable technical and organisational measures to protect personal data against unauthorised access, loss or unlawful processing, including encryption in transit (HTTPS), role-based access control and regular backups.

10. Modifications

This policy may be updated to reflect legislative, technical or operational changes. The date of the last update appears at the end of the document. In case of substantial changes, we will notify affected users.

Last update: .