Basket
0
Close
Party calendar
Party calendar

Ibiza Spotlight privacy policy

This is a privacy policy for Ibiza Spotlight S.L. Our homepage on the Web is located at www.ibiza-spotlight.com. We invite you to contact us if you have questions about this policy.

Before you read further we wish to highlight that we use only pseudonymous tracking cookies. We never set cookies containing your name, email or other directly identifying information ourselves. Third-party services such as Google and Meta may, however, associate the cookies they set on our site with their own user profiles. Cookies are denied by default until you make a choice via our cookie banner.

You may contact us via the following e-mail account. Or you may call us at +34 971 34 66 71, Monday to Friday, during office hours. Our address is:

Ibiza Spotlight S.L.
Crta. San José km 3, Sec. 1, Pol. 1, no. 7605
Apdo. de correos 1027
07817 Sant Jordi de ses Salines
Islas Baleares
Spain

PERSONAL DATA PROTECTION INFO

Ibiza Spotlight S.L. is the controller of the user's personal data and informs him/her that these data shall be processed in accordance with the provisions of Regulation (EU) 2016/679 of 27 April (GDPR) and the Organic Law 3/2018 of 5 December (LOPDGDD).

Data controller: IBIZA SPOTLIGHT S.L, Crta. San José km 3, Sec. 1, Pol. 1, no. 7605, apdo. de correos 1027, 07817 Sant Jordi (Islas Baleares, Spain)

Purpose:

  • (1) order processing and customer service for tickets, villas and other bookings;
  • (2) marketing communications about Ibiza and our products, with your consent;
  • (3) traffic measurement and advertising, partly with your consent and partly under legitimate interest (cookieless aggregate measurement only — see below);
  • (4) security, fraud prevention and error monitoring under legitimate interest;
  • (5) affiliate referral attribution under legitimate interest.

Lawful basis for processing: Performance of a contract or data subject's consent. For non-essential cookies (analytics and advertising), our legal basis is your explicit consent under Article 6(1)(a) GDPR. For strictly necessary cookies (recording your consent choices, your basket contents, login session) the legal basis is our legitimate interest under Article 6(1)(f) GDPR. For aggregate, cookieless traffic measurement that happens before you make a cookie choice, our legal basis is also legitimate interest under Article 6(1)(f) GDPR — see "How we measure traffic before you accept cookies" below.

Data disclosure: Your personal data will not be disclosed unless forced to by law, with the exception of partner pixels described below in the cookies section, which receive purchase information when you buy a ticket to one of their events and have granted social media cookie consent.

Rights: You have right of access, right to rectification, right to erasure and data portability, and right to restriction of processing, writing a letter accompanied by a copy of an official document evidencing your identity to the Data Controller. You have also the right to lodge a complaint with a Supervisory Authority (Spanish Supervisory Authority is Agencia Española de Protección de Datos).

More info: Please visit the legal notice on our website.

What data do we collect during e-commerce transactions?

We do collect some online contact information (email address) and sometimes the name and address and contact details (telephone, email address) from visitors who purchase club, activity or other tickets or rent a villa.

Payment data: card details are entered directly into a hosted iframe served by our PCI DSS-certified payment processor Redsys (operated by CaixaBank or Banco Santander), or you are redirected to PayPal's hosted payment page. Your card number, expiry date and CVV never reach our servers and are not stored by us. We retain only the order identifier, an opaque processor token (Redsys idOper or PayPal transaction ID), the authorisation reference returned by the processor, and which processor was used, for the period stated under Retention.

What do we use this data for?

In accordance with the provisions of Regulation (EU) 2016/679 of 27 April (GDPR) and the Organic Law 3/2018 of 5 December (LOPDGDD), this data will only be used during the processing of your order and occasionally to inform you of forthcoming events and products/services which we think may be of interest. This is never more than three times per year. You can opt-out at any time. Clear instructions to unsubscribe are sent with every mailing.

Retention periods

We keep personal data for the following periods, after which it is deleted or anonymised:

  • Order data and invoices: 6 years (Spanish Commercial Code Art. 30 + tax obligations under LGT)
  • Customer name and email linked to orders: anonymised 6 years after the last transaction
  • Payment API responses (Redsys / PayPal raw response data): 6 years (matches accounting retention)
  • Newsletter subscription: until you unsubscribe
  • Cookie consent records (consent-*, cb-seen-v3 cookies): 180 days from your last choice
  • Analytics cookies (_ga, _ga_*, with consent): 13 months (Google default)
  • Advertising cookies (_gcl_au, __gads, __gpi): 90 days to 13 months depending on the cookie
  • Meta Pixel cookies (_fbp): 90 days
  • Error monitoring logs (Sentry): 90 days
  • Support correspondence: 2 years after case closure
  • Server access logs: 30 days

Newsletter subscriptions

Our newsletter database is opt-in only. You can sign up during the purchase process or elsewhere in our site. We will not add you to our newsletter database without your explicit consent. The purpose the newsletter is to send you information about Ibiza and Formentera which we think will be useful when planning your holiday. You can unsubscribe at any time.

Social networks

By opting to follow us on our social media networks (Facebook, Instagram, X), you give us consent to use the personal data in your profile (you can configure what information you wish to be made public from within each social network). We may use this data to advertise products from our website to you within the social networks.

Access and registration to our social networks is prohibited to minors under the age of 18. We can not be held responsible for the use of social networks by minors and do not consciously collect any personal information from minors.

What anonymous data do we collect during your use of this website?

  • HTTP cookies / Query-string portion of URI
  • Full IP address
  • HTTP request method
  • Data bytes in response
  • Response status code

This type of information is deemed non-identifiable. This means that there is no reasonable way for the site to identify the individual person this data was collected from. The query string portion of the URI and HTTP Cookies are used to track referrals from Search Engines. Our Web Server collects access logs containing some of this information. We use it for maintaining and improving our website. Synthetic monitoring traffic from our uptime checker (OhDearApp) is excluded from all tracking.

How our cookie consent works

When you first visit the site you will see a banner offering three choices: Accept all, Reject all, or Manage your choices. Until you make a choice, all non-essential cookies are denied by default — Google Analytics, Google Ads and the Meta Pixel receive only cookieless, modelled pings under Google Consent Mode v2 and Meta's equivalent consent signal, with no client identifier and no profile linkage.

The Manage page allows you to toggle three categories independently:

  • Advertising cookies (Google Ads and DoubleClick)
  • Analytics cookies (Google Analytics 4)
  • Social media cookies (Meta Pixel — our own and our partner promoters')

Your choice is saved in a cookie called cb-seen-v2 for 180 days, alongside three per-category cookies (consent-ad-storage, consent-analytics-storage, consent-facebook-pixel). You can change or withdraw your consent at any time from the cookie consent page, also linked in the footer.

How we measure traffic before you accept cookies

Even when you have rejected or not yet responded to the cookie banner, the Google Analytics script (gtag.js) is still loaded on every page. While consent for analytics is denied, GA4 does not set or read cookies, does not store a client ID, and does not link your visits across sessions or across sites.

GA4 does however still send anonymous "pings" to Google for aggregate, modelled traffic measurement. Each ping transmits:

  • Your IP address (truncated by Google server-side and not stored in GA4)
  • Your browser's User-Agent string
  • The page URL and the page you came from (Referer)
  • A coarse, non-persistent session signal used only for aggregate reporting

While consent is denied, no personalised advertising, no remarketing audiences and no Google Signals data are processed.

The legal basis for these cookieless pings is our legitimate interest in aggregate measurement of traffic to our site (Article 6(1)(f) GDPR), with no identifiers stored and no cross-site profiling. Under strict readings by some EU supervisory authorities (CNIL, Austrian DSB), an IP address may count as personal data even when it is not stored, so we disclose this transmission here for full transparency. If you click Reject all, only these cookieless pings continue; if you click Accept all, full GA4 measurement, Google Ads and the Meta Pixel are enabled in addition.

Cookies set or permitted by this website

  • cb-seen-v2 — Records that you've seen the cookie banner. Set by: ibiza-spotlight.com. Duration: 180 days. Category: Strictly necessary.
  • consent-ad-storage — Stores your advertising consent choice. Set by: ibiza-spotlight.com. Duration: 180 days. Category: Strictly necessary.
  • consent-analytics-storage — Stores your analytics consent choice. Set by: ibiza-spotlight.com. Duration: 180 days. Category: Strictly necessary.
  • consent-facebook-pixel — Stores your social media consent choice. Set by: ibiza-spotlight.com. Duration: 180 days. Category: Strictly necessary.
  • _ga, _ga_* — Google Analytics 4 visitor and session identifiers. Set by: Google. Duration: 13 months. Category: Analytics.
  • _gcl_au — Google Ads conversion linker. Set by: Google. Duration: 90 days. Category: Advertising.
  • __gads, __gpi — DoubleClick (Google Ad Manager) ad selection and frequency capping. Set by: Google. Duration: 13 months. Category: Advertising.
  • _fbp — Meta Pixel browser identifier (our own pixel and, on shop pages, our partner promoters' pixels). Set by: Meta + partner promoters. Duration: 90 days. Category: Social media.

ABOUT third-party applications and cookies

  • Google Analytics (GA4): We use Google Analytics 4 to understand how visitors use the site. With consent, Google receives standard GA4 event data and writes the _ga / _ga_* cookies. Without consent we operate under Google Consent Mode v2, so Google receives only modelled, cookieless pings with no client identifier. For more information and to update your cookie preferences for analytics, visit the cookie consent page.
  • Google Ads (AdWords, account AW-670582457): We use Google Ads to measure conversions from our advertising and for remarketing. With consent, Google Ads receives conversion events (including order value and an internal transaction ID on ticket purchases) and writes the _gcl_au cookie. Without consent, conversions are reported in cookieless modelled mode. To update your cookie preferences for advertising, visit the cookie consent page.
  • Google DoubleClick / Ad Manager: We use Google's DoubleClick (now Google Ad Manager) to serve display advertising on our website. To update your cookie preferences for advertising, visit the cookie consent page.
  • Meta Pixel (Facebook / Instagram) — our own pixel: We use the Meta Pixel to measure the performance of our Facebook and Instagram campaigns and to build remarketing audiences. With consent the Pixel writes _fbp and Meta receives PageView events on the main site and PageView, AddToCart and Purchase events in our shop. Without consent the Pixel is held in a revoked state and no events are sent. The Meta Pixel performs profiling for advertising attribution and audience building. You have the right to object to this profiling under Article 21 GDPR; the simplest way to do so is to withdraw social media cookie consent on our cookie consent page.
  • Meta Pixel — partner promoters (shop only): When you visit a page in our ticket shop (/shop/tickets/), in addition to our own pixel we load the Meta Pixel of some promoters whose tickets are currently relevant to that page. On the order confirmation page, each partner promoter's pixel receives a Purchase event scoped to only the line items for their own events, with the value being our commission share for those line items. This means, for example, that if you buy a ticket to an Ushuaïa party, Ushuaïa's Meta Pixel receives a Purchase event for that line. Partner pixels are only loaded if you have granted social media cookie consent. Each partner promoter's Meta Pixel performs profiling for their own advertising attribution. You can object by withdrawing social media cookie consent or by toggling off the specific partner on the cookie consent page.
  • Affiliate program (in-house): We run an in-house affiliate program for partners who refer traffic to our shop. When you arrive via an affiliate link, the URL parameters aid, tid1 and tid2 are recorded server-side via a 1×1 tracking image. On purchase, a second 1×1 image records the order ID against the affiliate so we can credit the referral. No personal data is shared with the affiliate — only the referral attribution is recorded on our own servers. The program is operated entirely by Ibiza Spotlight; we do not use external affiliate networks.
  • Youtube: When we embed Youtube videos, we always use the domain youtube-nocookies.com, which means no identifiable cookies.
  • Vimeo: When we embed Vimeo videos, we append the do not track variable to the URL (dnt=1), which means no identifiable cookies.
  • Spotify: Embedded playlists are automatically set to "do not track".

Data processors

We use the following data processors to operate the website. They may process your IP address and other technical data on our behalf:

  • Google LLC / Google Ireland Ltd — Google Analytics, Google Ads, Google Ad Manager (DoubleClick)
  • Meta Platforms Ireland Ltd — Meta Pixel
  • Amazon Web Services (CloudFront) — content delivery network for images and static assets
  • BunnyWay d.o.o. (Bunny CDN) — secondary content delivery network
  • Functional Software, Inc. (Sentry) — application error monitoring; processes IP address and technical request metadata under legitimate interest (Art. 6(1)(f) GDPR)

International data transfers

The processors listed above (Google, Meta, Functional Software (Sentry), Amazon Web Services, BunnyWay) may transfer personal data to the United States. We rely on:

  • The EU-US Data Privacy Framework (DPF) for Google LLC and Meta Platforms Inc., both DPF-certified
  • Standard Contractual Clauses (SCCs) under Article 46 GDPR for any transfers not covered by the DPF

You may request a copy of the relevant transfer safeguards by contacting us.

Our policy

This data will be used only by ourselves, with the limited exception of partner promoter Meta Pixels on shop pages as described above. Ibiza Spotlight will never sell or rent your personally identifiable information to anyone.

Dispute resolution

All disputes regarding the access to and storing of personal user information will be handled by our office. You may contact us via the following e-mail account.

To manage or withdraw your cookie preferences at any time, visit our cookie consent page.