Privacy Policy
Last updated: 24 February 2026
Privacy Policy
1. Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:
menzemedia.de GmbH
Am Wunderhügel 27
58644 Iserlohn
Germany
Email: datenschutz@mallorca.com
2. General Information on Data Processing
2.1 Scope of Processing
We process personal data of our users only to the extent necessary to provide a functional website and our content and services. Processing is generally only carried out with the user's consent or in cases where prior consent cannot be obtained for practical reasons and processing is permitted by law.
2.2 Legal Basis
Where we obtain consent for the processing of personal data, Art. 6(1)(a) GDPR serves as the legal basis. For processing for the performance of a contract, Art. 6(1)(b) GDPR serves as the legal basis. Legitimate interests pursuant to Art. 6(1)(f) GDPR may also serve as a legal basis.
2.3 Data Deletion and Storage Period
Your data will be deleted as soon as the purpose of storage no longer applies. Storage may continue if required by legal provisions.
3. Website Provision and Log Files
Each time our website is accessed, our system automatically collects:
- IP address of the user
- Date and time of access
- Websites from which the user's system accessed our website
- Browser type and version
- Operating system
The legal basis is Art. 6(1)(f) GDPR. Storage serves to ensure the functionality and security of our IT systems.
4. User Account and Classifieds Services
4.1 Registration
The following data is collected during registration:
- Email address
- Name (optional)
- Password (stored encrypted)
4.2 Classifieds
When creating listings, we process:
- Listing title and description
- Category and location
- Price and contact details
- Uploaded images
This data is publicly displayed on the platform.
The legal basis is Art. 6(1)(b) GDPR (performance of a contract).
5. Cookies and Consent
5.1 Types of Cookies
We use the following types of cookies:
- Necessary Cookies: Session management, language settings, cookie consent
- Analytics Cookies: Google Analytics for audience measurement
- Marketing Cookies: Partner integrations
5.2 Consent Management
When you first visit our website, a cookie banner is displayed where you can grant consent for individual cookie categories. Your consent decision is logged server-side as required by Art. 7(1) GDPR. The following data is stored:
- Pseudonymized hash of your IP address (SHA-256, no plaintext storage)
- Timestamp of consent
- Scope of consent (which cookie categories were accepted/rejected)
- Type of action (initial consent, revocation, modification)
- Consent version
Logging is carried out on the basis of our legal obligation under Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR. You can adjust or revoke your cookie settings at any time via the "Cookie Settings" link in the website footer.
5.3 Legal Basis
The legal basis for technically necessary cookies is Art. 6(1)(f) GDPR. For other cookies, your consent pursuant to Art. 6(1)(a) GDPR is required.
6. Google Analytics
We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
6.1 How It Works
Google Analytics uses cookies that enable analysis of your use of the website. The information generated by the cookie about your use is generally transmitted to and stored on a Google server in the USA.
6.2 IP Anonymization
We use the "IP anonymization" feature. This means your IP address is truncated by Google within EU member states before being transmitted to the USA.
6.3 Opt-Out
You can prevent tracking by Google Analytics by deactivating analytics cookies in our cookie settings.
Alternatively, you can install the browser add-on to disable Google Analytics: https://tools.google.com/dlpage/gaoptout
6.4 Legal Basis
The use of Google Analytics is based on your consent (Art. 6(1)(a) GDPR). For more information, see Google's Privacy Policy: https://policies.google.com/privacy
7. Affiliate Partners
7.1 Stay22
We work with Stay22 (Stay22 Inc., Canada) as an affiliate partner. When using accommodation recommendations, data may be transmitted to Stay22, including:
- IP address
- Device information
- Click behavior on affiliate links
Stay22 sets its own cookies to attribute bookings. The legal basis is your consent (Art. 6(1)(a) GDPR). More information: https://www.stay22.com/privacy
7.2 Travelpayouts
We use Travelpayouts (Travelpayouts Ltd.) as an affiliate network for travel and flight recommendations. When using corresponding links, the following data may be transmitted:
- IP address
- Browser and device information
- Click behavior
Travelpayouts uses cookies to attribute bookings. The legal basis is your consent (Art. 6(1)(a) GDPR). More information: https://www.travelpayouts.com/privacy
8. Hosting and Technical Service Providers
8.1 Vercel
Our website is hosted by Vercel Inc. (San Francisco, USA). Vercel processes data on our behalf pursuant to Art. 28 GDPR. Data transfer is based on EU Standard Contractual Clauses.
8.2 Supabase
We use Supabase (Supabase Inc., San Francisco, USA) as our database and authentication service. Supabase processes data on our behalf pursuant to Art. 28 GDPR.
8.3 Resend
For sending emails (registration confirmation, password reset), we use Resend. Data processing is based on Art. 6(1)(b) GDPR.
8.4 Stripe
For the processing of payments for paid services (directory plans, premium features), we use Stripe (Stripe Inc., San Francisco, USA). Stripe processes the following data: name, email address, payment details (credit card number, expiry date, CVC), billing address, and transaction data. Data processing is based on Art. 6(1)(b) GDPR (contract performance). Data transfer to the USA is based on EU Standard Contractual Clauses. Further information can be found in Stripe's privacy policy at https://stripe.com/privacy.
8.5 Meilisearch
For the search functionality in the business directory and classifieds platform, we use Meilisearch Cloud (Meili SAS, Paris, France). Meilisearch processes entered search terms as well as publicly available directory data (company names, categories, locations). Data processing is based on Art. 6(1)(f) GDPR (legitimate interest in an efficient search function). Data is stored on servers within the EU (Frankfurt).
9. Your Rights as a Data Subject
You have the following rights:
- Right of Access (Art. 15 GDPR): Information about your processed data
- Right to Rectification (Art. 16 GDPR): Correction of inaccurate data
- Right to Erasure (Art. 17 GDPR): Deletion of your data
- Right to Restriction (Art. 18 GDPR): Restriction of processing
- Right to Data Portability (Art. 20 GDPR): Receipt of your data in a machine-readable format
- Right to Object (Art. 21 GDPR): Objection to processing
- Right to Withdraw Consent (Art. 7(3) GDPR): Withdrawal of granted consent
- Right to Lodge a Complaint: Complaint with a supervisory authority
9.1 Data Export (Art. 15 & 20 GDPR)
You can download a copy of all your personal data at any time in a structured, commonly used, and machine-readable format (JSON). This function can be found in your Dashboard under Settings → Export My Data. The export includes:
- Profile data (name, email, settings)
- All created listings
- Messages
- Favorites and saved searches
- Consent history
9.2 Account Deletion (Art. 17 GDPR)
You can delete your user account at any time via Settings → Delete Account. After the deletion request, a 14-day grace period applies during which you can cancel the deletion. After this period, your data will be irreversibly deleted or anonymized:
- Profile data will be anonymized
- Listings will be deactivated
- Messages, favorites, and saved searches will be deleted
- Your authentication account will be permanently deleted
The deletion request is logged for compliance purposes (IP hash, timestamp, reason).
9.3 Exercising Your Rights
To exercise your rights, you can use the self-service features in your Dashboard or contact us at datenschutz@mallorca.com. We will process your request within 30 days.
10. Special Provisions for Spain (LOPD)
Pursuant to the Spanish Data Protection Act (Ley Orgánica 3/2018 - LOPD):
- Minors under 14 years of age require the consent of a legal guardian.
- You may also exercise your rights with the Agencia Española de Protección de Datos.
Last updated: February 2026