Privacy Policy

This Privacy Policy governs the processing of personal data carried out by Turismo de Gran Canaria in connection with the Christmas postcard generation campaign using artificial intelligence.

1. Data Controller

In accordance with Article 13 of Regulation (EU) 2016/679 of 27 April (GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights, the following information is provided:

• Data Controller: Turismo de Gran Canaria
• Tax ID: P8500008A
• Postal Address: Calle Triana 93, Las Palmas de Gran Canaria, 35002
• Telephone: 928219600
• Electronic Office: https://turismograncanaria.sedelectronica.es/info.1
• Data Protection Officer: Josué Castellano Reyes
• DPO Email: dpd@turismograncanaria.com

2. Personal Data We Process

During use of the platform, the following data are collected:

• User-provided image, which may contain identifiable physical features.
• Contact data, consisting of:
  • Email address
  • Mobile phone number (only for sending the postcard)
• Technical usage data necessary for the operation of the platform (e.g., IP address, technical logs).

Important: Turismo de Gran Canaria does not request or require additional information and asks users not to include sensitive data other than the image necessary to generate the postcard.

3. Purposes of Processing

The images uploaded by users will be processed solely to generate a Christmas postcard as part of the campaign. They will not be used for any other purpose, nor integrated into AI model training systems.

Accordingly, data will be processed for the following purposes:

1. Generate a personalized Christmas postcard using an artificial intelligence system.
2. Integrate the provided image into the design chosen by the user.
3. Send the postcard to the provided email address or phone number.
4. Maintain the security and proper functioning of the service.

The data are not used to train AI models, improve algorithms, or for any additional purpose.

4. Legal Basis for Processing

The legal basis for data processing is:

• Explicit user consent, granted when uploading the image and providing contact details to receive the postcard. Consent may be withdrawn at any time by sending a request to dpd@turismograncanaria.com.
• Legitimate interest in processing operational metrics.

5. Data Retention

• Images: Automatically deleted after the postcard is generated and not stored or reused.
• Contact data: Retained only for the time necessary to send the postcard and, where applicable, manage incidents or user requests.
• Technical data: Retained for the time necessary to ensure service security.

In accordance with Article 26 of the LOPD, processing by this Entity of data for archiving purposes in the public interest shall be lawful, provided that current archival and documentation regulations are complied with.

6. Processing Using Generative Models (AI) and Regulatory Compliance

The postcard generation is carried out using a generative artificial intelligence model. Below is the relevant information in compliance with Regulation (EU) 2016/679 (GDPR) and Regulation (EU) 2024/1689 (Artificial Intelligence Act).

6.1. Technology Provider and AI Model

• Technology Provider: The service is technically operated by our provider Flecher.co.
• AI Model: Flecher.co integrates a generative AI model developed and maintained by Google LLC.
• Data Processing: Images are processed on Google’s servers. Turismo de Gran Canaria has entered into the necessary agreements to ensure such processing is carried out solely for image generation purposes and in compliance with the GDPR.
• Data Processing Agreement (DPA): A DPA exists between Flecher.co and Google governing data processing and prohibiting Google from using the images for any purpose other than service provision, including training its AI models. You may consult Google’s AI services privacy policy at: https://cloud.google.com/terms/data-processing-addendum

6.2. Compliance with the Artificial Intelligence Act (AIA)

In compliance with the transparency obligations of Article 52 of the AI Regulation:

• Explicit Labeling: All content generated through this platform (the Christmas postcard) is clearly identified as «AI-generated» through a visual watermark. This ensures that users and third parties can easily recognize that the image is not a real photograph but an artificial creation.
• Risk Assessment: An assessment has been conducted to ensure that the system does not present a high risk under the criteria of the AI Act. Its use is limited to a low-risk, recreational and creative purpose.

6.3. Prohibition of Model Training

It is explicitly guaranteed that neither Turismo de Gran Canaria, nor Flecher.co, nor Google will use user-uploaded images or generated postcards to train, retrain, or improve any artificial intelligence model.

7. Recipients and Data Processors

In order to provide the service, Turismo de Gran Canaria communicates data to the following technology providers:

• Google: Artificial intelligence provider responsible for processing the image and generating the postcard.
• Flecher.co: Technology provider responsible for platform integration and operation.
• Web hosting providers, technical infrastructure, communications, or email/SMS delivery services necessary to operate the service.

All of them act as data processors in accordance with Article 28 of the GDPR.

If any of these providers are located outside the European Economic Area, appropriate safeguards will be adopted through Standard Contractual Clauses or other applicable legal mechanisms.

8. Protection of Minors

Turismo de Gran Canaria does not have mechanisms to actively verify the age of individuals appearing in images uploaded by users. Therefore, it is the sole responsibility of the user who uploads the image to:

• Ensure that, if minors appear in the image, they have the explicit and verifiable consent of the minor’s parents or legal guardians for the processing of their image for the purpose of generating the Christmas postcard.
• Acknowledge that the use of a minor’s image without proper parental consent may constitute a violation of data protection regulations and of the minor’s rights to honor, personal and family privacy, and their own image.

By accepting the terms and uploading the image, the user declares under their responsibility that they comply with this obligation. Failure to comply with this condition releases Turismo de Gran Canaria from any liability arising therefrom.

9. User Rights

Any person has the right to obtain information as to whether or not this Entity is processing their personal data.

Data subjects may exercise the following rights:

• Right of access to their personal data, the retention period, and to obtain a copy of the processed data, in accordance with the GDPR and Article 13 of the LOPD.
• Right to rectification of inaccurate or incomplete data (Art. 14 LOPD).
• Right to erasure when data are no longer necessary and provided that the conditions set out in the GDPR and Article 15 LOPD are met.
• Right to object to and restrict processing where applicable. Requests must be submitted to the data controller, who must suspend processing when rectification or erasure is requested until the request is resolved (Articles 16 and 18 LOPD).
• Right to data portability, where applicable (Art. 17 LOPD).

Data subjects may exercise the rights listed above through the forms available on this Entity’s electronic office or by sending a written request by post. For these purposes, the following contact details are provided:

• Postal Address: Calle Triana 93, Las Palmas de Gran Canaria, 35002
• Electronic Office: https://turismograncanaria.sedelectronica.es/info.1
• DPO Email: dpd@turismograncanaria.com

You may also submit a complaint to the Spanish Data Protection Agency (AEPD) if you believe your rights have been violated, by sending a written request to C/Jorge Juan No. 6, 28001 Madrid, or by accessing its electronic office: https://www.aepd.es

10. Data Security

Turismo de Gran Canaria adopts the necessary organizational and technical measures to ensure the security and integrity of personal data and to prevent alteration, loss, unauthorized processing or access, in accordance with the National Security Framework (ENS) and applicable data protection regulations. These measures include, among others, the following security systems:

• Encryption in transit (TLS/SSL)
• Automatic image deletion
• Restricted access to data
• No reuse of images
• Secure processing through accredited providers

11. Updates

This Privacy Policy may be updated to reflect changes in the service or applicable regulations. The current version will be available on the website.

Document version 2.0 – December 2025
Last updated: December 17, 2025