Privacy Policy

The data controllers of the processing your personal data are Zoos Ibéricos, S.A. the company operating Zoo Aquarium Madrid, and the company managing its central services, Parques Reunidos Servicios Centrales, S.A., both with registered office at Calle Federico Mompou 5, Parque Empresarial "Las Tablas," Building 1 - 3rd Floor, 28050, Madrid, Spain. Both companies act individually as data controllers and jointly as joint controllers (hereinafter, the “Controllers”). 

If you have any questions regarding the processing of your personal data or wish to request the essential parts of the joint controllership agreement between the Controllers, you may contact the Data Protection Officer (DPO) by sending your request to the above postal address or via email at dpo@grpr.com.

The Controllers will process your personal data for the purposes detailed below, depending on the purpose informed in the channel through which you provided your personal data:

Managing the contractual relationship for the purchase or booking of products and services

The personal data provided will be processed to manage the purchase or booking of the Controllers’ products and services, process the payment, and send you the confirmation and the receipt via email, along with any relevant documentation for your visit and access to the park.

If during the purchase or booking process you use promotions subject to specific eligibility conditions (such as large family discounts or discount codes for certain groups), please note that at the park’s ticket offices, we may request the corresponding documentation to verify compliance with these conditions (e.g., large family card, official document proving membership in certain groups, ID card/NIE/Passport/Driver’s License, etc.), without recording or storing this information.

In case of unforeseen events or circumstances affecting the product or service you purchased (such as weather conditions, security reasons, or public health concerns), the Controllers may contact you via electronic means (email, SMS, or phone calls) to inform you about any possible impact on your visit.

Categories of personal data processed: name, surname, email, phone number, transactional information related to the purchase or booking of products and services, payment details and receipts, date of birth (to ensure you are over fourteen (14) years old, as required by European data protection legislation, otherwise, we would need consent from your legal guardian or custodian), and country (to ensure that any communication sent to you is in the language of the country you provided, guaranteeing full comprehension).

Legal basis: the legal basis for processing your personal data is the performance of the contract between you and the Controllers for the purchase or booking of products and services (Contractual Terms and Conditions). Without the personal data provided, the purchase or booking of the Controllers' products and services would not be possible.

Customer service

If you request information about products and services or send us inquiries, suggestions, complaints, claims, or incident reports via any of the channels provided by the Controllers (specific form, phone, or email), your personal data will be processed to manage and respond to your request via email or phone call, depending on the means you used to contact us.

Categories of personal data processed: name, surname, phone number, email, transactional information related to the purchase or booking of products and services, date of birth (to ensure you are over fourteen (14) years old, as required by European data protection legislation, otherwise, we would need consent from your legal guardian or custodian), country (to ensure we respond to your request in the language of the country you provided, guaranteeing full comprehension), and any other information you voluntarily provide in your request.

Legal basis: the processing of your data is necessary for taking pre-contractual measures at your request or for the performance of the contract (Contractual Terms and Conditions) related to the purchase or booking of products and services. Without the required personal data, your request could not be processed.

Sending commercial communications, including personalized communications, about our own products and services, those of other companies in the Parques Reunidos Group in Europe and other third-party collaborators

Only if you give your express consent by ticking the box included for this purpose on the various forms on this website or by clicking the ‘Submit/Send‘ button on the newsletter form, your personal data will be processed by the Data Controllers to send you commercial communications by any means, including electronic means (e-mail, SMS, telephone calls). These communications, which may be personalized by means of profiling, will be related to our own products and services and those of the other companies of the Parques Reunidos Group in Europe (leisure and hospitality sectors), as well as those of third parties with whom we have collaboration or sponsorship agreements (sectors: leisure, hospitality, travel, energy, transport and food).

These commercial communications may include surveys, newsletters, discounts, promotions, relevant information, commercial information about their activities, brand and image promotion, events, products, and services. These communications may be personalized based on profiling and analysis of your preferences through automated decisions, ensuring they align with your interests. The configuration and filtering of these parameters are detailed below in our email marketing platform: demographic criteria based on the postal code and country you provide, transactional information from our own sources related to your purchase history and the type of products and services acquired (tickets, season pass or parks pass, experiences, parking, or food and beverage-related products) and inferred socioeconomic parameters based on your age, the type of product or service you purchase, and your behavior when receiving a commercial communication (whether or not you proceed with the purchase of the product or service offered in the commercial communication).

The aforementioned profiling will not be used to make automated decisions with legal effects on you or that could significantly affect you in a similar way (economic impact, denial of services, discrimination, disadvantages compared to other customers, etc.). It will solely be used to ensure that our customers and potential customers receive communications better suited to their interests.

Categories of Personal Data Processed: your email address and phone number will be processed to send commercial communications, and your country will be used to ensure these communications are sent in the appropriate language. Additionally, transactional information related to your purchase or reservation of products and services, as well as any other information you provide through surveys, will be processed. The personalization parameters mentioned above (demographic criteria, transactional information, and inferred socioeconomic parameters) will be used to ensure that you only receive commercial communications with information that we believe aligns best with your interests.

Legal Basis: this process will only take place if you voluntarily give your explicit consent by checking the corresponding box in the various forms on this website or by clicking the "Submit/Send" button in the newsletter form.

Please note that, in addition to all other rights granted to you under data protection regulations, you may withdraw your consent at any time and request to opt out of receiving commercial communications. You may also request not to be subject to automated individual decision-making, including profiling, request human intervention in automated decisions, express your opinion, clarify any doubts, or challenge such decisions as outlined in the section ‘What are your rights when you provide us with your personal data?’ included in this Privacy Policy.

Anonymization of Personal Data for Research, Market Analysis, and Customer Experience

The Controllers will anonymize certain personal data provided by you through the forms on this website, where you are specifically informed of this processing, as well as responses you provide in surveys. This anonymized data will be used to generate aggregated statistical reports for conducting market analysis and research. These reports will help us assess our market positioning and customer experience, allowing us to make strategic business decisions (e.g., sales trends).

Categories of Personal Data Processed: aggregated information related to postal code and country, as well as survey responses you provide, will be processed after being dissociated from any personal data to ensure that your individual identification is not possible.

Legal Basis: this process is necessary to satisfy the legitimate interests pursued by the Controllers. The Controllers consider that the rights and freedoms of their customers are not undermined and that a balance exists between the interests of both parties (customers and Controllers). This is because processing allows for the achievement of its intended purpose (research, market analysis, and customer experience), which is essential for the Controllers to make strategic business decisions and improve their products, services, and internal operational processes. These improvements ultimately enhance the quality of customer experience.

Furthermore, we consider that there is no more moderate mechanism to achieve this purpose with the same level of effectiveness. Only basic, non-sensitive information is used (postal code, country, and survey responses), which is previously dissociated from any personal data to ensure customers cannot be individually identified during this process.

Additionally, we understand that customers may have a reasonable expectation regarding this processing based on their contractual relationship with the Controllers, the specific information provided by the Controllers, and the fact that such processing is a standardized and common practice in the service industry.

Nevertheless, you may object to the processing of your personal data at any time or exercise your other data protection rights in accordance with the procedure described in the section ‘What are your rights when you provide us with your personal data?’ included in this Privacy Policy.

Cart Management and Recovery

Only if you provide your email address and give your explicit consent through the pop-up that will appear during the online purchase process in case of inactivity on your part, your personal data will be processed so that, if you do not complete the purchase or booking of the products and services you have previously selected, we can send you an email reminder to finalize the purchase or booking. If you ultimately do not complete the purchase or booking of such products and services, you will receive a brief survey via email to understand the reason for not completing it, which will help us improve our customers’ web experience.

Category of personal data processed: Email address.

Legal basis: this process will only be carried out if you voluntarily give your explicit consent through the pop-up that will appear during the online purchase process in case of inactivity on your part. We remind you that, in addition to the other rights granted to you under data protection regulations, you may also withdraw your consent at any time and request to unsubscribe from abandoned cart reminders as set out in the section ‘What are your rights when you provide us with your personal data?’ included in this Privacy Policy.

Compliance with Legal Obligations

Personal data will be processed to comply with the legal obligations applicable to the Controllers as a result of the relationship maintained with you as a customer and the processing of your personal data in accordance with European Union law and/or the applicable national legal framework (legal obligations required by tax regulations, personal data protection regulations, commercial law, consumer and user protection regulations, information society services and e-commerce regulations, civil law regulations, accounting regulations, etc.).

Category of personal data processed: name, surname, phone number, email address, document proving the identity of the data subject or customer status (ID card, NIE, Passport, Driver’s License), large family card, season pass card, transactional information about your purchase (where applicable), data collected through the use of cookies or similar technologies as indicated in this website’s Cookie Policy, or any other information necessary to fulfill legal obligations at the request of competent supervisory authorities.

Legal basis: Compliance with legal obligations applicable to the Controllers under European Union law and/or the applicable national legal framework. Without your personal data, the Controllers would not be able to properly comply with the stated legal obligations or address potential legal responsibilities arising from the relationship maintained with you or the processing of your personal data.

Prevention and Detection of Potentially Fraudulent Activities

Activating the necessary mechanisms to prevent and detect the misuse of the website or potential fraud related to the purchase or booking of products and services that may affect the Controllers or their customers. If potentially fraudulent activities related to the payment of products and services are detected, the Controllers may share the information regarding the affected transaction and the identifying details of the person who carried it out with the owner of the payment platform used and, if necessary, with the competent public authorities to take appropriate action in each case.

Category of personal data processed: transactional information, payment information, and contact details provided during potential fraudulent purchase processes.

Legal basis: this processing is necessary for the pursuit of the legitimate interests of the Controllers. The Controllers understand that the rights and freedoms of individuals are not unduly affected and that there is a balance of legitimate interests, as this processing aims to achieve the intended purpose (preventing and detecting potential fraudulent activities) and is beneficial for customers and website users. It enables necessary measures to protect them from illicit activities such as fraud attempts by third parties, protects the Controllers from the misuse of the website and its products and services, and benefits society as a whole by discouraging fraudulent activities and ensuring they are detected when they occur.

Dissemination of the content of users who have previously mentioned or tagged the park on social networks.

If you share content on your social networks and mention the park's user account (for example, you mention us in stories or posts...), we may process your personal data to promote the image of the park on your social network profiles by sharing that publication where you mention the park.

Please note that we do not control the processing of personal data of users of social networks where the park has a registered account (Facebook, Twitter, Instagram and Tik Tok). For more information on how and for what purposes the social media provider collects and processes personal data, and on users' rights and options to protect privacy, please refer to the applicable privacy policies of the social media provider.

Category of personal data processed: user account, image and/or voice of the social network user and/or third parties that may appear in your post.

Legal basis: this processing will only be carried out if you voluntarily give your express consent by replying in the affirmative to the direct message sent from the social network profile of the Controllers. We remind you that, in addition to the other rights granted to you by data protection regulations, you may also withdraw your consent for us to delete the publication at any time, either in accordance with the provisions of the section ‘What are your rights when you provide us with your personal data?’ included in this Privacy Policy, or by sending a direct message to our profile on the social network where we have shared said content.

Use of Cookies and Similar Technologies

The Controllers use first-party and third-party cookies and similar technologies (HTTP Cookies, Pixel Tracker, and Local Shared) through this website. As a result, they process, store, and share users' information and personal data while they browse the site, in accordance with specific purposes and configuration parameters that are always made available to users.

You can find all the information regarding the use of cookies and similar technologies on this website, the personal data processing that results from it, and how to manage your consent in our Cookies Policy.

Depending on the purpose for which we process your personal data, the applicable retention criteria are as follows:

• Management of the contractual relationship for the purchase or reservation of products and services: While the contractual relationship with you remains in effect due to the purchase or reservation of products and services.
• Customer service: For as long as necessary to process and respond to your request, complaint, incident, or claim.
• Sending commercial communications, including personalized communications, about our own products and services, those of other companies in the Parques Reunidos Group in Europe and other third-party collaborators: Until you withdraw the express and informed consent you previously provided, request to unsubscribe through the means provided in each commercial communication you receive, or exercise your right to erasure, objection, or your right not to be subject to automated decisions, including profiling. In such cases, your personal data will no longer be processed for this purpose.
• Anonymization of Personal Data for Research, Market Analysis, and Customer Experience: The information processed for this purpose is anonymized and cannot be linked to your other personal information. However, if you request the erasure of your data or object to the processing before anonymization, your data will no longer be processed for this purpose.
• Compliance with legal obligations: Personal data will be retained in a blocked state for as long as legal liabilities may arise for the Controllers in relation to their legal obligations.
• Prevention and detection of potentially fraudulent activities: Until any detected fraudulent activities are resolved, after which the data will remain blocked as long as legal liabilities may arise for the Controllers as a result.
• Cart management and recovery: For a maximum of 30 days, unless you withdraw your express consent or request to unsubscribe from abandoned cart reminders beforehand. In such cases, your personal data will no longer be processed for this purpose.
• Dissemination of the content of users who have previously mentioned or tagged the park on social networks: depending on the type of publication, personal data will be retained according to the following criteria: (i) in the case of publications shared on our stories, personal data will be processed for twenty-four (24) hours, being subsequently deleted without the possibility of recovery; (ii) in the case of publications shared on our feed, personal data will be processed until the user withdraws their consent to their data being published, without affecting the lawfulness of the processing based on consent prior to its withdrawal.
• Use of cookies and similar technologies: The information will be processed for as long as the consent granted by users for the installation of cookies on their devices remains valid. If users do not revoke this consent through the mechanisms provided in our Cookies Policy, the information will be retained for the duration of the validity period of the installed cookies or similar technologies.

In any of the above cases, once the personal data is no longer relevant for the collected purposes or, where applicable, you withdraw your consent or exercise your right to erasure or objection regarding the indicated processing activities, the Controllers may retain the data in a blocked state (meaning that the personal data will be identified and reserved, with technical and organizational measures implemented to prevent its processing, including its visualization). This ensures that the data remains available, if necessary, to competent public authorities, particularly the relevant Data Protection Supervisory Authority, Courts, Tribunals, or the Public Prosecutor’s Office, for the duration of the statute of limitations of any legal actions that may arise from the relationship with you or the processing of your personal data, as well as for the legally established retention periods in accordance with European Union law and/or applicable domestic regulations. Once these periods expire, your personal data will be permanently deleted without the possibility of recovery.

Only if necessary to comply with legal retention periods or to address potential legal liabilities, your personal data may be disclosed to the competent Public Authorities, in particular the Data Protection Supervisory Authority, Courts, Tribunals, or the Public Prosecutor’s Office, in accordance with European Union law and/or applicable domestic legal frameworks.

Additionally, the Controllers engage service providers who may process your personal data to deliver services related to the purposes for which you have been informed. By way of example and without limitation, such service providers operate in the following sectors: information security, customer relationship management (CRM), technology, legal advisory, marketing, customer support, multidisciplinary professional services, IT services, among others. These service providers shall only access your personal data to perform their services on behalf of and under the instructions of the Controllers, and under no circumstances may they use such data for their own purposes and/or for unauthorized processing activities.

Among these providers, Salesforce is engaged to provide CRM and marketing cloud services, operating through entities worldwide. This provider shall act on our behalf and under our instructions within the European Economic Area (EEA), in compliance with the applicable European data protection regulations. However, exceptionally, in certain circumstances such as disaster recovery (a process aimed at recovering data and functionalities in the event of a system disruption caused by a natural or human-made disaster), Salesforce may also render its services through entities located outside the EEA. In such cases, it may be necessary to process your personal data in countries that do not offer an equivalent level of data protection to that provided under European data protection law (for example, in the United States).

Nonetheless, even in such scenarios, the Controllers have entered into binding contractual commitments with Salesforce and have ensured the implementation of appropriate security measures to guarantee that your personal data is processed at all times with a level of protection adequate and equivalent to that required within the EEA. These safeguards include the execution of Standard Contractual Clauses approved by the European Commission in accordance with the General Data Protection Regulation (GDPR), the adoption of supplementary security measures, and adherence to recognized certification mechanisms.

For further information or to exercise any of the rights granted to you under data protection law, please do not hesitate to contact the Controllers as described in the section “What are your rights when you provide us with your personal data?” included in this Privacy Policy.

If you expressly consent to receiving commercial communications from the Parques Reunidos Group companies, please note that these companies are located within the European Union and primarily engage in the management and operation of amusement parks, water parks, zoos, aquariums, leisure centers, and travel agency activities, including offering hotel and theme park packages. Specifically, these companies include:

• Spanish Companies of Parques Reunidos Group: Parques Reunidos Servicios Centrales, S.A. (Bono Parques); Parque de Atracciones Madrid, S.A.U. (Parque de Atracciones Madrid); Madrid Theme Park Management, S.L.U. (Parque Warner and Parque Warner Beach); Gestión Parque de Animales Madrid, S.L.U. (Faunia); Zoos Ibericos, S.A. (Zoo Aquarium Madrid); Parques de la Naturaleza Selwo, S.L. (Selwo Aventura and Hotel Selwo Lodge); Aquopolis Cartaya, S.L.U. (Aquopolis Cartaya); Leisure Parks, S.A. (Aquopolis de Villanueva de la Cañada, Aquopolis Costa Dorada - Vilaseca, Costa Dorada Delfinario, Costa Dorada – Vilaseca, Costa Dorada, Selwo Marina, Aquopolis de Cullera, Aquopolis de Torrevieja, Teleférico de Benalmádena); Mall Entertainment Centre Acuario Arroyomolinos, S.L.U. (Atlantis Aquarium); Travelpark Viajes, S.L.U. (products and services related to ticket packages for parks and leisure centres of the Parques Reunidos Group in Europe and hotel accommodation bookings).
• Rest of the Companies of Parques Reunidos Group in Europe: Italy - Parco della Standiana S.R.L (Mirabilandia and Mirabeach) and Travelparks Italy, S.R.L. (products and services related to ticket packages for parks and leisure centres of the Parques Reunidos Group in Europe and hotel accommodation bookings); Norway - Tusenfryd A/S (Tusenfryd) and Bø Sommarland AS (Bo Sommarland); Belgium - Bobbejaanland, B.V.B.A (Bobbejaanland); BonBon-Land A/S (BonBon -Land); Germany - Movie Park Germany GmbH and Movie Park Germany Services GmbH (Movie Park), Event Park GmbH (Belantis), Nature Park Germany GmbH (Vogelpark Walsrode), Tropical Island Management (Tropical Island) and TI Hotel Asset GmbH (Tropical Island Hotels); The Netherlands - Attractie- en Vakantiepark Slagharen B.V. (Slagharen y Slagharen Beach); France - Marineland SAS (Aquasplash y Adventure Golf), Marineland Resort SAS (So.Blue Hôtel); England- Grant Leisure Group LTD (Blackpool Zoo), Real Live Leisure Company LTD (The Bournemouth Aquarium and Aquarium of the lakes) and Lakeside Mall Entertainment Centre Limited (Nickelodeon Adventure-Lakeside).

You may exercise your right to access, rectification, objection, restriction, portability, and, where applicable, not to be subject to automated individual decision-making, including profiling, by submitting a written request addressed to the DPO at the postal address: Calle Federico Mompou 5, Parque Empresarial “Las Tablas,” Edificio 1 – 3rd Floor, 28050, Madrid, Spain, or via email at dpo@grpr.com. If there are reasonable doubts regarding the identity of the data subject, a copy of an official document (ID card, NIE, or passport) may be requested to process the request.

Regarding processing based on your consent, please note that you may withdraw your consent or object to processing at any time by following the procedure described in the previous paragraph. Additionally, if you have expressly consented to receiving commercial communications, we also provide you with the option to unsubscribe using the means available in each commercial communication you receive.

Furthermore, when applicable, you may also request not to be subject to individualized decision-making based solely on automated processing of your personal data for profiling purposes. You may also request human intervention, express your viewpoint, clarify any doubts, or challenge such decisions by submitting your request to the DPO following the procedure described in the previous paragraph.

The personal data processed by the Controllers is provided directly by you as the data subject through this website and/or during your relationship with us.

If you provide personal data from third parties, you must obtain their explicit and informed consent before sharing their personal data with the Controllers, in accordance with the provisions described in this Privacy Policy.

If it is necessary to provide the Controllers with information about allergies and/or intolerances (for example, to configure menus for an event or activity previously booked by you), please ensure that you only provide the number of people and the type of allergy and/or intolerance, without including any personal data that could individually identify the person with the allergy or intolerance.

Minors under fourteen (14) years of age are not permitted to purchase or book any of the products or services offered on this website.

Notwithstanding the above, if, as a result of purchasing or booking any of the products or services offered through this website (e.g., birthday or communion celebrations), you freely and voluntarily decide to provide personal data of a minor under fourteen (14) years of age (e.g., to personalize the space where the contracted services will be provided), you, as the holder of parental authority or legal guardian of the minor, must provide explicit and informed consent for the Controllers to process the minor’s personal data within the contractual relationship established with you as a result of the purchase or booking of such products or services, in accordance with the provisions of this Privacy Policy.

You may file a complaint with the Spanish Data Protection Agency if you believe your rights have been violated. However, we recommend that you first contact the DPO via email at dpo@grpr.com or by post at Calle Federico Mompou, 5, Parque Empresarial "Las Tablas," Edificio 1 - 3rd Floor, 28050, Madrid, Spain, so we can assist you with your request and address any concerns regarding the processing of your personal data.

Privacy Policy updated in March 2025