This page explains how we handle personal data when you work as a monitor at LayosCamp and use the monitor mobile app (LayosCamp Monitor, available on the App Store and Google Play). It complements our general privacy policy with the specifics of the mobile channel.
If you only want to delete your account and do not use the app, go directly to delete my monitor account.
Data controller
| Company | Castillo de Layos S.L. (LayosCamp is our trading name) |
| Spanish tax ID | B-78583366 |
| Registered address | Calle Garza 11, 28023 Madrid, Spain |
| General contact | info@layoscamp.com |
| Data Protection Officer (DPO) | dpo@layoscamp.com |
For anything related to your personal data, please write to the DPO.
What data we handle in the app
About you as a monitor
- Identification and contact: name, surname, photo, login email, mobile phone, city, gender, date of birth.
- Employment documents: Spanish DNI/NIE, Social Security number, IBAN.
- Criminal record certificate (sexual offences) — legally required to work with minors in Spain.
- Academic / internship: academic tutor, internship agreement, parental authorisation if you are 16-17.
- Operational: role, availability, shift assignment, internal evaluations.
- Device technical data: push notification token, app version, platform (iOS/Android). We do not collect advertising identifiers (IDFA/AAID), do not access your GPS location, do not read your contacts or calendar.
About the minor camper (visible from your app because their parents entrusted us with the data)
- Identification: name, age, gender, photo.
- Health data (special-category data — GDPR Art. 9): allergies, intolerances, medication, medical observations, mental health, disability, daily health checks.
- Operational: registrations, travel, room assignment, emergency contacts.
- Financial: camper's pocket money (balance and movements).
- Multimedia: photos during the shift.
These data were provided by the minor's parents when registering them on our website. The app is a work tool to help you care for the minor properly; it is not a channel for collecting new data.
Why we handle the data (legal bases)
| Block | Legal basis |
|---|---|
| Your employment and contact data | Performance of the employment / internship contract (GDPR Art. 6(1)(b)) + legal obligations (Art. 6(1)(c)) |
| Your criminal record certificate | Legal obligation — Spanish Organic Act 1/1996 as amended by Act 26/2015 |
| Minor's health data | Healthcare and custody (GDPR Art. 9(2)(h)) + vital interest of the minor (Art. 9(2)(c)) |
| Other minor data | Performance of the service contracted by the parents (Art. 6(1)(b)) |
| Photos of the minor | Specific parental consent collected during web registration (Art. 6(1)(a) + Art. 8 GDPR + LO 1/1996) |
| Push notifications and operational communications | Service performance (Art. 6(1)(b)) and legitimate organisational interest (Art. 6(1)(f)) |
| Audit logs | Accountability principle (Art. 5(2)) |
Retention periods
Summary — full detail in our monitor app retention policy:
- Your employment and tax data: 4 years after end of employment (4–6 years for accounting and tax records).
- Health data about minors where your name appears: 5 years (reinforced regime under GDPR Art. 9 + Spanish Organic Data Protection Act). Your name is anonymised when you close your account.
- Minor's pocket money: 6 years (Spanish Commercial Code).
- Technical and communication logs: 4–5 years.
- Your photo, password and push token: deleted when you close your account.
Data processors
| Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | App server | Germany (EU) |
| Amazon Web Services (S3) | Photos and documents | EU region |
| Microsoft 365 | Internal email | Ireland (EU) |
| Google (Firebase Cloud Messaging) | Push notification delivery for Android and iOS | United States |
| Apple (APNs) | Push notification delivery for iOS | United States |
International transfers
Only to the United States to deliver push notifications (Google and Apple). These transfers rely on the European Commission's Standard Contractual Clauses and the EU-US Adequacy Decision of 10 July 2023 (Data Privacy Framework). Push notification payloads are sanitised: they do not contain your name or health information; they carry only an identifier so that the app knows which screen to open when you tap.
We do not sell your data to third parties. We do not use advertising or behavioural analytics within the app.
Security measures
- TLS 1.2+ encryption for all communications between the app and our server.
- Your session is stored in the native secure storage of the operating system (iOS Keychain or Android EncryptedSharedPreferences).
- Your password is stored as a non-reversible bcrypt hash, never in plain text.
- Mandatory reauthentication for sensitive actions such as account deletion or password change.
- Push notifications with generic content on the lock screen — health data only appears after unlocking the device and opening the authenticated app.
- Access restricted by role and by assigned shift: a monitor can only see campers in their shift.
- Highly sensitive data (mental health, disability) only accessible to coordinators and medical staff.
- Full audit log of access and exports.
- No advertising tracking and no third-party analytics SDKs.
Your rights
You can exercise the following rights at any time:
- Access — know what data we hold about you and obtain a copy.
- Rectification — correct anything inaccurate.
- Erasure (right to be forgotten) — via My profile → Security → Delete my account inside the app, or by writing to us.
- Objection — to non-mandatory processing.
- Restriction — freeze processing while a dispute is resolved.
- Portability — receive your data in a structured format.
Single channel: dpo@layoscamp.com. We respond within 1 month maximum (extendable to 2 months if complex; we will tell you).
If you believe we are not responding properly, you can lodge a complaint with the Spanish Data Protection Agency (aepd.es).
Direct account deletion
If you want to delete your account without opening the app, follow the deletion instructions.
Changes to this policy
When retention periods, processors, purposes or security measures change. Each version is dated. For material changes, we will notify you by email and inside the app.
Last updated: 2026-06-02 · Version: 1.0
Castillo de Layos S.L. · Spanish tax ID B-78583366 · Calle Garza 11, 28023 Madrid, Spain · dpo@layoscamp.com