Privacy Policy

Last updated – 25/07/2022

At Beyoo we are committed to protecting and respecting your privacy in accordance with the Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter also referred to as the “GDPR“). For the purpose of the data protection laws the data controller is Hartly Invest S.L, Calle Principe De Vergara, 112-4 PLT 28002, Madrid, Spain (“We” or “Us”).

This policy (together with our terms of use at and our and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
By visiting or engaging with us, you are accepting and consenting to the practices described in this policy.
Our nominated representative for the purpose of the Act is the Data Protection Officer who can be contacted at


In order to provide our services, we collect and process a range of information about individuals. We may collect and process the following data about you:

  • Information you give us. You may give us information about you by filling in forms on our site (our site), via our student portal , or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register to use our site, subscribe to a service, search for a product or service, make a booking on our site, in person or over the phone, participate in discussion boards or other social media functions, enter a competition, promotion or survey, and when you report a problem.

We collect information on tenants, applicants, guarantors, visitors to our website or premises, and clients.

We have categorised the types of data we may collect from you as follows:

I. Tenant, Prospective Tenant, Parent and Next of Kin

  • Identity Data: Your name, date of birth, gender, photograph, information about your nationality, marital status, emergency contact or Next of Kin including relationship, passport information, VISA information, entitlement to live in the Spain, Fiscal code;
  • Contact Data: postal and e-mail address, phone number;
  • Course Data: Details of your University, College or Institution and your Faculty, Course and Year of Study;
  • Financial Data: Financial and credit card information and/or details of your bank account;
  • Profile Data: Preferences including details of room requirements, in case of shared rooms – friends to share with, religious or belief requirements or other such preferences provided by you;
  • CCTV Images: images of you in the property or an external area covered by our CCTV cameras. We use CCTV to prevent and detect criminal activity, fraud and misuse of or damage to our property;
  • Marketing and Communication Data: Your marketing preferences in receiving information from us;
  • Special Categories of Personal Data: we may process some personal information that is more sensitive in nature, because it relates to your physical or mental health or wellbeing or your gender identity (such as to enable us to accommodate or support any disabilities you may have); or your religious views or ethnic origin. We may collect this information directly from you and with your consent.
  • Covid 19: your room number, flat and property details, reason for self-isolating and date you registered as self-isolating. We use this information to allow us to take extra precautions to keep you and our teams safe.

II. Client

If you are a client, the information you give us may include:

  • your name, date of birth, contact details (e.g. postal and e-mail address, phone number, and Fiscal number);
  • company details (e.g. Know Your Costumer details (KYC), ownership structure, shareholders, details of the beneficial owner);

III. Physical location data

  • CCTV systems are installed at all of our premises. All internal and external CCTV cameras are clearly labelled or otherwise notified to staff and visitors and are visible;
  • Electronic entry systems including, swipecard and fob entry, are installed at the majority of our sites to allow you access to our premises;

IV. Information we receive from other sources:

  • We work closely with a number of third parties who may provide us with your personal data directly, such as landlords, Universities, referral partners or credit reference agencies to enable us to provide our services;
  • We may receive information if you have provided permission to referees or other organisations to share it with us. Before providing permission to such third party organisations to share your personal data, you should check their privacy notices carefully;
  • In order to manage and provide our services, we work with a number of other partners including to process payments for rent or other monies we are owed, to verify your identity or status through credit reference checks;
  • We may also search publicly available records, including business records;
  • We may combine this information with information you give to us and information we collect about you.

V. Information we automatically collect about you when using our online services

With regard to each of your visits to our site we may automatically collect the following information:

  • technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.


Under the data protection laws, to protect individuals, We are only permitted to collect and use data for certain specified lawful purposes. We use information held about you in the following ways:

  • Information that is necessary for the purpose of entering into or fulfilling a contract:
    – This applies to any personal information that We process for the purpose of delivering accommodation services to our tenants, or for the purpose of entering into a guarantee or other activities related to the management and administration of a tenancy, the maintenance of the building; to process your application for a tenancy or guarantor; to communicate with you and respond to your requests;
    – We will process information to enable Us to manage payments including to recover any unpaid sums due to Us or the landlord.
    Your personal data are necessary for the proper performance of the services/contract requested by you. In light of the above, refusal to provide such data will make it impossible for us to enter into the contract with you and to execute the requested services.
  • Information necessary to protect vital interests:
    – Whilst we hope that this is not required, We will collect and process information to support tenants in an emergency situation. This includes processing information on Next of Kin and emergency contacts;
    – We may also pass on information to security, police, accommodation managers or emergency services where necessary.
  • For the fulfilment of legal, regulatory and fiscal obligations deriving from existing relations with you or provided for by an order of the Authority
  • Information processed for our own legitimate business interests:
    – acquisition of images and/or audio-video recordings of you (with preference to group images) captured within the structure for advertising purposes. The images taken will be processed and used exclusively for social, informative and divulgation purposes related to the statutory activities of the Data Controller, conducted through the publication and dissemination of the images on the website and/or on the Data Controller’s pages on the following social channels (e.g. LinkedIn, Facebook, Instagram, Twitter). Since this is photo/video footage taken on public occasions and diffused solely on the Data Controller’s website or social channels, the related processing must be considered lawful as it is aimed at pursuing a legitimate interest of the Data Controller pursuant to article 6, paragraph 1, letter f, of EU Regulation 679/2016. This is without prejudice to the right of the data subjects to object, at any time and in accordance with the procedures set out below, to the diffusion of the images;
    – the processing of the images / data collected through the CCTV systems and electronic entry systems is aimed at guaranteeing the security of all our premises; the images collected through the CCTV systems will be viewed in real time by the Accommodation Team in order to control those who request access to our premises and to guarantee an adequate level of security; the images will also be recorded using special computerised systems and normally stored for a maximum of 30 days before being overwritten. Overwriting guarantees the definitive and automatic deletion of previously stored images. The duration of storage of the recordings may be increased at the request of the Judicial Authority, in relation to offences that have occurred for the time necessary for investigations.
    – the recording of images and the subsequent processing, although optional in nature, are necessary for the purposes of compliance with the internal security plan and its procedures and are based on the principle of the ‘balancing of interests’, according to which the collection of images may take place without the consent of the data subject for the pursuit of a legitimate interest of the Data Controller, i.e. for the purpose of protecting persons and property against possible aggression, theft, robbery, damage, vandalism;
    – We use the automated data collected from users of our online services to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; to improve our site to ensure that content is presented in the most effective manner for you and the device you are using to view our website; as part of our efforts to keep our site safe and secure; and to measure or understand the effectiveness of advertising we provide to you and others, and to deliver relevant advertising to you; for details please read our cookie policy under;
    – We also provide interactive features of our online services, when you choose to do so, and may make suggestions and recommendations to users of our site about goods or services that may interest you.
  • Information processed based on Promotional Communications:
    – If We are providing you with e-mail based communications, We will only do so with your consent. If you have given Us your consent, you can withdraw your consent at any time by contacting the Accommodation Team or by clicking on the unsubscribe link provided at the bottom of each e-mail. In case of withdrawal of your consent for this specific purpose of data processing, the use of the services requested by you will not be interrupted or limited.
  • Information processed based on special categories of information (i.e. information revealing racial ethnic origin, health data, sexual orientation) We must have a further lawful basis for the processing. This may include:
    – Where you have given us your explicit consent to do so (e.g. to cater for your medical needs, to offer the catering service).
    – Where the processing is necessary to protect your vital interests or someone else’s vital interests.
    – Where processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.


We inform you that for the processing of the abovementioned data and information there is NO automated decision-making process, pursuant to article 22 of the GDPR.


In order to provide our services, and within the lawful conditions for processing personal data, We may share your information with selected third parties including:

  • subjects, bodies or authorities to whom the communication of your personal data is mandatory under the provisions of the law or orders of the authorities;
  • accounting, administrative, legal, tax and financial consultants in relation to the provision of the services requested;
  • companies that carry out auditing and certification of the financial statements;
  • to support local authorities, and universities (where the university is assisting local authorities) with managing a local outbreak of Covid-19;
  • Business partners, landlords, suppliers, and sub-contractors for the performance of any contract we enter into with them or you;
  • If you are a tenant and you fail to pay your rent, We may contact the Guarantor and inform them of this failure when exercising the landlords rights under the guarantee;
  • With your emergency contact or Next of Kin in the event this is required;
  • Analytics and search engine providers that assist us in the improvement and optimisation of our site.
  • We may also provide aggregated statistics about our sales, customers, traffic patterns and other site information to third parties, but these statistics will not include any information that could personally identify you.


We take the security of your data seriously. We operate internal policies and controls to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by its employees, sub-contractors and landlords in the performance of their duties and each for their respective profiles of competence.

We also inform you that your data will be collected, processed and stored in full compliance with the provisions of Articles 32 et seq. of the GDPR – on security measures.

The company engages third parties to process personal data that we collect from you by staff operating outside the European Union. Such staff do so on the basis of written instructions, a GDPR data processing agreement, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. They maybe engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

Moreover, please note that any transfer of your personal data by Us to a country outside the European Union or to an international organisation will always be done either:

a) by presence of an adequacy decision in accordance with article 45, par. 3 of the GDPR; or
b) by presence of adequate safeguards in accordance with article 46 of the GDPR, including standard contractual clauses approved by the European Commission or binding corporate rules (article 47 of the GDPR); or
c) only if the conditions set forth in article 49 of the GDPR are met (e.g. after having provided adequate information and obtained your explicit consent).

All information you provide to us is stored on secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.


The data collected will be kept (in electronic or paper files) for the time strictly necessary for their processing and in any case no later than the period provided for by current legislation and / or the recommendations of the Spanish Data Protection Authority or until any revocation of the consent you may give.

For marketing purposes, your personal data will be stored and processed for a period of 24 months, subject to your right of revocation.
In some circumstances the company may anonymise your personal data for research and statistical purposes where we may use this information indefinitely without further notice to you.


Pursuant to and for the purposes of the GDPR, you have the following rights as a data subject that you may exercise against Us:

  • Right of access: to obtain confirmation as to whether or not personal data relating to you are being processed and, if so, to receive information relating, in particular, to the purposes of the processing, the categories of personal data processed and the retention period to which they may be disclosed (art. 15 GDPR);
  • Right to rectification: to obtain, without undue delay, the rectification of inaccurate personal data concerning you and the integration of incomplete personal data (art. 16 GDPR);
  • Right to erasure: obtain, without undue delay, erasure of personal data concerning you, in cases provided for by the GDPR (art. 17 GDPR);
  • Right to restriction of processing: obtain from the Data Controller the restriction of processing, in the cases provided for by the GDPR (art. 18 GDPR);
  • Right to data portability: receive in a structured format, commonly used and readable by an automatic device, the personal data provided by you to the Data Controller, and ensure that they are transmitted to another data controller without hindrance, in the cases provided for by the GDPR (art. 20 GDPR);
  • Right to object: object to the processing of personal data concerning you, unless there are legitimate reasons for the Data Controller to continue the processing (art. 21 GDPR);
  • Right to lodge a complaint with the supervisory authority: lodge a complaint with the agencia española protección datos, C/ Jorge Juan, 6. 28001 – Madrid.

It should be noted that the revocation of consent for the processing of data for which consent is requested does not affect the lawfulness of processing based on consent prior to revocation.

If you would like to exercise any of these rights, please contact You can make a request by completing the company’s form for making a subject request which can be found [here]. Please note that any subject request made will require proof of identity for the person making the request.

If you believe that We have not complied with your data protection rights or as an alternative to the above you can contact the Spanish Data Protection Authority using the form available on the website


Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy. This privacy policy was last updated on 25 July 2022.


Please contact us if you have any questions, comments and requests regarding this privacy policy or information we hold about you:

  • By email to;
  • Or write to us at: Data Protection Officer, Hartly Invest S.L, Calle Principe De Vergara, 112-4 PLT 28002, Madrid, Spain
Open chat
Hello There,
Can we help you today?