01
What are cookies?
Cookies (together with similar technologies like localStorage and sessionStorage) are small pieces of data a website may store in your browser. They let a site remember information between page loads and visits. Some are strictly necessary for the site to work or to protect it from automated abuse; others measure usage or personalise content and, under Article 22.2 of Spain's LSSI-CE law and the GDPR, require your prior consent.
02
What this site actually uses
On a standard visit this site sets no cookies in your browser, writes no identifiers to localStorage or sessionStorage, embeds no advertising pixels, and embeds no social-media widgets. Your language preference (English or Spanish) is taken from the URL (/es/… or /en/…) and from your browser's declared language; nothing is stored persistently.
There are two narrow exceptions, described below: the security cookies of our perimeter network provider (Cloudflare) and the contact form.
03
Cloudflare security cookies
The site is served via the Cloudflare Inc. content-delivery network. When Cloudflare detects a pattern of automated or suspicious traffic (for example, bursts of requests from a single IP address) it may set the following strictly-necessary cookies:
• __cf_bm (Cloudflare Bot Management). Distinguishes human traffic from automated traffic to protect the site from bots. Maximum duration: 30 minutes. Category: strictly necessary (security).
• cf_clearance. Stores the result of a JavaScript or interactive challenge when Cloudflare presents one. Maximum duration: 30 days. Category: strictly necessary (security).
These cookies are governed by the security purpose described in Cloudflare's public documentation (https://developers.cloudflare.com/fundamentals/reference/policies-compliances/cloudflare-cookies/) and, per the Spanish data-protection authority (AEPD) cookie guide and Article 22.2 LSSI-CE, do not require consent because they are indispensable for providing the service the user requests.
In the audit run on 9 May 2026 none of these cookies were set on a normal visit to estadia.host's public pages; we disclose them in case of a future mitigation scenario.
04
Cookieless web analytics (Umami Cloud)
To understand which pages work we use Umami Software, Inc. (Umami Cloud). Umami is an analytics service designed specifically to set no cookies and to collect no personally identifying information: visits are counted via an ephemeral per-session identifier and events are aggregated at the page level, not the user level.
Because Umami writes no cookies, no persistent identifiers and no personal data to your device, this analytics service is exempt from the prior-consent requirement of Article 22.2 LSSI-CE under the AEPD's guidance on strictly privacy-respecting analytics. Transmission of server logs to Umami Cloud is governed by Umami's DPA and, where applicable, the EU Standard Contractual Clauses.
06
Why we don't show a cookie banner
Under the AEPD cookie guide and Article 22.2 LSSI-CE, a consent banner is only required when information is stored on the user's device for purposes other than those strictly necessary. On this site:
1. No analytics cookies with persistent identifiers are used.
2. No advertising or social-media cookies are used.
3. The only cookies that may ever be set are Cloudflare's security cookies, which are exempt from the consent requirement.
A banner is therefore not required. If we ever introduce technologies that do require consent, we will update this policy and ask for your authorisation before turning them on.
07
How to control cookies and other technologies
You can manage and delete cookies and storage data at any time from your browser's privacy settings. Doing so may affect Cloudflare's security features during an active mitigation, but will not prevent normal navigation of this site.
08
Updates
This policy is reviewed whenever the technologies used by the site or by the perimeter security provider change. The current version is the one published here, with the date shown at the top.