Privacy Policy

1. Data Controller

The data controller responsible for processing your personal data is:

2. Personal Data We Collect

We collect personal data only when you voluntarily provide it through our website forms or when you enter into a contractual relationship with us. The categories of data we process include:

• Contact data: full name, email address, phone number
• Company data: company name, CUI/VAT number, company address, billing email
• Booking data: check-in/check-out dates, number of persons, accommodation preferences
• Communication data: messages and inquiries submitted via contact forms
• Technical data: IP address, browser type, pages visited (collected via Google Analytics 4 and Microsoft Clarity)

3. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR (EU 2016/679):

• Contract performance (Art. 6(1)(b)): processing necessary to fulfil a rental agreement or to take pre-contractual steps at your request.
• Legitimate interest (Art. 6(1)(f)): responding to inquiries, improving our services, and preventing fraud.
• Consent (Art. 6(1)(a)): sending marketing communications and using non-essential cookies, where you have given explicit consent.
• Legal obligation (Art. 6(1)(c)): issuing fiscal invoices and complying with Romanian accounting and tax law.

4. Purposes of Processing

Your personal data is used exclusively for the following purposes:

• Processing and responding to accommodation inquiries and booking requests
• Preparing and executing rental contracts and fiscal invoices
• Sending booking confirmations and operational communications
• Improving website functionality and user experience
• Complying with legal and fiscal obligations under Romanian law

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We may share data with the following categories of processors solely to deliver our services:

• Email service providers (SMTP infrastructure) for sending booking confirmations
• Google LLC — Google Analytics 4 (anonymised analytics data)
• Microsoft Corporation — Microsoft Clarity (session replay and heatmaps)
• Accounting and legal advisors bound by professional confidentiality obligations

All third-party processors are bound by data processing agreements and are required to protect your data in accordance with GDPR.

6. Data Retention

We retain your personal data for the following periods:

• Contractual data and fiscal invoices: 10 years, as required by Romanian fiscal law (Law 82/1991)
• Inquiry and contact form data: 2 years from the date of last contact
• Analytics data: 14 months (Google Analytics 4 default retention)
• Marketing consent records: until consent is withdrawn

7. Your Rights Under GDPR

As a data subject, you have the following rights under EU Regulation 2016/679:

• Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy
• Right to rectification (Art. 16): correct inaccurate or incomplete data
• Right to erasure (Art. 17): request deletion of your data where no legal basis for retention exists
• Right to restriction (Art. 18): limit processing in certain circumstances
• Right to data portability (Art. 20): receive your data in a structured, machine-readable format
• Right to object (Art. 21): object to processing based on legitimate interest
• Right to withdraw consent: withdraw consent at any time without affecting prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Romanian supervisory authority: ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal), www.dataprotection.ro.

8. Cookies and Tracking Technologies

Our website uses the following types of cookies and tracking technologies:

• Essential cookies: required for the website to function correctly. No consent required.
• Analytics cookies (Google Analytics 4): collect anonymised data about website usage. Requires consent.
• Behaviour analytics (Microsoft Clarity): session recordings and heatmaps. Requires consent.

You can manage cookie preferences through your browser settings or by contacting us directly.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These measures include SSL/TLS encryption for data in transit, access controls, and regular security reviews.

10. Changes to This Policy

We may update this Privacy Policy periodically. The date of the most recent revision is indicated at the top of this page. Continued use of our website after any changes constitutes acceptance of the updated policy.