In short: We only collect data needed to respond to your requests and manage your bookings. We never sell your data. Analytics and marketing cookies load only with your explicit consent.
1. Data Controller
The controller of personal data collected through this site is:
Legal name: [TODO_FIRMA: legal entity name]
Tax ID (CUI): [TODO_FIRMA: tax ID]
Trade register: [TODO_FIRMA: trade register number – if applicable]
Operating location: Strada Clujului 8, Predeal, 505300, Brașov County, Romania
Phone: +40 747 679 188
GDPR contact email: [TODO_FIRMA_EMAIL]
2. What data we collect and why
2.1 Data submitted through contact and booking forms
When you fill out the booking or contact form, we collect:
First and last name
Email address
Phone number
Booking details (check-in / check-out date, number of guests, room type, free-form message)
Purpose: respond to your request and, where applicable, manage the booking. Legal basis: performance of a contract (booking) or, prior to that, pre-contractual measures at your request (Art. 6(1)(b) GDPR). Retention: 3 years from the last interaction for commercial records, and up to 10 years for invoices, in compliance with Romanian fiscal law.
Strictly necessary cookies – we only store your cookie choice (localStorage, 12 months). Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
Analytics cookies (Google Analytics 4) – anonymized data about visited pages, session duration, traffic source. Legal basis: consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy Directive).
Marketing cookies (Google Ads) – conversion measurement and remarketing. Legal basis: consent.
2.3 Basic server traffic (logs)
Our hosting provider (Vercel) keeps basic technical logs (IP address, user agent, accessed pages) for security and troubleshooting. Legal basis: legitimate interest (security). Retention: up to 30 days.
3. Who we share your data with (processors)
We use external providers to operate the site. They process your data strictly on our behalf, under data processing agreements:
Vercel Inc. – web hosting. Data: standard web traffic. Server location: EU (Frankfurt) or US. US transfers under Standard Contractual Clauses + Data Privacy Framework.
Supabase Inc. – booking database. Data: form submissions. Location: EU (Frankfurt).
Resend – booking confirmation emails sent to us. Data: form contents. Location: EU / US under SCCs.
FormSubmit – backend for the contact form (text messages). Data: form submissions. Location: US under SCCs.
Google LLC (Google Analytics + Google Ads) – ONLY AFTER consent. Data: anonymized navigation behavior + cookie identifiers. Location: US under Data Privacy Framework + IP-Anonymization enabled.
We never sell or transfer your data to third parties for commercial purposes.
4. Your GDPR rights
Under the EU General Data Protection Regulation (EU) 2016/679, you have the following rights:
Right of access – to know what data we hold about you.
Right to rectification – to correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") – to request deletion of your data, within legal limits.
Right to restriction – to request a temporary halt to processing.
Right to portability – to receive your data in a structured format (e.g. JSON).
Right to object – to object to processing based on legitimate interest.
Right to withdraw consent – for analytics and marketing cookies, at any time via in the footer. Withdrawal does not affect the lawfulness of processing carried out previously.
Send a written request to [TODO_FIRMA_EMAIL] or by post to the registered office address. We respond within 30 days at most. To verify your identity, we may request a copy of an ID document (with irrelevant data anonymized).
6. Data security
All data is transmitted over an encrypted HTTPS connection. The processors we work with comply with international security standards (ISO 27001, SOC 2 where applicable). Internal access to data is limited to staff who need it to respond to your requests.
7. Data about minors
The site is not directed at children under 16. We do not intentionally collect data from minors. If you become aware that a minor has submitted data through the site, please notify us at [TODO_FIRMA_EMAIL] and we will delete it.
8. Changes to this policy
We may update this policy periodically, especially when we introduce new services or applicable law changes. Significant changes are announced by re-displaying the consent banner. The date of the last update appears at the beginning of the document.
9. Contact
For any question regarding this policy or your personal data: [TODO_FIRMA_EMAIL] or phone +40 747 679 188.