Privacy Policy

Privacy Policy

PRIVACY AND COOKIES POLICY OF THE SERVICE

I. Data Controller and Definitions

  1. The personal data controller of the Guests/Users of the Service is: EPOL HOLDING SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, +48 669 902 180, 7282749467.

  2. The Data Controller can be contacted:

    1. By correspondence at: ul. Targowa 9A, 90-042, Łódź, Poland

    2. By email at: office@riversideaparthotel.com

  3. Service User – a natural person visiting the page/pages presenting the Offer and enabling the conclusion of a lodging rental agreement or using the services or functionalities described in this Privacy and Cookies Policy.

  4. Service Provider – EPOL HOLDING SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, 7282749467, ul. Targowa 9A, 90-042, Łódź, Poland.

  5. Offer – accommodation offered by the Service Provider for the purpose of concluding a lodging rental agreement through the Service.

  6. Guest – a natural person with full legal capacity, a legal entity, or an organizational unit referred to in Article 331 of the Civil Code, entering into a lodging rental agreement with the Service Provider.

  7. Service – presentation of the Service Provider’s Offer online, enabling the conclusion of an online lodging rental agreement.

  8. Newsletter – information, including commercial information within the meaning of the Act of 18 July 2002 on the provision of electronic services (Journal of Laws of 2020, item 344), sent by the Service Provider to the Guest/User electronically; receiving it is voluntary and requires the Guest/User’s consent.

  9. Account – a collection of data stored in the Service and in the Service Provider’s IT system regarding a specific Guest/User and their bookings and concluded agreements, through which the Guest/User can place orders and enter agreements.

  10. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

II. Purposes, Legal Basis, and Data Retention Period

  1. To fulfill a remote lodging rental agreement, the Service Provider processes:

    1. Information about the User’s device to ensure proper functioning of services: computer IP address, information contained in cookies or other similar technologies, session data, browser data, device data, activity on the Site, including specific subpages.

    2. Geolocation information, if the Guest/User has given consent for the Service Provider to access geolocation. Geolocation information is used to provide more tailored product and service offers.

    3. Personal data of Users: first and last name, registered office address, correspondence address, email address, phone number, tax ID (NIP), bank account number, or other personal data required to complete the purchase, as requested during the booking process by the Controller.

  2. This information does not include data directly identifying Guests/Users but may constitute personal data when combined with other information; therefore, the Controller provides full protection under the GDPR.

  3. The data is processed under Article 6(1)(b) GDPR for service execution, i.e., a contract for electronic services according to the Terms and Conditions, and under Article 6(1)(a) GDPR based on consent for certain cookies or similar technologies, given through browser settings or for geolocation purposes. Data is processed until the Guest/User stops using the Service.

  4. The Controller undertakes all measures required under Article 32 GDPR, considering technical knowledge, implementation costs, nature, scope, purposes of processing, and risk, to implement appropriate technical and organizational measures ensuring security proportional to the risk.

III. Marketing Activities of the Controller
The Controller may display marketing information about its products or services on the Service pages. This is based on Article 6(1)(f) GDPR, i.e., the Controller’s legitimate interest in publishing content related to its services and promotional activities. This does not violate Guests’/Users’ rights or freedoms; they expect and may even seek such content when visiting the Service.

IV. Recipients of User Data
The Controller discloses personal data only to entities processing data under contracts to provide services for the Controller, e.g., hosting, IT services, marketing, and PR.

V. Transfer of Personal Data to Third Countries
Personal data will not be processed in third countries.

VI. Rights of Data Subjects

  1. Every data subject has the right to:

    1. Access (Art. 15 GDPR) – confirmation whether their personal data is processed and, if so, access to it and information about processing purposes, data categories, recipients, storage period, right to rectification, deletion, restriction, and objection.

    2. Receive a copy of data (Art. 15(3) GDPR) – the first copy free, additional copies may incur a reasonable administrative fee.

    3. Rectification (Art. 16 GDPR) – request correction of inaccurate or incomplete personal data.

    4. Erasure (Art. 17 GDPR) – request deletion if there is no legal basis for processing or data is no longer needed.

    5. Restriction of processing (Art. 18 GDPR) – request restriction if accuracy is contested, processing is unlawful, data is no longer needed by the Controller, or objection to processing is pending.

    6. Data portability (Art. 20 GDPR) – receive structured, machine-readable data and request transfer to another controller.

    7. Objection (Art. 21 GDPR) – object to processing for legitimate interests, including profiling. The Controller will assess if their legitimate interests override the data subject’s interests.

    8. Withdraw consent at any time without affecting lawfulness of prior processing.

  2. To exercise these rights, contact the Data Controller using the details in Section I, point 2.

VII. President of the Personal Data Protection Office
Data subjects may file a complaint with the supervisory authority in Poland: President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, via:

  1. Mail: ul. Stawki 2, 00-193 Warsaw

  2. Electronic contact form: https://www.uodo.gov.pl/pl/p/kontakt

  3. Hotline: 606-950-0000

VIII. Data Protection Officer
Data subjects may contact the Controller’s DPO via email or in writing at the address in Section I, point 2.

IX. Changes to the Privacy Policy
The Privacy and Cookies Policy may be updated to reflect current needs and ensure accurate information for Guests/Users.

X. Cookies

  1. The Service collects information about Guests/Users as follows:

    1. Voluntarily provided in forms;

    2. Via cookies stored on devices;

    3. Through web server logs collected by the hosting operator.

  2. Cookies are text files stored on the User’s device containing site name, storage time, and a unique number.

  3. Cookies are used only with the Guest/User’s prior consent. Consent is given by clicking “I agree, go to site” or closing the cookie notice.

  4. Consent may cover selected cookies using the “Cookie Settings” option. Disabling essential cookies may impair Service functionality.

  5. Without consent, Users may select “I do not agree” or change browser settings, which may affect functionality.

  6. Instructions for managing cookies depend on browser/device: Internet Explorer, Chrome, Safari, Firefox, Opera, Android, iOS Safari, Windows Phone.

  7. Legal basis: legitimate interests of the Controller in providing high-quality, secure services.

  8. Cookies include session and persistent types.

  9. Purposes: statistics, session maintenance, user profiling for recommendations and advertising networks (especially Google).

  10. Browsers allow cookie management and deletion; blocking cookies may affect some functionality.

  11. Cookies may be used by advertising partners and networks for targeted ads. Users can review preferences at https://www.google.com/ads/preferences/.

  12. Plugins may share data with providers like Facebook or Google.

  13. Online payment systems may process data to execute bookings.

XI. Newsletter

  1. Users may consent to receive commercial information via email during registration or later.

  2. Users can unsubscribe anytime via account settings, newsletter links, or Customer Service.

XII. Account

  1. Users cannot provide unlawful content.

  2. Access to the Account requires registration.

  3. Registration requires providing account type/gender, name, company name, NIP, billing info, email, and password. Users confirm accuracy and acceptance of Terms and Conditions.

  4. Access creates a perpetual electronic services agreement for the Account.

  5. Registration on one Service page allows access to all Service pages.

  6. Users can terminate the agreement at any time by email or written notice.

  7. The Service Provider may terminate the agreement for inactivity (6 months), violations, or transfer of service, with seven days’ notice. Re-registration may require permission.