PRIVACY POLICY

GENERAL INFORMATION

This Privacy Policy sets out the rules for processing and protecting the personal data of users of the Scandinavia Resort website (hereinafter: the Website).

The Data Controller (DC) is Hotellabs Zator Sp. z o.o., registered in Krakow, ul. Bociana 22A/18A, Tax ID (NIP): 9452315540. The Controller can be contacted by e-mail at: administration@ascendscandinaviaresort.pl.

The Controller informs that it has not appointed a Data Protection Officer (DPO). For all matters relating to the processing of personal data and the exercise of your rights, please contact the Controller directly.

LEGAL BASES AND PURPOSES OF PROCESSING

Personal data are processed in accordance with the GDPR for the following purposes:

  1. Handling enquiries: Responding to messages submitted via the contact form (Art. 6(1)(f) GDPR – legitimate interest of the Controller).
  2. Service reservations: Processing online bookings through the integrated reservation system (Art. 6(1)(b) GDPR – performance of a contract).
  3. Direct marketing: Sending commercial communications (newsletter) where the user has given voluntary consent (Art. 6(1)(a) GDPR).
  4. Analytics and statistics: Analysing user behaviour on the Website in order to optimise its performance (Art. 6(1)(f) GDPR – legitimate interest of the Controller in improving the quality and functionality of the Website). The analytics tool (Google Analytics 4) is activated only after the user has given explicit consent in the cookie management panel; until consent is given, only aggregated, anonymous data necessary for the technical operation of the Website are collected.
  5. Behavioural advertising and remarketing: Tailoring advertising content to user preferences (Art. 6(1)(a) GDPR – marketing consent).

DATA RETENTION PERIOD

Personal data are retained for the entire duration of the user's use of the Website's services and remain in the Controller's possession until the user submits a request for their deletion. Upon receipt of a valid deletion request, data will be erased without undue delay, unless there are grounds justifying continued processing (e.g. a legal obligation incumbent on the Controller). Deletion requests may be submitted to: administration@ascendscandinaviaresort.pl.

COOKIES AND TRACKING TECHNOLOGIES

The Website uses cookies and tracking technologies. A consent management mechanism (ConsentMode) has been implemented on the Website, allowing users to choose the scope of tracking.

Tools used:

  1. Google Analytics 4 (GA4): Analysis of traffic and user behaviour on the basis of the Controller's legitimate interest. The tool is activated only after the user has given explicit consent in the cookie panel. Data are anonymised.
  2. Google Ads: Conversion tracking and remarketing – measuring the effectiveness of advertisements and displaying offers to users who have visited the Website. Activated only after marketing consent has been given.
  3. Facebook Pixel: A tool provided by Meta Platforms Ireland Ltd. ("Meta") that enables the measurement of advertising campaign effectiveness and the creation of personalised audience groups. The Controller informs that Meta Platforms Ireland Ltd. acts as a joint controller of personal data collected via this tool, in accordance with the judgment of the Court of Justice of the EU in Case C-40/17. Users may exercise their rights both against the Controller and directly against Meta. The Pixel is activated only after marketing consent has been given.
  4. Google Tag Manager: A script management system that facilitates correct implementation of user consents.

Consent management: Upon entering the Website, users may accept all cookies, reject optional cookies, or configure them individually (categories: necessary, analytical and marketing). Users may change their preferences at any time by clearing cookies in their browser or by reopening the settings panel on the Website.

RECIPIENTS OF DATA AND TRANSFERS OUTSIDE THE EEA

Data may be shared with entities supporting the Controller: IT system providers, accounting and marketing service providers, and the provider of the Online Reservation System.

Profitroom S.A. – the provider of the online reservation system – acts as a data processor on behalf of the Controller, under an appropriate data processing agreement. Profitroom S.A. is an entity established within the European Economic Area (EEA); therefore, transfers of data to this entity do not require the application of additional safeguards applicable to transfers outside the EEA.

In connection with the use of Google and Meta (Facebook) tools, data may be transferred to servers located in the United States. These entities ensure an adequate level of data protection through the application of Standard Contractual Clauses (SCCs) and participation in the Data Privacy Framework (DPF).

6. PROFILING AND AUTOMATED DECISION-MAKING

The Controller may use tracking technologies for profiling for marketing purposes (e.g. displaying hotel advertisements to users who have browsed room offers). Such profiling is based on the voluntary consent of the user given in the cookie panel.

The Controller informs that the profiling carried out on the Website does not lead to automated decision-making that would produce legal effects concerning the user or similarly significantly affect them (Art. 22 GDPR). Decisions affecting users are not made solely by automated means.

Users have the right to object to profiling for marketing purposes at any time, without providing a reason.

7. USER RIGHTS

Every user has the right to:

  1. Access their data and receive a copy thereof.
  2. Rectification of data.
  3. Erasure of data (the "right to be forgotten") – users have the right to request the erasure of their personal data. This right is not absolute: the Controller may refuse or limit its exercise where continued processing is necessary for the performance of a contract, compliance with a legal obligation incumbent on the Controller, the establishment, exercise or defence of legal claims, or other grounds set out in Art. 17(3) GDPR. The Controller will inform the user in writing of any refusal or limitation of the exercise of this right.
  4. Restriction of processing.
  5. Data portability.
  6. Objection to processing (including profiling).
  7. Withdrawal of consent at any time – without affecting the lawfulness of processing carried out on the basis of consent prior to its withdrawal.
  8. Lodging a complaint with the President of the Personal Data Protection Office (UODO) if the user considers that the processing of their data infringes the provisions of the GDPR.

PRIVACY CONTACT

To exercise your rights or obtain information about the processing of your personal data, please contact us at: administration@ascendscandinaviaresort.pl.

CHANGES TO THIS POLICY

The Controller reserves the right to update this Privacy Policy. The latest version is always available at: https://www.scandinaviaresort.pl/prywatnosc.