Privacy
CHAPTER I
GENERAL PROVISIONS
§1. Purpose of the Privacy Policy
1. This Privacy Policy defines the principles of personal data processing of persons using the website www.luvarostay.com, services provided under the LUVARO STAY brand, contact forms, the reservation system, and other communication channels managed by the Administrator.
2. The document was prepared to ensure transparency of personal data processing principles and fulfillment of information obligations resulting from applicable laws, in particular the Regulation of the European Parliament and Council (EU) 2016/679 ("GDPR").
3. The Administrator exercises due diligence to ensure that personal data is processed according to the principles of:
a) legality,
b) fairness,
c) transparency,
d) data minimization,
e) accuracy,
f) purpose limitation,
g) storage limitation,
h) integrity and confidentiality.
4. The Administrator applies appropriate technical and organizational measures to protect personal data against loss, destruction, unauthorized disclosure, or access by unauthorized persons.
5. The Privacy Policy applies to all persons whose personal data is processed by the Administrator, in particular:
- website users,
- persons making reservations,
- apartment guests,
- persons contacting the Administrator,
- newsletter subscribers, and persons whose data is provided in connection with the reservation process.
§2. Legal basis
1. The Administrator processes personal data in accordance with:
- The Regulation of the European Parliament and Council (EU) 2016/679 of 27 April 2016 (GDPR);
- The Act of May 10, 2018 on the protection of personal data;
- The Act of July 12, 2024 – Electronic Communication Law;
- The Act of July 18, 2002 on providing services by electronic means – to the extent applicable;
- Other applicable legal regulations.
2. The Administrator processes data only to the extent necessary to achieve specific purposes and according to the appropriate legal basis under Art. 6 or – if applicable – Art. 9 of the GDPR.
CHAPTER II
PERSONAL DATA ADMINISTRATOR
§3. Administrator
1. The personal data administrator is:
LUVARO GROUP Spółka z ograniczoną odpowiedzialnością
Rynek Główny 29
31-010 Kraków
KRS: 0001223359
NIP: 6762712972
REGON: 543967339
phone: +48 505 20 20 30
e-mail: info@luvaro.pl
2. The Administrator is responsible for lawful processing of personal data and the exercise of rights of the persons concerned.
3. The Administrator conducts activities including short-term accommodation services, apartment management, and reservation process handling.
CHAPTER III
CONTACT DETAILS
§4. Contact regarding data protection
1. For all matters concerning personal data processing, one can contact the Administrator at:
e-mail: info@luvaro.pl
phone: +48 505 20 20 30
correspondence address:
LUVARO GROUP Sp. z o.o.
Rynek Główny 29
31-010 Kraków
2. The Administrator responds to requests related to the exercise of data subject rights without undue delay and within the time limits set by applicable law.
3. If the Administrator appoints a Data Protection Officer, contact details will be published on the Administrator’s website.
CHAPTER IV
DATA PROCESSING PRINCIPLES
§5. General principles
1. The Administrator processes only personal data necessary for achieving specified purposes.
2. Personal data is not sold or shared with third parties for their own marketing purposes.
3. Access to data is given only to authorized persons and entities cooperating with the Administrator under relevant agreements and only to the extent necessary to provide services.
4. The Administrator has implemented appropriate organizational and technical measures to ensure the security of processed data, considering the nature, scope, purposes, and risks of violating rights and freedoms of natural persons.
5. The Administrator regularly analyzes the security measures and takes actions to adjust them to current threats and legal requirements.
CHAPTER V
PURPOSES AND BASIS OF PERSONAL DATA PROCESSING
§6. Purposes of data processing
1. The Administrator processes personal data only to the extent necessary to achieve specific goals and in compliance with applicable law.
2. Personal data may be processed for the following purposes in particular:
Purpose of processing Legal basis (GDPR)
Conclusion and performance of an accommodation service contract Art. 6(1)(b)
Handling the reservation process Art. 6(1)(b)
Contact with the Guest before, during, and after the stay Art. 6(1)(b) and (f)
Handling inquiries submitted via contact form Art. 6(1)(f)
Fulfillment of tax and accounting obligations Art. 6(1)(c)
Issuing invoices Art. 6(1)(c)
Complaint handling Art. 6(1)(b) and (c)
Pursuing or defending claims Art. 6(1)(f)
Ensuring safety of persons and property Art. 6(1)(f)
Newsletter management (if user consented) Art. 6(1)(a)
Compliance with legal obligations Art. 6(1)(c)
3. The Administrator does not process personal data in a way incompatible with the purpose for which they were collected.
§7. Data minimization
1. The Administrator collects only data necessary to achieve the specified purpose.
2. The scope of processed data depends on the type of service provided and the method of contact with the Administrator.
3. The Administrator does not require data that is not necessary for providing the service, unless obtaining such data is mandated by law.
CHAPTER VI
CATEGORIES OF PROCESSED DATA
§8. Data scope
Depending on the processing purpose, the Administrator may process:
Identification Data
- first name,
- last name,
- citizenship (if required by law),
- date of birth (if necessary to provide the service).
Contact Data
- email address,
- phone number,
- correspondence address.
Billing Data
- invoice data,
- tax identification number (NIP),
- business name,
- business address.
Stay-related Data
- stay dates,
- number of Guests,
- selected apartment,
- reservation history,
- information about lodged complaints,
- information about additional services.
Technical Data
While using the website, technical data may also be processed, such as:
- IP address,
- device type,
- browser type,
- operating system,
- date and time of connection,
- system logs.
CHAPTER VII
DATA SOURCES
§9. Where do the data come from?
The Administrator obtains personal data:
1. directly from the data subject,
2. during the booking process,
3. via contact forms,
4. via the Profitroom reservation system,
5. via telephone contact,
6. via e-mail contact,
7. from newsletter sign-ups,
8. from booking portals if the reservation was made through them and data transfer is necessary to provide the service.
CHAPTER VIII
DATA RECIPIENTS
§10. To whom data may be transferred?
1. The Administrator may transfer personal data only to cooperating entities if necessary to provide the services or required by law.
2. Data recipients may include in particular:
- reservation system provider Profitroom,
- payment operator Przelewy24 (PayPro S.A.),
- hosting service providers,
- email service providers,
- IT service providers,
- accounting office,
- law firm,
- entities providing accounting and tax services,
- service companies,
- telecommunication operators,
- entities authorized under legal provisions (e.g. courts, police, public administration authorities).
3. The Administrator transfers data only to the extent necessary to achieve the given purpose.
4. Each entity processing data on behalf of the Administrator is obligated to ensure appropriate data protection levels.
CHAPTER IX
TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
§11.
1. As a rule, the Administrator processes personal data within the European Economic Area.
2. If, due to the use of certain services, personal data is transferred outside the European Economic Area, the Administrator will ensure appropriate safeguards required by the GDPR, in particular by applying the European Commission's standard contractual clauses or other mechanisms provided by law.
3. Information regarding possible data transfers outside the EEA may be provided upon request by the data subject.
CHAPTER X
DATA RETENTION PERIOD
§12.
Personal data is stored only for the period necessary to achieve the purpose for which they were collected, and then for the period required by applicable laws or necessary to assert or defend claims.
Type of data Retention period
Reservation-related data for the duration of the contract and statutory limitation periods for claims
Accounting documents and invoices for the period required by tax and accounting laws
Contact form until correspondence ends or longer if necessary for claim defense
Newsletter until consent is withdrawn or effective objection is raised
Data processed for complaints for the necessary period to resolve complaints and potential claims
Monitoring (if used) for the duration necessary to fulfill monitoring purposes under applicable laws
CHAPTER XI
RIGHTS OF DATA SUBJECTS
§13. Users' rights
1. Every person whose personal data is processed by the Administrator has rights under the Regulation of the European Parliament and Council (EU) 2016/679 (GDPR).
2. Within the limits prescribed by law, a data subject has the right to:
a) access their personal data,
b) rectify inaccurate data or complete incomplete data,
c) erase data ("right to be forgotten") if grounds specified in Art. 17 GDPR apply,
d) restrict data processing,
e) data portability to another administrator if processing is based on consent or contract and carried out by automated means,
f) object to processing based on the Administrator’s legitimate interests,
g) withdraw consent at any time if processing is based on consent. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
3. To exercise the rights, one can contact the Administrator using the contact details provided in this Privacy Policy.
4. The data subject also has the right to lodge a complaint with the President of the Personal Data Protection Office if they believe their data processing breaches the law.
CHAPTER XII
DATA SECURITY
§14. Security measures
1. The Administrator applies appropriate technical and organizational measures to protect personal data against loss, destruction, modification, disclosure, or unauthorized access.
2. In particular, the Administrator applies:
- data transmission encryption using SSL/TLS protocols,
- access control to IT systems,
- server security and backups,
- procedures for granting and revoking authorizations,
- regular software updates,
- organizational measures ensuring confidentiality of processed data.
3. Only authorized persons or entities processing data under relevant agreements have access to personal data.
CHAPTER XIII
CONTACT FORM
§15. Contacting the Administrator
1. By using the contact form, the user provides the Administrator with data necessary to respond to their inquiry.
2. The scope of processed data may include:
- first and last name,
- email address,
- phone number (if provided),
- message content.
3. Providing data is voluntary, but failure to provide it may prevent answering the inquiry.
4. Data is processed for the period necessary to conduct correspondence and for as long as necessary to assert or defend claims.
CHAPTER XIV
ONLINE RESERVATIONS
§16. Reservation system
1. The Administrator enables reservations via the Profitroom reservation system.
2. To execute the reservation process, the following data may be processed in particular:
- first and last name,
- email address,
- phone number,
- stay-related data,
- data for invoice issuance,
- payment information.
3. Data is transferred only to the extent necessary to complete the reservation and perform the contract.
4. Detailed data processing rules by the reservation system provider are defined in that entity’s privacy policy.
CHAPTER XV
NEWSLETTER
§17. Newsletter
1. Persons who have consented to receive commercial information electronically can receive a newsletter containing information about services, promotions, and offers of the Administrator.
2. The legal basis for data processing is the consent given by the person subscribing to the newsletter.
3. Consent can be withdrawn at any time by:
- clicking the unsubscribe link in the email,
- contacting the Administrator.
4. Withdrawal of consent does not affect the lawfulness of processing before its withdrawal.
CHAPTER XVI
MONITORING
§18. Video monitoring 1.
In selected buildings where apartments managed by the Administrator are located, common areas may be monitored by video surveillance.
2. Monitoring is conducted only for the purpose of:
- ensuring the safety of persons,
- protecting property,
- preventing events threatening safety,
- asserting or defending claims.
3. Monitoring does not cover apartment interiors or other spaces where guest privacy may be violated.
4. Recordings are stored for the period necessary to achieve the monitoring purpose or until the conclusion of proceedings conducted by authorized authorities if the recording is evidence.
CHAPTER XVII
FINAL PROVISIONS
§19. Changes to the Privacy Policy
1. The Administrator reserves the right to change this Privacy Policy in the event of:
- changes in the law,
- changes in service provision,
- implementation of new technological solutions,
- changes in the scope of personal data processing.
2. Changes to the Privacy Policy do not affect the legality of data processing carried out before the new version of the document comes into effect.
3. The current version of the Privacy Policy is published on the website www.luvarostay.com.
4. The Privacy Policy comes into force on the day of its publication.