Tremonti Karpacz

Privacy

PRIVACY POLICY

Dear Sir or Madam,
We ensure to protect the personal data collected by us in accordance with national regulations and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 04.05.2016, p. 1, as amended by OJ EU L 127 of 23.05.2018, p. 2), (hereinafter: "GDPR").

We present to you our Privacy Policy so that every person with whom we establish a relationship is aware:

  • who is the controller or joint controller of their personal data,
  • to what extent, for what purposes, and on what legal bases we process data, and to whom we disclose it,
  • what rights they have in connection with data processing, in accordance with Articles 13 and 14 GDPR.

The privacy policy may be complemented by information provided during the collection of personal data (e.g., in booking, contact, or newsletter registration forms) or within a reasonable period – no later than one month – in the case of collecting data from indirect sources, i.e., not directly from the persons whom the data concern.

I.PERSONAL DATA CONTROLLER
1. The personal data controller is Tremonti sp. z o.o. based in Warsaw, ul. Wioślarska 8, 00-411 Warsaw, registered in the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register under KRS number 0000751396, share capital of PLN 5,000.00, having REGON 381466387, NIP 7010871131.
2. In certain cases, we may also process data as recipients, joint controllers, or processors.

II.JOINT CONTROLLERS OF PERSONAL DATA FORMING THE CONDO.PL HOTEL GROUP
1. If the data subject gives consent by ticking the appropriate checkbox (e.g., next to the consent clause) or providing an email address in the relevant form (e.g., for the newsletter, for contacting us), and activating it (e.g., by clicking "send message"), their personal data will be processed to receive commercial information by email about news, events, and promotions from the joint controllers forming the Condo.pl Hotel Group (Art. 6(1)(a) GDPR).
2. The Condo.pl Hotel Group is a commercial initiative created by the following joint controllers:
a. Orkan Real Estate sp. z o.o. based in Warsaw at ul. Mińska 25, 03-808 Warsaw, registered in the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court Register under KRS number 0000737396, having REGON 380574867, NIP 1132977442, represented by the general partner Oak Real Estate sp. z o.o. headquartered at ul. Mińska 25, 03-808 Warsaw, registered under KRS 0000740375, share capital PLN 5,000.00, REGON 380749255, NIP 1132978967,
b. Oak Property sp. z o.o. based in Warsaw at ul. Wioślarska 8, 00-411 Warsaw, registered under KRS 0000543907, share capital PLN 5,000.00, REGON 360816754, NIP 7010468263,
c. Apartamenty Na Wydmach sp. z o.o. based in Warsaw at ul. Wioślarska 8, 00-411 Warsaw, registered under KRS 0000816696, share capital PLN 5,000.00, REGON 384989453, NIP 7010957938,
d. House Cloud sp. z o.o. based in Warsaw at ul. Wioślarska 8, 00-411 Warsaw, registered under KRS 0000544057, share capital PLN 5,000.00, REGON 360823620, NIP 7010468493,
e. HP Szklarska sp. z o.o. based in Warsaw at ul. Wioślarska 8, 00-411 Warsaw, registered under KRS 0000887951, share capital PLN 5,000.00, REGON 388388199, NIP 7011024048,
f. Piemonte sp. z o.o. based in Warsaw at ul. Wioślarska 8, 00-411 Warsaw, registered under KRS 0000877696, share capital PLN 5,000.00, REGON 387925689, NIP 7011013205,
g. Tremonti sp. z o.o. based in Warsaw at ul. Wioślarska 8, 00-411 Warsaw, registered under KRS 0000751396, share capital PLN 5,000.00, REGON 381466387, NIP 7010871131.
3. The purpose of the Condo.pl Hotel Group is to provide up-to-date commercial information about news, events, and promotions of the joint controllers under the Condo.pl brand.

III.DATA PROTECTION OFFICER (DPO)
1. To supervise issues related to personal data protection and provide detailed information, we have appointed, as controller or joint controller, a Data Protection Officer (DPO), who is Maciej Strycharz.
2. You can contact the DPO by email at iod@condo.pl or in writing at our registered office address.

IV.DATA SUBJECTS
1. Bookers or buyers
a. As a controller, we process personal data for concluding and/or performing a contract (Art. 6(1)(b) GDPR) concerning the provision of hotel, accommodation, room rental, and event organization services (business meetings, conferences, training, banquets, integration events, receptions, and special occasions). This also includes related or additional gastronomy, entertainment, care, sports, cosmetic, grooming, relaxation, parking, and gift services. Furthermore, data are processed to achieve the purposes arising from legitimate interests (Art. 6(1)(f) GDPR), such as communication, answering inquiries, sales analyses (analytical profiling: sales or marketing related to booked or ordered services), and establishing, defending, and pursuing claims.
b. Categories of processed data may include: identification data such as name and surname; contact and address data such as email address, telephone number, and address.
c. Data will be stored for at least 5 years from the end of the calendar year in which the tax payment deadline expired. After our relationship ends, data will be archived for the standard period of 6 years ending on the last day of that calendar year unless legal provisions state otherwise. In case of ongoing disputes or proceedings, the archiving period counts from the day of final conclusion of the last of them. If law provides for a longer data storage or statute of limitations period, the longer period applies.
d. The booker has the right to access data, rectify, delete, restrict data processing, and object to data processing. They also have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw). Detailed information about rights is included later in the Privacy Policy.
e. Personal data may be processed in the form of analytical, sales, and marketing profiling.
2. Guests
a. As a controller, we process personal data for concluding and/or performing contracts (Art. 6(1)(b) GDPR) concerning hotel, accommodation services, room rental, and event organization (business meetings, conferences, training, banquets, integration, receptions, and special events). This also includes related or additional gastronomy, entertainment, care, sports, cosmetic, grooming, relaxation, parking, and gift services. Additionally, data are processed for legitimate interests (Art. 6(1)(f) GDPR), such as sales analyses (analytical, sales, and marketing profiling), establishing, defending and pursuing claims, and video monitoring to ensure safety of persons and property in our facility. Moreover, based on separate consent (Art. 6(1)(a) GDPR), we may send commercial information to the provided email address. Consent can be withdrawn anytime without affecting the lawfulness of processing before withdrawal.
b. Categories of data processed may include: identification data such as first and last name, PESEL or identity document number; contact and address data such as email, phone number, and residential address; as well as additional information for persons conducting business activity.
c. Data will be stored a minimum of 5 years from the end of the calendar year in which the tax payment deadline expired. After our relationship ends, data will be archived for a standard period of 6 years until the end of the last day of the calendar year unless law provides otherwise. During ongoing disputes or proceedings, the archiving period counts from the day of legally binding conclusion. If law provides a longer retention or limitation period, that longer one applies.
d. Guests have rights to access, rectify, delete, restrict processing, object to processing, and lodge complaints with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw). Detailed rights information is included later in the Privacy Policy.
e. Personal data may be processed as analytical, sales, and marketing profiling.
3. Recipients of commercial information, including newsletters subscribers of the controller
a. As a controller, we process personal data based on voluntary consent (Art. 6(1)(a) GDPR). Consent may be given by checking the appropriate box or a tacit act such as providing an email in the form. We process data to send commercial information, particularly about news, events, and promotions. Consent can be withdrawn anytime by clicking the link in the message or sending a notification to iod@condo.pl. Withdrawal does not affect lawful processing before it.
b. Processed data may include identification data such as name and surname and contact data such as email.
c. Data will be stored until consent withdrawal.
d. Recipients of commercial info, including newsletter subscribers, have rights to withdraw consent, access, rectify, restrict processing, object, and lodge complaints with the President of the Data Protection Office (ul. Stawki 2, 00-193 Warsaw). Detailed rights info follows in the policy.
4. Recipients of commercial information, including newsletter subscribers of the joint controllers of Condo.pl Hotel Group
a. As joint controllers, we process data based on voluntary consent (Art. 6(1)(a) GDPR); consent may be expressed by checking the box or tacitly by providing email in a form. Data are processed to send commercial info about news, events, and promotions. Consent can be withdrawn any time via link or email iod@condo.pl. Withdrawal doesn’t affect lawful processing before it.
b. Data processed include identification data such as name and surname and contact data such as email.
c. Data stored until consent is withdrawn.
d. Recipients of info including newsletter subscribers have rights to withdraw consent, access, rectify, restrict processing, object, and lodge complaints with the Data Protection Office (ul. Stawki 2, 00-193 Warsaw). Details are in the privacy policy.
5. Suppliers of goods and services, contractors, and partners
a. As controller, we process data to perform contracts or take steps before contracting (Art. 6(1)(b) GDPR) and for legitimate interests (Art. 6(1)(f) GDPR).
b. Data categories include identification data such as name, PESEL, NIP, REGON, KRS; contact and business address data such as email, phone number, business premises address, position or function.
c. Data are stored at least 5 years from the end of the calendar year when the tax deadline expired; after the relationship ends, data are archived for 6 years ending last calendar day unless law says otherwise. In disputes or proceedings, archiving counted from final resolution date. Longer periods by law apply.
d. Suppliers, contractors, or partners have rights to access, rectify, erase, restrict processing, object, and complain to the Data Protection Office. Details later in policy.
e. Providing personal data is contractual requirement. Failure may prevent contract conclusion or execution.
6. Persons using online forms
a. We process data for legitimate interests (communication and answering queries) and, in certain cases, based on consent via user action (form completion and use of “send” button) under Art. 6(1)(a) GDPR.
b. Processed data include identification data such as name and surname; contact or address data such as email and phone.
c. Data stored as long as necessary to respond to inquiries.
d. Form users have rights to access, rectify, delete, restrict, object, and lodge complaints to the Data Protection Office. Details in privacy policy.

V.RECIPIENTS OF PERSONAL DATA
1. Recipients may be independent controllers, joint controllers, or processors under Art. 28 GDPR, such as providers of booking, communication, marketing, and hosting services.
2. Any partner entrusted with data processing (processor) or to whom data are disclosed (separate controller) will process data according to applicable law, agreements, and for performing contracts, agreements, or cooperation. Such processing is in line with law and our internal policies, procedures, and standards.
3. Public authorities may also access personal data as required by applicable law.

VI.TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
1. As a rule, personal data are processed locally within Poland or the European Economic Area. This also applies to partners whose services we use or will use in the future.
2. When transferring data outside the EEA, we will ensure appropriate safeguards as per Articles 44-49 GDPR.

VII.RIGHTS RELATED TO PERSONAL DATA PROCESSING

1. Right to withdraw consent at any time (Art. 7(3) GDPR).

If data are processed based on voluntary consent, it can be withdrawn at any time. Then we will promptly stop processing data for the purpose for which consent was given. However, withdrawal does not affect processing legality before withdrawal.

2. Right of access to personal data and to obtain a copy (Art. 15 GDPR).

You may obtain information about data processing and a copy of the data, provided in a common file format. The first copy is free; subsequent copies may incur a fee according to GDPR rules.

3. Right to rectify data (Art. 16 GDPR).

We must ensure data accuracy. You may request correcting or deleting inaccurate, incomplete, or unlawfully collected data. The burden of proof lies with the data subject.

4. Right to erasure, including the “right to be forgotten” (Art. 17 GDPR).

On request, we must erase data when:
a. The purposes for which data were collected have been fulfilled.
b. The only legal basis was consent which has been withdrawn and there is no other legal basis for further processing.
c. The only legal basis was consent given by someone under age 13.
d. Processing has been objected to in accordance with Art. 21 GDPR, and no overriding legitimate grounds exist.
e. Data have been unlawfully processed, i.e., for unlawful purposes or without any basis.

5. The "right to be forgotten" as a special form of erasure right.

If data have been published (e.g., on this website) and the erasure right applies, we must delete all copies and links to that data. We must also take steps to ensure other entities processing such data also delete them. This right is not absolute – its application considers available technology and costs, which may limit its scope.

6. Right to restrict processing (Art. 18 GDPR).

We must limit data processing upon request, suspending operations except storage. If you doubt data accuracy, processing is restricted while verifying. Also, if you object to processing, we restrict it.

7. Right to data portability (Art. 20 GDPR).

You have the right to receive personal data and transmit them to another chosen controller where processing is based on consent (Art. 6(1)(a) GDPR) or contract (Art. 6(1)(b) GDPR), and processing is automated without human intervention.

8. Right to object (Art. 21 GDPR).

You may request stopping personal data processing, especially for reasons related to your particular situation. The objection does not apply if processing is based on consent; withdrawal of consent applies then. You cannot object if:
a. Processing is necessary to perform a contract (Art. 6(1)(b) GDPR);
b. Processing is necessary to fulfill a legal obligation (Art. 6(1)(c) GDPR);
c. Processing is necessary to protect vital interests of the data subject or another person (Art. 6(1)(d) GDPR).

9. Right not to be subject to automated individual decision-making, including profiling (Art. 22 GDPR).

You have the right not to be subject to decisions based solely on automated processing, including profiling, if such decisions have legal or similarly significant effects on you. Automated processing is permitted if:
a. Necessary for contract conclusion or performance;
b. Allowed by EU or member state law with adequate safeguards;c. Based on explicit (not presumed) consent.

10. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

If you believe our data processing violates your rights, you may file a complaint with the supervisory authority monitoring GDPR application. In Poland, this is the President of the Personal Data Protection Office. Contact can be made:
a. By correspondence: ul. Stawki 2, 00-193 Warsaw;
b. Electronically via the ePUAP mailbox of the Personal Data Protection Office: /UODO/SkrytkaESP;c. By phone at 606 950 000.

11. The above rights may be limited in some situations, e.g., when we demonstrate legal obligation to process data. To exercise rights, send a request using the contact details in this Privacy Policy.

VIII.COLLECTION OF PERSONAL DATA
1. Personal data generally come directly from data subjects (see section IV). In some cases, data may be sourced from:
a. Booker – data of guests other than the booker can be obtained directly from the person making the reservation.
b. Third parties – data may be obtained from third parties, e.g., when a supplier, contractor, or partner is recommended by a known and trusted person.
c. Other business partners – data may be shared by business partners cooperating in contracts, projects, or sales actions (e.g., Booksy.com or Booking.com operators).
2. Whenever sourcing data from other sources, we ensure data are transferred in compliance with the law and that data subjects are adequately informed about processing.
IX.TYPES AND PURPOSES OF COOKIES USED
1. The controller uses the following types of cookies for:
a. Proper functioning and security of the website. These are essential cookies enabling browsing offers, reservations, authentication, and abuse detection. They are used without asking user consent.
b. Collecting information about website usage and user activity, optimizing content and functions, and tailoring the site to user preferences. These are analytical cookies, used with user consent.
c. Displaying marketing content personalized to user preferences and sending marketing notifications matching user interests (ad personalization and marketing campaign performance analysis), including info about user activity and products/services of the controller and third parties. These are marketing cookies, used with user consent.
2. Users may limit or disable cookies on their devices.

X.COOKIE SETTINGS
1. Users may choose which cookies to accept on their first visit, excluding essential cookies as per section IX 1a.
2. Users may change cookie settings anytime via browser settings, except essential cookies per IX 1a.
3. Users can delete cookies anytime except essential ones per IX 1a using browser features.

XI.CHANGES TO THE POLICY1. We reserve the right to update the Privacy Policy in cases such as:
a. Need to comply with applicable law;
b. Changes in legal interpretation;
c. Need to align with court rulings, decisions, recommendations, or authorities;
d. Need to correct errors or typos;
e. Changes in identification or contact data;
f. Changes in services provided or data collection channels.
2. All changes are published on our websites and take effect immediately after posting. Last update: September 2, 2024.