Hotel AMAX Limited Liability Company
Data Controller Information
We kindly inform you that the controller of your personal data is Hotel AMAX Ltd. with its registered office in Mikołajki, Al. Spacerowa 7, 11-730 Mikołajki, using the tax identification number NIP 7422017587, hereinafter referred to as the "Controller." Contact with the Controller regarding personal data protection is possible via email at: amax@hotel-amax.pl
Purposes and Legal Bases for Processing Personal Data
To provide you with services in accordance with the scope of our activities, the Controller processes your personal data for various purposes, but always in accordance with the law. Below you will find the specific purposes for processing personal data along with their legal bases.
For the purpose of making a reservation, we process personal data such as:
- first and last name,
- email address,
- phone number,
- payment card number.
The legal basis for such data processing is Article 6(1)(b) of the GDPR, which allows the processing of personal data when processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
For the purpose of hotel check-in, we process personal data such as:
- first and last name,
- PESEL number, ID card number or passport number,
- country of origin,
- residential address,
- vehicle registration number,
- phone number,
- email address,
- payment card number.
The legal basis for such data processing is Article 6(1)(b) of the GDPR, which allows the processing of personal data when processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
For the purpose of issuing a receipt/VAT invoice for the service, we process personal data such as:
- first and last name / company name,
- residential address / company address,
- tax identification number (NIP).
The legal basis for such data processing is Article 6(1)(c) of the GDPR, which allows the processing of personal data when processing is necessary for compliance with a legal obligation to which the Controller is subject;
For the purpose of using SPA services by you, we process personal data such as:
- first and last name,
- health data.
The legal basis for such data processing is Article 9(2)(a) of the GDPR, which allows the processing of personal data if the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, unless Union or Member State law provides that the data subject may not withdraw consent with regard to the prohibition referred to in paragraph 1;
For marketing purposes, we process personal data such as:
- first and last name / company name,
- phone number,
- email address.
The legal basis for such data processing is Article 6(1)(a) of the GDPR, which allows processing personal data if the data subject has consented to the processing of his or her personal data for one or more specified purposes;
For the purpose of the newsletter service, we process personal data such as:
- email address.
The legal basis for such data processing is Article 6(1)(a) of the GDPR, which allows processing personal data if the data subject has consented to the processing of his or her personal data for one or more specified purposes;
For issuing invoices and fulfilling other obligations arising from tax law provisions, such as storing accounting documentation for 5 years, we process personal data such as:
- first and last name,
- company,
- residential address or registered office address,
- tax identification number (NIP).
The legal basis for such data processing is Article 6(1)(c) of the GDPR, which allows processing personal data when such processing is necessary for the Controller to comply with legal obligations;
For creating records and registers related to the GDPR, including e.g. a register of clients who have objected in accordance with the GDPR, we process personal data such as:
- first name,
- email address.
We keep these records firstly because the GDPR imposes specific documentation obligations on us to demonstrate compliance and accountability, and secondly because, if you submit an objection, e.g. against processing your personal data for marketing purposes, we need to know to whom direct marketing must not be addressed because they do not wish to receive it.
The legal basis for such data processing is firstly Article 6(1)(c) of the GDPR, which allows processing personal data when the Controller needs to comply with legal obligations; secondly, Article 6(1)(f) of the GDPR, which allows processing personal data if the Controller is pursuing its legitimate interest (in this case the interest of the Company is to have knowledge about persons exercising their rights under the GDPR);
For the purpose of establishing, pursuing or defending claims, we process personal data such as:
- first and last name (if provided) or possibly the company name,
- residential address (if provided),
- PESEL number or tax identification number (NIP) (if provided),
- email address,
- IP address.
The legal basis for such data processing is Article 6(1)(f) of the GDPR, which allows processing personal data if the Controller is pursuing its legitimate interest (in this case the interest of the Company is to hold personal data which allow establishing, pursuing or defending claims, including claims of clients and third parties);
For archival and evidential purposes, we process personal data such as:
- first and last name (if provided),
- email address.
We do this to secure information that may serve to demonstrate facts of legal importance. The legal basis for such data processing is Article 6(1)(f) of the GDPR, which allows processing personal data if the Controller is pursuing its legitimate interest (in this case the interest of the Company is to have personal data that allow it to prove certain facts related to service provision, e.g. when requested by a public authority);
For analytical purposes, i.e. examining and analyzing activity on the Company's website, we process personal data such as:
- date and time of website visits,
- type of operating system,
- approximate location, type and name of the device from which the website was accessed,
- type of web browser used to browse the website,
- time spent on the website,
- visited subpages,
- subpage where a contact form was filled out.
The legal basis for such data processing is Article 6(1)(f) of the GDPR, which allows processing personal data if the Controller is pursuing its legitimate interest (in this case the interest of the Company is to understand client activity on the website);
For the purpose of using cookies on the website, we process such textual information (cookies are described in a separate section).
The legal basis for such processing is Article 6(1)(a) of the GDPR, which allows processing personal data based on voluntarily given consent (upon first entering the website, a consent request for the use of cookies appears);
For website administration purposes, we process personal data such as:
- IP address,
- server date and time,
- information about the web browser,
- information about the operating system.
These data are automatically saved in so-called server logs each time someone uses the Company's website. Administering the website without the use of a server and without this automatic saving would not be possible. The legal basis for such processing is Article 6(1)(f) of the GDPR, which allows processing personal data if the Controller is pursuing its legitimate interest (in this case the interest of the Company is website administration);
Cookies
- The Controller uses, like many others, so-called cookies on its website, which are small text files saved on a user’s computer, phone, tablet, or other device. They can be read by our system as well as by systems of third parties whose services we use (e.g., Facebook, Google).
- Cookies perform many useful functions on the website, which we try to describe below (if the information is insufficient, please contact us):
- ensuring security — cookies are used to authenticate users and prevent unauthorized access to the client area. They therefore serve to protect user personal data from unauthorized access;
- impact on processes and performance of website usage — cookies help ensure the site functions properly and allow use of available functions, partly by remembering settings between visits, enabling smooth navigation on the site and its subpages;
- session state — cookies often store info on how visitors use the website, e.g., which subpages are most frequently viewed. They also help identify errors shown on some subpages. Cookies saving the so-called "session state" help improve services and increase browsing comfort;
- maintaining session state — if a client logs into their panel, cookies allow maintaining the session, so they do not have to enter login and password on every subpage, which enhances user comfort;
- statistics creation — cookies are used to analyze how users use the website (how many open the site, how long they stay, which content attracts the most interest, etc.). This allows continuous improvement of the website and adaptation to users’ preferences. For activity tracking and statistics, we use tools like Google Analytics; besides reporting site usage statistics, the Google Analytics pixel may also serve, along with some cookies described above, to help show more relevant content to users in Google services (e.g., Google search) and across the web;
- using social functions — the website includes Facebook, Instagram, and YouTube Pixels, which allow "liking" our fan pages on these platforms during website usage. However, this is possible only by using cookies provided by these portals.
- Importantly, many cookies are anonymous — without additional information, they cannot be used to identify you.
- Your web browser by default allows cookie usage on your device, so you are asked for consent to using cookies at first visit. If you do not wish to accept cookies while browsing, you can change your browser settings to block cookies entirely or require notification for every cookie stored. Settings can be changed at any time.
- Respecting the autonomy of all website users, we must warn that disabling or restricting cookies may cause significant difficulties in using the website, such as having to log in on each subpage, longer loading times, functional restrictions, inability to "like" the Facebook page, etc.
Right to withdraw consent
- If data processing is based on consent, you may withdraw this consent at any time — at your discretion.
- If you want to withdraw consent to personal data processing, you can simply:
- send an email directly to the Controller at amax@hotel-amax.pl or to the address: Hotel AMAX, Al. Spacerowa 7, 11-730 Mikołajki, with the note "personal data", or
- click the link included at the end of an email message, or
- delete a comment under an article, or
- delete a review about services.
- If your personal data processing was based on consent, withdrawing it does not make the previous processing unlawful. In other words, until consent is withdrawn, we have the right to process your personal data and withdrawal does not affect the lawfulness of processing before that.
Requirement to provide personal data
- Providing any personal data is voluntary and depends on your decision. However, in some cases, providing certain personal data is necessary to meet your expectations regarding services provided by the Controller.
- To make a reservation, providing first and last name, phone number, and/or email address is mandatory; without these, we cannot reserve services for you.
- To use hotel services, providing first and last name, PESEL number or other identity document, and citizenship is mandatory; without these, we cannot provide services.
- To receive an invoice for services, providing all data required by tax law is mandatory, including first and last name or company name, residential or business address, and tax identification number (NIP) — without this, issuing a correct invoice is impossible.
- To contact you by phone about services, providing a phone number is required — without this, we cannot initiate phone contact.
- To receive information about future service promotions, providing an email address is required — without this, we cannot send marketing messages or newsletters.
Automated decision-making and profiling
We inform you that we do not carry out automated decision-making, including profiling. The content of inquiries sent via the contact form is not evaluated by any automated IT system. The proposed price for services is not the result of any IT system evaluation.
Recipients of personal data
- Like most businesses, we use the assistance of other entities, which often involves transferring personal data. Therefore, when necessary, we share your data with cooperating reservation services, accounting firms, lawyers providing services, companies handling fast payments, hosting providers, newsletter sending companies, and insurance companies (in case of damage compensation).
- Additionally, it may happen that based on applicable law or decision of a competent authority, we must provide your personal data to other entities, whether public or private. It is therefore difficult to predict who may request data disclosure. Nevertheless, we ensure that every request for personal data disclosure is analyzed carefully to avoid accidental disclosure to unauthorized persons.
Transfer of personal data to third countries
- Like most businesses, we use various popular services and technologies offered by entities such as Facebook, Instagram, Microsoft, Google, or Zendesk. These companies have their headquarters outside the European Union and thus, under the GDPR, are treated as located in third countries.
- The GDPR imposes restrictions on transferring personal data to third countries because the European data protection laws generally do not apply there, potentially resulting in insufficient protection of EU citizens’ personal data. Therefore, every data controller must establish a legal basis for such data transfers.
- We assure you that when using services and technologies, we only transfer personal data to entities located in the United States that participate in the Privacy Shield program, based on the European Commission’s decision dated 12 July 2016 — more information can be found on the European Commission's website at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_pl. Entities participating in the Privacy Shield guarantee compliance with high data protection standards applicable in the EU; therefore, using their services and technologies in data processing is lawful.
- We will provide you with additional explanations regarding data transfers at any time, especially if you have concerns.
- You have the right at any time to obtain copies of personal data transferred to third countries.
Data retention periods
- In accordance with applicable law, we do not process your personal data "indefinitely" but only as long as necessary to achieve the specified purpose. After this period, your personal data will be irreversibly deleted or destroyed.
- Where no further operations are needed on your personal data than storage (e.g., keeping order content for claims defense), before permanent deletion or destruction, we additionally secure data by pseudonymization. Pseudonymization encrypts personal data or datasets such that without an additional key, they cannot be read and thus become useless to unauthorized persons.
- Regarding specific retention periods, we inform you that we process personal data for the following durations:
- duration of the contract — for data processed to conclude and execute the contract;
- 3 years or 10 years + 1 year — for data processed to establish, pursue or defend claims (the length depends on whether both parties are entrepreneurs or not);
- 12 months — for data collected when intending to use SPA services but not realized;
- 5 years — for data linked to fulfilling tax law obligations;
- until consent withdrawal or achievement of the purpose, but not longer than 5 years — for data processed based on consent;
- until effective objection or achievement of purpose, but not longer than 5 years — for data processed based on the Controller's legitimate interest or for marketing;
- until data becomes outdated or useless, but not longer than 3 years — for data processed mainly for analytical purposes, cookie usage, and website administration.
- We count years from the end of the year we started processing your personal data to facilitate data deletion or destruction. Separate counting for each contract would involve considerable organizational, technical, and financial burden, so setting one deletion date allows more efficient management. Naturally, exercising the right to be forgotten is handled individually.
- The additional year related to data processing for contract execution is due to the possibility of you hypothetically filing a claim shortly before the limitation period expires, delayed delivery of a claim, or mistakenly calculating the limitation period.
Rights of data subjects
- We kindly inform you that you have the right to:
- access your personal data;
- rectify personal data;
- delete personal data;
- restrict processing of personal data;
- object to the processing of personal data;
- data portability.
- We respect your data protection rights and strive to facilitate their exercise to the highest degree possible;
- Please note these rights are not absolute, and in some cases, we may lawfully refuse to fulfill your request. However, any refusal is made after thorough analysis and only when necessary;
- Regarding the right to object, you may at any time object to the processing of personal data based on the Controller’s legitimate interest (listed in section III) due to your specific situation. However, you must remember that according to law, we may refuse to honor an objection if we can demonstrate that:
- there are legally justified grounds for processing that override your interests, rights, and freedoms, or
- there are grounds for establishing, pursuing, or defending claims.
- Also, you may object at any time to processing your data for marketing purposes. Upon receiving the objection, processing will cease for that purpose.
- You can exercise your rights by:
- sending an email directly to the Controller at amax@hotel-amax.pl or to Aleja Spacerowa 7, 11-730 Mikołajki.
Right to lodge a complaint
- If you believe your personal data is processed unlawfully, you may lodge a complaint with the President of the Personal Data Protection Office.
Final provisions
- Matters not regulated by this Privacy Policy are subject to personal data protection laws.
- You will be notified electronically of any changes to this Privacy Policy by posting the updated Policy on the Controller’s website at www.hotel-amax.pl.
This Privacy Policy is effective from 25 May 2018.