Privacy Policy

1. This Privacy Policy defines the principles of processing and protecting personal data provided by users in connection with their use of services offered by the website GREEN MOUNTAIN HOTEL***** - www.green-mountain.pl (hereinafter: the Website), and describes the principles of personal data processing by Osada Śnieżka Operator spółka z ograniczoną odpowiedzialnością [limited liability company] with its registered office in Warsaw. The Policy applies to the personal data of users using the Website, in particular those making online bookings, using the contact form, and other functionalities available on the Website.

2. The controller of personal data processed within the Website is Osada Śnieżka Operator spółka z ograniczoną odpowiedzialnością, Warszawa 00-023, ul. Widok 8, entered into the Register of Entrepreneurs under KRS number: 0000502497, NIP: 7010415841 (hereinafter: the Controller).

3. In the interest of the security of the entrusted personal data, the Controller operates on the basis of internal procedures and recommendations consistent with the relevant legal acts regarding personal data protection, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – hereinafter: GDPR).

4. The Controller exercises special diligence to protect the interests of data subjects, and in particular ensures that personal data are:

a. processed lawfully,

b. collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes,

c. factually correct and adequate in relation to the purposes for which they are processed,

d. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing.

5. The Controller obtains information about users and their behavior from information that users voluntarily submit in forms, for the purpose of:

a. responding to user inquiries submitted via the contact form (the basis for processing is the legitimate interest of the Controller consisting in managing correspondence and providing answers – Article 6(1)(f) of the GDPR),

b. accepting bookings via the online booking system (the basis for processing is the necessity for the conclusion and performance of a contract – Article 6(1)(b) of the GDPR),

c. providing services rendered by the Controller (the basis for processing is the necessity for the conclusion and performance of a contract – Article 6(1)(b) of the GDPR),

d. direct marketing of GREEN MOUNTAIN HOTEL***** products and services, including sending commercial information and marketing offers to the e-mail address and via SMS messages to the provided telephone number, whereby:

1) the basis for processing personal data (in particular the e-mail address and telephone number) for direct marketing purposes is the legitimate interest of the Controller consisting in promoting its own services (Article 6(1)(f) of the GDPR), with the right to object at any time to the processing of data for direct marketing purposes;

2) the use by the Controller of the user's e-mail address or telephone number to send commercial information and marketing offers via electronic communication means (including SMS messages) requires the prior, separate consent of the user for the use of a given communication channel, granted in accordance with Article 398 of the Act of July 12, 2024 – Electronic Communications Law. This consent is voluntary. Failure to grant consent for the use of a given communication channel (e-mail, SMS) does not affect the possibility of using the Controller's services, but it may prevent receiving commercial information and marketing offers via this channel. Consent may be withdrawn at any time, which will result in stopping the delivery of commercial information through the given communication channel, without affecting the lawfulness of processing based on consent before its withdrawal.

e. pursuing the legitimate interest of the Controller, e.g., debt collection, defense against claims (the basis for processing is the legitimate interest of the Controller – Article 6(1)(f) of the GDPR).

6. For the purpose of sending marketing offers and commercial information via SMS messages, the Controller processes in particular the mobile phone number provided by the user, as well as the user's identification data necessary for the proper targeting of the offer (e.g., first name, last name). Providing a phone number for SMS marketing purposes is voluntary but necessary for the user to receive marketing content via SMS.

7. Upon the first visit to the Website, the user is informed about the use of cookies and has the opportunity to choose which categories of cookies they accept. The user can accept all cookies, reject them, or make a detailed selection, with the exception of cookies necessary for the proper functioning of the Website.

8. A change in cookie settings takes effect after restarting or refreshing the session on the Controller's website.

9. The installation of "cookies necessary for the basic functionality of the Website" is required for its proper operation, in particular required for authorization.

10. Cookies necessary for the operation of the website can be modified by changing the browser settings, bearing in mind that changing the settings may cause the website to malfunction.

11. More information about cookies can be found in the "Help" section of the user's web browser menu.

12. Users who, after reading the information available on the Website, do not want cookies to remain stored in their device's web browser should delete them from their browser after finishing their visit to the Website. The following types of cookies are used within the Website:

a. session cookies - remain in the browser until it is turned off or until logging out of the Website,

b. persistent cookies - remain in the device's web browser until deleted by the user or for a predetermined time specified in the cookie file parameters.

13. In terms of functionality, individual cookies can be divided into:

a. analytical cookies, which help improve the website experience by showing how users use the Website and convert on it,

b. marketing cookies, used to personalize advertising content, properly target and analyze the performance of marketing and sales channels,

c. necessary cookies, which are fundamental to the basic functionality of the Website.

14. Necessary cookies are installed based on the legitimate interest of the Controller consisting in ensuring the proper functioning of the Website (Article 6(1)(f) of the GDPR). Analytical and marketing cookies are used solely based on the user's consent (Article 6(1)(a) of the GDPR and relevant provisions of the Electronic Communications Law Act).

15. The cookies used by the Controller allow for the development of the Website.

16. Some cookies may be placed by the provider of the Online Booking System solely for the purpose of:

a. improving and supporting the booking process,

b. analyzing and collecting statistical data regarding the use of the website and the online booking system in order to improve them,

c. the Online Booking System provider informs about the cookies being installed in the user interface of that system.

17. The Controller may use automated decision-making, including profiling, for marketing purposes (including automated matching of advertisements to your interests and measuring their effectiveness) and adjusting the offer on the basis of Article 6(1)(a) of the GDPR, i.e., based on the user's consent. Profiling may consist in particular in analyzing booking history, visited subpages of the Website, and clicked offers in order to tailor marketing content to the user's interests and measure the effectiveness of marketing activities. The Controller does not make decisions based on profiling that produce legal effects concerning the user or similarly significantly affect them.

18. The recipients of personal data may be authorities, institutions, and entities authorized under the law, as well as entities providing services to the Controller (e.g., legal, IT, marketing, and accounting support, an entity performing bulk email and SMS delivery on behalf of the Controller or providing tools for such delivery, and other entities involved in the performance of the ordered service).

19. The Controller uses the following analytical tools: Google Analytics, for the purpose of keeping statistics on the use of the Website and its optimization. In connection with the use of these tools, user data may, in certain cases, be transferred to third countries. In such a case, the Controller applies appropriate safeguards required by the GDPR, in particular basing the transfer on an adequacy decision of the European Commission or on standard contractual clauses. Detailed information in this regard can be obtained by contacting the Controller.

20. Personal data processed for the purpose of sending commercial information and marketing offers, in particular via SMS, will be processed until the user withdraws consent or objects to data processing for marketing purposes, after which they may be stored to demonstrate compliance with regulations or for defense against claims, but no longer than the limitation period for potential claims related to the Controller's marketing activities.

21. Personal data processed in connection with the conclusion and performance of contracts regarding services provided by the Controller, including hotel service bookings, will be stored for the duration of the contract, and thereafter for the limitation period for claims resulting from this contract and for the time required by law, in particular tax and accounting regulations.

22. Personal data processed for the purpose of managing correspondence sent via the contact form or other communication channels will be stored for the period necessary to respond and conduct correspondence, and thereafter for a period not exceeding 24 months from the date of conclusion of the correspondence, for the purpose of potential defense against claims.

23. The Website user has the right to: request access to their data, their rectification, erasure, restriction of processing, data portability, to object to processing, including objecting to data processing for direct marketing purposes, and the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

24. In order to exercise their rights indicated above, the Website user may contact the Controller directly using the details provided in the Policy or the Data Protection Officer designated by the Controller at the following address: rodo@osada-sniezka.pl.

25. The Website user has the right to withdraw any consent granted (including consent to use the e-mail address and telephone number to send commercial information and marketing offers via SMS messages) at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal. Consent may be withdrawn in particular by:

a. clicking the appropriate unsubscribe link in the received e-mail,

b. contacting the Controller or the Data Protection Officer designated by them at the correspondence address or e-mail: rodo@osada-sniezka.pl.

26. In the case of technologies utilizing cookies, the user may withdraw consent by changing their web browser settings. The user may also change their cookie choices at any time via the consent management panel available on the Website, without the need to change browser settings.

27. Every Website user may lodge a complaint with the supervisory authority – the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych) – if they find that their personal data are processed in violation of the regulations.

28. The Website may contain links to other websites that operate independently of the Website and are not supervised by the Website in any way. These sites may have their own privacy policies and regulations, which the Controller recommends reading carefully.

29. The Controller reserves the right to make changes to the website's privacy policy, which may be caused by the development of internet technology, potential changes in personal data protection law, and the development of the Website.