Privacy policy
1. Data controller
Anais Chalet, 10 Nicolae Bălcescu Street, Câmpulung Moldovenesc, Suceava county, Romania. GDPR contact: [email protected].
2. What data we collect
- Booking data: name, phone, email (optional), stay dates, number of adults / children, special requests.
- Payment data: processed exclusively via PCI DSS-compliant providers (Stripe). We do not store card details.
- Technical data: IP address, user-agent, server logs — only for security and debugging.
3. Why we collect it (legal basis)
- Contract performance (Art. 6(1)(b) GDPR) — to confirm and manage your stay.
- Legal obligation (Art. 6(1)(c)) — invoicing, tax records, guest registry under Romanian law.
- Legitimate interest (Art. 6(1)(f)) — site security, fraud prevention.
4. How long we keep it
- Confirmed booking data: 10 years (fiscal obligation).
- Contact / WhatsApp data: 3 years from last interaction.
- Server logs: 90 days.
5. Who we share it with
Strictly with providers necessary for operations: payment processor (Stripe), hosting (Invent Evolution / OVH), WhatsApp Business for confirmations. We never sell data to third parties. We do not transfer data outside the EU/EEA without GDPR safeguards (standard contractual clauses).
6. Your rights
Under GDPR, you have the right to:
- Access your data;
- Rectification (correction);
- Erasure ("right to be forgotten");
- Restriction of processing;
- Data portability (structured format);
- Object to processing;
- Withdraw consent (when processing is consent-based).
Send your request to [email protected] — we reply within 30 days.
7. Cookies
We only use strictly necessary technical cookies (session, language preference, CSRF). No marketing or tracking cookies. Cloudflare may set security cookies (`__cf_bm`, `cf_clearance`) for bot protection.
8. Complaints
If you believe your GDPR rights have been violated, you may complain to the Romanian Data Protection Authority (ANSPDCP) — dataprotection.ro.
Last updated: 22 May 2026.