Privacy Policy

www.over10daysscostablanca.com

§ 1 General provisions

  1. The administrator of personal data of users of the website located under the domain www.over10daysscostablanca.com is Paula Sarnecka, as part of an unregistered economic activity, with its registered office at: ul. Emilii Plater 1a/30, Piaseczno, Poland (hereinafter referred to as the “Administrator”).
  2. The Controller has designated an electronic contact point for direct communication with Member State authorities, the Commission, and the Digital Services Council: over10dayscostablanca@gmail.com. This same contact point can be used by each Client to communicate directly and quickly with the Controller. The Controller can also be contacted in writing at the address indicated above, as well as by telephone: +34 600 499 213 (including via WhatsApp; calls are accepted on business days between 8:00 a.m. and 4:00 p.m. CET; charges apply according to the Client’s operator’s tariff). Communication can be conducted in Polish and English.
  3. The purpose of the Policy is to define actions taken in the scope of personal data collected via the Controller’s website and related services and tools used by its users and partners.
  4. If necessary, the provisions of this Policy may be changed. Any changes will be communicated to users and partners through the announcement of the new Privacy Policy version. In the case of database users who have consented to data processing via email or provided email data in the performance of contracts, they will also be notified of the change via email.

§ 2 Basis for processing, purposes and storage of personal data

  1. The personal data of users and partners are processed in accordance with the General Data Protection Regulation, the Personal Data Protection Act, the Personal Data Protection Act of 10 May 2018 and the Act on the provision of electronic services of 18 July 2002, as amended.
  2. The Administrator may collect the following data for the following purposes:
| Purpose of data processing | Legal basis for processing | Data storage period | Scope of processed data |
| --- | --- | --- | --- |
| Execution of the contract with the Client or taking action at the request of the data subject before concluding the above-mentioned contracts | Article 6(1)(b) of the GDPR (performance of a contract). | for the duration of the above-mentioned agreement; until the expiry of the legal obligation related to accounting; the data will be processed until the expiry of the period in which claims can be pursued | name and surname(s) of all guests; e-mail address of all guests and the partner; mobile and landline phone numbers of all guests and the partner; address (street, house number, apartment number, postal code, city, country) of all guests and the partner; company name and details (address, telephone numbers, Tax Identification Number); payment methods; bank account or payment card number; gender of all guests; date of birth of all guests; nationality of all guests; type and number of personal document (including Soporte number for Spanish citizens) of all guests; number of guests; information regarding the guests’ relationships (if they are underage) |
| Making a refund | Performance of the Contract or taking steps at the request of the data subject before concluding the Contract (Article 6(1)(b) of the GDPR). | 5 years after the end of the business relationship with the Client | name and surname; e-mail address; phone number; bank account or payment card number; address (street, house number, apartment number, postal code, city, country); company details (name, address, Tax Identification Number). |
| Determining, pursuing or defending claims that may be raised by the Administrator or that may be raised against the Administrator | Article 6(1)(f) of the GDPR Regulation | data is stored for the duration of our legitimate interest, but no longer than the limitation period for claims against the data subject arising from the business activity conducted. | name and surname; e-mail address; phone number; address (street, house number, apartment number, postal code, city, country); Tax Identification Number; company name |
| Issuing an offer for partner accommodation and making payment of the amount after deducting the Service Provider’s commission | Article 6(1)(f) of the GDPR Regulation | 5 years after the end of the business relationship with the supplier | 10 words of short information advertising the accommodation; name of accommodation; future rental dates booked; additional costs that occur apart from rental costs; gross prices per night; exact address of the accommodation, including the apartment number if applicable, postal code, city; number of bedrooms and bed types (number of single and double beds); maximum number of guests; NRA and SES numbers; private owner (name, surname, gender, address, e-mail address, type of ID document and ID document number, citizenship, telephone number(s)); company (company details including telephone number and e-mail address); information whether internet connection is available in the accommodation; from 3 to 6 photos of the object; bank account details for euro currency; number of calendar days free for preparing the facility between reservations; how many calendar days in advance to make a rental reservation from the current dates; link to iCAL calendar of other platforms for synchronization; distance from the sea; total accommodation area size m2 |
| Customer account registration | Performance of the Contract or taking steps at the request of the data subject before entering into the Contract (Article 6(1)(b) of the GDPR) | 5 years after the end of the business relationship with the Client | name and surname; e-mail address; User ID. |
| Providing customer service | Performance of the Contract or taking steps at the request of the data subject before concluding the Contract (Article 6(1)(b) of the GDPR) | 5 years after the end of the business relationship with the Client; 2 years after the last update of the customer inquiry | name and surname; User ID; e-mail address; phone number; address (street, house number, apartment number, postal code, city, country); business entity data |
| Correct functioning of the website | Maintaining the efficiency of the Website and improving it (Article 6(1)(f) of the GDPR) | 5 years after the end of the business relationship with the Client | As in the cell above; information about activities performed on the website (button clicks, duration of visits, notifications read, other information depending on the specific business case). |
| Comment handling | Protection and security of the website, customer interests, ensuring customer safety (Article 6, paragraph 1, letter f) of the GDPR) | 5 years after the end of the business relationship with the Client | name and surname; e-mail address; phone number; address (street, house number, apartment number, postal code, city, country); User ID; business entity data |
| Enabling the Customer to reset their password | Protection and security of the website, customer interests, ensuring customer safety (Article 6, paragraph 1, letter f) of the GDPR) | 5 years after the end of the business relationship with the Client | name and surname; e-mail address; User ID. |
| Supervising compliance with regulations, contracts, and privacy policies | Protection and security of the website, customer interests, ensuring customer safety (Article 6, paragraph 1, letter f) of the GDPR) | 5 years after the end of the business relationship with the Client | transaction data, data of the economic entity. |
| Processing requests regarding personal data | Article 6(1)(c) of the GDPR | The period of existence of the Controller’s legitimate interest, but no longer than the limitation period for claims against the data subject arising from the business activity conducted. | name and surname; e-mail address; phone number; address (street, house number, apartment number, postal code, city, country); Tax Identification Number; company name. |
| Providing information to law enforcement authorities and other state institutions | Article 6(1)(c) of the GDPR | The period of existence of the Controller’s legitimate interest, but no longer than the limitation period for claims against the data subject arising from the business activity conducted. | name and surname of all guests and partner; email address of all guests; mobile and landline phone numbers of all guests; address (street, house number, apartment number, postal code, city, country) of all guests; company name; Tax Identification Number; payment methods; bank account or payment card number; gender of all guests; date of birth of all guests; nationality of all guests; type and number of personal document (including Soporte number for Spanish citizens) of all guests; number of guests; information regarding the guests’ relationships (if they are underage); partner’s NRA and SES numbers; the exact address of the partner’s rental accommodation, including the apartment number if applicable, postal code, city |

  3. To the extent necessary for the proper functioning of the website and its functionality, the website may, when the User uses it, collect other information, including, but not limited to:
    1. IP address;
    2. information about the device, hardware and software;
    3. type of platform;
    4. settings and components;
    5. data about your web browser, including browser type and preferred language.
  4. Taking into account the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity of violations of the rights and freedoms of natural persons, the Controller implements appropriate technical and organizational measures to ensure that processing is carried out in accordance with the Regulation and to be able to demonstrate this. These measures are reviewed and updated as necessary. The Controller employs technical measures to prevent unauthorized access and modification of personal data transmitted electronically.

§ 3 Data Sharing

  1. The Administrator ensures that all personal data collected is used to fulfill obligations towards users and third parties. This information will not be shared with third parties except in the following circumstances:
    1. the persons concerned have given their prior express consent to such action, or
    2. if the obligation to provide such data results or will result from applicable legal provisions, e.g. to law enforcement authorities.
  2. Additionally, personal data of service recipients’ partners and customers may be transferred to the following recipients or categories of recipients:

a) service providers supplying the Controller with technical, IT and organizational solutions enabling the Controller to conduct its business, including the website and electronic services provided via it (in particular computer software providers, marketing agencies, e-mail and hosting providers, providers of software for company management and providing technical support to the Controller) – the Controller makes the collected personal data of the Customer available to a selected supplier, partner acting on its behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy. The Partner is an independent data controller and is responsible for processing your data for their own purposes, in accordance with their own privacy policy.

b) providers of accounting, legal and advisory services providing the Controller with accounting, legal or advisory support (in particular an accounting office, law firm or debt collection company) – the Controller makes the collected personal data of the Client available to a selected supplier acting on its behalf only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy.

c) Service Users and Customers who make a reservation for a stay – The Administrator makes the collected personal data of Partners available to selected Service Users and Customers who have made a reservation only in the case and to the extent necessary to achieve a given purpose of data processing in accordance with this privacy policy.

  3. The Controller may share anonymized data (i.e., data that does not identify specific Users) with external service providers to better understand the attractiveness of advertisements and services for users. In this respect, due to the location of the software providers, data may be transferred – while maintaining the principles of data protection – to third countries that provide standard contractual provisions approved by the European Commission regarding the processing of personal data or have appropriate authorizations to do so based on bilateral data processing agreements between the European Union and a given third country that is not a member of the European Economic Area. In the case of the Controller, these entities are:
  • Hostinger International Ltd., Cyprus private limited company, 61 Lordou Vironos str., 6023 Larnaca, Cyprus. Tax Identification Number (NIP): 10301365E, National Business Registry Number (REGON): 301365 for the purpose of storing data on the server, operating the website, storing data and general IT infrastructure on which the website is installed or for storing data on the server and for the purpose of providing IT and technical support for the website.
  • Pietom spółka z o.o., Marsz. Józefa Piłsudskiego 74 / 320, 50-020 Wrocław, Poland, NIP 8971881792, REGON 386746097, KRS 0000850676 – for the purpose of IT support and technical support of the website,
  • inFakt Sp. z o. o. ul. Szlak 49, 31-153 Kraków, Poland NIP 945-212-16-81, REGON 120874766, KRS 0000325203 – in order to use the system within which invoices are generated and sent to Customers documenting purchases made via the website and in order to keep accounting and HR documentation or in order to fulfill the obligation of tax settlements and accounting or in order to keep accounting records of the business activity of the owner of the Online Store,
  • Automattic Inc. 60 29th Street #343 San Francisco, CA 94110, United States of America Registration number: 3946446, EIN: 20-2602536 with an office in Europe Aut O’Mattic A8C Ireland Ltd. Grand Canal Dock, 25 Herbert Place, Dublin, D02 AY86, Ireland Registration number: 538982, VAT Number: 3255131SH – for the purpose of operating the website, i.e. software, including sales and payment management plugins.
  • WP Media SAS – 4 rue de la République, 69001 Lyon, France SIRET number 800 260 648 00046; VAT number: FR43800260648 – for the operation of the website, providing software and tools supporting the functionality of the website, including the creation of backup copies
  • MotoPress 525 NE 14 Avenue, Fort Lauderdale, FL 33301, United States of America EIN 42-1774657 for the purpose of operating the website, providing software and tools supporting the functionality of the website
  • LiteSpeed Technologies, Inc., room 18 Campus Blvd. Suite 100, Newtown Square, Pennsylvania, 19073, US EIN for the operation of the website, providing software and tools that support the functionality of the website
  • Brainstorm Force 2093 Philadelphia Pike, #3090, Claymont, Delaware, USA, 19703 for the purpose of operating the website, providing software and tools supporting the functionality of the website
  • Google LLC for the purpose of operating the Online Store website EIN 770493581 for the purpose of handling sales supporting the sending of e-mails
  • Fernleaf Systems Limited 55-59 Adelaide St. BT2 8FE Belfast, Ireland Registration Number NI621879 VAT: GB 188110018 for the purpose of operating the website, providing software and tools to support the functionality of the website.
  4. The Administrator conducts ongoing risk analysis to ensure that personal data is processed securely – ensuring, above all, that only authorized individuals have access to the data and only to the extent necessary for the tasks they perform. The Administrator ensures that all operations on personal data are recorded and performed only by authorized employees and associates.
  5. The Controller shall take all necessary measures to ensure that its subcontractors and other cooperating entities also guarantee the application of appropriate security measures whenever they process personal data on behalf of the Controller.
  6. When sharing data with third parties, the Controller makes every effort to ensure that this is done only to entities that meet the criteria and requirements specified in Articles 46 or 49 of the GDPR. Where appropriate, the Controller will rely on EU standard contractual clauses and other safeguards to enable transfers outside the EEA. In accordance with the decision of the Court of Justice of the European Union of July 16, 2020, the Controller continues to assess the legal systems of the countries to which data are transferred and, where necessary, updates measures to ensure adequate levels of protection.
  7. In the scope of data transferred to the United States, the Administrator, when making data available to third parties, makes every effort to ensure that this is done, in accordance with the decision of the European Commission of 10 July 2023, only to entities and organizations in the US that ensure compliance with the new EU-US Data Privacy Framework. The list of these organizations has been published by the US Department of Commerce. Transfers of personal data from the EEA to organizations that have joined the EU-US Data Privacy Framework and are on this list are possible without the need to obtain additional consents or use legal instruments such as standard contractual clauses or binding corporate rules. However, if a given data importer in the US has not joined the EU-US Data Privacy Framework, transfers of personal data to them are possible and will take place after meeting the conditions set out in Articles 46 or 49 of the GDPR. In such cases, the Controller will rely on EU standard contractual clauses and other safeguards to enable transfers outside the EEA. A copy of the safeguards applied to the transfer of personal data outside the EEA may be obtained by contacting the Administrator at over10dayscostablanca@gmail.com.

§ 4 User and Partner Rights

  1. The User and Partner whose personal data are processed has the right to:
    1. access, rectification, restriction, erasure, or transfer – the data subject has the right to request from the Controller access to their personal data, rectification, erasure (“right to be forgotten”), or restriction of processing, and has the right to object to processing, as well as the right to transfer their data. Detailed conditions for exercising the above-mentioned rights are set out in Articles 15-21 of the GDPR.
    2. withdrawal of consent at any time – a person whose data is processed by the Controller on the basis of expressed consent (pursuant to Article 6 paragraph 1 letter a) or Article 9 paragraph 2 letter a) of the GDPR Regulation), has the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
    3. file a complaint with a supervisory authority – the person whose data is processed by the Controller has the right to file a complaint with a supervisory authority in the manner and procedure specified in the provisions of the GDPR Regulation and Polish law, in particular the Personal Data Protection Act. The supervisory authority in Poland is the President of the Personal Data Protection Office in Warsaw.
    4. objection – the data subject has the right to object at any time – on grounds relating to their particular situation – to the processing of personal data concerning them based on Article 6(1)(e) (public interest or tasks) or (f) (legitimate interest of the controller), including profiling based on these provisions. In such a case, the controller is no longer permitted to process the personal data, unless they demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims.
    5. objection to direct marketing – if the user’s personal data are processed for direct marketing purposes (based on the legitimate interest of the Controller, not on the basis of the data subject’s consent), the data subject has the right to object at any time to the processing of his or her personal data for such marketing purposes, including profiling, to the extent that the processing is related to such direct marketing.
  2. The above rights are exercised upon a request from the user or partner sent to the email address over10daysscostablanca@gmail.com. Such a request should include the user’s name and surname or the partner’s details.
  3. The User and Partner guarantee that the data they provide or publish on the website is accurate. Failure to provide accurate data or misleading the Administrator will result in the consequences described in the Terms and Conditions.

§ 5 Cookies

  1. Cookies are IT data, particularly text files, stored on end-user devices (typically on a computer’s hard drive or mobile device) used by the user’s browser to save specific settings and data for use with websites. These files allow the user’s device to be recognized and the website to be displayed appropriately, ensuring comfortable use. Storing cookies enables the website and its offerings to be tailored to user preferences – the server recognizes the user and remembers preferences such as visits, clicks, and previous actions. Consent for non-essential cookies is obtained through a banner displayed when the user first visits the website. The banner allows the user to accept all, reject all, or customize cookie preferences. You can withdraw your cookie consent at any time by clicking the floating button on the website.
  2. Cookies contain, in particular, the domain name of the website from which they originate, their storage time on the end device and a unique number used to identify the browser from which the website is connected.
  3. Cookies are used for the following purposes:
    1. adapting the content of websites to user preferences and optimizing the use of websites,
    2. creating anonymous statistics that help determine how users use websites and enable the improvement of their structure and content,
    3. providing website users with advertising content tailored to their interests.

Cookies are not used to identify the user and their identity is not determined on their basis.

  4. Cookies are divided into the following basic types:
    1. Essential cookies are absolutely essential for the proper functioning of the website or the functionality you wish to use. Without them, we would not be able to provide many of the services we offer. Some of them also ensure the security of the services we provide electronically.
    2. Functional cookies are important for the operation of the website due to the fact that:
      – they serve to enhance the functionality of websites; without them the website will function properly, but will not be adapted to the user’s preferences,
      – they are used to ensure a high level of functionality of websites; without them, the functionality of the website may be reduced, but their absence should not prevent you from using it completely,
      – they serve most of the functionalities of websites; blocking them will result in selected functions not working properly.
    3. Business cookies enable the business model underlying the website; blocking them will not result in the unavailability of all functionality, but may reduce the level of service provided due to the website owner’s inability to generate revenue to subsidize its operation. Advertising cookies, for example, fall into this category.
    4. Cookies used to configure websites – they enable the setting of functions and services on websites.
    5. Cookies used to ensure the security and reliability of websites – they enable authenticity verification and optimization of website performance.
    6. Session state cookies enable the recording of information about how users use the website. These cookies may include the most frequently visited pages or any error messages displayed on certain pages. Session state cookies help improve services and enhance the browsing experience.
  5. Using cookies to tailor website content to user preferences generally does not involve collecting any information that identifies the user, although this information may sometimes constitute personal data, meaning data that allows for attributing certain behaviors to a specific user. Personal data collected using cookies may be collected solely to perform specific functions for the user. Such data is encrypted to prevent unauthorized access.
  6. Detailed information on changing cookie settings and deleting them yourself in the most popular web browsers is available in the help section of your web browser and on the following websites (just click on the link):
    1. Google Chrome
    2. Mozilla Firefox
    3. Microsoft Edge
    4. Opera
    5. Safari macOS
    6. Safari iOS/iPad OS
  7. Detailed information about managing cookies on a mobile phone or other mobile device should be included in the user manual of the mobile device.