Privacy Policy
Last Updated: Jul 24, 2025
1. General Provisions
Welcome to Карпати hotel (hereinafter - "we", "our hotel", "Controller") respects your privacy and is committed to protecting your personal data in accordance with:
- Ukrainian Law "On Personal Data Protection" № 2297-VI
- European Union General Data Protection Regulation (GDPR)
- Ukrainian Law "On Electronic Commerce"
- Other applicable Ukrainian legislation
This Privacy Policy describes how we collect, use, store and protect your personal data when providing hotel services and using our website.
2. Data Controller Identification
Full Name: Welcome to Карпати
Legal Address: Ukraine, Lviv Oblast, Skole
Contact Email: info@welcometocarpathians.com
Phone: +380 XX XXX XX XX
Data Protection Email: privacy@welcometocarpathians.com
3. Categories of Personal Data We Process
3.1 Data you provide voluntarily:
- Identification data: first name, last name, middle name
- Contact details: phone number, email address, postal address
- Documents: ID document number (during registration)
- Booking data: check-in/check-out dates, number of guests, special requests
- Payment information: payment processing data (processed through secure payment gateways)
- Feedback data: reviews, complaints, suggestions
3.2 Automatically collected data:
- Technical data: IP address, browser type, operating system, browser version
- Usage data: pages visited, session duration, referral source
- Geolocation data: approximate location based on IP address
- Cookies: for website functionality and analytics
4. Purposes and Legal Bases for Personal Data Processing
| Processing Purpose |
Legal Basis |
Retention Period |
| Booking processing |
Contract performance |
3 years after service completion |
| Hotel service provision |
Contract performance |
Until service completion |
| Guest registration |
Legal obligation compliance |
According to legal requirements (3 years) |
| Financial accounting |
Legal obligation compliance |
5 years (tax legislation) |
| Marketing communications |
Data subject consent |
Until consent withdrawal |
| Service quality improvement |
Legitimate interests |
2 years |
5. Personal Data Sharing with Third Parties
5.1 Categories of recipients:
- Payment systems: for payment processing (WayForPay, LiqPay, Portmone)
- Government authorities: according to Ukrainian legislation requirements
- IT service providers: for technical maintenance (under non-disclosure agreements)
- Accounting services: for financial reporting
- Delivery services: for document shipping (when necessary)
5.2 International transfers:
When transferring data outside Ukraine, we ensure appropriate protection through:
- European Commission adequacy decisions
- Standard contractual clauses approved by the European Commission
- International standards compliance certification
- Codes of conduct and certification mechanisms
Important: We never sell, rent, or transfer your personal data to third parties for commercial purposes without your explicit consent.
6. Personal Data Retention Periods
- Guest registration data: 3 years (according to Ukrainian Tourism Law)
- Financial documents: 5 years (Ukrainian Tax Code)
- Booking data: 3 years after service completion
- Marketing data: until consent withdrawal or 2 years of inactivity
- Website logs: 12 months
- Security camera recordings: 30 days (if applicable)
7. Technical and Organizational Security Measures
7.1 Technical measures:
- Encryption: SSL/TLS certificates for data transmission protection
- Database encryption: AES-256 for sensitive data storage
- Firewalls: multi-level network protection
- Antivirus protection: regular scanning and updates
- Backup: daily backup creation
- Monitoring: 24/7 security system control
7.2 Organizational measures:
- Staff training: regular data protection training
- Access control: restricted access to personal data
- Documentation: approved data processing procedures
- Security audit: regular security measures review
- Contractor agreements: data protection agreements with all suppliers
8. Your Rights as a Data Subject
According to Ukrainian legislation and GDPR, you have the following rights:
8.1 Right to information:
Right to receive understandable information about how your data is processed.
8.2 Right of access:
Right to obtain confirmation of your data processing and a copy of this data.
8.3 Right to rectification:
Right to demand correction of inaccurate or incomplete personal data.
8.4 Right to erasure ("right to be forgotten"):
Right to demand deletion of your personal data under certain conditions.
8.5 Right to restriction of processing:
Right to demand temporary restriction of your data processing.
8.6 Right to data portability:
Right to receive your data in a structured, commonly used format.
8.7 Right to object:
Right to object to processing of your data under certain circumstances.
8.8 Right to withdraw consent:
Right to withdraw previously given consent for personal data processing.
8.9 Right to lodge a complaint:
Right to contact a supervisory authority with a complaint about your data processing.
9. Cookies and Tracking Technologies
9.1 Types of cookies we use:
- Essential cookies: necessary for website functionality
- Functional cookies: for remembering your preferences
- Analytics cookies: for website usage analysis (Google Analytics)
- Marketing cookies: for personalized advertising (only with consent)
9.2 Cookie management:
You can manage cookie usage through your browser settings. Note that disabling certain cookies may affect website functionality.
10. Protection of Minors' Personal Data
We do not knowingly collect personal data from children under 16 without parental or legal guardian consent. If we become aware of such collection, we will immediately delete it. Parents have the right to:
- Review their child's personal data
- Demand its correction or deletion
- Prohibit further processing
11. Automated Decision-Making and Profiling
We do not use automated decision-making systems or profiling that could significantly affect your rights and interests. All service provision decisions are made by humans.
12. Personal Data Breach
In case of detecting a personal data breach that may result in high risk to your rights and freedoms, we will:
- Notify the supervisory authority within 72 hours
- Notify you without undue delay
- Take all necessary measures to minimize consequences
- Conduct investigation and eliminate breach causes
13. Privacy Policy Changes
We reserve the right to update this Privacy Policy. We will notify you of significant changes through:
- Notice on the website homepage
- Email notification (if we have your address)
- Push notifications in mobile app (if applicable)
- Other available communication channels
Continued use of our services after changes means your agreement with the updated Policy.
14. Procedure for Exercising Your Rights
14.1 Submitting a request:
To exercise your rights, send a request to: privacy@welcometocarpathians.com
14.2 Identity verification:
To protect your data, we may request documents confirming your identity.
14.3 Response timeframes:
- Standard requests: up to 30 days
- Complex requests: up to 60 days (with extension notification)
- Urgent requests: within 72 hours
15. Contact Information and Complaints
15.1 Our contacts:
Address: Ukraine, Lviv Oblast, Skole
General inquiries email: info@welcometocarpathians.com
Data protection email: privacy@welcometocarpathians.com
Phone: +380 XX XXX XX XX
Business hours: Mon-Sun 9:00-21:00
15.2 Where to file complaints:
- Ukrainian Parliament Commissioner for Human Rights
Email: hotline@ombudsman.gov.ua
Phone: 0 800 50 17 20
- State Service for Cybersecurity and Information Protection
Email: info@scip.gov.ua
- For EU citizens: relevant supervisory authority of your residence country
16. Final Provisions
This Privacy Policy is an integral part of our Terms of Service. In case of conflicts between documents, this Privacy Policy takes priority regarding personal data protection.
Effective date: Jul 24, 2025
Document version: 2.0
