Privacy policy

1. The Personal Data Controller of the online service available at www.bed-booking.com, as well as the system and mobile application referred to as BedBooking, is BedBooking Sp. z o.o., located at Esperantystów 17, 58-100 Świdnica, registered in the business registry of the District Court for Wrocław-Fabryczna in Wrocław, IX Commercial Division of the National Court Register, under KRS number: 0000699738, NIP: 8842785023, REGON: 36853616100000, hereinafter referred to as the Personal Data Controller.

2. All inquiries, requests, and complaints concerning the processing of personal data by the Personal Data Controller, hereinafter referred to as Submissions, should be directed to the following email address: [email protected] or in writing to Esperantystów 17, 58-100 Świdnica. The content of the Submission should clearly specify:
a) the data of the person or persons concerned by the Submission,
b) the event that is the reason for the Submission,
c) present your demands and the legal basis for these de
mands, d) indicate the expected manner of handling the matter.

3. In our Internet Service, we collect the following personal data:
a) First and last name – may be processed when you, as a user of BedBooking, provide it via email, during telephone contact, through the contact form available on our website, or by traditional means,
b) Phone number – may be processed in the case of telephone contact, as well as when you provide it via email, through the contact form available on our website, or by traditional mail. Additionally, it may be used for purposes such as local identification of hotel guest reservations, during incoming calls, and providing technical support services,
c) Address – within BedBooking, we may process the address of the accommodation facility but also a business or personal address, if it corresponds to the address of the accommodation facility or the business address,
d) Email address – may be processed when you, as a user of BedBooking, provide it via email, through the contact form available on our website, by traditional mail, during telephone contacts, or when using the BedBooking system or mobile application. Furthermore, if the user has consented to receive marketing content and has subscribed to our newsletter, we will also send them commercial and marketing information several times a month,
e) IP address of the device and potential personal data contained in Cookies – information derived from general principles of Internet connections, such as IP address (and other information contained in system logs), are used for technical and statistical purposes, particularly for collecting general demographic information (e.g., about the region from which the connection originates). This type of data is also used for marketing and analytical purposes if consent is given under Article 173(1) of the Telecommunications Law.
f) Social media account identifiers (e.g., Facebook) – you will be asked to log into your social media account. Through the OAuth 2.0 protocol from your social media account, we will read your email address, which will be used for registration purposes, registration authorization, contacting you, and other purposes related to your use of BedBooking in accordance with the provisions of the Privacy Policy,
g) Third-party service account identifiers (e.g., Google, Microsoft, Apple) – you will be asked to log into your account with the provider. Through the OAuth 2.0 protocol from your provider’s account, we will read your email address, which will be used for registration purposes, registration authorization, contacting you, and other purposes related to your use of BedBooking in accordance with the provisions of the Privacy Policy,
h) User identifier on Meta platforms – may be processed to provide to Meta platform and create custom audience groups based on a customer list and for directing advertisements and marketing content,
i) Tax Identification Number (NIP) and company name – data necessary for issuing all invoices and other documents related to the use of BedBooking,
j) Other data may be collected in the course of specific matters or may be provided by BedBooking users via email, the contact form available on the website, traditional mail, or during telephone contact.

4. Every person using BedBooking has the option to choose whether and to what extent they wish to use our services and provide information and data about themselves, as specified by the content of this Privacy Policy.

5. Purpose of data processing:
a) Contract execution (Art. 6(1)(b) GDPR) – in this context, data will cease to be processed once the particular contract is fulfilled.
b) Management of individual user accounts (Art. 6(1)(b) GDPR) – in this context, personal data will cease to be processed once the account is deleted by the user,
c) Fulfillment of legal obligations by the Personal Data Controller, especially maintaining documentation, issuing invoices, etc. (Art. 6(1)(c) GDPR) – in this context, personal data will be deleted after fulfilling specified legal obligations,
d) Directing marketing content regarding the Administrator, transmission to the Meta platform, and creating custom audience groups and directing advertisements, as well as website analytics in connection with the use of cookies (Art. 6(1)(a) GDPR) – in this context, personal data are processed until the end of the session or deletion of cookies by the user, withdrawal of consent, or until an effective objection to processing in this regard is registered,
e) Website operation (Art. 6(1)(f) GDPR in conjunction with Art. 173(1) of the Telecommunications Law) – in this context, personal data will cease to be processed upon the expiration of the Cookie, deletion of cookies, or, as appropriate, at the end of the relevant session,
f) Ongoing communication related to the operation of the website (Art. 6(1)(f) GDPR, i.e., the legitimate interest of the Personal Data Controller) – in this context, your personal data will cease to be processed once the question or questions have been answered,
g) Establishment and pursuit of claims or defense against such claims (Art. 6(1)(f) GDPR, i.e., the legitimate interest of the Personal Data Controller) – in this context, personal data will be deleted upon the expiration of these claims, generally after a 3-year limitation period,
h) Provision of the newsletter subscription service (Art. 6(1)(a) GDPR) – in this context, the provided personal data will be deleted upon withdrawal of consent and removal from the newsletter subscriber list,

6. The source of the Personal Data processed by the Controller is the data subjects.

7. The User of BedBooking may also, via the service or mobile application, provide personal data of its employees, i.e. name, email address and phone number, for the purpose of granting them permissions to use the User’s account on the service or mobile application, in the area specified by the User. The User is obliged to familiarize the employee with the Privacy Policy.

8. In cases where a button or function acts as a link to an external service, application, or social media, there exists a co-administration relationship between the administrator of this website and the administrator of the external site. Co-administration is limited solely to the data necessary for operations related to the functioning of the given button or function. The Administrator is not responsible for policies regarding the further processing of personal data by other entities and organizations or social service providers. Our Co-Administrators within this website include:
a) Meta Platforms Ireland Ltd. (Facebook, Messenger, Instagram) located at: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland,
b) Google Ireland Ltd. (YouTube, Google Maps) located at: Google Building Gordon House, 4 Barrow St, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland,
c) Apple Inc (Apple) located at: One Apple Park Way Cupertino, 95014, United States,
d) Microsoft Ireland Operations Limited (Microsoft) located at: South County Business Park, One Microsoft Place, Carmanhall And Leopardstown, Dublin, D18 P521, Ireland,
e) Potentially others.

9. The Administrator uses tools from AWS (Amazon Web Services), WordPress, Google Ireland Ltd (Google Workspace, Google Analytics, Google Ads, Google Firebase, Google Cloud), Meta Platforms Ireland Ltd. (Facebook, Facebook Pixel), Mixpanel Inc., Cloudflare Inc., LogRocket, and Grafana Cloud. Generally, data processed using these tools are hosted on servers located within the European Economic Area (EEA). However, the entities providing these tools may be required to disclose data to third parties if such an obligation is imposed on them by legal provisions or is necessary due to the nature of the services provided (SaaS, hosting, etc.). The scope of personal data transferred in this context refers to the personal data specified in section 3 of this Privacy Policy. The legal bases for processing the personal data mentioned in the preceding sentence are outlined in section 5 points d and e of this Policy. The transfer of personal data to the United States is based on the European Commission’s decision of 10 July 2023, which ensures an adequate level of protection through the EU-US Data Privacy Framework (Art. 45(1) GDPR). Our data-importing entities, such as Google LLC, Microsoft Corporation, Meta Platforms, Inc., Mixpanel Inc., Cloudflare, Inc., Amazon. Com, Inc., LogRocket, which meet the criteria of the decision and participate in the Data Protection Framework program, are listed at: https://www.dataprivacyframework.gov/s/participant-search. Entities like Hotjar Ltd., Raintank, Inc. (Grafana Cloud), may transfer data to third countries based on the Standard Contractual Clauses adopted by these entities.

10. No personal data is disclosed to third parties without the explicit consent of the person concerned. Personal data may be disclosed to public law entities, such as authorities and administration bodies (e.g., tax authorities, law enforcement agencies, and other entities empowered under universally applicable legal provisions), only without the consent of the person concerned.

11. Personal data may be entrusted to processors who process such data on our behalf as the Personal Data Controller. In such cases, as the Personal Data Controller, we enter into a personal data processing entrustment agreement with the processor. The processor processes the entrusted personal data solely for the needs, within the scope, and for the purposes specified in the entrustment agreement referred to in the preceding sentence. Without entrusting the processing of personal data, we would not be able to operate our website. As the Personal Data Controller, we entrust personal data for processing particularly to the following entities:
a) Providing hosting services for the website on which our online service operates,
b) Newsletter service providers,
c) CRM management.

12. Personal data is not subject to profiling by us as the Personal Data Controller within themeaning of the GDPR regulations.

13. In accordance with the GDPR provisions, every individual whose personal data we process as the Personal Data Controller has the right to:
a) Access their personal data, as stated in Article 15 of the GDPR,
b) Be informed about the processing of personal data, as stated in Article 12 of the GDPR,
c) Rectify, supplement, update, and correct personal data, as stated in Article 16 of the GDPR,
d) Withdraw consent at any time, as stated in Article 7(3) of the GDPR,
e) Erase data (the right to be forgotten), as stated in Article 17 of the GDPR,
f) Restrict processing, as stated in Article 18 of the GDPR,
g) Data portability, as stated in Article 20 of the GDPR,
h) Object to the processing of personal data, as stated in Article 21 of the GDPR,
i) In cases where the legal basis is consent – the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal,
j) Not be subject to profiling, as stated in Article 22 in conjunction with Article 4(4) of the GDPR,
k) Lodge a complaint with a supervisory authority (i.e., the President of the Personal Data Protection Office), as stated in Article 77 of the GDPR.

14. If you wish to exercise your rights as mentioned in the preceding point, please send a message via email or in written form to the correspondence address mentioned in section 2 above.

15. Each confirmed case of a security breach is documented, and if one of the situations specified in the GDPR or the Act occurs, the individuals concerned and – if applicable – the Personal Data Protection Office are informed about such a breach of data protection regulations.

16. The Cookie Policy is a separate document located at: https://bed-booking.com/cookies-policy/

17. For matters not regulated by this Privacy Policy, the relevant provisions of universally applicable law shall apply. In case of any inconsistency between the provisions of this Privacy Policy and the aforementioned regulations, the latter shall prevail.

18. The Privacy Policy shall come into effect on July 30, 2024.


The Privacy Policy 30.06.2022-29.07.2024