Terms and conditions
Ayurveda Clinic Bansko processes your personal data in order to provide its guests with better and more diverse services. Data security is important for the success of our business and for our public image as a first-class hotel.
That is why we strive to protect your data by applying all appropriate technical and organizational means at our disposal to prevent unauthorized access, unauthorized or malicious use, loss or premature deletion of information.
How and why we use your personal data
We collect and process your personal data and other data in order to fulfill obligations assigned to us under a normative act, such as the Tourism Act.
We collect and process your personal data and other data in order to fully provide the services you have requested and want to use with us, as well as to fulfill our contractual obligations to you.
The personal data we collect includes:
- EGN/PIN (personal identification number), names, gender, citizenship and permanent address.
- Emails, letters, information about your troubleshooting requests, complaints, requests and grievances.
- Other feedback we get from you.
- Video recordings made to improve security.
- Preferences for the services we provide.
- Data provided through the hotel’s website.
- IP address when visiting our website.
- Demographics and household information when you agree to participate in our surveys, prize draws or other feedback you provide to us about the services you use.
- Credit or debit card information, bank account number or other bank and payment information in connection with payments made to the hotel – when paying for a product or service in the reservation system on the hotel website.
Security of card payments
The user does not provide Tourist Management EOOD data from bank / credit cards. Payment by bank card is made through the Virtual POS terminal of the Bank, where the data from the bank card are entered directly into the secure platform of the bank.
In this way the data from the User’s bank card are maximally protected and do not become available to Tourist Management EOOD. To prevent fraud when paying with your Visa or MasterCard, we apply the best practices recommended by international card organizations:
- Security when entering and transferring card data is ensured by using SSL protocol to encrypt the connection between our server and the payment page of our servicing bank.
- The authenticity of your card is verified by entering a security code (CVV2).
- In addition, to identify you as a cardholder, the payment server for e-commerce of our servicing bank supports the authentication schemes of international card organizations – Verified by VISA and MasterCard Secure Code, in case you are registered to use them.
For what purposes do we process the received data?
The data collected from the list above are processed for the purposes of:
- Establishing the identity of the client upon check-in at the hotel.
- Manage and execute your service requests.
- Prepare and send an invoice for the services you use with us.
- Providing the necessary comprehensive service, as well as collecting the amounts due for the services used.
- Analysis of the customer history and creation of a user profile in order to determine a suitable future offer for you.
- Research and analysis of customer consumption of our services, based on anonymous or personalized information, to identify key trends, improve our understanding of our customer behavior and work with third parties to develop new services for our customers.
- Data processing by the data processor when concluding a contract, awarding, reporting, accepting or paying.
With your consent
In some cases, we process your personal data only with your prior written consent. Consent is a separate basis for the processing of your personal data and the purpose of the processing is stated in it, and is covered by the purposes listed in this policy.
If you give us the relevant consent and until its withdrawal, we will prepare suitable for you proposals for programs and services offered by the hotel.
Concessions granted may be withdrawn at any time. Withdrawal of consent will affect the provision of the relevant services for the provision of the relevant programs.
We have a large portfolio of programs and services. When you give us consent to data processing, that consent applies to all programs and services you use.
In order to withdraw your consent, you only need to use our website or just our contact details.
Who do we share your personal information with?
We process your identification data and other personal data in order to comply with obligations provided for in a regulatory act, such as:
- Providing information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act.
- Providing information to the Commission for Personal Data Protection in connection with obligations provided for in the legislation on personal data protection – Personal Data Protection Act, Regulation (EU) 2016/679 of 27 April 2016, etc.
- Obligations provided for in the Accounting Act and the Tax and Social Security Procedure Code and other related normative acts in connection with the maintenance of proper and lawful accounting.
- Providing information to the court and third parties, in court proceedings, in accordance with the requirements of the procedural and substantive legal acts applicable to the proceedings.
- Verification of payment for online registrations.
How we protect your personal information?
To ensure adequate data protection of the company and its customers, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and bylaws on its implementation.
The company has appointed a Data Protection Officer to assist in the protection and security of your data.
In order to ensure maximum security in the processing, transmission and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.
When do we delete your personal data?
As a rule, we terminate the use of your personal data for the purposes of the contractual relationship after the termination of the contract, but we do not delete them before the expiration of one year from the termination of the contract or until the final settlement of all financial obligations for data storage, such as:
- Obligations under the Accounting Act for storage and processing of accounting data (5 years);
- Expiration of the statute of limitations for filing claims (5 years) specified in the Law on Obligations and Contracts.
- Obligations to provide information to the court, competent state authorities and other grounds provided for in the current legislation (5 years).
Please note that we will not delete or anonymize your personal data if it is necessary for pending court, administrative or pending proceedings before us.
Your data can also be anonymized. Anonymization is an alternative to deleting data. Upon anonymization, all personally identifiable items (elements that allow you to be identified) are irrevocably deleted.
There are no legal obligations for anonymized data, as they do not constitute personal data.
Your rights in connection with the processing of your personal data
Right to information
You have the right to request:
- Information on whether data relating to you are processed, information on the purposes of such processing, on the categories of data and on the recipients or categories of recipients to whom the data are disclosed;
- A message in an understandable form containing your personal data that is being processed, as well as any available information about their source;
- Information on the logic of any automated processing of personal data concerning you, at least in the case of automated solutions.
Right of correction
In the event that we process incomplete or erroneous / incorrect data, you have the right, at any time, to request:
- Delete, correct or block your personal data, the processing of which does not meet the requirements of the law;
- To inform the third parties to whom the personal data have been disclosed of any deletion, correction or blocking, except in cases where this is impossible or involves excessive effort.
Right of deletion (right “to be forgotten”)
You have the right to request the deletion of personal data processed by us at any time, if:
- Personal data are not required for the purposes for which they were collected and processed;
- Withdraw your consent and there is no other legal basis for their processing;
- Personal data has been processed illegally
Right to object
At any time you have the right to:
- Objections to the processing of your personal data if there is a legal basis for it; where the objection is justified, the personal data of the individual concerned may no longer be processed;
- Objections to the processing of your personal data for the purposes of direct marketing.
Right to limit processing
You can request a restriction on the custom data being processed if:
- You are disputing the accuracy of the data for the period in which we have to check its accuracy;
- The processing of data is without legal basis, but instead of deleting it, you want its limited processing;
- We no longer need this data (for the specified purpose), but you need it to establish, exercise or defend legal claims;
- You have objected to the processing of the data, pending verification that the controller’s grounds are lawful.
Right to data portability
You can ask us to provide the personal data that you have entrusted to our care in an organized, orderly, structured, generally accepted electronic format if:
- We process the data according to the contract and based on the declaration of consent, which can be withdrawn or on a contractual obligation
- Processing is performed automatically.
Right of appeal
In case you believe that we are violating the applicable regulations, please contact us to clarify the issue. Of course, you have the right to lodge a complaint with the Data Protection Commission. After 25 May 2018, you will also be able to lodge a complaint with a regulatory body within the EU.
Applications for access to information or for correction are submitted personally or by a person expressly authorized by you, through a notarized power of attorney. An application may also be submitted electronically, in accordance with the Electronic Document and Electronic Signature Act.
We will respond to your request within 14 days of its submission. If a longer period is objectively necessary – in order to collect all the requested data and if this seriously hinders our activities – this period can be extended to 30 days.
By our decision, we grant or deny access and / or the information requested by the applicant, but we always motivate our response.
Relevance and policy changes