Privacy policy
DATA CONTROLLER
The Controller, i.e. the entity that decides on the purposes and means of the processing of personal data, is Sante sp. z o.o. (formerly: Sante A. Kowalski Sp. j.) seated in Warsaw (03-301) at ul. Jagiellońska 55A – owner of Hotel Sante. For matters relating to the processing of your personal data, you can also contact us by e-mail at the following address: iod@sante.pl.
Sante sp. z o.o. attaches particular importance to the protection of personal data and has therefore appointed a Data protection officer (DPO) who can be contacted at the e-mail address iod@sante.pl or at the Controller’s seat address. The Controller encourages you to contact the DPO in relation to any concerns regarding the processing of your personal data.
ACQUISITION OF DATA AND PURPOSE OF PROCESSING
Sante sp. z o.o. processes your data for the following purposes:
- E-mail and postal correspondence
| Purpose of processing and legal basis | Period of data retention | Where data is collected other than from you – the source of the data and the categories of personal data.
|
| For correspondence and to ensure the circulation and archiving of documents, which is a legitimate interest of the Controller (art. 6(1)(f) of the GDPR). For the purpose of the processing of the data contained in the correspondence and the related legal basis, please refer to the other parts of the information clause (depending on what the correspondence concerns) | As a general rule, the data is processed for the periods provided for by the law and, if no such periods are indicated for certain documents, for the time that its retention falls within the legitimate purpose of the Controller regulated by the time of possible redress. However, the retention period of the data constituting the content of the correspondence depends on the purpose of the processing to which the correspondence relates (if there are other time limits for the deletion of data, this is indicated in a separate information clause) | As a general rule, we process the data provided by you |
- Newsletter subscribers and recipients of marketing activities
| Purpose of processing and legal basis | Period of data retention | Where data is collected other than from you – the source of the data and the categories of personal data |
| We process your data in order to pursue the Controller’s legitimate interest (art. 6(1)(f) of the GDPR) in marketing its own products and services using the following forms of communication: – newsletter (sending a newsletter), – sending commercial information (e-mail messages) – sending commercial information (sending text message) – sending promotional materials by post in order to fulfil legal obligations (art. 6(1)(c) of the GDPR) Also in connection with the fulfilment of the Controller’s other legitimate interests (art. 6(1)(f) of the GDPR): – to establish, assert and defend claims – for statistical purposes, related to the improvement of work efficiency, the quality of the services provided and their adaptation to the recipients |
Your personal data will be stored until you withdraw your consent or make a legitimate objection, i.e. show us in any way that you do not wish to stay in contact with us and receive information about the actions we take. After withdrawal of the consent or lodging an objection, the personal data may be retained for the purpose of demonstrating the correctness of the fulfilment of legal obligations incumbent on the Controller and related claims | If we did not obtain the personal data directly from you, the source is the entity that obtained your consent to provide it to the Controller or had another valid legal basis. In this case, the personal data obtained includes data necessary for the type of marketing activities in question (typically full name, e-mail address, telephone number and/or correspondence address) |
- Users of the Hotel Sante website (www.hotelsante.pl)
| Purpose of processing and legal basis | Period of data retention | Where data is collected other than from you – the source of the data and the categories of personal data |
| In order to provide the basic functions of our website. If you have given the relevant (voluntary) consent, your data will also be processed in order to provide you with services, offers and communications tailored to your preferences and to analyse website traffic and provide social features (depending on the preferences you have indicated) (art. 6(1)(f) of the GDPR); for details on the use of cookies, see Cookies
We also process personal data in connection with the pursuit of other legitimate interests of the Controller on the basis of art. 6(1)(f) of the GDPR: |
Your personal data will be stored until you withdraw your consent or make a legitimate objection, i.e. show us in any way that you do not wish to stay in contact with us and receive information about the actions we take. After withdrawal of the consent or lodging an objection, personal data may be retained for the purpose of demonstrating the correctness of the fulfilment of legal obligations incumbent on the Controller or until the expiry of the limitation periods for claims, whichever is longer. If you enter into a contract with the Controller (e.g. for the provision of electronic services), your personal data will be processed for the duration of the contract and, after the end of the contract, until the expiry of the limitation periods for claims arising from it. | As a general rule, we process the data provided by you. |
- Booking of rooms and additional services
| Purpose of processing and legal basis | Period of data retention | Where data is collected other than from you – the source of the data and the categories of personal data |
| For the purpose of fulfilling contracts with guests of the Hotel by enabling the booking of rooms and additional services (art. 6(1)(b) of the GDPR)
If applicable – for billing, accounting and financial reporting purposes (art. 6(1)(c) of the GDPR) We also process personal data in connection with the pursuit of other legitimate interests of the Controller on the basis of art. 6(1)(f) of the GDPR: |
Your personal data may be stored for the purpose of demonstrating the correct fulfilment of legal obligations incumbent on the Controller or until the expiry of the limitation periods for claims, whichever is longer. In the case of conclusion of a contract with the Controller (e.g. for the provision of electronic services or the use of a booking system), your personal data will be processed for the duration of the contract and, after the end of the contract, until the expiry of the limitation period for claims arising therefrom
As a general rule, data processed for the purposes of pursuing the legitimate interests of the Controller is processed until an effective objection is lodged |
If you make a booking via external booking platform (e.g. Booking.com), we receive your data from that platform. The scope of the data received is: full name, number of accompanying persons, date of stay, preferences, additional services, booking number, booking subject, other data provided by you during the booking |
- Provision of a hotel service
| Purpose of processing and legal basis | Period of data retention | Where data is collected other than from you – the source of the data and the categories of personal data |
| The data of guests of Hotel Sante is processed for the following purposes: – for the purpose of concluding and performing the contract for hotel services, including the handling of complaints (art. 6(1)(b) of the GDPR); – for the purpose of providing additional services at your request, such as: Spa & Wellness, treatments, massages, concierge services, luggage storage, transportation of persons, catering services and sale of goods and other services provided in accordance with the current offer of Hotel Sante (art. 6(1)(b) of the GDPR); – for the fulfilment of legal obligations related to accounting, invoicing, taxes, fees, including resort taxes, implementation of travel vouchers and the fulfilment of statistical obligations towards the Central Statistical Office (art. 6(1)(c) of the GDPR) and also for purposes constituting our legitimate interest (art. 6(1)(f) of the GDPR); i.e.: – establishing, asserting and defending claims, in particular in relation to the contract for hotel services and the Hotel’s liability for items brought in by a guest; – providing security for guests and hotel staff by means of security and video surveillance; – direct marketing of Sante’s goods and services after prior consent has been given for the respective communication channel; – handling enquiries from guests and persons interested in a stay on the basis of your possible consent (art. 6(1)(a) of the GDPR) for: – customising your experience at the hotel, e.g. adapting your room to the circumstances of your engagement, anniversary etc.; – taking into account your sport or leisure preferences |
If you have given your consent to the processing of health personal data, your personal data may be stored for a period of 10 years from the date of treatment. In addition, your personal data may be retained for the purpose of demonstrating the correctness of the fulfilment of legal obligations incumbent on the Controller or until the expiry of the limitation periods for claims, whichever is longer. If you enter into a contract with the Controller (e.g. for the provision of electronic services or using the booking system), your personal data will be processed for the duration of the contract and, after the end of the contract, until the expiry of the limitation periods for claims arising from it.
As a general rule, data processed for the purposes of pursuing the legitimate interests of the Controller is processed until an effective objection is lodged, and the data processed on the basis of consent is processed until it is withdrawn, which may be done at any time, except that the withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of consent prior to its withdrawal. |
As a general rule, we process the data provided by you. However, it may be that the booking was made by someone acting on your behalf (e.g. your employer, event organiser). In such a case, we receive the data necessary for the booking: full name.
If you make a booking via external booking platform (e.g. Booking.com), we receive your data from that platform. The scope of the data received is: full name, number of accompanying persons, date of stay, preferences, additional services, booking number, booking subject, other data provided by you during the booking. |
DETAILED INFORMATION ON PERSONAL DATA PROCESSING AT WWW.HOTELSANTE.PL
Social media
On our website you can find links to our profiles on social media sites. To the extent that we manage these profiles, we are controllers or – depending on the service in question – co-controllers of the personal data together with the respective social network owner, and therefore we process the personal data of visitors to our social media profiles (Facebook, LinkedIn, Twitter). This data is only processed for the purposes of:
a) maintaining our profile (posting information about promotions, offers, Sante’s activities);
b) obtaining anonymised analytical and statistical data, obtained by the service concerned on the basis of predetermined parameters based on the nature of our clientele, as well as our promotional and marketing purposes;
c) direct marketing,
d) communicating with our clients through the tools made available by the service concerned
And also:
a) to establish, assert and defend claims,
b) for statistical purposes, related to the improvement of work efficiency, the quality of the services provided and their adaptation to the recipients
The legal basis for our processing of your personal data for the aforementioned purposes is our legitimate interest (art. 6(1)(f) of the GDPR).
In the case of Facebook, the controller or co-controllers (e.g. for Facebook Page Insights) of your personal data is Meta Platforms Ireland Ltd. based in Dublin (address: 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland). The co-controlling agreement can be consulted at this address: https://www.facebook.com/legal/controller_addendum.
Facebook has its own applicable regulations and privacy policies. To read Facebook’s privacy policy, please visit: https://www.facebook.com/privacy/explanation.
Your personal data will be stored until the relevant application has been processed and the limitation periods for claims have expired.
As a general rule, we process the data provided by you. If you did not provide us with your data, the source is the person who provided your data in the application. We obtain personal data to the extent necessary to handle the request, the most common being full name, e-mail address, telephone number, correspondence address, the circumstances related to the application.
Facebook Lead Ads
As part of Facebook, the Controller uses lead ads, which allow you to provide contact details and pass them on to the Controller. Until such time as the User’s personal data is submitted via the contact advertising form, the Facebook owner Meta Platforms Inc. is the controller of the User’s personal data. When you submit personal data via the contact advertising form, the Controller becomes the controller of the User’s personal data to the extent specified. The User’s personal data, depending on the content of the lead ad in question, may be processed for the following purposes:
- a) to respond to the User’s enquiry submitted via the contact advertising form
b) in the case of granting consent for sending commercial information – to promote the Controller’s goods and services, including via telephone or e-mail
c) in the case of granting consent for sending commercial information – to send the Controller’s newsletter to the e-mail address provided by the User
– which constitutes a legitimate interest of the Controller (art. 6(1)(f) of the GDPR).
The Controller receives the User’s personal data provided in the form (full name, e-mail and telephone number) from Facebook (Meta Platforms Inc.).
The User’s personal data is stored until the consent is withdrawn or an objection is lodged. After withdrawal of the consent or lodging an objection, personal data may be retained for the purpose of demonstrating the correctness of the fulfilment of legal obligations incumbent on the Controller and related claims.
In case of a contact initiated by a lead ad, the Controller does not make decisions by automated means, including profiling.
Otherwise, the provisions indicated in this Policy apply.
Cookies
- Introduction
We are pleased that you are using the Hotel Sante website. We want you to feel secure, which is why we have prepared this information on cookies for you. Among other things, you will find out:
a) What the cookies are
b) Which cookies we use and why
c) How they affect your privacy
d) What are your rights under the GDPR and the Telecommunications law
- What are the cookies?
1. In the simplest terms, cookies are small text files stored on your computer or smartphone when you view our website. There are different types of cookies. We divided them into four groups: - a) Cookies necessary to use our website;
b) Cookies concerning your preferences;
c) Analytical cookies;
d) Marketing cookies. - Cookies, which are essential for the use of our website, are used, among other things, to ensure the stability of the website (they measure traffic, protecting us against traffic congestion), to remember your selected privacy preferences, to fill in online forms provided by us, to save the contents of your shopping cart and to monitor your login status. We use these cookies by default, i.e. we store them on your computer or smartphone when you access our website (pursuant to art. 173(3) of the Telecommunications law).
- We only use other cookies if you have given your consent. You can read more about them in the next section of our Policy.
- Cookies we use
Below you will find a list of the cookies used on the Hotel Sante website. The purpose and type of cookies can also be viewed at any time at our website via the cookies banner and by selecting “Show details”. Once you have selected your preferences, you can return to the cookies banner at any time by clicking the black and white “paperclip” icon in the bottom left-hand corner of the website.
| Essential cookies – they ensure the proper functioning of our website and its basic functions. Without them, you will not be able to use our online services properly. These cookies are exempt from the requirement to obtain your consent (art. 173 (3) of the Telecommunications law). | ||||
| Name | Supplier | Purpose | Expiration date | Type |
| _grecaptcha | www.gstatic.com | This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to produce correct reports on its use. | Permanent | HTML Local Storage |
| _GRECAPTCHA | www.google.com | This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to produce correct reports on its use. | 179 days | HTTP Cookie |
| api/err.gif | app2.salesmanago.pl | This cookie is used to detect errors on the website – this information is sent to the website support staff in order to optimise the visitor’s experience on the website. | Session | Pixel Tracker |
| CONSENT [x2] |
play.google.com youtube.com |
It is used to detect whether a visitor has accepted a marketing category on the cookies banner. This cookie is essential for the website to comply with the GDPR. | 2 years | HTTP Cookie |
| CookieConsent | cookiebot.com | It stores the status of the user’s cookies consent for the current domain. | 1 year | HTTP Cookie |
| rc::a | google.com | This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to produce correct reports on its use. | Permanent | HTML Local Storage |
| rc::b | www.google.com | This cookie is used to distinguish between humans and bots. | Session | HTML Local Storage |
| rc::c | google.com | This cookie is used to distinguish between humans and bots. | Session | HTML Local Storage |
| SERVERID | app2.salesmanago.pl | This cookie is used to assign the visitor to a specific server – this function is essential for the operation of the website. | Session | HTTP Cookie |
| Analytical cookies – our website uses cookies provided by Google, Tawk.to, SalesManago. Analytical cookies allow us to track the number and sources of visits so that we can measure and improve the performance of our website. This type of cookies helps us to understand which sub-pages are most or least frequently visited and how visitors navigate our website. If you refuse to save analytical cookies on your computer or smartphone, your visit will not be included in our statistics, but at the same time it will not restrict any functionality on our website for you. |
| Name | Supplier | Purpose | Expiration date | Type |
| _ga | www.googletagmanager.com | It registers a unique identifier used to generate statistical data about how the visitor uses the website. | 399 days | HTTP Cookie |
| _ga_# | www.googletagmanager.com | They are used by Google Analytics to collect data on how many times a user has visited the website and the dates of the first and last visit. | 399 days | HTTP Cookie |
| _smvs | app2.salesmanago.pl | It records data on the behaviour of website visitors. It is used for internal website analysis and optimisation. | Permanent | HTML Local Storage |
| _smvs | app2.salesmanago.pl | It records data on the behaviour of website visitors. It is used for internal website analysis and optimisation. | 1 day | HTTP Cookie |
| Marketing cookies – we use these cookies to personalise the content displayed to you. Marketing cookies may be used in our advertising campaigns conducted via third-party websites. If you consent to the use of marketing cookies, you may receive information about the websites of our trusted partners where you have responded to our advertisements. If you opt out of marketing cookies, you will be shown generic and non-personalised advertisements. Just as with analytical cookies, if you refuse to save marketing cookies on your computer or smartphone, this will not restrict any functionality on our website for you. |
| Name | Supplier | Purpose | Expiration date | Type |
| _smvc | app2.salesmanago.pl | It implements the advertising displayed on the website. | Permanent | HTML Local Storage |
| api/r.gif | app2.salesmanago.pl | It presents the user with relevant content and advertising. The service is provided by third-party advertising centres that facilitate real-time bidding by advertisers. | Session | Pixel Tracker |
| smg | app2.salesmanago.pl | This cookie records the information about the visitor. The information is used to optimise the relevance of the advertising. | 10 years | HTTP Cookie |
| smuuid | app2.salesmanago.pl | It tracks individual sessions on the website, allowing the website to collect statistical data from multiple visits. The data can also be used to create leads for marketing purposes. | 399 days | HTTP Cookie |
| smuuid | app2.salesmanago.pl | It tracks individual sessions on the website, allowing the website to collect statistical data from multiple visits. The data can also be used to create leads for marketing purposes. | Permanent | HTML Local Storage |
| smvr | app2.salesmanago.pl | It collects information about user preferences and/or interaction with online campaign content – this is used on the CRM-campaign-platform used by website owners to promote events or products. | Permanent | HTML Local Storage |
| smvr | app2.salesmanago.pl | It collects information about user preferences and/or interaction with online campaign content – this is used on the CRM-campaign-platform used by website owners to promote events or products. | 399 days | HTTP Cookie |
| VISITOR_INFO1_LIVE | youtube.com | It attempts to estimate user throughput on websites with integrated YouTube videos. | 179 days | HTTP Cookie |
| YSC | youtube.com | It records ID to keep statistics on what YouTube videos the user has watched. | Session | HTTP Cookie |
| ytidb::LAST_RESULT_ENTRY_KEY | youtube.com | It stores the user’s video player preferences using an embedded YouTube video. | Permanent | HTML Local Storage |
- Consent for the installation of cookies
- During your visit to our website, a banner will be displayed to inform you that it uses cookies. If you select the “Accept all” option, this will mean that you accept all cookies placed on our website and confirm that you have read the information on cookies and the purposes for which they are used, as well as when data collected with the help of cookies is transferred to our partners.
- Please note that consent is not required for essential cookies, as cookies of this kind ensure the full and uninterrupted functioning of our website. These cookies are exempt from the requirement to obtain your consent pursuant to art. 173(3) of the Telecommunications law.
- Lack of consent to the installation of cookies
If you do not want our cookies to be stored on your device, you can select the “Reject” option. By selecting this option, you will reject all but the technically necessary cookies used on our website.
- Modifying your cookie settings
You can manage your cookie preferences in detail by selecting a cookie category and the “Allow selection” box on the cookies banner displayed to you. - Contact details
As some of the cookies we use constitute or collect personal data, we remind you that:
- a) the Controller of your personal data, i.e. the entity that decides on the purposes and means of processing, is Sante sp. z o.o. (formerly: Sante A. Kowalski Sp. j.) seated in Warsaw (03-301) at ul. Jagiellońska 55A,
b) your personal data will be processed to provide the basic functions of our website. If you have given the relevant (voluntary) consent, your data will also be processed in order to provide you with services, offers and communications tailored to your preferences and to analyse website traffic and provide social features (depending on the preferences you chose).
c) Please refer to this Privacy policy for more information on the principles of personal data processing and your rights. - Withdrawal of consent
You can manage your consents at any time by clicking the black and white “paperclip” icon located in the bottom left-hand corner of our website. Any withdrawal of the consent given will not affect the lawfulness of processing carried out before the withdrawal.
- Server logs
- The use of the Website implies sending queries to the server hosting the Website.
- Each query sent to the server is saved in its logs. The logs include, for example, the User’s IP address, server’s date and time or data of the User’s browser and operating system.
- Logs are recorded and stored on the server.
- The data saved in the server logs is not linked to any specific persons using the Website and the Controller does not use it to identify the User.
- Server logs are only auxiliary materials used to manage the Website, and their contents are not disclosed to anyone except the persons authorised to manage the server.
DATA RECIPIENTS
As part of the operation of Hotel Sante and the websites related to the Hotel, the Controller will disclose your personal data to the following entities:
- a) state authorities or other entities entitled on the basis of regulations – when necessary to fulfil legal obligations,
b) entities supporting us in our activities on our behalf, in particular: providers of external ICT systems supporting our activities, subcontractors, entities auditing our activities or experts, whereby such entities will process the data on the basis of a contract with the Controller and only in accordance with the Controller’s instructions,
c) entities providing accounting, HR or legal services – to the extent necessary to ensure the fulfilment of legal obligations or to establish, assert and defend claims,
d) companies that dispose of or archive documents and other media – to the extent that the data is stored in hard copy or on such media,
e) companies that provide courier and postal services,
f) companies that carry out marketing activities,
g) platforms that mediate accommodation bookings,
h) providers of IT and analytical tools used on the website of Hotel Sante, in particular tools for collecting consent for cookies, providers of cookies.
RIGHTS RELATED TO DATA PROCESSING
Every person whose data is processed by the Controller (data subject) has the right to:
- a) access their personal data,
b) rectify their personal data,
c) have their personal data erased,
d) restrict the processing of their personal data,
e) object to the processing of their personal data (pursuant to art. 21(1) of the GDPR, when lodging an objection, you must indicate reasons related to your particular situation),
f) to have their personal data transferred.
In addition, you have the right to lodge a complaint with the supervisory authority, i.e. the President of the Office for the Protection of Personal Data, more information at: https://uodo.gov.pl/pl/p/skargi.
In the event that consent has been given for the processing of personal data or the sending of commercial information via a designated communication channel, please be advised that you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal.
In case of the newsletter, withdrawal of consent is possible via the footer in our marketing correspondence or by contacting us at: iod@sante.pl.
VOLUNTARY NATURE OF DATA PROVISION
The provision of data is necessary for the conclusion of contracts and the settlement of the business and for the Controller to comply with legal requirements. For the remaining scope (in particular regarding the processing of data for marketing purposes by the Controller), the provision of data is voluntary.
TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
Your data will be transferred outside the European Economic Area. As part of our IT infrastructure and the tools used in connection with the Hotel’s website, your personal data will be sent specifically to the USA.
For recipients in the territory of countries not covered by the European Commission’s decision, such as the USA, in order to ensure an adequate level of this protection, the Controller concludes agreements with the recipients of your personal data, based on the standard contractual clauses issued by the European Commission in accordance with art. 46(2)(c) of the GDPR.
A copy of the standard contractual clauses can be obtained from the Controller using the contact details given above. The method of securing your data applied by the Controller is consistent with the principles provided for in Chapter V of the GDPR. You may request further information on the safeguards in place in this respect, obtain a copy of these safeguards and information on where they are available.
PROCESSING OF PERSONAL DATA BY AUTOMATED MEANS
As part of the collection of statistical and analytical data and as part of contextual and behavioural advertising, profiling takes place, but without significant consequences, including legal consequences.
Profiling occurs through the collection and processing of your data by means of automated analyses of your behaviour when using social networks and our Hotel’s website in order to continuously improve its functioning and the services we provide.
