Dear guests,

We aim to offer you an unforgettable experience at REZIDENT and, to this end, we have established a set of principles and rules which we respectfully ask you to observe both during and after the conclusion of your stay. These Terms and Conditions apply to all guests, who accept them by the mere fact of their accommodation in the apartments and are required to comply with them without limitation or reservation.

Reservation

Reservations may be made directly on the website www.rezident.ro, by e-mail at hello@rezident.ro , or by telephone at +40 723 385 089. Guests who have booked their stay through a partner agent are required to comply with the rules set out below. Reservations shall be held, guaranteed and cancelled depending on the booking channel and the adopted payment policy. Rezident customers shall refer to the payment policy displayed on the booking platform, to the regulations available on www.rezident.ro, or to the contracts signed with direct partners for the applicable conditions.

Cancellation of reservation

Any cancellation of a room reservation must be submitted in writing to hello@rezident.ro . The refund of the reservation amount shall be made in accordance with the payment policy under which the Rezident apartment was purchased.

Rates

REZIDENT rates vary depending on the selected apartment type, availability, day and season, as well as on the number of persons accommodated in the apartment (for further details, please refer to the booking page).
For more information, please consult our website www.rezident.ro.

Arrival and departure

Rezident Bălcescu, Eminescu and Predeal

• Check-in: from 15:00
• Check-out: before 11:00

Rezident Corbu, Tomis Marina, Eforie Nord and Villa Eforie

• Check-in: from 16:00
• Check-out: before 10:00

If, on the first day of the stay, guests request access to the apartment prior to the established check-in time, such requests shall be honoured subject to availability. Where this is not possible, a secure luggage storage space will be provided until check-in.

If, on the last day of the stay, guests request a late check-out beyond the established check-out time, such requests shall be honoured strictly subject to availability.

If guests’ luggage remains in the apartment after the established check-out time, an additional room usage fee of RON 500 shall be charged.

Where the apartment is not vacated by the check-out time and another guest is due to check in at the established check-in time, we reserve the right to collect the guests’ belongings from the apartment and store them in a secured area. In such circumstances, the guest is deemed to have given consent for their belongings to be collected and stored and may not subsequently raise any claims whatsoever regarding the disappearance/loss of luggage or personal belongings or any alleged breach of privacy arising from this action. An additional fee of RON 500 for failure to comply with the check-out time shall apply.

Guests who vacate the apartment by the maximum check-out time may leave their luggage in a designated storage area for up to 24 hours, free of charge, where such service is available at the relevant Rezident location.
For luggage stored for more than 24 hours, storage fees shall apply.

All requests for check-in or check-out at times other than those specified above shall be reviewed and honoured only insofar as no firm bookings exist for the relevant accommodation units.

A stay of less than 24 hours shall be charged at the rate of a full day.

Accommodation of children aged 0–2

Accommodation for children aged between 0 and 2 years is provided free of charge, using the existing beds, up to a maximum of two children per apartment (with the exception of Rezident Corbu, where the limit is two adults plus one child per room, and the child’s age may range from 0 to 18 years).

Please note that baby cots may be provided in apartments at Rezident Bălcescu, Rezident Eforie Nord and Rezident Tomis Marina, subject to availability. Children over the age of 2 must use one of the existing sleeping places in the apartment, either a bed or a sofa bed, and shall be considered adults. Rezident cannot provide additional beds. Accommodation of groups exceeding the maximum capacity of the apartment is not permitted, even if the reservation has been paid in full.

Accommodation of minors

A minor is a person who has not reached the age of 18.
Rezident does not accept accommodation of unaccompanied minors, except for those participating in hiking trips, camps, excursions, competitions or similar activities, accompanied by teachers, coaches or guides.

Accommodation rules

Guests acknowledge and undertake to comply with the following rules:

• not to damage the furnishings or items within the apartment; otherwise, they shall owe Rezident an amount equal to the purchase or replacement value of the damaged item, together with the related labour costs;
• not to remove any property belonging to Rezident upon departure;
• to maintain quietness so as not to disturb other guests;
• not to use towels or bed linen for purposes such as wiping dyed hair, removing make-up, cleaning footwear, suitcases, floors, etc.; towels are to be used solely for personal hygiene. Any towels or bed linen found to be damaged due to improper use shall be charged as damages and paid by the responsible guest. Failing this, Rezident reserves the right to cancel the guest’s reservation and evict the guest without refund of the services paid;
• not to enter other rooms or areas designated exclusively for Rezident staff without permission;
• to notify Rezident of any visitors who are not accommodated in Rezident apartments; such visitors may enter the apartments only after identification and registration via the Rezident contact number;
• to limit the number of occupants to the maximum capacity of the apartment (children over the age of 7 being considered adults). Accommodation of groups exceeding the apartment capacity is not permitted;
• not to leave children unattended in any of the Rezident premises; any accident resulting from lack of supervision of children within the Rezident premises shall be the responsibility of the persons accompanying and supervising them, not of Rezident;
• to notify Rezident as soon as possible of any malfunction of appliances, installations or other technical non-conformities or furniture issues within the apartments;
• any accident resulting from improper use of the provided items or from use of Rezident facilities without observing the applicable safety rules shall not be our responsibility;
• after use and before leaving the apartment, to unplug chargers for electrical/electronic devices (laptops, mobile phones, cameras, etc.) from the power sockets;
• the introduction into Rezident apartments of firearms, bladed weapons or tear gas substances is strictly prohibited. Under Romanian law, the consumption or sale of hallucinogenic or psychotropic substances is prohibited and punishable;
• not to dispose of objects in the toilet that could damage the waste collection system;
• nudism or any form of exhibitionism within the Rezident premises is not permitted;
• waste and household refuse must be placed in the bins provided in the apartment; prior to check-out, guests must dispose of the waste at the location indicated by the Rezident team upon check-in;
• it is not permitted to bring into the Rezident premises any items or goods emitting a persistent and disturbing odour;
• parents, guardians or accompanying persons are responsible for the actions of minors and undertake to ensure that they behave in a civil manner and do not disturb other guests;
• guests are kindly requested to inform Rezident staff of any allergies or intolerances of any kind;
• running or practising any sport in the lobby or corridors of Rezident is not permitted;
• our unit provides accommodation services only; the use of the premises for commercial purposes—such as, but not limited to, organising photo or video shoots—is not permitted without prior written consent, which may be requested at hello@rezident.ro . Such additional services may involve extra costs.

Dress code

Rezident does not impose a specific dress code; however, we recommend decency and respect towards both other guests and our staff.

Methods of payment

For the payment of Rezident services, we accept credit cards (Visa, Mastercard, Maestro), cash payments (RON), and bank transfers (for invoicing purposes, please present the bank-endorsed payment order upon check-in). Rezident apartments also accept holiday vouchers issued by Sodexo, Up Romania and Edenred (when payment is made using holiday vouchers, the reservation is confirmed only upon receipt and validation of the vouchers’ validity; please note that vouchers must not be punched, glued, folded or stapled and must have an intact barcode in order to be valid).

Except for contracts already concluded and reservations paid in advance, payment or card pre-authorisation is mandatory at the time of check-in.

The fiscal invoice is issued at the client’s request and no later than the date on which the reservation amount is collected. After this date, the issuance or amendment of the invoice is no longer possible, in accordance with legal provisions. Fiscal invoices for private individuals are issued only in the name of the reservation holder.

For reservations made through third-party platforms (e.g. Booking.com), the date of collection varies depending on the rate policy chosen by the guest.

Please note that the amount invoiced for reservations made through third-party platforms corresponds to the amount actually received by the service provider, which may differ from the amount paid by the beneficiary to the platform.

Refunds may be made only in RON or EUR.

Gratuities and service charges

Gratuities for hotel staff are entirely at the discretion of the guests.

Smoking

Traditional smoking and the use of electronic cigarettes are not permitted within the Rezident premises, in accordance with applicable legislation in force.

Rezident has designated outdoor smoking areas (in the inner courtyard of the building) at the Rezident locations on Bulevardul Bălcescu no. 26 and on the balconies of the apartments in Eforie Nord, Apolonia complex. At Rezident Corbu, smoking is permitted in the outdoor courtyard and on terraces, while at Rezident Tomis Marina smoking is permitted on apartment balconies and in specially designated terrace areas.

Rezident offers exclusively non-smoking apartments; smoking inside the apartments is strictly prohibited. Failure to comply with these rules and smoking inside the apartment will result in a charge of RON 500, representing cleaning and sanitisation services.

Pets

The rules applicable to Rezident Bălcescu, Tomis Marina and Eminescu do not allow the accommodation of guests accompanied by animals or birds.

An exception applies to apartment no. 59 at Rezident Eforie Nord, which allows accommodation with pets, and to Rezident Corbu, where the entire property allows access and accommodation in all rooms for guests together with their pets.

Airport transfers

Rezident provides paid car transfer services, either shared or private. For further details and booking confirmation, please contact us at +40 723 385 089.

Parking

Parking is not available at the following properties: Rezident Eminescu, Rezident Bălcescu, Rezident Predeal.

At Rezident Eforie Nord and Rezident Tomis Marina, parking spaces are available only for a limited number of apartments. The parking serving Rezident Tomis Marina is public, located very close to the property in the Plaja Modern area, and is administered by the municipality.

The public parking regime in Zone 0 (Plaja Modern) is as follows:

• The first 30 minutes are free of charge;
• Off-season (1 September – 31 May): charging applies Monday to Friday, 08:00–20:00; parking is free on weekends and public holidays;
• Season (1 June – 31 August): charging applies daily, 08:00–24:00.

Payment may be made via the Constanța Parking application, by SMS to 7475, or at the parking meter. Please note that, as the parking is public, spaces cannot be reserved, and Rezident assumes no responsibility for any damage to parked or passing vehicles.

At Rezident Corbu, parking is available for guests.

Safety of personal belongings

Rezident is equipped with certified electronic systems for monitoring access to rooms.
We assume no responsibility whatsoever for items forgotten, lost or allegedly stolen within the Rezident premises.

Special assistance

Our intention is to ensure the best possible conditions for persons with disabilities.

Most areas of the property are accessible, with no level differences within the apartments or corridors, and access to upper floors is provided by lift (with the exception of Rezident Predeal, where access to apartments is exclusively via stairs). Please note that at the entrance to certain locations there are steps and no access ramp (with the exception of Rezident Eforie Nord and Tomis Marina, where a ramp is available at the building entrance).

Rezident Corbu is located in a natural area with surroundings unaltered by human intervention; access is via an inclined unpaved road, the inner courtyard includes pathways alternating between gravel and wooden decking, and access to rooms and bathrooms involves level changes. Please take these less desirable aspects into consideration.

If you require any form of special assistance, please inform us in advance so that we may offer you the most pleasant stay possible.

Confidentiality of information

If you contact us by e-mail, fax or via websites, we reserve the right to process the data relating to you for direct marketing purposes.

We will never use your name or other personal information without first obtaining your consent. You will have the opportunity to inform us whether you wish to receive such information in the future.

Processing of personal data

In accordance with Regulation (EU) 2016/679 regarding the processing of personal data and the free movement of such data, HARAS S.R.L. (the company owning the registered trademark Rezident) and PARALIA MANAGEMENT S.R.L. are obliged to manage, in safe conditions and solely for determined, explicit and legitimate purposes, the personal data and representative images provided by individual clients.

HARAS S.R.L. and PARALIA MANAGEMENT S.R.L. process personal data for the purpose of providing accommodation services, for the following purposes:

• Room reservations and other tourist services; personal data processing is based on a legal obligation;
• Confirmation of reservations and card pre-authorisation, based on the legitimate interest of the company;
• Invoicing of tourist accommodation services, based on legal obligations;
• Communication with you for various purposes, such as obtaining feedback regarding our services, resolving complaints, or providing personalised services in a timely manner, electronically or by telephone, based on the legitimate interest of the company;
• Providing information by e-mail regarding special offers, events and/or other forms of advertising, based on consent;
• Providing information by e-mail or telephone regarding forgotten items, receipt of parcels or messages, based on legitimate interest.

Rezident clients provide the data requested by HARAS S.R.L./PARALIA MANAGEMENT S.R.L. for the purpose of initiating or carrying out legal relationships with the companies, in compliance with applicable legal provisions.

Refusal by individuals to provide such data results in the company’s inability to provide the requested services, making it impossible to comply with specific regulations in the hotel and fiscal fields.

Consent regarding the processing of personal data (telephone number, e-mail address) is granted voluntarily and may be withdrawn at any time, with future effect, by means of a free notification to HARAS S.R.L. The notification of withdrawal of consent may be made, for example, by e-mail to hello@rezident.ro . Please note that withdrawal of consent does not affect the lawfulness of data processing carried out prior to the withdrawal (the notification has no retroactive effect). Where consent is not granted or has been withdrawn, we will be unable to provide the requested services, and personal data will not be used for communication, marketing or feedback purposes by Haras S.R.L. in general, please do not hesitate to contact our Data Protection Officer at the following e-mail address: hello@rezident.ro .

If you have any questions regarding this consent statement or data protection in accordance with Regulation (EU) 2016/679, individuals benefit from the following rights: the right to receive information regarding the processing of personal data and a copy of the processed data, the right to intervene, the right to object, the right to rectification, the right to withdraw consent at any time, the right to request erasure of data, the right not to be subject to an individual decision, and the right to lodge a complaint with a supervisory authority.

For the exercise of these rights, you may contact our Data Protection Officer at any time at hello@rezident.ro , by means of a written, dated and signed request, indicating the data in respect of which the relevant right is requested.

For more information, please consult the Personal Data Protection Regulation available at hello@rezident.ro .

Haras S.R.L. is registered with the National Supervisory Authority for Personal Data Processing, General Register Number: 22447.
PARALIA MANAGEMENT S.R.L. is registered with the National Supervisory Authority for Personal Data Processing, General Register Number: 11636.

The personal data of Rezident clients are processed in good faith and in accordance with the applicable legal provisions. They are collected solely for specified, explicit and legitimate purposes, and any subsequent processing shall not be incompatible with those purposes.

Personal data are processed in compliance with the rights of the data subject. Individuals whose data are processed have the right to obtain from Haras S.R.L./PARALIA MANAGEMENT S.R.L., upon request and free of charge, the rectification, updating, blocking or erasure thereof, insofar as the processing is not in compliance with Regulation (EU) 2016/679 or the data are incomplete or inaccurate.

The data subject has the right to object at any time, on justified and legitimate grounds, to the processing of data concerning them, subject to the exceptions provided by law. In the event of a justified objection, data processing may no longer concern the data in question. The data subject also has the right to object, at any time and free of charge, without any justification, to the processing of data concerning them for direct marketing purposes, in the name of the Operator or a third party, or to the disclosure of such data to third parties. For this purpose, the data subject shall submit a written, dated and signed request, and the measures taken by the Operator shall be communicated within 15 days from the date of the request.

Environmental protection policy

Environmental protection is a constant concern for us; therefore, we promote a responsible attitude in this regard.

The detergents used by our partners for washing and sterilising bed linen, towels, tablecloths and bathrobes are biodegradable, and reducing their use contributes to better conservation of the environment.

Towels are changed halfway through stays longer than 4 days. Bed linen is changed together with the intermediate cleaning service and is provided to guests staying more than 7 days, every 7 days of accommodation. Access to towel changes, linen changes and additional cleaning services may be requested at an extra cost, subject to availability.

Disputes and complaints

We reserve the right to charge our guests’ cards, irrespective of their consent, at least in the following cases:

• they have left the Rezident premises without paying for the services they have used;
• they have caused damage or destruction;
• they have taken items that do not belong to them and have not paid their value;
• they have failed to cancel the reservation within the specified deadline.

Any controversy, dispute or complaint that may arise as a result of the application of these Terms and Conditions shall be attempted to be resolved amicably. Where this is not possible, the matter shall fall under the jurisdiction of the courts.

Programme for the removal of undesirable guests

The guest must comply with Rezident standards and practices. The guest must respect quietness, as well as the rules of social coexistence and moral standards.

Furthermore, the Rezident guest must take care of the goods and property of Rezident made available for their use during the accommodation period.

Any breach of hotel practices or of moral and social coexistence rules entitles Rezident to immediately terminate the contract/accommodation, without any prior notice.

We reserve the right to refuse accommodation to guests who are intoxicated, impolite or disruptive, who by their conduct harm the image of Rezident or disturb other guests. The value of any destruction or damage to Rezident’s material goods shall be borne by those found at fault for causing such damage.

We reserve the right to evict from the Rezident premises guests displaying inappropriate conduct.

In view of the above, we reserve the right to select our clients.

We do not tolerate: uncivil or aggressive behaviour, obscene physical or verbal acts, inappropriate tone, insults, physical or sexual harassment, or any physical or psychological abuse of any person, whether a guest or any person within the Rezident premises.

Rezident management may cease providing services to those guests who do not comply with the Hotel Regulations.

Services offered

Guests accommodated in Rezident apartments benefit from a preferential offer of free and paid services. For paid services, further information may be obtained via the Rezident contact number (certain services are subject to limited availability).

Coffee: RON 15 / 4 capsules (capsules + sugar)
Water: RON 7 / bottle (1L)
Towels: RON 10 / person – one face towel and one body towel
Bed linen: RON 35 / double bed – sheet, 2 pillowcases, 2 duvet covers
Cleaning:

• RON 75 – one bedroom
• RON 100 – one bedroom + sofa (when the sofa is extended)
• RON 120 – two bedrooms
• RON 150 – two bedrooms + sofa (when the sofa is extended)

For Rezident Tomis Marina, late check-out fees apply as follows:

• between 11:00–13:00 – RON 100
• between 13:00–15:00 – 50% of the value of one night
• after 15:00 – the value of one night

Rezident also offers services such as tours, rent-a-car and massage through authorised partners. For offers relating to services provided by third parties, offers are updated on an ongoing basis and are available upon request via the Rezident contact number.

Final clauses

We consider that any guest, at the time of accessing any service offered by Rezident, has acknowledged the above Terms and Conditions and has tacitly accepted them.

Amendments to the Terms and Conditions

The Terms and Conditions may be amended at any time by Rezident, without prior notice.

Privacy Policy regarding the processing of personal data – HARAS S.R.L./PARALIA MANAGEMENT S.R.L.

Compliance with the right to protection of personal data, as well as the right to private life, is one of the missions fully and consciously assumed by the staff and management of REZIDENT – SC PARALIA MANAGEMENT S.R.L.

Hotel-managed apartments in Bucharest and Predeal are administered by HARAS S.R.L., with registered office in Eforie Sud, Ion Movilă Street no. 21, Constanța County, registered with the Trade Register under no. J13/4702/1994, unique registration code RO 6739127, acting as data controller.

Hotel-managed apartments in Eforie Nord, Eforie Sud, Corbu and Constanța are administered by SC PARALIA MANAGEMENT S.R.L., with registered office in Eforie Sud, N. Filipescu Street no. 26, Constanța County, registered with the Trade Register under no. J13/703/2017, unique registration code 37240215, acting as data controller.

Accordingly, we undertake all necessary steps to process your data personal data in accordance with the principles established by the applicable data protection legislation in Romania, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).

Terms of use of the online platform

By using the online booking and services platform made available by REZIDENT, you expressly accept and undertake to comply with the Terms and Conditions of use published on our website.

The Terms and Conditions, together with the booking or registration forms for the services offered, constitute the contractual agreement between REZIDENT (the Service Provider) and you (the Beneficiary), pursuant to which you acquire the right to temporarily use the account and the related services, subject to payment of the selected services.

We recommend that you read the Terms and Conditions carefully before using the platform. Failure to accept them results in the impossibility of purchasing and using the online hotel services offered.

REZIDENT reserves the right to update or amend the Terms and Conditions without prior notice. Continued use of the platform following such amendments constitutes your express agreement to the new terms.

Any breach of the Terms and Conditions may lead to the suspension or termination of access to the platform and the related services,

Definitions of key terms

For clarity, understanding the following terms is essential:

Personal Data: any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier (such as name, personal identification number, location data, online identifier) or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. In practice, examples of personal data include: first and last name, address, telephone number, e-mail address, identity document series and number, IP address, cookie identifiers, accommodation preferences, etc.

Processing: any operation or set of operations performed on personal data, whether or not by automated means. This includes, for example: collection, recording, organisation, storage, alteration, consultation, use, transmission, dissemination or otherwise making available, restriction, erasure or destruction of data. In practice, processing covers any action performed on personal data from the moment of collection until their deletion.

Data Subject: the natural person whose personal data are processed by the controller. In the context of REZIDENT’s activities, data subjects may include hotel clients (accommodated guests), persons making reservations or requesting offers, website visitors, newsletter subscribers, etc.
The data subject benefits from the rights and protection provided by the GDPR throughout the processing of their personal data.

Controller: the entity which determines the purposes and means of the processing of personal data. In this case, REZIDENT acts as controller, as it decides why and how the personal data collected from clients and users are processed. The controller is responsible for ensuring that all data processing is carried out in compliance with the GDPR.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For example, an IT service provider hosting the hotel’s database or an e-mail marketing platform used by the hotel acts as a processor, processing data only in accordance with the controller’s instructions and the contractual arrangements in place.

Supervisory Authority: an independent public authority which, pursuant to law, is responsible for monitoring the application of data protection legislation. In Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP) is the competent supervisory authority. Data subjects may lodge complaints with the ANSPDCP if they consider that their personal data rights have been infringed.

Categories of personal data collected

REZIDENT collects various categories of personal data, either directly from you or automatically through the use of our online services. We do not collect more data than is necessary in relation to the stated purposes. Below we detail the types of data collected.

3.1 Data collected automatically

When you access our website or interact with our online presence, certain data are collected automatically by our IT systems or through cookies and similar technologies:

IP address and online identifiers: the IP address from which you access the website, browser user-agent, unique device identifiers, cookie IDs, session IDs or mobile device IDs. These data are automatically collected by our servers and web analytics services in order to ensure website security and to generate usage statistics.

Cookie data: small files placed on your device (computer, tablet, phone) when you visit our website. These may record browsing preferences (e.g. selected language, services added to the booking basket, sections visited) and may collect information about how you use the website (time spent on pages, pages accessed, actions performed). Details regarding the specific types of cookies we use and their purposes are presented below in the Cookies Section.

Electronic location data: if you visit the website from a mobile device or have location services enabled, we may receive general information about your geographical area (based on IP or GPS, subject to your consent). These data may help us display appropriate content (e.g. the correct language version of the website or local offers).

Logs and usage data: our systems may record technical logs of actions performed on the website or applications (e.g. access times, errors encountered, forced exits). These data are used to monitor the performance of our online services and to detect and prevent potential security or operational issues.

Note: Automatically collected data (such as IP addresses and cookies) are not used for direct identification but may become personal data if associated with other information (for example, if an authenticated user is identified via a cookie). These technical data primarily help us ensure the proper functioning and security of our platforms.

3.2 Data collected directly from you

In our direct interactions with you, we collect only the data necessary for providing hotel services, processing reservations, ensuring effective communication, and fulfilling legal obligations. These data are provided directly by the data subject (for example, when completing a booking form, checking in at the hotel, or subscribing to the newsletter). The main categories include:

Identification data: first and last name, identity document series and number (ID card/passport), personal identification number (CNP) where legally required, citizenship. These data are necessary, for example, at check-in for completing the accommodation registration form in accordance with legal requirements (H.G. 237/2001) and for identity verification upon accommodation.

Contact data: telephone number, e-mail address, postal address (domicile/residence). We use these data to send reservation confirmations, contact you regarding requests or any changes (by phone/e-mail), and for invoicing purposes (address).

Data required for reservation and accommodation: details regarding the intended or completed stay – for example, arrival and departure dates, number of nights, number of persons (adults and children) included in the reservation, type of room or package requested, accommodation preferences (such as preferred floor, non-smoking room, etc.), and history of interaction with the hotel (whether you have stayed with us previously and any preferred rooms). This information helps us manage reservations efficiently and provide personalised services.

Payment and invoicing data: information required for payment processing and issuance of fiscal documents – for example, bank card details (if payment is made online via a secure payment platform), bank account details (for potential refunds), company name and tax identification number (if an invoice is requested in the name of a company), and invoicing history.

Note: REZIDENT does not directly store full bank card details; online payments are processed through certified partners (e.g. Netopia Payments, EuPlatesc) that ensure transaction security. We receive only payment confirmation and the data necessary for issuing invoices.

Data communicated through correspondence: the content of messages sent to us (via e-mail, website contact forms, social media messaging, or chatbot). These may include additional personal data voluntarily provided when requesting information (e.g. dietary preferences communicated for a reservation, estimated arrival time, special anniversary requests, etc.). We process such information solely in order to respond to requests and provide the requested service.

Marketing / optional data: first and last name, e-mail address or telephone number, provided, for example, when voluntarily subscribing to our newsletter, participating in contests, or completing feedback or opinion forms. These data are used, based on your consent, for communicating promotional offers, hotel news, holiday greetings, or satisfaction surveys. You may withdraw your consent at any time (for example, by unsubscribing from the newsletter).

Identity documents / copies of documents: in certain situations, we may take copies of identity documents or passports (for example, at check-in, where legislation requires registration of foreign nationals). Such copies are used exclusively to comply with legal requirements and are stored securely, with restricted access.

3.3 Sensitive data (Special categories)

As a rule, REZIDENT does not collect or process sensitive personal data (as defined by the GDPR – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health, sex life or sexual orientation), unless this is strictly necessary. We do not ordinarily request such information during reservation or accommodation.

However, there may be specific situations in which we process data considered sensitive, always subject to enhanced protection measures and, where applicable, the explicit consent of the data subject:

Health or mobility information: for example, if a guest informs us that they have reduced mobility or a particular disability and requests an adapted room (such as wheelchair access, adapted shower, lower floor, etc.), we will process this health-related information in order to provide appropriate conditions. Similarly, if food allergies or medical restrictions are communicated (for catering services), we will use these data strictly to protect the guest’s health.

Data relating to children/minors: in the context of family reservations, we may collect data about your minor children (name, age/date of birth) in order to calculate applicable rates (children may benefit from free accommodation or discounts depending on age) and to prepare appropriate services (e.g. extra bed, children’s menu). These data are provided by parents/guardians and are used solely for the purpose of providing the requested services. Processing of data relating to children under the age of 16 is carried out only with the consent of parents or legal representatives, in accordance with Article 8 GDPR.

Important: Any sensitive information communicated will be used exclusively for the purpose for which it was provided, in strict compliance with confidentiality requirements. REZIDENT applies enhanced security measures to such data (restricted access, encryption, anonymisation where possible) and will not disclose them to third parties unless this is necessary for service provision (e.g. informing a restaurant of an allergy, with your consent) or where legally required.

4. Purposes and legal bases for the processing of personal data

REZIDENT collects and uses your data solely for legitimate, explicit purposes appropriate to our hotel operations. In this section, we detail the purposes of processing and provide concrete examples, together with the legal basis for each processing activity under the GDPR.

We ensure that each purpose is supported by a valid legal basis (such as performance of a contract, legal obligation, consent, or legitimate interest). We will not use your data for purposes incompatible with those set out below; where new purposes arise, we will inform you and, where required, obtain your prior consent.

4.1 Making and managing reservations (Performance of a Contract)

Description: When you request an accommodation offer or make a reservation with REZIDENT (directly via the website, by telephone, by e-mail, or through travel agencies / online booking platforms), we process the personal data necessary to provide the requested information and to record the reservation.

Data processed: first and last name, contact details (telephone, e-mail), stay details (period, number of persons, requested room type), expressed preferences, and, where applicable, notes indicating prior stays. Where reservations are made through third-party platforms (e.g. Booking.com, travel agencies), we receive these data from the relevant partners, as already provided by you in their systems, in order to honour the reservation.

Specific purposes:

• Providing information and personalised offers: we use the data to send you a price and availability offer tailored to your request (e.g. based on number of guests, children’s ages, requested period).
• Confirmation and guarantee of the reservation: once you accept the offer, the data are used to issue a reservation confirmation, allocate the requested room in your name, and, where applicable, process advance payment or guarantees (via approved payment processors).

Legal basis: Processing of these data is based on the performance of a contract or steps taken at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR) provision of the data is necessary in order to enter into and perform the hotel services agreement (your reservation). If you do not provide us with this essential information, we will be unable to record or confirm the reservation. At the offer request stage (where no contract has yet been concluded), the collection and processing of data take place in the same pre-contractual context, at the request of the data subject to take steps with a view to concluding a contract (a potential reservation).

4.2 Accommodation and provision of hotel services (Contractual and legal purpose)

Description: At the time of accommodation (check-in) and throughout your stay, we process the data necessary to provide the requested services and to comply with our legal obligations regarding the registration of tourists.

Data processed: In addition to the data already provided at the reservation stage, at check-in you will be requested to provide: an identity document for verification and completion of the Arrival and Departure Notification Form (in accordance with Government Decision no. 237/2001, published in the Official Gazette no. 92/2001), citizenship details, date of birth, the guest’s signature, as well as the number of accompanying persons (including children). Furthermore, where advance payment has not been made, we will process data relating to payment for the stay (cash or card). During the stay, other operational data may also arise – e.g. special requests (cleaning times, room service), messages left at reception, notes regarding preferences (preferred pillow, room temperature, etc.).

Specific purposes:

• Guest registration and room allocation: we use identity document data to fulfil legally required accommodation formalities and to register you as a guest in our hotel management system (PMS). This allows us to provide you with access to the room (preparing the key/access card) and included facilities.
• Effective provision of the contracted services: we use the data to ensure everything agreed – from preparing the room according to your requirements, to providing catering services (if you have opted for breakfast, half board or all-inclusive), access to events or facilities (swimming pool, private beach), and responding to requests during the stay. Identification and room data may also be used to issue charges for additional services consumed (e.g. minibar, restaurant charges posted to the room) and to issue the final invoices at check-out.
• Compliance with legal record-keeping and reporting obligations: data completed in the accommodation registration form are, as required by law, reported to the competent authorities (e.g. may be made available to the police or other authorities upon a justified request). In addition, financial data relating to the stay (invoices, payments) are processed for mandatory accounting and fiscal records.
  

Legal basis:

• Performance of the hotel services agreement (Article 6(1)(b) GDPR): processing is necessary in order to accommodate you and provide the requested services (without these data, we could not, for example, grant you access to the room or provide included meals).
• Compliance with a legal obligation (Article 6(1)(c) GDPR): completing and storing the accommodation registration form, verifying identity, and transmitting data to the authorities are processing activities required by legislation specific to the hotel industry and population records. This category also includes accounting/fiscal obligations: retention of data in accounting and fiscal documents (invoices, receipts) for the period required by law. Such processing is mandatory; refusal to provide required data (e.g. refusal to present an identity document at check-in) may prevent service provision, as the hotel cannot legally accommodate you without this information.

4.3 Customer communication and support (Contractual purpose or legitimate interest)

Description: In order to ensure effective communication before, during and after your stay, we use the contact details of clients and of persons who have requested information from us. This includes communication prior to arrival, during the stay and after departure, in matters directly related to the services provided.

Data processed: first and last name, telephone number, e-mail address, the communication channel used (e.g. Facebook Messenger account if you interacted with our chatbot, WhatsApp account if you contact us there), as well as the history of prior communications with you.

Specific purposes:

• Pre-stay confirmations and information: for example, we send reservation confirmations, order confirmations or vouchers by e-mail; we may send instructions on how to reach the property, check-in/check-out times, parking policy, or ask about your estimated arrival time.
• Real-time support: during the stay, we may use your telephone number to contact you urgently if unforeseen situations arise (e.g. a technical issue in your room while you are away which we wish to remedy) or to respond promptly to your requests (if you message us via WhatsApp/Messenger regarding a reception request, we will use your account data to identify you and respond).
• Satisfaction follow-up and issue resolution: after departure, we may contact recent guests to thank them, request feedback (see section 4.5 below), or to provide support regarding forgotten items, required invoices, etc. Where you have submitted a complaint or a post-stay request, we will use your contact details to communicate the status of the resolution.

Legal basis:

• Performance of the contract: many communications (such as reservation confirmations, pre-arrival information, and support during the stay) form an integral part of the service provided and are based on the accommodation contract – we need to communicate with you to ensure the stay runs as expected.
• Legitimate interest of the controller: certain post-stay communications, such as satisfaction follow-up or resolving outstanding administrative matters, are carried out on the basis of our legitimate interest in improving our services and maintaining a positive relationship with clients. We ensure, however, that such communications do not prejudice your rights (for example, we will not misuse contact details to unnecessarily disturb you). You have the right to object to processing based on legitimate interest, under the conditions provided by law (see the section on Data Subject Rights).

4.4 Commercial offers, direct marketing and newsletter (Marketing purpose – consent or legitimate interest)

Description: We wish to keep you informed about REZIDENT offers and news, but only if you wish so. For this purpose, we process data in order to send commercial communications (newsletter by e-mail, SMS with special offers, personalised online advertisements) to customers or subscribers. We may also use your data for profiling at a general level, so as to send you the most relevant offers.

Data processed: first and last name, e-mail address, telephone number (depending on the agreed communication channel), preferred language, history of previous reservations and interactions with the hotel (for offer personalisation), and online browsing data collected through cookies (e.g. if you visited the offers section on our website, we may use a remarketing cookie to display our offer advertisements on other websites). Marketing processing takes place only with your prior consent or on the basis of an existing commercial relationship, in accordance with the law.

Specific purposes:

• Periodic newsletters: if you have voluntarily subscribed to our newsletter (e.g. by entering your e-mail address on the website subscription section or by completing an offer request form), we will occasionally send e-mails with hotel news, promotional packages, seasonal offers and special events. Each message will include an easy unsubscribe option.
• Personalised offers for existing customers: based on your stay history with us, we may make a special offer if you are a loyal customer. We do so on the basis that it is in our legitimate business interest to retain customers, while ensuring you have been provided with an opt-out option. If you have previously been our guest, you may receive such offers within the limits permitted by applicable legislation (Law 506/2004 and the GDPR allow communications to existing customers for similar products/services, with an easy right to object).
• Online promotional campaigns: we use marketing platforms (e.g. Facebook Ads, Google Ads) where hashed e-mail addresses may be uploaded or website visitor cookies may be identified, in order to create advertising audiences. As a result, persons who have interacted with our website or have a profile similar to our clients may see targeted adverts for the hotel (remarketing). These processes comply with the policies of the respective platforms and do not directly disclose your data to other users.

Legal basis:

Consent of the data subject (Article 6(1)(a) GDPR): this is the primary legal basis for sending marketing communications to individuals who are not yet clients or to any person who voluntarily subscribes to the newsletter. We will use your e-mail address or telephone number only after you have clearly expressed your option to receive such messages (for example, by ticking a consent box or confirming the subscription via e-mail). You may withdraw your consent at any time (by unsubscribing or submitting a direct request), and we will immediately cease such communications. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

Legitimate interest (Article 6(1)(f) GDPR): in certain limited cases, such as promoting similar services to our recent clients, we may rely on our commercial interest in building customer loyalty. We do so only after assessing that sending such offers does not adversely affect your rights and expectations—for example, messages will be infrequent and relevant, and we will always respect any objection expressed by you (the right to object to direct marketing).

4.5 Feedback, surveys and complaints handling (Service improvement purpose – legitimate interest or consent)

Description: Your opinion is important to us. After your stay or interactions with us, we may request feedback or invite you to complete satisfaction surveys. We also process data for the purpose of handling any complaints or subsequent requests from clients, in order to improve service quality.

Data processed: first and last name, e-mail address (or other contact details used in communication), impressions and comments you choose to provide, ratings awarded to our services, as well as data from the interaction history (the stay to which the feedback relates, the occupied room, persons in the group, any issues reported). If you post public reviews on external platforms (TripAdvisor, Google, Facebook), this is your choice; we will process such data only insofar as we respond to them or analyse them internally for improvement, in accordance with the terms of the respective platforms.

Complaints and post-stay requests handling: if you contact us subsequently with a complaint or request (e.g. disputing an extra charge, reporting a forgotten item, requesting proof of accommodation for visa purposes), we will use the data available to us (including data from the reservation system relating to your stay) to verify the situation and provide an official response. We may prepare internal reports regarding complaints, including details of the incident, client data and the resolution, for the purpose of preventing similar situations in the future and as records in the event of disputes.

Legal basis:

Legitimate interest of the hotel (Article 6(1)(f) GDPR): for satisfaction surveys addressed to recent clients and for feedback analysis, we consider that we have a legitimate interest in improving our services and maintaining a good relationship with guests. We will contact you in a non-intrusive manner (e.g. a single post-stay e-mail). You may refuse or ignore such surveys or object to processing for this purpose, in which case you will no longer be contacted.

Consent (where applicable): if we wish to publish a testimonial or your feedback for promotional purposes, we will request your prior consent. Likewise, if a person who has not been a client (i.e. has no contractual relationship with us) provides feedback, we will seek consent before using the data in any way (a rare situation). For processing sensitive data that may arise in a complaint (e.g. health-related information linked to an incident), we will apply, as applicable, the legal bases and safeguards provided by the GDPR (Article 9(2)).

4.6 Compliance with legal obligations and legitimate interests (Legal and administrative purposes)

Description: REZIDENT must comply with numerous legal obligations that involve processing personal data. In addition to the purposes set out above, we may process data where necessary for the establishment, exercise or defence of legal claims or for the protection of our legitimate interests (e.g. security of property and persons). In all cases, processing is limited to what is necessary and proportionate.

Examples and legal bases:

Financial and accounting records: we process and store data in invoices, receipts and cash registers in accordance with accounting legislation. For example, data included on fiscal invoices (name, address, personal identification number for individuals or company data) must be retained for 10 years under tax law, irrespective of the client’s request.
Legal basis: legal obligation (Article 6(1)(c) GDPR).

Reporting to public authorities: upon lawful request by authorities (police, tax authorities, health authorities, etc.), we may provide personal data from our systems. For instance, during investigations or inspections, we may be required to provide lists of guests accommodated during a certain period. We disclose such data only on the basis of a clear legal obligation or lawful request.
Legal basis: legal obligation or public interest (Article 6(1)(c) or (e) GDPR, as applicable).
In addition to the above, we do not use your data for automated decision-making or profiling that produces significant legal effects concerning you. Any automated processing (e.g. sending a birthday e-mail) involves human intervention or does not significantly affect your rights.

5. Legal bases for processing

As outlined above, REZIDENT relies on one or more legal bases for each personal data processing activity. Below we summarise the relevant legal bases provided by Article 6 GDPR and how we apply them:

• Performance of a contract or pre-contractual steps (Article 6(1)(b) GDPR): applicable where processing is necessary to provide the requested service. Examples: processing a reservation request, concluding and performing the accommodation contract, providing agreed hotel services. Most data you provide are processed to fulfil our obligations to you as a client. Without such processing, we could not properly deliver the services.
• Legal obligation (Article 6(1)(c) GDPR): where the law requires us to process certain data. Examples: requesting and storing identity data at check-in (required by population records regulations), retaining financial documents (required by accounting law), providing data upon request by competent authorities. In these cases, processing is mandatory, not optional—we strictly comply with applicable legal requirements.
• Consent (Article 6(1)(a) GDPR): used for voluntary processing where you have a choice whether to provide data and agree to their use for a specific purpose. Examples: newsletter subscription and receipt of promotional offers by e-mail, communication of special preferences or information (e.g. health status for dedicated services), use of certain analytics and marketing cookies on the website (which require consent). Where consent is the legal basis, you may withdraw it at any time, and we will cease future processing of the relevant data.
• Legitimate interest of the controller (Article 6(1)(f) GDPR): used where processing is necessary for REZIDENT’s legitimate interests (or those of a third party), provided that the interests or fundamental rights and freedoms of the data subject do not prevail. We rely on legitimate interest only after a careful assessment (the balancing test) demonstrating proportionality and minimal impact on privacy. Examples: ensuring on-premises security (CCTV), improving services based on customer feedback, retaining client contact data for moderate follow-up communications (such as loyalty discounts), preventing fraud or non-payment, and legal defence. In all such cases, you have the right to object; you may request that we cease processing if you believe it infringes your rights, and we will review the request diligently.
• Public interest / vital interest: ordinarily, our hotel does not process data on the basis of public interest or to protect vital interests. Such bases could apply only in exceptional situations (e.g. communicating a guest’s medical data to emergency services in the event of an accident—vital interest). These are rare cases and will be handled strictly in accordance with the law and specific circumstances.

Clarification: Whenever we rely on consent or legitimate interest, we will inform you clearly (e.g. in forms or at the time of data collection) and provide you with the ability to exercise your rights (withdrawal of consent, objection). Legal bases are documented internally, and upon request we can provide additional details regarding the legitimate interest assessment, where applicable.

6. Data Retention Period

We do not retain personal data for longer than is necessary for the purposes for which they were collected. Retention periods vary depending on the nature of the data and the applicable legal obligations or operational needs of the controller. Below we outline the main categories of data and the periods for which they are retained, after which they are securely deleted or anonymised:

Reservation data (individuals requesting offers who do not become clients):
If you have contacted us to request an offer or initiated a reservation but did not complete the accommodation (for example, you requested information but did not proceed, or the reservation was not finalised), we will retain your contact details and related communications for approximately 5 years. We consider this period useful in case you return with a new request or for analysing interest in our services. After 5 years, the data will be deleted, unless you have consented to continue receiving offers (e.g. by subscribing to the newsletter—in which case the marketing retention period applies).

Client data (individuals who have stayed / become clients):
Basic client information and reservation history are retained for up to 10 years from the last significant interaction. This extended period is justified by:
(i) Legal obligations – for example, accommodation registration forms and guest registers may be requested by authorities and must be retained for a number of years under tourism regulations;
(ii) Legitimate commercial interest – many clients return after several years, and retaining history helps us recognise preferences, offer loyalty benefits, and efficiently handle future requests.
Data are not stored statically: they are periodically updated, and if a client has had no interaction with us for 10 years, their data will be deleted or anonymised, except for data that must be retained longer by law (see below).

Financial and accounting data:
Any information contained in financial and accounting documents (accounting records, invoices, receipts, fiscal reports) is retained in accordance with fiscal legal obligations, currently 10 years from the end of the financial year in which the documents were issued. For example, an invoice issued in 2025 containing your name and address will be archived until no later than the end of 2035. After the statutory period, such documents are destroyed in accordance with internal procedures, unless the law provides otherwise.

Marketing data (newsletter and commercial offers):
These data are processed either until you unsubscribe/withdraw consent or, if no such action occurs, for 5 years from your last interaction with us. We consider that a person who has not opened or interacted with our messages for 5 years is likely no longer interested and will be removed from marketing lists (or reconfirmed, where appropriate). If you unsubscribe earlier, we will immediately stop communications and delete or anonymise your contact data from marketing databases.

Complaints and post-service correspondence:
Data related to a formal complaint or dispute are retained at least for the duration necessary to resolve it. After resolution, relevant documentation is archived for 3 years (the general limitation period for civil claims in Romania) or up to 5 years in certain cases, to preserve evidence should the matter later escalate legally. Where complaints involve financial/accounting aspects (e.g. refunds, invoice corrections), the 10-year accounting retention period also applies.

Anonymised or aggregated data:
After the above periods expire, certain personal data may be transformed into anonymised data (no longer identifying you) for internal statistical purposes (e.g. occupancy rates by year, percentage of returning clients). Such statistics contain no personal data and may be retained indefinitely, as individuals can no longer be identified.

In all cases, once the retention period expires or the processing purpose is fulfilled, we will securely delete, destroy or permanently anonymise personal data so that re-identification is no longer possible. Our internal procedures include periodic data reviews to ensure we do not retain unnecessary or outdated information. Additionally, if you request deletion in a specific context (e.g. exercising the right to be forgotten) and legal conditions are met, we will act promptly to erase the data—even if the standard retention period has not elapsed—while ensuring compliance with any mandatory legal retention obligations.

7. Data Recipients – disclosure and sharing with third parties

REZIDENT does not sell or disclose your personal data to third parties for independent marketing purposes. Data are shared only where necessary for service provision, compliance with legal obligations, or our legitimate interests, as outlined below. Any third party receiving data acts either as a processor (processing data strictly on our behalf and under our instructions) or as an independent controller (e.g. public authorities) with their own legal responsibilities. We ensure that all recipients provide an adequate level of data protection.

The main categories of third parties with whom we may share personal data include:

IT and hosting service providers:
We contract specialised companies to provide IT infrastructure (e.g. website and e-mail hosting, maintenance of reservation software—Property Management System (PMS), backup services). For example, we use hotel management software (such as Oracle Fidelio or a similar PMS) in which client identification data and reservation details are stored. This software may be hosted on secure servers, sometimes in the cloud, including outside Romania (see the section on International Data Transfers). IT providers act as processors and are contractually bound to confidentiality and to process data solely for purposes determined by us. Web hosting services may also log visits (including IP addresses) for security purposes; such logs may be accessed by technical teams where necessary (e.g. cyberattacks, error diagnostics).

Payment processors and financial services providers:
For online card payments, we work with secure platforms such as Netopia Payments (MobilPay) or EuPlătesc. When you enter card details on the reservation payment form, this information is transmitted directly to the payment processor, which secures it and returns to us only a token or payment confirmation. The payment processor acts as an independent controller regarding your financial data (with its own GDPR obligations). We store only the transaction reference and, where applicable, the last four digits of the card for records. For bank transfers, banking details are visible in our financial systems and to our bank. All such operations are protected by financial institutions’ legal confidentiality obligations.

Marketing and communication service providers:
For newsletters and automated communications, we use dedicated platforms such as Mailchimp, Monday or Revinate (a hotel CRM with e-mail marketing functions). These platforms store your e-mail address and, where applicable, name, solely to dispatch our communications according to subscription preferences. They act as processors with access limited to service provision. Some providers may be located in the USA (e.g. Mailchimp); we ensure lawful data transfers (see the International Transfers section). Each marketing communication includes an unsubscribe option, and marketing databases are securely managed.
We may also use chatbot or automated messaging services (e.g. ManyChat integrated with Facebook Messenger) to respond quickly to online enquiries; such services may process Facebook usernames and message content, acting as our processors.

Travel agencies and booking platforms:
If you made a reservation via a travel agency, tour operator or online booking platform (Booking.com, Expedia, etc.), these entities act as data controllers that initially collected your information. They transmit to us the data necessary to honour the reservation (name, contact details, stay details), which we process in accordance with this policy. We may also provide certain information back to the agency/platform regarding stay status (e.g. no-show, completed stay, penalties), as required under our contracts (e.g. for commission invoicing). Each platform has its own privacy policy accepted at booking; we recommend reviewing those policies as well.

Partners for additional services:
Depending on your requests, we may share data with third parties necessary to provide extra services. Such sharing occurs only with your implicit consent (derived from requesting the service), and we ensure partners are legally obliged to protect your data (including GDPR clauses in collaboration contracts).

Public Authorities

Where we are legally obliged to do so or where a duly justified request is made, we may disclose personal data to public authorities such as the Police, Gendarmerie, Public Prosecutor’s Office, courts of law, ANAF (Tax Authority), ANSPDCP (Data Protection Authority) or other supervisory bodies.

Examples: providing accommodation data of a specific individual upon a police request in connection with an investigation; transmitting guest registers at the request of authorities; statistical reports requested by the Ministry of Tourism (where applicable).

In all such cases, we will verify the legal basis of the request and will disclose strictly the data necessary to fulfil the requested purpose (data minimisation principle). These authorities act as independent data controllers in respect of the disclosed data and are subsequently responsible for their processing.

Professional advisers and legal assistance

In the event of audits, financial reviews or legal disputes, your data may be disclosed to our advisers (e.g. accounting/audit firms, the hotel’s legal counsel, debt recovery companies), insofar as necessary to obtain professional advice or representation. Such third parties are themselves subject to confidentiality obligations (either professional secrecy—e.g. lawyers—or confidentiality agreements—e.g. auditors). We will disclose only data strictly relevant to the matter for which advice is sought (for example, reservation details of a client disputing a transaction, in order to obtain legal advice).

Confidentiality commitments

With all partners and suppliers who process personal data on our behalf (processors), REZIDENT has entered into written agreements containing data protection clauses in accordance with Article 28 GDPR. These contracts impose, inter alia, obligations on the processor to process data solely for the specified purpose, to ensure adequate protection, to promptly notify any security incident, and to return or delete data upon completion of the service. We monitor compliance with these obligations and carefully select collaborators who meet GDPR standards.

We will not disclose your personal data to unauthorised third parties. In particular, we will never sell or transfer client lists, nor allow unjustified access to data by any partner beyond what is described above. Any additional data transfer outside the above situations will be carried out only after informing you and, where required, obtaining your consent.

8. International data transfers and appropriate safeguards

REZIDENT operates in Romania, and our primary data storage servers are, as far as possible, located within the European Economic Area (EEA). However, certain data may be transferred to or accessed by entities outside the EEA, for example when we use cloud services or technology providers based in the United States of America (e.g. e-mail marketing platforms, hotel CRM systems, web analytics services). The GDPR imposes strict conditions on such international data transfers to ensure that the level of data protection is maintained in the destination third country.

Situations involving international transfers

• Use of cloud/IT services with servers located outside the EU (e.g. storage of client data in cloud infrastructures located in the USA or another country);
• Transmission of data to marketing/automation platforms located in the USA (such as Mailchimp, ManyChat, Revinate, etc.);
• Communication via social networks or messaging applications (e.g. Facebook Messenger) involving storage of messages on international servers;
• Exceptional situations: transmission of tourist data to a non-EU tour operator where the reservation was made through that operator (rare cases, based on the contractual relationship with you).
  

Safeguards applied

In all such cases, we will not transfer personal data outside the EEA unless one or more of the following safeguards are implemented in accordance with Chapter V GDPR:

• Adequacy decisions: where data are transferred to a country for which the European Commission has adopted an adequacy decision (e.g. Canada, Switzerland, Japan, the United Kingdom), transfers are based on such decisions and data benefit from protection equivalent to that within the EU.
• Standard contractual clauses (SCCs): for partners in countries without an adequacy decision (e.g. the USA), we conclude Standard Contractual Clauses approved by the European Commission. These contractual provisions impose strict confidentiality and security obligations on recipients and grant enforceable rights to data subjects. SCCs are a primary compliance mechanism for international transfers.
• Additional security measures: where necessary, in addition to SCCs, we implement technical safeguards (strong encryption of data in transit and at rest, pseudonymisation) so that, even if data were intercepted or accessed unlawfully in the third country, they would be unintelligible without decryption keys held exclusively by us.
• Certification frameworks: where possible, we ensure that our US-based partners are subject to recognised legal frameworks. While the EU–US Privacy Shield was invalidated by the CJEU in 2020, reputable providers have since implemented the new EU–US Data Privacy Framework adopted in 2023 and/or hold recognised international security certifications (ISO 27001, SOC 2, etc.). Where applicable, we rely on adherence to these updated principles and certifications.
• Explicit consent or special derogations: in exceptional circumstances only, where none of the above safeguards can be applied, we may rely on limited GDPR derogations, such as the data subject’s explicit consent to the transfer, necessity for contract performance (e.g. booking at a partner hotel outside the EU at your request), or for the establishment, exercise or defence of legal claims. Such cases are rare and used only as a last resort.                                                                                                                                                                                                                          

 Examples of external providers and locations

• FIDELIO – Property Management System (PMS) used for hotel management, storing identification data of all clients (individuals, companies, agencies or tour operators) requesting offers and/or reservations. Hosted in London. Further details are available at Home – Fidelio (fideliopartners.com); the privacy policy is available on the official website.
• REVINATE.COM – platform interfaced with Fidelio, storing client data and used for periodic notifications and informational e-mails. Headquartered in the United States. More information is available at Software | Revinate, and its privacy policy is available on the official website.
• Mailchimp.com – marketing automation and e-mail marketing platform, primarily hosted in the USA (Atlanta). Further details are available on the official website.
• ManyChat – software application automating conversations and interactions via platforms such as Facebook Messenger (chatbot), hosted in the United States. Detailed information is available on the official website.
• Monday.com – CRM platform with integrations from ManyChat and automation features, hosted in the United States. Details are available on the official website.
• EuPlătesc – online transaction platform with secure payment links, hosted in Romania. More information is available at EuPlătesc – plăți online, and its privacy policy is available on the EuPlătesc website.
• While(1)voice (Romania) – telephone call management service, with data stored in the Netherlands. Further information is available at While1 Software (Global); privacy policy details are available on the official website.
• Integromat (Czech Republic) – application integration platform connecting ManyChat and Monday.com (similar to Zapier). Originates from the United States. Further details are available on the official website.
• Mailtrack.io – e-mail tracking service for Gmail. Privacy information is available at Mailtrack Privacy Policy.
• ClickFunnels.com – marketing platform used for promotional activities. Details are available at ClickFunnels™ – Marketing Funnels Made Easy, and the privacy notice can be accessed under Privacy Policy Notice – ClickFunnels.
• Google Accounts (Gmail, Drive, Calendar, etc.) – hosted in the United States and the European Union, used for internal communication and document storage. Google previously relied on Privacy Shield certification and currently applies GDPR-compliant standards for international data transfers through Standard Contractual Clauses (SCCs).
• Instagram and Facebook – platforms owned by Meta Platforms, Inc., hosted in the United States, used for public communications, promotion and administration of commercial campaigns. Meta implements GDPR-compliant measures, including SCCs for transfers of data outside the EU.
• TikTok – social platform operated by TikTok Ltd., used for the promotion of services. TikTok states that it aligns with GDPR requirements, and data may be transferred outside the EU under standard data protection clauses.
• WhatsApp Business – application operated by Meta Platforms, used for direct communication with clients. Data transfers are carried out in compliance with the GDPR using SCCs and technical protection measures.
• Brise CRM – local or cloud-hosted application used for customer relationship management. Data processing is carried out within the EU, in accordance with the GDPR.
• Webflow – US-hosted web development platform used for managing content on the official website. Webflow applies Standard Contractual Clauses for transfers of data outside the EU, in line with the GDPR.
• SendSMS – platform for sending commercial messages, used for notifications and information campaigns. Data are processed in secure environments, and any international transfer is carried out in accordance with GDPR requirements.
• Aidoo Analyser – application used to analyse equipment performance and energy consumption; data are processed locally or within GDPR-compliant cloud infrastructures.
• Maintenance application – digital system used to manage technical and operational requests. Collected data are stored locally or on EU-based servers, in accordance with European data protection standards.
• Leadpages.net – landing page creation. No personal data are stored.
• Elementor – landing page and website creation. No personal data are stored.
• WordPress – WordPress.com website and blog platform (Automattic). Privacy policy applies.
• Platphorma – accounting software; further information is available at Acasa | Platphorma SQL.
• Express soft – used for stock management, networks and product entry; further information is available at Soluții software și sisteme POS – Expressoft.

We reiterate that data security is a priority for us, including where data cross borders. We monitor legislative developments (e.g. CJEU decisions on transfers) and supervisory authority recommendations to continuously adapt our practices to the latest requirements.

9. Technical and organisational data security measures

REZIDENT implements a range of technical and organisational security measures to protect personal data against loss, theft, unauthorised access, disclosure, alteration or destruction. In particular, we have adopted at least the following measures and internal policies:

Network and IT systems security: Customer electronic data are stored in systems protected by strong passwords and restricted access. We use up-to-date firewall and antivirus/anti-malware solutions to prevent unauthorised access and cyberattacks. Access to databases is permitted only via the secured internal network or via encrypted remote connections (VPN), by authorised personnel. Any suspicious or failed access attempts are logged and investigated.

Encryption and pseudonymisation: Transmission of sensitive data over the internet (for example, when you complete a reservation form or submit payment data) is encrypted using HTTPS/TLS protocols. Information is thus encoded in transit, preventing interception. For certain stored data, we apply database-level encryption (e.g. passwords, authentication tokens, card details where applicable—although we avoid storing them). Where possible, we also use pseudonymisation—for example, in marketing analyses we may use unique identifiers instead of real names so that individuals are not directly identifiable.

Access control and staff training: Access to clients’ personal data is granted only to employees who need such information to perform their duties (need-to-know principle). Reception staff have access to the reservation system, but not to marketing databases, which may be accessed only by the marketing department. Each employee has individual access credentials and receives periodic training regarding data confidentiality and the importance of data protection. We have implemented confidentiality clauses in employment contracts and internal policies, so employees processing data have a legal obligation to maintain secrecy. Any disciplinary breach in this respect is sanctioned.

Back-ups and disaster recovery: We perform periodic backups of important data, stored securely (encrypted), and we test data recovery procedures so that information can be restored rapidly in the event of incidents (e.g. hardware failures, ransomware). This ensures data integrity and availability even in unforeseen situations. Backups are subject to the same restricted access policies.

Audit and monitoring: We carry out periodic checks of our systems to detect security vulnerabilities. We use access and audit logs to monitor who accesses sensitive data and when. Periodically, we may engage external experts for security audits (network penetration testing, server configuration reviews, etc.) to ensure measures remain current and effective.

Physical security measures: Offices and rooms where physical documents or servers are stored are locked and accessible only to authorised personnel. We use alarm systems and video surveillance in sensitive areas (without affecting private areas) to deter unauthorised access. Paper documents containing personal data (e.g. accommodation registration forms, printed reports) are kept in secure cabinets with restricted access, and are confidentially destroyed (shredded) once no longer needed.

Data minimisation: We have an internal procedure to collect only strictly necessary data for each purpose (data minimisation principle) and to delete data once no longer required. This reduces the risk of unnecessary exposure. For example, if a client changes their address or e-mail, we update the system and delete the old information if no longer relevant; or, as noted, if someone does not become a client, we delete their data after a limited period.

Incident response plan: While we hope it never occurs, we maintain an internal incident response plan. This sets out the steps to be followed in the event of a data breach: rapid identification of the incident, isolation of the issue, impact assessment, remediation, timely notification of affected individuals and authorities (where applicable), and measures to prevent recurrence. Staff are trained to immediately report any suspected incident to management/DPO for assessment.

Through these measures (and other confidential measures not detailed publicly for security reasons), we strive to ensure that your data are safe within our infrastructure and processes. However, no system is 100% invulnerable; we nonetheless ensure a level of protection aligned with industry standards and legal requirements. We continuously monitor new technologies and improve security as emerging risks arise. If you have specific questions regarding data security at REZIDENT, you may contact us at any time for further clarification.

10. Cookies and similar technologies

The REZIDENT website uses cookies and similar technologies (such as tracking pixels and social media plugins) to provide users with the best possible experience and to help us understand how the website is used. This section explains what cookies are, what types we use, for what purposes, and how you can manage your preferences.

10.1 What are cookies?

Cookies are small files made up of letters and numbers that our website may store in your browser or on your device (computer, mobile phone, tablet) when you visit us. A cookie is installed via a request issued by our server to your browser (e.g. Internet Explorer, Chrome, Firefox) and is completely “passive”—it does not contain software programs, viruses or spyware and cannot access information on the user’s hard drive. Cookies enable the website to recognise the user’s device on a subsequent visit by retaining certain actions or preferences from previous sessions.

In addition to cookies, the website may use similar technologies:

• Tracking pixels / pixel tags: small code fragments placed on a web page or in e-mails which, when triggered, transmit certain information (e.g. that a user viewed certain content). Pixels are often used with cookies to monitor browser activity on a website (e.g. a Facebook pixel helps measure visitors who later see ads on Facebook).
• Local Storage and device identifiers: technologies enabling web applications to store data directly on the user’s device, similar to cookies but with greater capacity or different use methods (e.g. HTML5 local storage, which may retain offline preferences).

10.2 What types of cookies do we use and for what purposes

Cookies may be classified by duration and by source/function. Depending on lifespan, we use session cookies (deleted automatically when you close your browser) and persistent cookies (remain on your device after the browser is closed for a defined period or until deleted). By source, we use first-party cookies (set by rezident.ro) and third-party cookies (set by external services integrated into the website, e.g. Google, Facebook). By purpose/function, we use the following main categories:

Strictly necessary cookies: essential for proper website operation and cannot be disabled, as the website would not function without them. They are usually set only in response to actions made by you that amount to a service request, such as setting privacy preferences, logging in (if applicable), completing a form, or progressing through a reservation process. Examples: retaining the booking basket content during browsing, managing the authentication session for a client area. These cookies do not store personally identifying information and do not require consent (legally exempt as strictly technical).

Preference cookies (functionality): enable the website to remember your choices (such as preferred language, region, text size) and provide enhanced personalised features. For example, a cookie may remember that you closed the cookie policy notice so it does not reappear on every page, or store your language preference to display the website in that language on your next visit. Information collected may be anonymised and does not track browsing across other websites. Where such cookies are not strictly necessary, we will request consent for them.

Analytics and performance cookies: used to understand how visitors interact with the website to improve content and structure. We use analytics services such as Google Analytics. These cookies collect information such as: most visited pages, average visit duration, errors encountered, traffic sources. Data are aggregated and anonymised and do not identify individual users directly. We will request consent for these analytics cookies, as they are not strictly necessary, even if privacy impact is minimal. You may refuse them and the website will still function.

Marketing and advertising targeting cookies: may be set via our website by advertising partners or social networks. Their purpose is to build an interest profile and display relevant ads on other websites. For example, visiting our offers section may be recorded by a Facebook cookie and you may later see an ad on Facebook. These cookies uniquely identify your browser/device and may track browsing across multiple websites. Examples include Facebook Pixel and Google Ads/DoubleClick cookies. Data are pseudonymised (we do not see your name, only an internal platform ID) but still constitute protected personal data. We will load such cookies only if we have your explicit consent at first visit (via the cookie banner). Refusing these cookies does not reduce website functionality; it only means ads may be less personalised.

10.3 Cookie management and consent

On your first visit, a cookie banner will be displayed, offering the option to accept or refuse non-essential cookies (analytics and marketing). We encourage you to express your preference. If you continue browsing without interacting with the banner, this will be treated as implicit consent only for necessary cookies, with other cookies blocked by default, in line with privacy-by-default practices. You can change your options at any time by deleting cookies from your browser.

Browser settings: Most browsers allow you to control cookies via settings. You can block third-party cookies or all cookies, or delete them automatically on browser close. Note that blocking strictly necessary cookies may cause parts of the website not to function (e.g. inability to complete an online booking). More details can be found in your browser help section.

Google Analytics opt-out: If you do not wish to be tracked by Google Analytics on any website, Google provides a browser add-on (Google Analytics Opt-out Browser Add-on), which prevents execution of GA code on websites using it.

Opt-out from personalised advertising: Major advertising platforms (Google, Facebook) also provide control options. For example, you can adjust advertising preferences in your Google account (Ads Settings) or Facebook account (Ad Preferences) to limit targeting. In addition, the website www.youronlinechoices.com enables you to opt out at a general level from many behavioural advertising cookies.

REZIDENT respects your cookie preferences. You may revisit and review your initial choice at any time. If you have any questions regarding our use of cookies, you may contact us and we will clarify any concerns.

11. Rights of data subjects

Under the GDPR, as a data subject whose data we process, you benefit from a range of legal rights in relation to the protection of your personal data. REZIDENT fully respects these rights and undertakes to facilitate their exercise. Below we detail each right and how you can exercise it in practice:

Right of access: You have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed and, where that is the case, access to those data and information on how they are processed. In practice, you may request: a copy of the personal data we hold about you, as well as details of the processing purposes, the categories of data, the recipients to whom the data have been disclosed, the retention period, and the source of the data (if not provided directly by you). We will provide this information free of charge, in an intelligible format (generally electronically, unless you request otherwise). For additional copies or manifestly unfounded/excessive requests, we may charge a reasonable fee in accordance with the GDPR.

Right to rectification: You have the right to request that we correct or complete inaccurate or incomplete personal data we hold about you. For example, if you discover that your name is misspelt, your address has changed, or any other information is incorrect, please inform us and we will rectify it without undue delay. It is in our mutual interest that data remain accurate and up to date. You may also request that we add a supplementary statement to your record if you consider this necessary to clarify certain data.

Right to erasure (“right to be forgotten”): In certain situations, you have the right to obtain the erasure of your personal data. This right is not absolute, but it applies, for example, where: the data are no longer necessary for the purposes for which they were collected; you withdraw consent and there is no other legal basis for processing; you object to processing based on legitimate interests and there are no overriding legitimate grounds; processing was unlawful; or there is a legal obligation to erase. If you request erasure, we will assess the request against our obligations (e.g. we cannot delete data that the law requires us to retain for a certain period, such as accounting records). Where we cannot comply immediately for legal reasons, we will inform you and will erase what can be erased. We will also notify relevant third parties (processors) holding your data to erase them as well.

Right to restriction of processing: This right allows you, in certain cases, to request temporary suspension of processing (other than storage). You may obtain restriction where: you contest the accuracy of the data (for the period required to verify and rectify); processing is unlawful but you prefer restriction over erasure; we no longer need the data but you require them for the establishment, exercise or defence of legal claims; or you have objected to processing (legitimate interests) pending verification of whether our legitimate grounds override yours. During restriction, we will store the data but will not otherwise use them (except for storage and for the defence of our rights). If restriction is later lifted, we will inform you before resuming processing.

Right to data portability: You have the right to receive personal data that you have provided to us in a structured, commonly used and machine-readable format (e.g. CSV, XML, JSON) and to transmit those data to another controller, where our processing is based on your consent or on a contract and is carried out by automated means. This right enables you to “port” your data from one provider to another. Where technically feasible and at your request, we may transmit the data directly to another controller indicated by you (for example, if you wish another hotel to take over your client profile). Data portability does not automatically imply erasure of your data from our systems (this may be requested separately). Portability applies only to data provided by the data subject (not to our internal analyses or derived data).

Right to object: You may object at any time, on grounds relating to your particular situation, to processing based on our legitimate interests or carried out in the public interest. We will comply with the objection and cease the relevant processing unless we can demonstrate compelling legitimate grounds overriding your interests, rights and freedoms, or where processing is for the establishment, exercise or defence of legal claims.
Important: You have an absolute right to object at any time to processing of personal data for direct marketing purposes (including profiling related to marketing). If you inform us that you no longer wish us to use your data to send offers, we will comply unconditionally, regardless of the reason, and you will no longer receive such communications.

Right not to be subject to automated individual decision-making, including profiling: The GDPR protects you against decisions based solely on automated processing (without human intervention) that significantly affect you. REZIDENT does not take such automated decisions producing legal or similarly significant effects concerning you. Any profiling we may carry out (such as segmenting clients by preferences to send offers) does not produce legal effects and involves human oversight (the final decision to send an offer is calibrated by our marketing team). If we were ever to implement such automated decision-making processes, we would inform you and provide the option to request human intervention, express your point of view and contest the decision.

Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal takes effect only for the future—prior processing remains lawful. There are no negative consequences or costs for withdrawal; the only result is that we will no longer process the relevant data for the purpose for which consent was given. For example, you may withdraw consent for the newsletter and you will no longer receive marketing e-mails from us.

Right to lodge a complaint with a supervisory authority: If you consider that we have infringed your data protection rights or that we process data unlawfully, you have the right to lodge a complaint with the Romanian supervisory authority: the National Supervisory Authority for Personal Data Processing (ANSPDCP). ANSPDCP contact details: 28–30 General Gheorghe Magheru Boulevard, Bucharest, Romania; website: www.dataprotection.ro; e-mail: anspdcp@dataprotection.ro ; tel: +40 318 059 211. The authority will inform you of the progress and outcome of your complaint. Regardless of a complaint to the authority, you also have the right to bring proceedings before the competent courts to defend your rights.

How to exercise your rights

To exercise any of the rights above (except the complaint to the authority), you may contact us at any time by submitting a request:

• By e-mail: hello@rezident.ro  (to the Data Protection Officer / DPO);
• By post: to our registered office address (as stated in Section 1), marked on the envelope: “For the attention of the Data Protection Officer – GDPR request”;
• In person: at the hotel reception, where your request will be forwarded to the responsible department.

Please specify clearly what your request concerns, what data or action you are requesting, and confirm your identity (to ensure we do not disclose data to anyone else). We will respond to requests as soon as possible and, in principle, within one month of receipt, as provided by the GDPR. In complex cases or where we receive a large number of requests, this period may be extended by up to two additional months; we will inform you of the extension and the reasons.

Exercising your rights is free of charge. Only where requests are manifestly unfounded or excessive (e.g. repetitive) we reserve the right, in accordance with the law, either to charge a reasonable administrative fee or to refuse the request; in such case we will justify our decision.

REZIDENT treats your rights with the utmost seriousness and ensures you can exercise them without discrimination or adverse treatment. We aim for your experience with us to be positive in terms of privacy as well as hospitality services.

12. Controller liability and data breach notification

REZIDENT assumes responsibility for the protection of personal data and adheres to the GDPR accountability principle (Article 5(2)). This means we not only implement security measures and privacy policies, but can also demonstrate compliance with the Regulation at any time. In the unfortunate event of a security incident affecting personal data (a “personal data breach”), we have procedures in place for prompt response:

Definition of a security incident: This may include accidental or unlawful loss, destruction, unauthorised alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Examples: a cyberattack extracting customer data; loss of a laptop containing unencrypted personal data; erroneous sending of an e-mail with data to the wrong recipient, etc.

Immediate actions in the event of an incident: We have an internal team (including the DPO and technical staff) responsible for incident management. As soon as an incident is identified or reported, we will work to isolate and remedy the issue: for example, in a cyberattack we disconnect affected systems, change passwords, apply patches; in a human error (e.g. misdirected e-mail) we request deletion by the recipient and implement preventive measures for the future. We will also assess the impact—what data types were affected, how many individuals, and what consequences may arise for data subjects (identity theft, inconvenience, material damage, reputational harm, etc.). This assessment helps determine next steps.

Notification of data subjects: Under Article 34 GDPR, where a personal data breach is likely to result in a high risk to your rights and freedoms (e.g. leakage of financial data or authentication data exposing you to fraud), we will inform you directly and without undue delay. We will communicate in clear language the nature of the breach, the affected data, the likely consequences, and recommended protective measures (e.g. password changes, vigilance against phishing). Where we have implemented effective protective measures (e.g. strong encryption rendering data unintelligible) or have promptly mitigated the risk such that it is no longer likely to materialise, direct notification to data subjects may not be required; such decisions will be taken in accordance with the law and, where applicable, in consultation with the supervisory authority.

Consequences and remediation: After immediate containment, we will analyse the root cause and implement preventive measures for the future: enhanced technical security, additional staff training, procedural changes, etc., to minimise the likelihood of recurrence. We assume full responsibility for any negligence on our part and will cooperate with authorities during any investigation. Where a failure to comply with legal obligations is identified, we may be subject to sanctions by ANSPDCP (under GDPR, fines may reach up to EUR 10 or 20 million, or a percentage of turnover, depending on severity).

Liability towards clients: To the extent that a security incident causes you direct damage and this resulted from our negligence in protecting data, we express our sincere regret and will consider appropriate compensation where legally and factually justified. Our primary objective remains prevention through maximum diligence.

By being transparent on these matters, we aim to assure you that we treat data security seriously and accept the responsibilities associated with our role as controller. To date, REZIDENT has not recorded major security incidents and we will do everything possible to maintain this record.

13. Processing of minors data (Under 18)

REZIDENT services (accommodation, leisure, events) are primarily intended for adults (over 18) and their families. In principle, we do not collect or process minors’ personal data without the consent of parents or legal representatives. However, minors’ data may enter our systems in certain cases; this section clarifies how we treat them:

Reservations and stays involving minors: Where you stay with your children, we will process minors’ data only to the extent necessary to provide services to the family. For example, at reservation or check-in we may record the child’s first name and age (to apply child tariffs, confirm eligibility, arrange extra beds, etc.). Such data are provided by parents/guardians on behalf of the child. We consider that, where a parent provides a minor’s data to us, they implicitly consent to processing for accommodation and related services. We will not request information directly from the child, nor process unnecessary data (we will not request a personal identification number for children under 14, for example, although for 14–17-year-olds it may appear in an identity document presented at reception). All confidentiality rules in this policy also apply to minors’ data, and parents may exercise GDPR rights on behalf of their children.

Marketing to minors: REZIDENT does not target or send direct marketing communications to minors. Newsletters, offers and promotional materials are intended for adults (clients or subscribers aged at least 18). We do not encourage minors to subscribe, and if we discover that an e-mail address belongs to a person under 18, we will remove it from our database. Our website does not contain content inappropriate for minors, but it is not specifically designed for children. We recommend that parents supervise children’s internet use and communications with service providers.

Consent for information society services (Article 8 GDPR): The GDPR provides that processing of personal data of children under 16 in relation to information society services (such as online services) is lawful only where the child is at least 16 or where consent is given/authorised by the parent or guardian. Accordingly, we do not knowingly collect data from children under 16 without verifiable parental consent. For example, we will not accept newsletter subscriptions from a person identified as under 16 without parental approval, and we will not enter into online transactions directly with minors.

Deletion of minors’ data: If, by mistake or without knowledge, we have collected data about a child under 16 without parental consent, the parent/guardian should contact us immediately. We will act promptly to delete such data from our systems. Likewise, where a parent/guardian requests access to, rectification or erasure of their child’s data (e.g. to check what information was recorded during a stay), we will process the request under the same conditions as for the parent’s own data, while verifying the identity and capacity of the requester.

Conclusion: We want parents to have confidence that children’s data are protected. We encourage legal guardians to supervise how minors use our services and provide data to the hotel. REZIDENT will always handle minors’ data with heightened care and in compliance with the law, prioritising the child’s best interests and safety.

14. Amendment and update of the Privacy Policy

Acceptance of this Privacy Policy and of the Terms and Conditions is deemed to constitute a contract between the Beneficiary and REZIDENT regarding the provision of hotel services and use of our online platform.

REZIDENT reserves the right to send administrative notifications, updates or promotional materials to the e-mail address provided by the Beneficiary, insofar as such communications are necessary for the proper performance of services or may present a justified interest for the Beneficiary.

We reserve the right to amend or update this Policy and commercial terms without prior notice. The latest version will be permanently available on our official website, indicating the date of the last update.

If you encounter any issues regarding platform functionality or the exercise of your data protection rights, you may contact us using the contact details displayed on our website.

This Privacy Policy is governed by the applicable laws of Romania and European rules on personal data protection (GDPR). For any matters not expressly provided for, the applicable legal provisions will apply.

If you have any questions, concerns or require any clarification regarding the content of this Policy or how REZIDENT processes your personal data, please contact us using the information in Section 1.

We are available to provide any additional information you may need and we wish you to have full confidence in our commitment to data protection.

Thank you for reading this Policy and for the trust you place in our services.

Last update of this Policy: December 2025.