Hotels and Dreams OOD
Identification Number by the Law on VAT: BG205368289
Our main focus when working with personal data
LuckyFit processes your personal data in order to provide its guests with better, higher quality and more diverse services. In view of this, data security is important for the success of our business and for our public image as a first-class hotel. Therefore, we strive to protect your data by applying all appropriate technical and organizational means at our disposal to prevent unauthorized access, unauthorized or malicious use, loss or premature deletion of information.
How and why we use your personal information
To fulfill regulatory obligations and under contract
We collect and process your personal data and other personal data in order to fulfill obligations assigned to us under a normative act, such as the Tourism Act.
We collect and process your personal data and other personal data in order to fully provide the services you have requested and wish to use with us, as well as to fulfill our contractual obligations to you.
- PIN, names, gender, citizenship, permanent address
- Email, letters, information about your troubleshooting requests, complaints, requests, grievances;
- Other feedback we receive from you;
- videos that are made to improve security
- preferences for the services we provide;
- credit or debit card information, bank account number or other bank and payment information in connection with payments made to the hotel – when paying for a product or service in the reservation system on the hotel website, the User does not provide Tourist Management Ltd. with data from bank / credit cards. Payment by bank card is made through a Virtual POS terminal of the Bank, whereby the data from the bank card are entered directly into the secure platform of the bank. In this way the data from the bank card of the User are maximally protected and do not become available to Tourist Management EOOD. To prevent abuse when paying with your Visa or MasterCard, we apply the best practices recommended by international card organizations:
- Security when entering and transferring card data is provided by using SSL protocol to encrypt the connection between our server and the payment page of our servicing bank
- Your card is authenticated by entering a security code (CVV2)
- In addition, to identify you as a cardholder, the payment server for e-commerce of our servicing bank supports the authentication schemes of international card organizations – Verified by VISA and MasterCard SecureCode, in case you are registered to use them.
Other information such as:
- data provided through the hotel’s website;
- IP address when visiting our website;
- Demographics, household information when you agree to participate in our surveys, prize draws or other feedback you provide to us in connection with the services you use;
The processing is performed in order to:
- establishing the identity of the client upon check-in at the hotel;
- manage and execute your service requests;
- prepare and send an invoice for the services you use with us;
- to provide you with the comprehensive service you need, as well as to collect the amounts due for the services used;
- analysis of customer history and preparation of a user profile in order to determine a suitable offer for you;
- We research and analyze customer usage of our services, based on anonymous or personalized information, to identify key trends, improve our understanding of our customers' behavior, and work with third parties to develop new services for our customers;
- processing by the data processor at the conclusion of a contract, assignment, reporting, acceptance, payment;
With your consent
In some cases, we process your personal data only with your prior written consent. Consent is a separate basis for the processing of your personal data; the purpose of the processing is stated in it and is covered by the purposes listed in this policy. If you give us the relevant consent, then until its withdrawal:
- We prepare suitable proposals for programs and services offered by the hotel;
Consents granted may be withdrawn at any time. Withdrawal of consent will have an impact on the provision of the relevant services for the provision of the relevant programs.
We have a large portfolio of programs and services. When you give us consent to data processing, that consent applies to all programs and services you use.
To withdraw your consent you only need to use our site or just our contact information.
To whom we provide your personal information:
We process your identification data and other personal data in order to comply with obligations stipulated in a regulatory act, such as:
- providing information to the Consumer Protection Commission or third parties provided for in the Consumer Protection Act;
- providing information to the Commission for Personal Data Protection in connection with obligations provided for in the legislation on personal data protection – Personal Data Protection Act, Regulation (EU) 2016/679 of 27 April 2016, etc.;
- obligations provided for in the Accounting Act and the Tax and Social Security Procedure Code and other related regulations in connection with the maintenance of proper and lawful accounting;
- providing information to the court and third parties, in court proceedings, in accordance with the requirements of the procedural and substantive legal regulations applicable to the proceedings;
- Online payment verification.
How we protect your personal information
To ensure adequate data protection of the company and its customers, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and regulations on its implementation.
The company has appointed a Data Protection Officer to support the processes of protecting and securing your data.
For maximum security in the processing, transmission and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization and more.
When we delete your personal information
As a rule, we terminate the use of your personal data for contractual purposes after the termination of the contract, but we do not delete them before the expiration of one year from the termination of the contract or until the final settlement of all financial obligations and the expiration of statutory obligations for data storage, such as obligations under the Accounting Act for storage and processing of accounting data (5 years), expiration of the statute of limitations for filing claims (5 years) specified in the Obligations and Contracts Act, obligations for providing information to the court, competent state authorities, and other grounds provided for in the current legislation (5 years). Please note that we will not delete or anonymize your personal data if it is necessary for pending court or administrative proceedings, or proceedings pending before us.
Your data can also be anonymized. Anonymization is an alternative to deleting data. Upon anonymization, all personally identifiable items that allow your identification are permanently deleted. There are no legal obligations for anonymized data, as they do not constitute personal data.
Your rights regarding the processing of your personal data
Right to information:
You have the right to request:
- information on whether data relating to you are processed, information on the purposes of such processing, on the categories of data and on the recipients or categories of recipients to whom the data are disclosed;
- a message in an understandable form containing your personal data being processed, as well as any available information about their source;
- Information on the logic of any automated processing of personal data concerning you, at least in the case of automated solutions.
Right of correction:
In the event that we process incomplete or erroneous data, you have the right, at any time, to request that we:
- delete, correct or block your personal data, the processing of which does not meet the requirements of the law;
- notify third parties to whom your personal data have been disclosed of any deletion, rectification or blocking, except where this is not possible or involves excessive effort.
Right to delete / the right to be “forgotten”:
You have the right to request the deletion of the personal data we process at any time if:
- personal data is not necessary for the purposes for which it was collected and processed;
- you withdraw your consent and there is no other legal basis for processing them;
- Personal data has been processed illegally.
Right to object:
At any time you have the right to:
- object to the processing of your personal data if there is a legal basis for doing so; where the objection is justified, the personal data of the individual concerned may no longer be processed;
- object to the processing of your personal data for direct marketing purposes.
Right to restrict processing *:
You can request a restriction on the processing of your personal data if:
- you dispute the accuracy of the data, for the period in which we have to check its accuracy; or
- The processing of the data has no legal basis, but instead of deleting it, you want its limited processing; or
- we no longer need this data (for the specified purpose), but you need it to establish, exercise or defend legal claims; or
- You have objected to the processing of the data, pending verification that the administrator’s grounds are lawful.
Right to Data Portability *:
You can ask us to provide the personal data that you have entrusted to our care in an organized, orderly, structured, generally accepted electronic format if:
- we process the data according to the contract and based on the declaration of consent, which can be withdrawn or on a contractual obligation, and
- Processing is done automatically
Right to appeal:
In case you believe that we are violating the applicable regulations, please contact us to clarify the issue. Of course, you have the right to lodge a complaint with the Data Protection Commission. After 25 May 2018, you will also be able to lodge a complaint with a regulatory body within the EU.
Applications for access to information or for correction are submitted personally or by a person expressly authorized by you, through a notarized power of attorney. An application may also be submitted electronically, in accordance with the Electronic Document and Electronic Signature Act.
We will rule on your request within 14 days of its submission. If a longer term is objectively necessary in order to collect all the requested data, and this seriously complicates our activity, the term can be extended up to 30 days. With our decision we grant or deny access and / or the information requested by the applicant, but we always give reasons for our answer.
Updates and policy changes