Privacy Policy Hotel and Restaurant Aviator, Silesia Ring Complex

Content

I. General Information

II. Data Protection Officer

III. Purposes, Legal Bases, and Scope of Data Processing

IV. Data Retention Period

V. Recipients of Personal Data

VI. Data Transfers Outside the EEA

VII. Rights of Data Subjects

VIII. Cookies and Third-Party Technologies

IX. Final Provisions

I. General Information

The controller of your personal data is SILESIA RING Sp. z o.o. Sp. k., with its registered office at Lotnicza 5–7, 47-325 Kamień Śląski, entered into the Register of Entrepreneurs of the National Court Register under KRS no. 0000738530, NIP: 8942765250, REGON: 932930766. The Controller operates the Aviator Hotel and Restaurant within the Silesia Ring complex (hereinafter referred to as the "Controller" or the "Hotel").

This Privacy Policy sets out the principles for the processing of personal data of users of the website https://aviatorsilesiaring.pl (hereinafter referred to as the "Website") and of Hotel guests, in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).

II. Data Protection Officer

The Controller has appointed a Data Protection Officer (DPO). For matters related to the processing of personal data and exercising your rights, you may contact the DPO via email at: iod@silesiaring.pl.  

III. Purposes, Legal Bases, and Scope of Data Processing

The Controller processes only the personal data voluntarily provided by users in connection with the use of the Website or the Hotel’s services. Depending on the type of activity, data may be processed for the following purposes, scopes, and on the following legal grounds:

• Contact via contact form: The Website includes a contact form that allows you to submit inquiries. Data that may be processed includes your name, email address, phone number, and the content of your message. This data is processed to respond to your inquiry and to conduct further correspondence related to the Controller’s business operations. Providing this data is voluntary but necessary in order for us to contact you. The legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in responding to messages. If your inquiry is aimed at entering into a contract (e.g., booking a stay or service), the legal basis may also be taking steps prior to entering into a contract (Article 6(1)(b) GDPR).
• Room booking (HOTRES system): The Website offers the option to book hotel rooms online, which is handled by an external booking system – Hotres.pl. To complete a booking, you are required to provide personal data necessary for making the reservation, including: name, surname, email address, phone number, dates of stay, number of guests, and data necessary for invoicing (e.g., home or business address, VAT ID), as well as payment data for online payments. Providing this data is voluntary but required for completing a booking – without it, a reservation contract cannot be concluded. The data is processed for the purpose of entering into and performing a hotel service contract (booking and stay) – the legal basis is contract performance (Article 6(1)(b) GDPR). In addition, this data may be processed to fulfill legal obligations imposed on the Controller (e.g., tax and accounting obligations) – legal basis: compliance with a legal obligation (Article 6(1)(c) GDPR), and for the establishment, exercise, or defense of legal claims – legal basis: the Controller’s legitimate interest (Article 6(1)(f) GDPR).
• Data collected automatically while using the Website: When visiting our Website, certain data may be collected automatically by the IT system – e.g., IP address, browser type, operating system type, visit time, and subpages viewed. This data may be stored in server logs or via cookies (more information in Section VIII below). This data is not linked to specific individuals using the Website and is used to administer the site, ensure its security, and for statistical and analytical purposes. To the extent necessary for the functioning and security of the Website (e.g., log files, essential cookies), the legal basis for processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR) in maintaining and securing the Website. If data is collected for analytical or marketing purposes via third-party cookies (e.g., Google Analytics, Meta Pixel), the legal basis is the user’s consent (Article 6(1)(a) GDPR), provided through cookie settings (see Section VIII).
• Social media: The Website includes links (icons) to our social media profiles on Facebook and Instagram. Clicking such a link redirects you to an external platform (Facebook or Instagram) that is independent of the Controller and operates its own privacy policy. The Controller does not automatically transfer any personal data to these platforms – however, if you visit our profiles or share content from our Website, your data may be processed by the operators of those platforms in accordance with their own policies. We encourage you to review the privacy policies of Facebook and Instagram before using these links

The Controller does not process special categories of personal data (so-called sensitive data) via the Website. Personal data is also not used for automated decision-making that produces legal effects on the user (no profiling as defined by Article 22 GDPR) – with the exception of analytical or marketing activities described above (e.g., personalized ads on Facebook using cookies), which are conducted only with your explicit consent and do not result in legal effects.

IV. Data Retention Period

Your personal data will be retained no longer than necessary to fulfill the purposes for which it was collected, taking into account legal requirements and the applicable limitation periods for potential claims. Specifically:

• Data submitted via the contact form – will be stored for as long as necessary to respond to your inquiry and conduct any related correspondence. Once the exchange is complete, the data may be archived for up to 12 months for internal purposes (e.g., as evidence, in case of follow-up inquiries, or for defense against claims), unless the content of the correspondence requires continued processing (e.g., entering into a contract). If a claim is filed, the data may be stored until the expiration of the applicable limitation period.
• Data provided when booking a hotel stay – will be retained for the duration necessary to fulfill the booking and accommodation agreement. After your stay, basic transaction data will be stored for the period required by tax and accounting regulations (e.g., 5 years from the end of the tax year in which the invoice was issued). Data related to the reservation itself (e.g., stay details) may be retained for the duration of the civil law limitation period applicable to the agreement (typically 3 years, or up to 6 years for consumer-related claims). If a reservation was made but no agreement was finalized (e.g., cancellation prior to arrival), reservation data may be retained for up to 1 year from the cancellation date for administrative and business analysis purposes—unless you request its deletion earlier and applicable laws do not require further retention.
• Automatically collected technical and statistical data (logs, cookies) – server logs are retained for up to 2 years for security and service administration purposes. Cookies used for analytical and marketing purposes are stored according to their designated expiration periods (details in Section VIII); for example, Google Analytics cookies may remain on a user's device for up to 14 months or longer (depending on the settings), unless deleted sooner or consent is withdrawn. Data collected by third-party tools (e.g., Google, Meta) is stored by us only in aggregated form (statistics) for as long as needed for analysis. However, these third parties may retain data in accordance with their own privacy policies (we recommend reviewing Google and Meta’s privacy policies – see Section VIII).

After the specified retention periods expire, your personal data will be deleted or anonymized, unless legal regulations require further storage. For data processed based on consent, such data will be deleted or anonymized immediately after consent is withdrawn (unless another legal basis for continued processing applies, such as a legal obligation or a legitimate interest in retaining proof of prior consent).

V. Recipients of Personal Data

In the course of our business operations and service provision, your personal data may be disclosed or entrusted to the following categories of recipients:

• Authorized employees and associates of the Controller – only individuals authorized to process your data as part of their job duties have access (e.g., front desk staff handling reservations, administrative staff responding to contact form inquiries). All such individuals are bound by confidentiality obligations.
• Entities processing data on behalf of the Controller (processors): This particularly includes companies that provide IT services and tools. For example, online bookings are managed via the external system Hotres.pl, provided by HOTRES Sp. z o.o., located in Jelenia Góra (58-500), ul. Osiedle Robotnicze 10/4, KRS: 0000947675, which processes personal data on behalf of the Controller. Hotres implements appropriate technical and organizational safeguards (e.g., SSL encryption, secure servers). We also work with other IT service providers, such as hosting companies, IT system maintenance providers, website administrators, and online payment system providers (when reservations are paid electronically, payment data may be processed by an external payment operator, such as a bank or card processing company). All such processors operate under data processing agreements and are obligated to comply with GDPR and our instructions.
• Analytical and marketing service providers: We use tools provided by third parties as part of our website operations. These parties may receive certain information about users (mainly through cookies or similar technologies – see Section VIII). These include, among others, Google (Google Analytics and reCAPTCHA) and Meta Platforms (Facebook/Instagram via the Facebook Pixel). These entities may process data as independent controllers (e.g., for their own purposes such as service improvement or marketing) or as our processors, depending on the nature of the service. Please note:
  • Google Analytics is a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics collects information about your use of our website (e.g., pages visited, time spent on the site, approximate location, IP address – we use IP anonymization when available). This data is transferred to Google and used to generate aggregate reports on user activity. Under our data processing agreement with Google, the data is not used to identify individuals and serves only to provide us with statistics. However, Google may use the collected data for its own purposes (e.g., service improvement, benchmarking) in accordance with its privacy policy.
  • Meta (Facebook) Pixel is a tool provided by Meta Platforms Ireland Ltd. (4 Grand Canal Square, Dublin 2, Ireland), which allows us to measure the effectiveness of our Facebook/Instagram ads and deliver personalized ads to users on these platforms. The Facebook Pixel may collect data about your activity on our site (e.g., bookings, visited pages) and transmit it to Meta. If you have consented to marketing cookies, we may use this data to show you targeted hotel ads on Facebook that may be of interest. The data collected by the Pixel is processed by Meta in accordance with Facebook’s privacy policy and may be combined with other information Meta holds about you (e.g., from your profile, if you are logged in). Please note that we only receive statistical, anonymized reports from Meta, not personal data of individual users.
  • Google reCAPTCHA – we use Google reCAPTCHA (provided by Google Ireland Ltd.) on our forms to prevent spam and automated submissions. reCAPTCHA analyzes user behavior (e.g., mouse movements, IP address) to determine whether activity resembles that of a bot. The plugin may collect certain information about your device and software and transmit it to Google. This data is used solely to enhance spam protection and is processed in accordance with Google’s privacy policy. By using reCAPTCHA-protected forms, you consent to this verification. The mechanism may place necessary cookies on your device (e.g., in the google.com domain) – these are used only for security purposes, not for advertising.
• Public authorities and legally authorized recipients: In legally justified cases, we may be required to disclose your data to public authorities or other entities authorized under the law (e.g., police, prosecutors, courts, tax authorities, or data protection regulators) – but only within the limits of applicable regulations. Additionally, if necessary for the defense of our rights or the pursuit of claims, your data may be shared with entities assisting us in these matters (e.g., law firms, debt collection agencies). In such cases, the legal basis for disclosure will be the Controller’s legitimate interest or a legal obligation.

We assure you that your data will not be sold or disclosed to unauthorized third parties. Each data recipient processes your information only to the extent necessary for their role (e.g., the online reservation provider processes data solely to manage bookings, while a public authority will only receive your data when specifically required by law).

VI. Data Transfers Outside the EEA

As a rule, the Controller does not intend to transfer the collected personal data to third countries (outside the European Economic Area) or to international organizations, unless it is necessary and appropriate safeguards are in place. The servers used by the Controller (including those of the Hotres reservation system) are located within the territory of the EEA (European Economic Area) or in countries recognized as providing an adequate level of data protection.

However, please note that certain external tools used on the website may result in data being transferred to third countries. This applies in particular to services provided by international companies such as Google and Meta (Facebook). When using Google Analytics or Google reCAPTCHA, some information (e.g., IP address, cookie identifiers) may be transferred to Google LLC, based in the USA. Similarly, the use of Facebook Pixel may involve transferring data to Meta Platforms, Inc. in the USA.
Any such transfer is carried out based on appropriate legal mechanisms ensuring data protection, in accordance with Chapter V of the GDPR. Google and Meta apply Standard Contractual Clauses (SCCs) approved by the European Commission, which require data recipients in the U.S. to protect personal data at a level required under EU law. Additionally, the Controller has concluded data processing agreements with these providers (where they act as processors), obligating them to comply with GDPR in relation to user data from the EU.

If data is transferred outside the EEA, users have the right to obtain a copy of the safeguards in place – please contact the Controller or the Data Protection Officer (DPO) to request this. Please note that clicking on links to external services (e.g., Facebook, Instagram) will redirect you to those platforms – any further data processing will then occur outside the Controller’s control and may involve data transfers to third countries by those services (please refer to their respective privacy policies for more details).
The Controller makes every effort to protect users’ and customers’ personal data, regardless of where it is processed. If you do not consent to the possible transfer of your data to the USA in connection with Google Analytics or Facebook Pixel, please do not consent to analytical/marketing cookies in our cookie banner settings (or withdraw any previously given consent) – in such cases, these tools will not be activated.

VII. Rights of Data Subjects

In accordance with the GDPR, you have a number of rights related to the processing of your personal data by the Controller. You may exercise these rights by submitting a relevant request to the Controller or the Data Protection Officer (as indicated at the beginning of this Policy). These rights include:

• Right of access – You have the right to obtain confirmation as to whether we process your personal data, and if so, access to that data and information about, among other things, the purposes, scope, and methods of processing, the data recipients, and the planned retention period. Upon request, the Controller will provide a copy of the personal data being processed (the first copy is free of charge).
• Right to rectification – You have the right to request the immediate correction of any inaccurate personal data concerning you, or to have incomplete data completed (considering the purposes of processing).
• Right to erasure (“right to be forgotten”) – In cases provided for by law (Art. 17 GDPR), you have the right to request the deletion of your personal data. You may request erasure if, for example: (a) the data is no longer necessary for the purposes for which it was collected; (b) you have withdrawn your consent (if the processing was based on consent) and there is no other legal basis for processing; (c) you have successfully objected to the processing (see below); (d) the data was processed unlawfully; or (e) there is a legal obligation to delete the data. Note: this right may be limited if the data is needed to fulfill a legal obligation or to establish, pursue, or defend legal claims.
• Right to restrict processing – This means the right to request that we temporarily suspend the processing of your data (other than storage), in the following cases: if you contest the accuracy of the data (for the time needed to verify it); if the processing is unlawful but you oppose deletion and instead request restriction; if the Controller no longer needs the data, but you need it to establish, pursue, or defend claims; or if you have objected to processing – pending verification whether the Controller’s legitimate grounds override your objection.
• Right to data portability – To the extent your data is processed based on your consent (Art. 6(1)(a) GDPR) or a contract (Art. 6(1)(b) GDPR), and the processing is carried out by automated means – you have the right to receive your personal data, which you provided to us, in a structured, commonly used, machine-readable format (e.g., CSV, JSON, XML). You may transmit this data to another controller or request that we transfer it directly to another controller (where technically feasible). This right does not apply to non-automated data (e.g., paper records) or data processed on legal bases other than consent or contract.
• Right to object – You have the right to object, at any time, to the processing of your personal data based on the legitimate interests of the Controller (Art. 6(1)(f) GDPR), on grounds relating to your particular situation. In such cases, we must cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the grounds for establishing, exercising, or defending claims. However, if your data is processed for direct marketing purposes, including profiling (e.g., using data for targeted advertising), your objection is absolute – once submitted, we will stop processing your data for such purposes without being able to invoke any overriding grounds. In practice: you have the right to object, for example, to data processed automatically for analytics or marketing purposes – this can be done, among other ways, by changing your cookie settings (which we treat as a withdrawal of consent/objection to further processing) or by contacting us.
• Right to withdraw consent – If your data is being processed based on consent (Art. 6(1)(a) GDPR), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of prior processing (i.e., processing based on consent before it was withdrawn remains lawful). You can withdraw your consent in the same way it was given (e.g., through our cookie settings, by unchecking a consent box on a form, or by contacting us). For example, if you have consented to analytical or marketing cookies, you may withdraw your consent at any time by updating your cookie preferences on our website (via the “Customize” button on the cookie banner) or by deleting cookies from your browser. If you consented to the publication of a review, you may withdraw your consent by requesting that the published review be removed.
• Right to lodge a complaint with a supervisory authority – If you believe that your personal data is being processed in violation of data protection regulations, you have the right to file a complaint with the supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO), address: ul. Stawki 2, 00-193 Warsaw. However, we encourage you to contact the Controller or DPO first – we will do our best to clarify any concerns and resolve the matter amicably.

To exercise your rights, you can contact us by mail (to the Controller’s registered address) or by email (e.g., by writing to the DPO’s address). We will respond to your request without undue delay – no later than within one month. If the request is complex, this period may be extended by an additional two months (we will inform you of the extension and provide the reasons).
Exercising most rights is free of charge; fees may apply only in the case of excessive, repeated requests (as per Art. 12(5) GDPR).

Providing personal data in the cases described above (contact form, review, reservation) is always voluntary but may be necessary to use a particular functionality or service. Failure to provide the required data may prevent us from fulfilling the intended purpose (e.g., sending an inquiry, making a reservation, or publishing a review).

VIII. Cookies and Third-Party Technologies

Our website uses cookies and similar technologies to ensure the proper functioning of the Website, analyze traffic, and conduct marketing activities. Cookies are small text files saved on the user's device (e.g., computer, smartphone) while browsing websites. Cookies typically contain the domain name of their origin, the time they are stored on the device, and a unique identifier.

Our Website includes a cookie consent management mechanism that allows users to choose which categories of cookies they consent to (excluding essential cookies, which are required for the Website to function). Upon first visit, a cookie banner is displayed with information and options to accept all cookies, reject non-essential cookies, or customize preferences. Users can change their cookie settings at any time by using the "Customize" link/icon or a similar option available on the site (usually located at the bottom of the page).

Categories of Cookies Used on the Website:

• Essential Cookies – These are technical cookies necessary for the proper functioning of the Website and its available features. Without these cookies, the Website would not function correctly, and therefore, we do not require user consent for them. This category includes, for example:
  • Session cookies from our CMS system, such as the october_session file, which maintains the user's session (e.g., remembers cart contents or administrator login status, if applicable). These expire at the end of the session (when the browser is closed) or after a defined period of inactivity.
  • Consent management cookies, such as the oc-cookie-consent file (and related cookies), which store information about the user’s choices regarding cookie categories. This prevents the cookie banner from being displayed on every visit and allows the Website to remember your preferences. This cookie may be stored for an extended period (e.g., 1 year).
  • Hotres.pl cookies – If you use the online booking widget provided in our Website, which is operated by the external Hotres system, cookies from the hotres.pl domain may be used to support the booking process (e.g., the standard PHP session cookie PHPSESSID used to maintain continuity of the booking process). These are considered essential for the booking function and are used only for the duration of the booking session.
  • Security cookies, such as those from the Google reCAPTCHA service used in forms to distinguish users from bots. These cookies (e.g., NID or others set by Google domains) help prevent abuse and are necessary for form security.
• Analytical (Statistical) Cookies – These cookies collect information about how users interact with the Website, which subpages they visit, how long they stay, whether they encounter errors, etc. We use them to improve the performance of our site, understand user preferences, and generate viewership statistics. On our site, analytical cookies mainly come from Google Analytics. Examples include:
  • \_ga – A Google Analytics cookie used to distinguish unique users by assigning a randomly generated identifier. Storage period: 2 years.
  • \_gid – A Google Analytics cookie used to distinguish users (different ID); storage period: 24 hours.
  • \_gat – A Google Analytics cookie used to limit request rates (throttling); storage period: 1 minute.

The data collected by these cookies (e.g., IP address, device information, activity data) is transmitted to Google and processed to generate reports and statistics for the Data Controller. Please note that analytical cookies are activated only after you give your consent via the cookie banner. Users can block these cookies from the start or deactivate them later. Blocking analytical cookies does not affect the basic functions of the Website.

• Marketing (Advertising) Cookies – These cookies are used to track user activity both on and off the Website and to display personalized advertising content. On our site, this category primarily includes cookies related to the Facebook Pixel (Meta Pixel). These cookies collect data about your activity (e.g., completed bookings, viewed subpages) and link it to your Facebook/Instagram profile (if you have one and are logged in), allowing us to display targeted ads that match your interest in our services. Examples of marketing cookies include:
  • \_fbp – A Facebook Pixel cookie (set by our domain or facebook.com), used to identify the user's browser for ad delivery (e.g., retargeting); storage period: 3 months.
  • Facebook cookies set by the facebook.com or metrika.net domains related to the same function (may have various names, e.g., fr, etc.).

Google cookies may also be used for marketing purposes if we integrate our website with Google advertising services (e.g., Google Ads) in the future. Currently, however, we focus on Meta tools. Marketing cookies are only installed with your consent. Blocking them will prevent us from conducting personalized advertising campaigns targeting you, but this does not mean you will stop seeing ads altogether – you will receive general ads that are not based on your preferences.

Managing Cookies: During your first visit to the Website, we ask you to select your cookie preferences. You can change these settings at any time – for example, by clicking the "Preferences" or "Customize" button/link available in the footer of the page (if provided), and then adjusting and saving your preferences. Additionally, most web browsers by default allow automatic acceptance of cookies but also offer cookie management features. You can block cookies for all or selected sites, delete previously saved cookies, or set notifications when a cookie is being saved. However, please note that disabling all cookies (especially essential ones) may cause our Website (like many others) to malfunction. For information on managing cookie settings in specific browsers, please visit the respective browser’s support page.

Third-Party Technologies: In addition to cookies, our Website may use other tracking technologies from our partners – such as tracking pixels (invisible code snippets placed on the site that work similarly to cookies), device identifiers, or so-called Local Storage. These technologies serve the same purpose as the cookies described above (analytics, marketing) and, like cookies, are only used to the extent you have consented to.

The full list of cookies and similar technologies used on our site may change as the Website evolves or as we update our technology partners. We will update this policy accordingly to reflect such changes.

IX. Final Provisions

This Privacy Policy is reviewed on an ongoing basis and updated as necessary to reflect current data processing practices and applicable legal regulations. Any future changes to the Policy will be published on this page (at https://aviatorsilesiaring.pl, in the footer under “Privacy Policy”). We recommend regularly reviewing the Policy content, especially before using any new features of the Website.

For matters not covered by this Policy, the provisions of the GDPR and other relevant data protection laws applicable in the Republic of Poland shall apply.

If you have any questions or concerns regarding this Privacy Policy or data protection at our Hotel in general, we encourage you to contact the Data Controller or Data Protection Officer – we will be happy to provide additional information.

Effective Date: This Policy is effective as of May 1, 2025 (last update: May 1, 2025).