Privacy Policy
of the website www.stativa.eu
This Privacy Policy sets out the principles for processing personal data of Users of the website available at www.stativa.eu (hereinafter referred to as the “Website”). This document has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and the applicable Polish personal data protection regulations.
§ 1. Data Controller
The Data Controller is Valery Astrynski Stativa, a sole proprietorship registered at ul. Piaskowa 54, 83-330 Skrzeszewo, Poland, VAT ID (NIP): 5842867222, REGON: 541494820 (hereinafter referred to as the “Controller”).
Correspondence address:
ul. Piaskowa 54A, 83-330 Skrzeszewo Żukowskie, Poland.
Contact person regarding personal data protection:
Piotr Pishchaka
e-mail: office@stativa.eu
The Controller has not appointed a Data Protection Officer (DPO), as there is no legal obligation to do so. Any questions, requests or claims regarding the processing of personal data should be sent to the e-mail address above.
§ 2. Definitions
GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
Personal Data — any information relating to an identified or identifiable natural person.
User — a natural person using the Website or contacting the Controller.
Website — the website available at www.stativa.eu together with all subpages.
Processing — any operation or set of operations performed on personal data (collection, storage, modification, sharing, deletion, etc.).
§ 3. Purposes, Legal Bases and Retention Periods of Data Processing
The Controller processes personal data for the following purposes:
3.1. Handling inquiries sent via contact form or e-mail
Scope of data: name, e-mail address, phone number (optional), message content.
Legal basis: Article 6(1)(b) GDPR — taking steps prior to entering into a contract at the request of the data subject, and Article 6(1)(f) GDPR — the legitimate interest of the Controller consisting in responding to inquiries.
Retention period: until correspondence is completed and the limitation period for potential claims expires, but no longer than 3 years from the last contact.
3.2. Conclusion and performance of booking agreements and accommodation services
Scope of data: full name, e-mail address, phone number, residential address, invoice details (including VAT ID if applicable), number of guests, stay dates.
Legal basis: Article 6(1)(b) GDPR — performance of a contract.
Retention period: for the duration of the contract and the limitation period for claims arising from the contract (generally 6 years under Polish Civil Code provisions).
3.3. Issuing and storing accounting documents
Scope of data: full name, address, VAT ID (if applicable), transaction details.
Legal basis: Article 6(1)(c) GDPR — compliance with legal obligations under accounting and tax regulations.
Retention period: 5 years counted from the end of the calendar year in which the tax payment deadline expired.
3.4. Direct marketing and sending information about new locations (newsletter / early access)
Scope of data: name, e-mail address.
Legal basis: Article 6(1)(a) GDPR — consent of the data subject.
Retention period: until consent is withdrawn or an objection is submitted.
3.5. Website analytics and traffic measurement
Scope of data: IP address, cookie identifiers, device and browser information, visit time, referring address.
Legal basis: Article 6(1)(a) GDPR — consent expressed through the cookie banner.
Retention period: according to the lifespan of cookies described in the Cookies Policy, up to a maximum of 26 months from the last visit.
3.6. Online marketing (Google Ads, remarketing)
Scope of data: cookie identifiers, device identifiers, behavioural data.
Legal basis: Article 6(1)(a) GDPR — consent.
Retention period: until consent is withdrawn, up to a maximum of 13 months.
3.7. Establishment, exercise and defence of legal claims
Scope of data: data resulting from contracts or inquiries.
Legal basis: Article 6(1)(f) GDPR — legitimate interest of the Controller.
Retention period: until limitation periods for claims expire.
§ 4. Voluntary Provision of Data
Providing personal data is voluntary, however in some cases necessary to achieve a specific purpose:
— to conclude a booking agreement — failure to provide data makes it impossible to conclude the agreement;
— to issue an invoice — failure to provide data makes it impossible to fulfil tax obligations;
— to receive newsletters — failure to provide data makes newsletter delivery impossible.
§ 5. Recipients of Personal Data
Users’ personal data may be shared with the following categories of recipients:
— Hosting and CMS provider — Wix.com Ltd. (Israel / EU), under a data processing agreement;
— Analytics and advertising service providers — Google Ireland Limited (Google Analytics, Google Ads), within the scope covered by consent;
— Payment operators — in the case of online payments (e.g. PayU, Przelewy24, Stripe);
— Booking platforms — Booking.com B.V., Airbnb Ireland UC, Lodgify Ltd.;
— Accounting office / accountant — for accounting and tax settlement purposes;
— IT, e-mail and communication service providers — e.g. Google Workspace, cloud infrastructure providers;
— Public authorities — where required by law.
§ 6. Transfer of Data Outside the European Economic Area (EEA)
Some recipients of data (including Google LLC, Meta Platforms Inc., Wix.com Ltd.) may process personal data outside the EEA, including in the United States.
Data transfers are carried out on the basis of:
— the European Commission adequacy decision under the EU-US Data Privacy Framework (DPF);
— Standard Contractual Clauses (SCC) approved by the European Commission pursuant to Article 46(2)(c) GDPR;
— appropriate technical and organisational safeguards.
Copies of the safeguards used may be obtained by contacting the Controller at office@stativa.eu.
§ 7. Rights of Data Subjects
Every person whose data is processed has the following rights:
— Right of access (Article 15 GDPR);
— Right to rectification (Article 16 GDPR);
— Right to erasure (“right to be forgotten”, Article 17 GDPR);
— Right to restriction of processing (Article 18 GDPR);
— Right to data portability (Article 20 GDPR);
— Right to object (Article 21 GDPR), including objection to direct marketing;
— Right to withdraw consent at any time (Article 7(3) GDPR);
— Right to lodge a complaint with the supervisory authority — in Poland, the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl.
Requests regarding the exercise of rights should be sent to: office@stativa.eu. The Controller responds without undue delay, no later than within one month of receiving the request.
§ 8. Profiling and Automated Decision-Making
The Controller does not make decisions based solely on automated processing that produce legal effects or similarly significantly affect Users.
Marketing profiling may occur within analytics and advertising tools (e.g. personalised ads), however it does not produce legal effects.
§ 9. Data Security
The Controller applies appropriate technical and organisational measures to ensure the security of personal data processing, including:
— SSL/TLS encrypted connections;
— limiting access to data exclusively to authorised persons;
— regular backups;
— data processing agreements with service providers;
— software updates and security incident monitoring.
§ 10. Cookies
Detailed rules regarding the use of cookies and other tracking technologies are described in a separate document — the “Cookies Policy” — which forms an integral part of this Privacy Policy.
§ 11. Changes to the Privacy Policy
The Controller reserves the right to introduce changes to this Privacy Policy. Changes become effective upon publication on the Website.
In the event of significant changes, registered Users or newsletter subscribers may be informed electronically.
§ 12. Contact
Any questions regarding this Privacy Policy should be sent to: office@stativa.eu
Last updated: May 2026.
