GDPR / Data Protection Policy

Your rights under GDPR

Last updated: 1.11.2025


1. Introduction

This GDPR and Data Protection Policy explains how Nivalis Resort & SPA ("we", "our", "us") complies with the European Union's General Data Protection Regulation (EU Regulation 2016/679 – "GDPR") and applicable local data protection laws.

We are committed to protecting the privacy, confidentiality, and security of all personal data we process.

2. Data Controller

The data controller responsible for the processing of your personal data is:

Company Name: NIVALIS RESORT S.R.L.
Registered Office: Cluj County, Cluj-Napoca City, SANATORIULUI Street, No 23
Registration Number / Tax ID: registration number J2025084037005, Tax ID 52825701.
Email: admin@nivalisresortandspa.com
Phone: +40 754 885 599

If applicable, our Data Protection Officer (DPO) can be reached at dataprotection@nivalisresortandspa.com.

3. Principles of Data Processing

We process personal data according to the following GDPR principles:

  • Lawfulness, fairness, and transparency – data is collected and processed fairly and openly.
  • Purpose limitation – data is used only for the purposes for which it was collected.
  • Data minimization – only the necessary data is collected and processed.
  • Accuracy – personal data is kept accurate and up to date.
  • Storage limitation – data is retained only for as long as necessary.
  • Integrity and confidentiality – data is protected by appropriate security measures.
  • Accountability – we take responsibility for compliance with GDPR obligations.

4. Categories of Data Collected

We may process the following types of personal data:

  • Identification and contact data (name, email, phone number, address, data from the ID card);
  • Booking details (dates, room type, preferences);
  • Payment information (processed securely via third-party providers);
  • Technical and browsing data (IP address, cookies, device information);
  • Marketing preferences and communication history.

5. Legal Basis for Processing

The processing of personal data by NIVALIS Resort & Spa is carried out in accordance with the provisions of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data ("GDPR"), based on the following legal grounds:

  • Performance of a contract – Art. 6(1)(b) GDPR
    Processing is necessary for the conclusion and performance of the accommodation contract and related services (reservation, check-in, payment, invoicing, etc.).
  • Compliance with a legal obligation – Art. 6(1)(c) GDPR
    The operator has a legal obligation to collect and report certain data to the competent authorities (e.g., completing the accommodation form in accordance with the requirements of the Romanian Police, keeping accounting documents, etc.).
  • Legitimate interest of the operator – Art. 6(1)(f) GDPR
    Processing may be necessary to protect property and personal safety (video surveillance in common areas), to defend rights in court, or to improve customer service.
  • Consent of the data subject – Art. 6(1)(a) GDPR
    In cases where processing is not required by law or necessary for the performance of a contract (e.g., sending promotional offers, newsletters, loyalty programs), it is based on the data subject's express consent, freely given, specific, and informed.

6. Data Retention

Personal data is stored for the duration necessary to achieve the purpose for which it was collected, as described in our Privacy Policy.

After the retention period, data will be securely deleted or anonymized.

7. Data Sharing and Transfers

Customers' personal data may only be disclosed to the extent necessary to fulfill the purposes for which it was collected and in accordance with applicable law.

The Operator may disclose the data to:

  • competent public authorities (e.g., Romanian Police, tax authorities), when required by law;
  • service providers (e.g., online booking platforms, IT services, payment processors) acting on behalf of the Operator and complying with GDPR requirements regarding data privacy and security;
  • legal, tax, or audit advisors, if necessary to protect the legitimate interests of the hotel.

Data will not be transferred to countries outside the European Economic Area (EEA) unless an adequate level of protection is ensured in accordance with European Union standards or if there are appropriate safeguards (such as standard contractual clauses approved by the European Commission).

8. Your Rights Under GDPR

As a data subject, you have the following rights:

Right to be informed – the data subject has the right to be informed, in a clear and transparent manner, about how their personal data is collected and used.

Right of access – the data subject has the right to obtain confirmation that their data is being processed and to receive a copy of it, as well as information about the purposes of processing, the recipients, and the storage period.

Right to rectification – the data subject may request the correction or completion of inaccurate or incomplete personal data.

Right to erasure ("right to be forgotten") – data may be erased at the request of the data subject if it is no longer necessary for the purposes for which it was collected or if the processing is based on withdrawn consent.

Right to restrict processing – in certain situations, the data subject may request the limitation of data processing (for example, during the verification of data accuracy or in case of an objection).

Right to data portability – the data subject may request the transfer of their personal data in a structured, commonly used, and machine-readable format, either to themselves or to another controller.

Right to object – the data subject may object at any time to the processing of their data for direct marketing purposes or based on the controller's legitimate interest.

Right not to be subject to automated decision-making – the data subject has the right not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects them.

Right to lodge a complaint – the data subject has the right to contact the National Supervisory Authority for Personal Data Processing (ANSPDCP) if they believe their rights have been violated.

To exercise your rights, please contact us at dataprotection@nivalisresortandspa.com.

9. Data Security

The operator implements and maintains appropriate technical and organizational measures, in accordance with applicable standards, to ensure the protection of personal data against unauthorized access, alteration, disclosure, or destruction. These measures are regularly evaluated and updated to maintain an appropriate level of security in accordance with the legal requirements in force, including Regulation (EU) 2016/679 (GDPR).

10. Processing of Personal Data of Children Under the Age of 16

NIVALIS Resort & Spa does not knowingly collect or process Personal Data from children under the age of 16. In the event that we become aware that Personal Data belonging to a child under 16 has been collected or received without verifiable parental consent, we will promptly take all necessary steps to delete such data from our systems.

If you believe that NIVALIS Resort & Spa may have collected or may be processing Personal Data of a child under the age of 16, please contact us immediately using the email address provided below.

11. Social Media Plug-ins

Pursuant to Article 6(1)(f) of the GDPR, and for the purpose of promoting our company, we use social media plug-ins from Facebook, Instagram, and TikTok. Such promotion constitutes a legitimate interest within the meaning of the GDPR. The responsibility for the data processing operations carried out via these advertising tools lies with the respective providers mentioned above.

We integrate these plug-ins using the so-called "double-click" method in order to protect visitors to our website. Once you activate these plug-ins, the respective providers' own privacy and data protection policies will apply.

Google Maps

Certain pages on this website use Google Maps to display interactive maps and to provide navigation guidance. This enables us to offer you maps directly on our website in a convenient and user-friendly manner. Google Maps is a mapping service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin D04 E5W5, Ireland. The use of Google Maps is based on our legitimate interest in providing an intuitive and functional map service and therefore falls within the scope of Article 6(1)(f) GDPR.

When you choose to load this embedded content, your browser establishes a direct connection to Google's servers. Google therefore receives information indicating that you have accessed the corresponding sub-page of our website. This occurs regardless of whether you are logged into a Google user account or whether such an account exists. If you are logged into Google, your information will be directly associated with your account. If you do not wish to be associated with your Google profile, you must log out before activating this feature.

Google stores your data as user profiles and processes them for advertising, market research, and/or the personalised design of its website. Such data processing takes place (including for users who are not logged in), in particular for the purpose of providing personalised advertising and to inform other Google network users of your activities on our website. You have the right to object to the creation of such user profiles; however, this right must be exercised directly with Google.

For further information regarding the purpose and scope of the data collection, the subsequent processing and use of your data by Google, as well as your corresponding rights and available settings to protect your privacy, please refer to Google's Privacy Policy.

12. Analytics Tools

The tracking measures described below are implemented pursuant to Article 6(1)(f) GDPR. Through the tracking tools we use, our aim is to ensure that our website is tailored to your needs and continuously optimized. In addition, we use these tools to compile statistical data on website usage and to evaluate such data for the purpose of improving our services. These interests are considered legitimate within the meaning of the aforementioned regulation. The specific purposes and categories of processed data can be found in the descriptions of the tracking tools below.

aa) Google Analytics

We use Google Analytics, a web analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google"), to ensure the appropriate design and ongoing optimization of our website. In this context, pseudonymized user profiles are created and cookies are used. The information generated by these cookies includes:

  • Type and version of browser
  • Operating system used
  • Referrer URL (previously visited website)
  • Hostname of the accessing computer (IP address)
  • Time of the server request

This information is transmitted to a Google server in the United States and stored there. The data is used to evaluate website usage, compile reports on website activity, and provide other services related to website and internet usage for market research and the tailored configuration of our website. This information may also be transmitted to third parties if required by law or if third parties process this data on our behalf.

Under no circumstances will your IP address be combined with other Google data. IP addresses are anonymized (IP masking), meaning that identification is not possible.

You may prevent the installation of cookies by adjusting your browser settings; however, please note that in this case, not all website functions may be fully available.

You may also prevent the collection of data generated by cookies and related to your website usage (including your IP address), as well as the processing of such data by Google, by downloading and installing the browser add-on available at:

https://tools.google.com/dlpage/gaoptout?hl=de

As an alternative to the browser add-on, particularly for mobile device browsers, you can prevent Google Analytics from collecting data by clicking on an opt-out link (where one is implemented on this website). This will store an opt-out cookie on your device, preventing future data collection when visiting this website. The opt-out cookie is valid only in this browser, only for our website, and will be stored on your device. If you delete your browser's cookies, you will need to set the opt-out cookie again.

Additional information on data protection in connection with Google Analytics can be found in the Google Analytics Help Center.

bb) Google Ads Conversion Tracking

To statistically measure the use of our website and evaluate it for the purpose of optimizing your experience, we use Google Conversion Tracking. Google Ads places a cookie on your device when you reach our website through a Google advertisement. These cookies expire after 30 days and are not used for personal identification.

If a user visits certain pages on an Ads client's website and the cookie has not expired, Google and the client can detect that the user clicked on the advertisement and was directed to the respective page. Each Google Ads client receives a unique cookie. Therefore, cookies cannot be tracked across the websites of Ads customers. The information collected using the conversion cookie is used to generate conversion statistics for Ads customers who have enabled conversion tracking. Ads clients receive information on the total number of users who clicked on their advertisement and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that could personally identify users.

If you do not wish to participate in tracking, you may disable the installation of conversion cookies, for example through a browser setting that disables automatic cookie placement. You can also disable conversion tracking cookies by adjusting your browser settings to block cookies from the domain "www.googleadservices.com".

13. Complaints

If you believe your data protection rights have been violated, you may file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP) in Romania, or contact us directly for assistance.

14. Updates to This Policy

We may update this Data Protection Policy from time to time. The latest version will always be available on our website.
