Privacy Policy

How we protect your personal information

Privacy Policy

Last updated: 1.11.2025

1. General Provisions

This website (www.nivalisresortandspa.com) is operated by NIVALIS RESORT S.R.L. (hereinafter: "Nivalis Resort & SPA"), with registered office at Cluj County, Cluj-Napoca City, SANATORIULUI Street, No 23, registration number J2025084037005, Tax ID 52825701.

By accessing this website or making a booking with Nivalis Resort & SPA, you confirm that you have read, understood and accepted this Privacy Policy in its entirety.

2. Definitions

  • "Website" – refers to the online platform at www.nivalisresortandspa.com.
  • "Guest" – any person who uses or books accommodation or services via Nivalis Resort & SPA.
  • "Personal Data" – any information regarding an identified or identifiable natural person (for example: name, e-mail address, phone number).
  • "Data Controller" – the entity which determines the purposes and means of processing personal data (in this case Nivalis Resort & SPA).

3. Data Collection & Use

We collect the following categories of personal data: name, contact details (email, phone), booking information (dates, room type), payment details (via our secure provider), device and technical information (IP, browser) and marketing preferences.

We use your personal data to:

  • manage your bookings and accommodation services;
  • communicate with you regarding your stay or requests;
  • send offers and newsletters if you have given consent;
  • fulfil legal obligations (e.g., accounting, tourism registrations).

4. Legal Basis & Retention

We process your personal data based on:

  • performance of a contract (your booking);
  • compliance with legal obligations;
  • your consent (for marketing communications);
  • legitimate interests (improving our services).

The data is kept for as long as necessary to fulfill the above purposes: for example, data from the accommodation form (customer identification data) for 5 years, accounting documents (invoices, receipts, etc.) are kept for 10 years, and data provided for marketing purposes until consent is withdrawn.

5. Data Sharing & Transfers

Customers' personal data may only be disclosed to the extent necessary to fulfill the purposes for which it was collected and in accordance with applicable law.

The Operator may disclose data to:

  • competent public authorities (e.g., Romanian Police, tax authorities), when required by law;
  • service providers (e.g., online booking platforms, IT services, payment processors) acting on behalf of the Operator and complying with GDPR requirements regarding data privacy and security;
  • legal, tax, or audit advisors, if this is necessary to protect the legitimate interests of the Operator.

Data will not be transferred to countries outside the European Economic Area (EEA) unless an adequate level of protection is ensured in accordance with European Union standards or if there are appropriate safeguards (such as standard contractual clauses approved by the European Commission).

6. Your Rights

Right to be informed – the data subject has the right to be informed, in a clear and transparent manner, about how their personal data is collected and used.

Right of access – the data subject has the right to obtain confirmation that their data is being processed and to receive a copy of it, as well as information about the purposes of processing, the recipients, and the storage period.

Right to rectification – the data subject may request the correction or completion of inaccurate or incomplete personal data.

Right to erasure ("right to be forgotten") – data may be erased at the request of the data subject if it is no longer necessary for the purposes for which it was collected or if the processing is based on withdrawn consent.

Right to restrict processing – in certain situations, the data subject may request the limitation of data processing (for example, during the verification of data accuracy or in case of an objection).

Right to data portability – the data subject may request the transfer of their personal data in a structured, commonly used, and machine-readable format, either to themselves or to another controller.

Right to object – the data subject may object at any time to the processing of their data for direct marketing purposes or based on the controller's legitimate interest.

Right not to be subject to automated decision-making – the data subject has the right not to be subject to a decision based solely on automated processing that produces legal effects or significantly affects them.

Right to lodge a complaint – the data subject has the right to contact the National Supervisory Authority for Personal Data Processing (ANSPDCP) if they believe their rights have been violated.

To exercise your rights, please contact us at dataprotection@nivalisresortandspa.com.

7. Security

The organization implements and maintains appropriate technical and organizational measures, in accordance with Article 32 of Regulation (EU) 2016/679 (GDPR), to ensure an adequate level of security and confidentiality of personal data.

These measures are designed to protect the data against unauthorized access, use, alteration, disclosure, or destruction, and include, but are not limited to:

  • controlling physical and electronic access to IT systems and databases;
  • using authentication mechanisms and strong passwords;
  • encrypting and pseudonymizing data, where applicable;
  • implementing backup and incident recovery procedures;
  • continuously monitoring IT systems to detect and prevent security incidents;
  • providing periodic staff training on legal obligations regarding confidentiality and data protection.

The security measures are reviewed and updated periodically, taking into account technological developments, the nature of the processed data, and the risks identified in processing activities.

8. Cookies & Online Tracking

Our website uses cookies and similar technologies to enhance functionality and user experience. For details, please see our Cookie Policy.

9. Updates to This Policy

We may modify this Privacy Policy from time to time. The version published on the website is the effective version. Please check regularly for updates.

Last updated: 1.11.2025

10. Contact

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Email: dataprotection@nivalisresortandspa.com
Phone: +40 754 885 599
Address: Stațiunea Buscat Muntele Bǎișorii 328 M, Cluj 407068, Romania

About Nivalis

At Nivalis Resort & SPA, every stay blends comfort, nature, and authentic experiences. From relaxing in our jacuzzi to ATV rides, skiing on the Buscat and Băișoara slopes, and savoring traditional local meals, we invite you to discover the true essence of mountain living in Cluj County.

Happy guests

Join our growing family of happy guests—contact us today and book your perfect mountain escape at Nivalis Resort & SPA.

© 2025 Nivalis Resort & SPA
Mountain Luxury Since 2025
Alternative Dispute Resolution Online Dispute Resolution