The protection of privacy and the security of personal data of individuals who provide us with their data are important values for us and one of the fundamental standards of our business operations.
This Privacy Policy has been prepared to clearly explain how Vacation Club 2 sp. z o.o. sp. k. processes the personal data of natural persons in connection with its business activities, in particular persons interested in or using our services, making reservations, creating a user account, contacting us through available communication channels, subscribing to the newsletter, submitting an apartment for cooperation, as well as visiting our websites or using our social media profiles.
We encourage you to read this Privacy Policy carefully. It will help you better understand what personal data we collect, for what purposes we process it, on what legal bases we rely, to whom the data may be disclosed, how long we retain it, and what rights are available to the persons whose data is concerned.
The controller of your personal data is Vacation Club 2 sp. z o.o. sp. k., with its registered office in Warsaw, ul. Marszałkowska 72 lok. 17, 00-545 Warsaw, entered in the register of entrepreneurs of the National Court Register under KRS number 0000693165, NIP 7010564630, REGON 364139084 (hereinafter: the “Controller” or “VacationClub”).
You can contact the Controller in the following ways:
As a rule, VacationClub acts as the controller of personal data, independently determining the purposes and means of processing personal data in connection with its business activities, in particular in the scope of reservation handling, maintaining user accounts, contact with clients and business partners, marketing of its own services, operating websites, and communication with users.
At the same time, depending on the nature of a specific service, business relationship, or the way a given process is organized, personal data may also be processed under other models.
In certain cases, personal data may be processed on behalf of VacationClub by processors, i.e. entities acting on the Controller’s behalf and solely in accordance with its instructions. This applies in particular to providers of IT services, hosting, reservation systems, CRM tools, technical support providers, newsletter operators, analytical tools, customer service systems, or other services supporting VacationClub’s operations. In such cases, data is processed on the basis of appropriate data processing agreements and with the required security measures in place.
In certain situations, personal data may be transferred to other entities that process it in their own name and for their own purposes, acting as independent data controllers. This applies in particular where the transfer of data is necessary for the performance of a service, execution of a contract, settlement of a service, organization of a stay, fulfillment of legal obligations, or ensuring security. Such a model may occur, for example, in relations with:
Only in specific cases, where VacationClub and another entity jointly determine the purposes and essential means of processing personal data, joint controllership within the meaning of Article 26 GDPR may arise. This model may apply in particular to certain joint marketing activities or selected aspects of the operation of VacationClub’s social media profiles, insofar as it results from the way a given platform operates or from jointly organized activity.
In relation to the persons whose data is concerned, VacationClub generally remains the primary contact point in matters related to personal data processing, unless separate information has been provided with respect to a specific service, form, campaign, offer, or legal relationship. Detailed information about the role of specific entities in a given processing activity — i.e. whether a given entity acts as a controller, independent controller, processor, or joint controller — is provided each time in the context of the relevant service, form, terms and conditions, offer, communication, or separate privacy notice.
The Controller has appointed a Data Protection Officer. If a Data Protection Officer has been appointed, you may contact them at: iod@vacationclub.pl or in writing at: ul. Marszałkowska 72/17, 00-545 Warsaw, with the note “Data Protection Officer”.
If the Controller has not appointed a Data Protection Officer, in all matters concerning the processing of personal data, including the exercise of the rights of data subjects, you may contact the Controller directly using the contact details indicated in this Privacy Policy.
We inform you that your personal data will be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), for the following purposes:
| PURPOSE OF PROCESSING | LEGAL BASIS | PROCESSING PERIOD |
|---|---|---|
| Conclusion, performance, and settlement of a contract concerning reservation of a stay, provision of accommodation services, additional services, as well as taking steps prior to entering into a contract at the request of the data subject. | Article 6(1)(b) GDPR | For the period necessary to conclude and perform the contract, and thereafter until the expiry of limitation periods for claims. |
| Handling the reservation process, stay confirmation, stay-related communication, Mobile Check-In, collection and settlement of the security deposit, organization of key collection and return, as well as settlement of any receivables, damage, or missing equipment. | Article 6(1)(b) GDPR, and with regard to securing and pursuing claims also Article 6(1)(f) GDPR | For the duration of the service and thereafter for the period necessary to settle the stay and to secure and pursue claims. |
| Maintaining and operating a user account, including enabling login, saving reservation history, managing preferences, and using functionalities available to registered users. | Article 6(1)(b) GDPR and Article 6(1)(f) GDPR (the Controller’s legitimate interest in ensuring proper use of account-related functionalities) | For the period during which the account is maintained, and after its deletion for the period necessary to demonstrate proper performance of the service and defend against claims. |
| Maintaining contact with clients, users, persons interested in the offer, apartment owners, persons contacting us via form, chat, email, telephone, or social media, as well as handling inquiries, requests, and submissions. | Article 6(1)(f) GDPR (the Controller’s legitimate interest in ongoing communication and handling requests) | For the period necessary to handle the matter and thereafter until the expiry of the limitation period for potential claims related to that matter. |
| Performance and handling of business cooperation, including communication with apartment owners, property operators, contractors, persons representing contractors, and persons designated as contacts on the business partner’s side. | Article 6(1)(b) GDPR – if the party is a natural person; Article 6(1)(f) GDPR – in the case of data of representatives, contact persons, or cooperating persons on the contractor’s side | For the duration of the cooperation or preparation for establishing it, and thereafter until the expiry of limitation periods for claims. |
| Presenting an offer of cooperation and commercial contact with persons interested in adding an apartment to the VacationClub offer or establishing business cooperation. | Article 6(1)(b) GDPR – if the actions are taken at the request of the interested person prior to entering into a contract; Article 6(1)(f) GDPR – in the scope of organizing and developing business cooperation | For the period necessary to handle the submission, prepare the offer, and conduct business discussions, and thereafter until the expiry of limitation periods for claims. |
| Carrying out marketing activities concerning VacationClub’s own services, products, and activities, including sending newsletters, commercial information, information about promotions, special campaigns, events, new offers, or services related to VacationClub’s operations. | Article 6(1)(f) GDPR – in the scope of permissible direct marketing carried out based on the Controller’s legitimate interest under separate legal regulations (acts), i.e. to the extent that consent is required, in particular for electronic communication; | Until consent is withdrawn, an effective objection is raised, or the purpose of processing ceases. |
| Conducting business analyses, statistics, internal reporting, operational risk management, service development, improvement of service quality, monitoring the effectiveness of marketing and sales activities, and ensuring the Controller’s accountability. | Article 6(1)(f) GDPR (the Controller’s legitimate interest in conducting analyses, statistics, service development, and ensuring the organization of processes) | Until an effective objection is raised or until the purpose of processing ceases, but no longer than until the expiry of limitation periods for claims, if the analyses remain related to such claims. |
| Fulfilling legal obligations incumbent on the Controller, in particular tax, accounting, reporting, consumer, complaint-handling obligations, obligations related to payment security, provision of services by electronic means, or arising from other provisions of law. | Article 6(1)(c) GDPR | For the period required by law, taking into account limitation periods. |
| Defending against claims and pursuing claims related to business operations, contracts entered into, stays, settlements, complaints, business cooperation, use of websites, or violation of terms and conditions. | Article 6(1)(f) GDPR (the Controller’s legitimate interest in protecting its rights) | Until the expiry of the relevant limitation periods for claims, and in the event of legal proceedings – until their final conclusion. |
| Conducting recruitment processes and contact with candidates for employment or cooperation. | Article 6(1)(b) GDPR – with regard to data necessary to take steps prior to entering into a contract; Article 6(1)(c) GDPR – with regard to obligations arising from law; Article 6(1)(a) GDPR – with regard to additional data or participation in future recruitment processes | Until the end of the recruitment process, and in the case of separate consent for participation in future recruitment processes – until its withdrawal or the expiry of the indicated period. |
| Managing cookies and similar technologies, ensuring the proper functioning of the website, analyzing the way the service is used, improving its functionality, personalizing content, measuring campaign effectiveness, and carrying out advertising and remarketing activities. | Article 6(1)(f) GDPR – with regard to necessary files; Article 6(1)(a) GDPR – with regard to cookies and similar technologies requiring the user’s consent | Until consent is withdrawn, settings are changed, or the purpose of processing ceases. |
| Maintaining social media profiles, including communication with users, publishing information about services and offers, building a community, increasing brand recognition, and carrying out promotional activities. | Article 6(1)(f) GDPR | Until an effective objection is raised or the Controller’s legitimate interest ceases. |
| Determining the source of data, supplementing contact details, and conducting communication in the case of data obtained indirectly, e.g. from a business partner, apartment owner, operator, contractor’s associate, or from publicly available sources. | Article 6(1)(f) GDPR | For the period necessary to achieve the purpose, and thereafter until the expiry of limitation periods for claims. |
As a rule, we obtain personal data directly from the person whose data is concerned. This may occur in particular during:
In some cases, personal data may also be obtained indirectly, i.e. not directly from the person whose data is concerned. This may happen in particular when:
In the case of data obtained indirectly, we generally process identification data, contact data, business-related data, data concerning the performed function, conducted activity, or the scope of cooperation.
We inform you that under the GDPR you are entitled to the following rights:
| RIGHTS OF THE DATA SUBJECT | WHAT THE GIVEN RIGHT MEANS |
|---|---|
| right of access to personal data – Article 15 GDPR | You may obtain information on whether and how we process your personal data, as well as receive a copy of the data. |
| right to rectification of personal data – Article 16 GDPR | You may request correction of inaccurate data and completion of incomplete data. |
| right to erasure of personal data (“right to be forgotten”) – Article 17 GDPR | You may request deletion of data in cases provided for by law, e.g. when the data is no longer necessary for the purposes for which it was collected, consent has been withdrawn, or the processing is unlawful. This right is not absolute. |
| right to restriction of processing – Article 18 GDPR | You may request temporary restriction of operations on data, e.g. for the time needed to verify the accuracy of the data or the legitimacy of an objection. |
| right to data portability – Article 20 GDPR | In cases provided for by law, you may receive your data in a structured format or request that it be transferred to another controller. |
| right to object – Article 21 GDPR | You may object to processing based on Article 6(1)(f) GDPR on grounds relating to your particular situation. In the case of direct marketing, the right to object applies at any time. |
| right to withdraw consent | If processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out before its withdrawal. |
| right to lodge a complaint with a supervisory authority – Article 77 GDPR | If you believe that the data is being processed unlawfully, you may lodge a complaint with the President of the Personal Data Protection Office. |
To exercise the above rights, please contact the Controller or the Data Protection Officer using the contact details indicated in this Privacy Policy.
In connection with the conducted business activity and the implementation of the indicated processing purposes, personal data may be disclosed only to authorized recipients, i.e. entities that support the Controller in conducting business, performing services, fulfilling legal obligations, or protecting its rights. The Controller may disclose personal data to the following categories of recipients:
As a rule, the Controller processes personal data within the European Economic Area. However, in connection with the use of certain IT, analytical, advertising, marketing, or social media services, personal data may be transferred outside the European Economic Area, in particular to countries where providers of such tools store data or maintain their technical infrastructure. This applies in particular to tools related to online advertising, analytics, social media, or marketing automation.
In each case, transfers of data outside the EEA are carried out with appropriate safeguards required by the GDPR, in particular on the basis of:
Each recipient of the data is obliged to ensure an appropriate level of security and to process the data solely to the extent resulting from the purpose of transfer, the concluded agreement, or a legal obligation.
Providing personal data is generally voluntary; however, in many cases it is necessary to achieve specific processing purposes. Failure to provide data may make it impossible to achieve the given purpose, conclude a contract, receive a response, or use a specific functionality. In particular:
The Controller may conduct profiling to a limited extent, understood as the analysis of selected information about users, clients, or persons contacting the Controller, in order to better tailor content, offers, communications, and marketing activities to their potential preferences and interests. Profiling may include in particular:
Based on such data, the Controller may present the user with more tailored content or offers, such as:
Profiling is carried out only within the limits permitted by law and does not lead to decisions being made with regard to the person that produce legal effects concerning them or similarly significantly affect them within the meaning of Article 22 GDPR. The data subject has the right to object to profiling carried out on the basis of Article 6(1)(f) GDPR, under the rules set out in Article 21 GDPR.
The Controller’s websites use cookies and other similar technologies that support the proper functioning of the website, enable the use of its functionalities, help analyze how the service is used, personalize content, and carry out advertising and marketing activities.
Cookies are small text files stored on the user’s device in connection with the use of a website. They enable, among other things, recognition of the user’s browser, maintenance of the session, remembering settings and preferences, analyzing website traffic, and measuring the effectiveness of marketing activities.
With regard to the purposes for which they are used, we distinguish the following categories of cookies:
These are cookies and similar technologies that are necessary for the proper operation of the website and to ensure the basic functionalities of the service. Without them, using the website or selected services available through it could be impossible or significantly hindered. These files are used in particular for the purpose of:
The use of strictly necessary cookies does not require the user’s consent, as they are necessary for the provision of electronic services or to ensure the proper functioning of the service and the performance of functions expressly requested by the user.
Analytical cookies are used to collect information about how users use the service. Thanks to them, we may determine, among other things, how users arrive at the website, which subpages they visit most often, how much time they spend on the service, what devices and browsers they use, whether they encounter technical issues, and which elements of the website require improvement. These files are used in particular for the purpose of:
Data collected through analytical cookies is generally not used for direct identification of the user, but allows us to better understand how the service is used and to improve it accordingly. The use of this category of cookies requires the user’s prior consent.
Functional cookies make it possible to remember settings and choices made by the user, making the use of the website more convenient, personalized, and tailored to individual preferences. These files may be used in particular for the purpose of:
If the user does not consent to the use of functional cookies, some elements of the website may operate in a less personalized or less convenient way. The use of this category of cookies requires the user’s prior consent.
Advertising and marketing cookies are used to carry out promotional activities and to present users with advertising and marketing content that may be more tailored to their potential interests, activity, or preferences. These files may be used in particular for the purpose of:
These cookies may be set both by the Controller and by third parties providing marketing, advertising, analytical, or social media services. On their basis, the user may be shown more tailored advertising content within the service or outside it. The use of advertising and marketing cookies requires the user’s prior consent.
Both session cookies and persistent cookies may be used on the website. Session cookies are stored on the user’s device only for the duration of the browser session and are deleted after it is closed. Persistent cookies remain on the user’s device for a specified period of time or until they are deleted earlier by the user. Their retention period depends on the purpose for which they are used and on the settings of the specific tool or technology provider.
Cookies other than strictly necessary ones, in particular analytical, functional, advertising, and marketing cookies, are used only after the user’s prior consent has been obtained through the appropriate consent management mechanism available on the website. Failure to consent to the use of specific categories of cookies does not, as a rule, prevent the use of the website, but may affect the limitation of certain additional functionalities, the level of content personalization, or the matching of marketing communications.
The user may manage cookie settings and change previously granted consents at any time. This can be done in particular:
However, it should be remembered that restricting the use of certain cookies, in particular necessary cookies, may affect the proper functioning of the website or the availability of some of its features.
The user may withdraw consent at any time to the use of those categories of cookies that are used on the basis of consent. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.
In connection with marketing activities, the Controller’s presence on social media, and traffic analysis on the service, tools provided by third parties may be used on the website, in particular those related to advertising, analytics, and social media services. The use of such tools may involve the processing of user data by the providers of these services in accordance with their rules and — where applicable — the transfer of data outside the EEA.
To the extent not regulated by this Policy, the provisions of the GDPR and other applicable provisions of Polish and EU law concerning the protection of personal data, electronic communications, and the provision of electronic services shall apply.
Date of last update of the Policy: 17.04.2026