Privacy Policy

This privacy policy describes how we process information about you, including personal data and cookies, in connection with your use of the dworekosiecki.pl website, telephone contact, the contact form, the location map and the embedded booking widget, through which data is passed directly to the booking system provider (see section 5).

1. General information and the data controller

  1. The controller of your personal data is: Dworek Osiecki Spółka Cywilna, ul. Parkowa 42, 76-004 Osieki (NIP: 4990669588, REGON: 369270699).
  2. Email contact address for general matters: biuro@dworekosiecki.pl or recepcja@dworekosiecki.pl.
  3. For all matters concerning the protection of personal data and to exercise your rights under the GDPR (RODO), please contact us at our dedicated address: privacy@dworekosiecki.pl.
  4. Personal data is processed in accordance with the General Data Protection Regulation (GDPR (RODO) — Regulation 2016/679).
  5. We do not sell personal data. We share it only with the processors identified in this policy (including our hosting and email providers), and only to the extent necessary to provide our services.

2. Infrastructure and hosting

  1. The website is hosted and delivered through Cloudflare infrastructure (the Cloudflare Workers platform and the edge/CDN network). The service is operated by Cloudflare, Inc., with its registered office at 101 Townsend Street, San Francisco, CA 94107, United States. Cloudflare, Inc. acts as a processor within the meaning of art. 28 GDPR and processes data solely on our behalf, under a data processing agreement (Data Processing Addendum) incorporated by reference into the accepted Cloudflare terms of service.
  2. For technical and security purposes (including protection against attacks, traffic balancing and content delivery), Cloudflare processes standard technical data such as the IP address, the request timestamp, HTTP headers and browser information (User-Agent). The legal basis is the controller’s legitimate interest (art. 6(1)(f) GDPR) — ensuring the security, availability and performance of the website.
  3. Transfer to a third country (USA): Because Cloudflare, Inc. is established in the United States, some technical data may be processed outside the European Economic Area. This transfer takes place on the basis of Cloudflare, Inc.’s certification under the EU-U.S. Data Privacy Framework, and is additionally safeguarded by Standard Contractual Clauses (SCC) approved by the European Commission, together with supplementary measures. Cloudflare handles traffic across a network of points of presence located, among other places, within the European Economic Area (including Poland), with the aim of minimising data transfers outside the EEA.

3. Telephone contact

  1. To handle telephone calls we use an internet telephony (SIP) service provided by Spikon.
  2. Telephone conversations are not recorded or otherwise retained.
  3. If you contact us by telephone, we process your phone number and the content of the conversation solely to handle your enquiry — on the basis of art. 6(1)(b) GDPR (steps taken prior to entering into a contract) or art. 6(1)(f) GDPR (maintaining ongoing contact).

4. Contact form and transactional email

  1. Purpose and legal basis: The contact form is used to handle enquiries about accommodation and about hosting events (weddings, family celebrations, corporate events and others). We process the data you provide in the form in order to deal with your enquiry and to take steps at your request before any contract is entered into — on the basis of art. 6(1)(b) GDPR.
  2. Scope of data collected: first name, surname, email address, phone number (optional), type of event (wedding / family celebration / corporate event / other) and event details (dates, number of guests, accommodation, type of celebration, company name and additional information — up to 2000 characters).
  3. Voluntariness (art. 13(2)(e) GDPR): Providing the data is voluntary, but necessary in order to handle your enquiry and to take steps before entering into a contract — without it we will not be able to respond.
  4. The “I have read the Privacy Policy” checkbox is purely informational (it operates on the browser side). It does not constitute consent within the meaning of the GDPR and is not recorded — the server neither receives nor stores its state.
  5. How processing works (the data flow): browser → Cloudflare edge network (WAF application firewall, rate limiting, Turnstile verification) → application worker (POST /api/contact request) → email provider’s API (EmailLabs) → the operator’s mailbox (recepcja@dworekosiecki.pl). The website server does not store form data — the only permanent place it is saved is the operator’s mailbox.
  6. Infrastructure handling the form: Before the form data reaches the email provider, it passes through the edge network and runtime environment (worker) of Cloudflare, Inc., which acts as a processor (art. 28 GDPR) — details, and information about the transfer of technical data to the USA, can be found in section 2.
  7. Spam protection (Cloudflare Turnstile): Submitting the form is preceded by server-side verification of a Turnstile token. This mechanism does not use tracking cookies — it relies solely on short-lived validation tokens. The legal basis for Turnstile verification is the controller’s legitimate interest (art. 6(1)(f) GDPR) — protecting the website and the form against abuse and spam. The processing of the enquiry content itself takes place on the basis of art. 6(1)(b) GDPR (see point 1).
  8. Transactional email provider (EmailLabs): To deliver messages from the form we use the EmailLabs service (emaillabs.io), operated by Vercom S.A., with its registered office in Poznań. Vercom S.A. acts as a processor within the meaning of art. 28 GDPR, under a signed data processing agreement.
    • Data is processed in Poland (within the EEA). No transfer to a third country takes place — the DPF / SCC mechanisms are neither required nor applied here.
    • The service holds the ISO 27001, ISO 27018 and ISO 22301 certifications. Encrypted backups are kept for 2 years, exclusively within the EEA.
    • Sub-processors used by EmailLabs — all located within the EEA (as at the date of publication of this policy):
      • Beyond Solutions sp. z o.o. — Poznań, Poland — data centre / backups (colocation),
      • NTT Global Data Centers EMEA GmbH — Hattersheim, Germany — data centre / backups,
      • Cyber_Folks S.A. — Poznań, Poland — hosting,
      • Amazon Web Services EMEA SARL — Luxembourg (EU) — off-site backups only.
  9. Retention period: We keep correspondence arising from an enquiry in the operator’s mailbox for as long as is necessary to handle that enquiry and — where a contract is entered into — for the duration of its performance and the limitation period for any related claims, after which the correspondence is deleted. If an enquiry does not lead to a contract, we delete the correspondence once contact on the matter has ceased.

5. Analytics and third-party tools

To maintain and optimise the functionality of the website, we use the following tools:

  1. Cloudflare Web Analytics: An analytics tool that does not use cookies, does not track individual users between sessions and does not transfer data outside the European Economic Area. Only aggregated traffic information is collected (number of page views, country of origin, device type, page load time) in order to maintain the quality of the website. Legal basis: the data controller’s legitimate interest (art. 6(1)(f) GDPR). We do not carry out profiling, retargeting or behaviour-based advertising.
  2. Cloudflare (edge infrastructure / CDN): All communication between your browser and our server passes through the Cloudflare network, which acts as a network firewall, reverse proxy and CDN. Cloudflare processes technical logs (IP address, User-Agent, HTTP headers) for security purposes and in accordance with its own privacy policy.
  3. Cloudflare Turnstile: a mechanism that protects the form against abuse; it does not set tracking cookies and uses only short-lived validation tokens (see also section 4).
  4. Google Maps: An interactive map to make it easier to find your way to the Dworek. It is loaded only after you have given your consent by clicking the accept button in the notice — until then the map runs no Google scripts. The legal basis is your consent (art. 6(1)(a) GDPR). With regard to data collected via the map, Google acts as an independent controller (rather than as our processor within the meaning of art. 28 GDPR). The processing is governed by Google’s own terms and privacy policy. In respect of data processed by Google in connection with the map, you exercise your rights (including access and erasure) directly with Google, on the terms set out in its privacy policy; our address privacy@dworekosiecki.pl handles requests concerning data processed by the Controller.
  5. RoomAdmin (booking widget): On the accommodation page (“Accommodation”) we embed an iframe of the RoomAdmin (roomadmin.pl) booking system, operated by Polcern Sp. z o.o., with its registered office in Kraków, ul. Jacka Malczewskiego 47A. Submitting a booking through it passes the guest’s data — first name, surname, email address, phone number, dates of stay and, where applicable, payment data — directly to RoomAdmin. The legal basis is art. 6(1)(b) GDPR (booking and pre-contractual activities). Under a signed data processing agreement, Polcern Sp. z o.o. processes this data solely to provide the roomadmin.pl booking service and acts as our processor within the meaning of art. 28 GDPR; in doing so it may use sub-processors bound by the same data protection obligations. The data is processed for the duration of the service — once the data processing agreement ends, the processor returns the entrusted data to us and deletes all copies of it, unless an obligation to retain it further arises from the law.

What is NOT used on the website:

  • Google Analytics — not used
  • Meta Pixel / Facebook Pixel — not used
  • Hotjar, Smartlook, FullStory and other session-recording tools — not used
  • Retargeting-based advertising — not used
  • Profiling of user behaviour — not carried out

6. Your rights (GDPR)

Under the GDPR, you have the right to:

  1. Access your data and obtain a copy of it.
  2. Rectify (correct) your data.
  3. Erase your data (“the right to be forgotten”).
  4. Restrict the processing of your data.
  5. Object to processing (e.g. for marketing purposes).
  6. Data portability.
  7. Withdraw your consent at any time — to the extent that processing is based on your consent (e.g. loading the Google Maps map), under art. 7(3) GDPR (see also art. 13(2)(c) GDPR). Withdrawing consent does not affect the lawfulness of processing carried out on the basis of that consent before its withdrawal.
  8. Lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warszawa — where you consider that the processing of your personal data infringes the GDPR.

To exercise your rights, please contact us at: privacy@dworekosiecki.pl.

7. Cookies

  1. The website seeks to minimise its use of cookies. The analytics tool (Cloudflare Web Analytics) does not use any cookies.
  2. Cookies set by Google Maps are loaded only after you have given your consent via the notice on the page. If you do not consent, the map is not loaded and no Google cookies are set.
  3. Cloudflare Turnstile (protection for the contact form) does not set tracking cookies — it uses only short-lived validation tokens.
  4. Using the embedded RoomAdmin booking widget (a third-party iframe) may result in RoomAdmin setting its own cookies (e.g. a session cookie), governed by the RoomAdmin privacy policy.
  5. Our own technical preference marker (_do_site_pref) is saved in your browser’s local storage (localStorage) in order to remember your decision about loading the map. It is not a cookie and is not sent to any external servers.
  6. You can always manage cookies and your browser’s local storage, deleting or blocking them in your browser settings.

Last updated: May 2026