Privacy Policy
Last updated: 2026-04-22 — v2.0
This policy is drawn up in accordance with Regulation (EU) 2016/679 (GDPR), Law no. 190/2018 on implementing GDPR in Romania, Law no. 506/2004 on personal data processing and privacy in electronic communications, and any subsequent applicable amendments.
1. Data Controller
DPA TECH SOLUTIONS SRL
[REDACTED], [REDACTED], [REDACTED], România
CUI: 54485223 | Reg. Com.: J2026024656007
EUID: ROONRC.J2026024656007 | Established: 2026-04-15
Email: contact@sezlong.online
Phone: +40750443490
Web: https://sunbed.online
2. Data Protection Officer (DPO)
The company has appointed a Data Protection Officer. For any questions, requests or exercise of your rights, please contact the DPO at the address below.
[REDACTED] — [REDACTED]
3. Personal Data We Collect
3.1 Data you provide directly
- Identification: full name
- Contact: email address, phone number (optional)
- Booking: beach location, sunbed type, booking date, number of guests
- User account: encrypted password, account preferences
3.2 Data collected automatically
- Technical: IP address, device type, operating system, browser used, screen resolution
- Behavioural: pages visited, session duration, traffic source, actions performed on the platform
- Cookies: detailed in Cookie Policy
3.3 Transaction data
- Booking information (booking ID, amount, payment status, payment method)
- We do not store full card data — these are processed exclusively by the authorised payment processor
3.4 Data received from third parties
- Authentication data provided by OAuth providers (if you use third-party login)
4. Purposes of Processing and Legal Basis (Art. 6 GDPR)
| Purpose | GDPR Legal Basis | Details |
|---|---|---|
| Account creation and management | Art. 6(1)(b) | Necessary for use of the service |
| Booking processing | Art. 6(1)(b) | Confirmation and management of bookings |
| Payment processing | Art. 6(1)(b) | Transmission to payment processor |
| Legal obligations (invoicing, tax) | Art. 6(1)(c) | Romanian tax and accounting legislation |
| Fraud prevention and security | Art. 6(1)(f) | Protecting the platform and users |
| Direct marketing (newsletter) | Art. 6(1)(a) | Only if you have given your consent |
5. Data Recipients
Your data may be shared with the following recipients, only to the extent strictly necessary:
5.1 Beach Operators (Tenants)
Beach operators registered on the platform receive only the data necessary for fulfilling your booking: name, booking date, type of sunbed reserved, number of guests and, where applicable, phone number. They act as independent data controllers and are contractually obliged to comply with GDPR.
5.2 Data Processors (Sub-processors)
| Provider | Role | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | EU/USA (SCCs) |
| Vercel Inc. | Hosting and infrastructure | USA (SCCs) |
| Stripe | Payment processing | EU/USA |
| Twilio Inc. | SMS notifications | USA (SCCs) |
| Resend | Transactional email | EU/USA (SCCs) |
5.3 Public Authorities
We may disclose data to competent authorities (tax authority, consumer protection authority, courts) when legally required to do so.
6. International Data Transfers
Some of our processors are established outside the European Economic Area (EEA). In such cases, we ensure that the transfer is carried out with adequate safeguards pursuant to Art. 46 GDPR, primarily through Standard Contractual Clauses (SCCs) adopted by the European Commission and adequacy decisions where applicable. You may obtain a copy of the applicable safeguards by contacting our DPO.
7. Data Retention Period
| Data category | Retention period | Basis |
|---|---|---|
| Active account data | For the lifetime of the account + 30 days after deletion | Contract |
| Booking data | 30 days after booking date (operational data) | Contract |
| Financial/tax documents | 10 years from issuance (Law 82/1991) | Legal obligation |
| Anonymised analytics data | 13 months | Legitimate interest |
| Support correspondence | 3 years from last interaction | Legitimate interest |
| Marketing data (with consent) | Until consent withdrawal or 3 years of inactivity | Consent |
| Security logs | 12 months | Legitimate interest |
We use Web Push notifications (with your explicit browser permission) to send you booking updates and, with your consent, promotional messages from Beach Operators. Your push subscription data (endpoint and encryption keys) is stored server-side linked to your account. You can revoke permission at any time via your browser settings.
If you have consented to push marketing, Beach Operators may send targeted campaigns based on your booking behaviour (visit frequency, recent activity). You can withdraw consent at any time from your profile or by revoking push permission in your browser.
8. Your Rights (Art. 15–22 GDPR)
- a) Right of access (Art. 15) — You may request a copy of the personal data we hold about you.
- b) Right to rectification (Art. 16) — You may request the correction of inaccurate data or the completion of incomplete data.
- c) Right to erasure / "right to be forgotten" (Art. 17) — You may request the deletion of your data where there is no legal obligation to retain it.
- d) Right to restriction of processing (Art. 18) — You may request the limitation of processing in certain circumstances (e.g. you contest the accuracy of the data).
- e) Right to data portability (Art. 20) — You may request your data in a structured, commonly used and machine-readable format.
- f) Right to object (Art. 21) — You may object to processing based on legitimate interest or direct marketing.
- g) Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.
If you book as a guest (without a registered account), we process your data (name, phone, email if provided) solely under Art. 6(1)(b) GDPR to confirm and fulfil your booking. This data is retained for 30 days from the booking date.
How to exercise your rights
Send a written request to [REDACTED]. We respond within 30 calendar days. In complex cases, the deadline may be extended by a further 60 days, with prior notification to you. The request is free of charge.
9. Automated Decisions and Profiling
We do not make automated decisions that produce legal effects or similarly significant effects upon you within the meaning of Art. 22 GDPR. We use limited profiling techniques solely for personalising the display of geographically relevant beach offers. This profiling produces no legal effects and can be deactivated at any time by contacting the DPO.
If you use the Platform as a Beach Operator, staff member, or supplier, your professional data (name, email, assigned role and beach) is processed under Art. 6(1)(b) GDPR for the performance of your SaaS subscription contract with DPA Tech Solutions SRL, and Art. 6(1)(f) GDPR for platform security.
10. Data of Minors
The platform is intended exclusively for persons aged at least 18 years or minors with the consent and under the supervision of a legal guardian. We do not intentionally collect data from children under 16 without verifiable parental consent. If we learn that we have collected such data, we will delete it immediately. Reports may be sent to paul.d@sezlong.online.
11. Data Security
We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Role-based access control (RBAC)
- Multi-factor authentication for administrative access
- Continuous monitoring of access and anomalies
- Periodic testing of security measures
12. Security Breach Notification (Data Breach)
- ANSPDCP: notified within 72 hours of becoming aware (Art. 33 GDPR)
- You will be notified without undue delay if the breach poses a high risk (Art. 34 GDPR), via email to the address associated with your account.
13. Cookies
We use cookies and similar technologies. Full details in our Cookie Policy.
14. Right to Lodge a Complaint
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
Bd. G-ral Gheorghe Magheru 28–30, Sector 1, 010336, Bucharest, Romania
Email: anspdcp@dataprotection.ro
Web: dataprotection.ro
You also have the right to bring proceedings before a competent court.
15. Policy Changes
We reserve the right to update this policy periodically. Substantial changes will be communicated by email to the address registered in your account, at least 30 days before they take effect, and via a visible notice on the platform. Continued use of the platform after the notification period constitutes acceptance of the changes.
16. Contact
DPA TECH SOLUTIONS SRL
[REDACTED], [REDACTED], [REDACTED], România
CUI: 54485223 | Reg. Com.: J2026024656007
Email: contact@sezlong.online
Phone: +40750443490
DPO: [REDACTED] — [REDACTED]
This information notice is compliant with Regulation (EU) 2016/679 (GDPR), Law no. 190/2018 on implementing GDPR in Romania, Law no. 506/2004, and applicable Romanian law.