Privacy Policy
Last updated: 2026-03-15
This information notice is provided pursuant to Art. 13 and Art. 14 of Regulation (EU) 2016/679 (GDPR) and applicable Romanian law. Please read it carefully.
1. Data Controller
The data controller is [REDACTED], registered at [REDACTED], [REDACTED], [REDACTED], Romania, trade register no. [REDACTED], tax ID [REDACTED].
Data Protection Officer (DPO): [REDACTED] — [REDACTED]
2. Personal Data Collected
Data you provide directly:
- Full name
- Email address
- Phone number (optional)
- Account password (stored only as a bcrypt hash, never in plaintext)
- Booking details (date, location, number of sunbeds/umbrellas)
Data collected automatically:
- IP address (anonymised after 30 days)
- Browser type and operating system
- Date and time of access
- Interface preferences (language, theme)
Data we do not collect:
- Special category data (Art. 9 GDPR): health, racial origin, political opinions, etc.
- Data of minors under 16 without parental/guardian consent
- Payment card data (processed directly by PCI-DSS certified providers)
3. Purpose of Processing and Legal Basis
| Purpose | Legal basis | GDPR Article |
|---|---|---|
| Account creation and management | Performance of contract | Art. 6(1)(b) |
| Booking processing and confirmation | Performance of contract | Art. 6(1)(b) |
| Service communications (confirmations, QR code) | Performance of contract | Art. 6(1)(b) |
| Platform security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Tax and legal compliance | Legal obligation | Art. 6(1)(c) |
| Marketing communications (future) | Explicit consent | Art. 6(1)(a) |
4. Data Retention
- Account data: until account deletion + 30-day grace period
- Booking data: 3 years from booking date (tax obligation per Law 227/2015)
- Billing data: 10 years (Art. 25 of Accounting Law no. 82/1991)
- Security logs (IP): 6 months
- Consent records: for the lifetime of the account + 3 years after deletion (burden of proof)
5. Data Recipients
We do not sell your personal data. Data may be transferred to:
- Partner Beach Operators — only data necessary for booking execution (name, contact, booking details), under a processing agreement per Art. 28 GDPR
- Technical service providers: Supabase Inc. (hosting, database, authentication) — with adequate safeguards per Art. 46 GDPR
- Transactional email providers — solely for sending booking confirmations
- Competent public authorities — when expressly required by law (tax authority, law enforcement, etc.)
6. Transfers Outside the EU/EEA
Your data is primarily processed within the European Union/EEA. Supabase's primary infrastructure is in the EU (Frankfurt). For any transfers to third countries, we ensure adequate safeguards are in place in accordance with Chapter V GDPR (European Commission adequacy decisions, standard contractual clauses (SCC)).
7. Your Rights (Art. 15-22 GDPR)
- Right of access (Art. 15) — obtain a copy of your data being processed
- Right to rectification (Art. 16) — correction of inaccurate or incomplete data
- Right to erasure / "right to be forgotten" (Art. 17) — deletion of data when no longer necessary or when you withdraw consent
- Right to restriction of processing (Art. 18) — limiting processing in certain circumstances
- Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest or for direct marketing
- Right not to be subject to automated decision-making (Art. 22) — we do not make fully automated decisions with significant effect on you
- Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal
To exercise any right, contact our DPO at [REDACTED]. We will respond within 30 days (which may be extended by a further 60 days for complex requests).
8. Data Security
We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR, including:
- Encryption in transit (TLS 1.2+)
- Password hashing with bcrypt
- 2-factor authentication (2FA/OTP) available
- Role-based access control (RBAC)
- Row-Level Security (RLS) policies in the database
- Audit logging of privileged access
In the event of a personal data breach posing a high risk to your rights and freedoms, we will notify ANSPDCP within 72 hours (Art. 33 GDPR) and inform you directly without undue delay (Art. 34 GDPR).
9. Cookies
We use only essential cookies for platform operation. See our Cookie Policy for full details.
10. Automated Decisions and Profiling
We do not use automated decision-making (including profiling) within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you.
11. Protection of Minors
Our service is intended for persons aged at least 16. Under Art. 8 GDPR and Law 190/2018 (Romania), processing data of minors under 16 requires parental or legal guardian consent. If we discover we have collected data from a minor without appropriate consent, we will delete it immediately.
12. Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent supervisory authority if you believe your data processing violates GDPR:
Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)
Bd. G-ral Gheorghe Magheru 28-30, Sector 1, 010336, Bucharest, Romania
Email: anspdcp@dataprotection.ro
Web: dataprotection.ro
13. Policy Changes
We reserve the right to update this privacy policy periodically. Substantial changes will be communicated via email or platform notification at least 30 days before taking effect. Continued use of the platform after notification constitutes acceptance of the changes.
14. Contact
[REDACTED]
[REDACTED], [REDACTED], jud. [REDACTED], Romania
CUI: [REDACTED] | Reg. Com.: [REDACTED]
Email: contact@sezlong.online
Phone: +40750443490
DPO: [REDACTED] — [REDACTED]
This information notice is compliant with Regulation (EU) 2016/679 (GDPR), Law no. 190/2018 on implementing GDPR measures in Romania, and applicable Romanian law.