Weiss Central Boutique Logo

WEISS

Central Boutique

HomeRoomsFacilitiesLocationFAQBlog
Book now

Privacy Policy

Last updated: January 17, 2026

1) Who we are

Controller: TEODOR TATARU PERSOANĂ FIZICĂ AUTORIZATĂ (“we”, “us”).
Website: https://www.weisscentralboutique.com
Email: info@weisscentralboutique.com
Postal address: Erou Mircea Marinescu 5, Voluntari, Ilfov 077190, Romania

2) Scope of this notice

This notice explains how we process personal data when you browse our website or contact us. Bookings and payments are handled on Airbnb; when you click “Book now,” Airbnb’s own privacy policy applies.

3) Guest Data Processing (Tourist Check-in)

As an authorised tourist accommodation operator in Romania, we are legally required to collect and process guests' identification data at the time of check-in, through our digital registration form.

Data collected:

  • Full name

  • Date of birth

  • Place of birth

  • Nationality

  • Country of residence

  • County / Region (optional)

  • City

  • Street and street number

  • Date of arrival and date of departure

  • Purpose of travel

  • Identity document type, series and number

  • Personal Numeric Code (CNP) — only for Romanian identity card holders

  • Phone number (for booking management and emergency contact)

  • Email address (for booking management and access code delivery)

  • Electronic signature and timestamp

Note: phone number and email address are collected on the basis of performance of a contract (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR), specifically for booking management, delivery of access codes, and emergency communication.

Legal basis:

  • OPANAF Order no. 381/2026 (Official Gazette no. 250/31.03.2026) — Accommodation Occupancy Register, submitted to the National Tax Authority (ANAF) — Legal obligation (Art. 6(1)(c) GDPR).

  • Government Decision no. 237/2001 (republished in the Official Gazette no. 649/12.09.2008) — Tourist Arrival and Departure Form, submitted to the Romanian Police — Legal obligation (Art. 6(1)(c) GDPR).

Data recipients:

Data is transmitted exclusively to the National Tax Administration Agency (ANAF) and the territorial Police units, in accordance with legal obligations. It is not shared with any other third party and is not used for commercial purposes.

Retention period:

In accordance with Government Decision no. 237/2001, data is retained for 5 years from the date of the stay, after which it is permanently deleted.

Note: the right to erasure does not apply to this data during the mandatory legal retention period, pursuant to Art. 17(3)(b) GDPR.

Security:

Guest check-in data is stored securely in Supabase, a GDPR-compliant database platform acting strictly as a Data Processor under a Data Processing Agreement (DPA). The check-in form is hosted on Vercel, also operating as a Data Processor under a DPA. Both providers store data within the European Union and are bound by GDPR confidentiality obligations. Data is transmitted exclusively via encrypted connections (HTTPS) and is not shared with any unauthorised third parties.

4) What data we process

A. Data you provide directly

  • Messages you send us by email or via any contact method we publish (plus the contact details you include).

  • We do not intentionally collect special/sensitive categories of data.

B. Data collected automatically when you browse

  • Technical and usage data such as IP address, device/browser type, pages viewed, timestamps, referrers, and performance metrics.

  • Analytics data: We use Google Analytics 4 to understand visitor behavior (anonymized metrics on sessions, bounce rates, and location).

  • Map tiles: to show the interactive map, your browser requests tiles from CARTO’s tile CDN (cartocdn.com). Your IP address and user-agent are processed to deliver those tiles.

5) Tools & service providers (processors)

  • Vercel Inc. — website hosting/deployment, Vercel Web Analytics, Speed Insights, and hosting of the check-in form and serverless functions.

  • Google Ireland Ltd. — Google Analytics 4 (visitor statistics).

  • CookieYes Ltd. — Consent Management Platform (manages your cookie preferences).

  • CARTO — basemap tiles for Leaflet (© OpenStreetMap contributors; tiles via cartocdn.com).

  • Email provider (e.g., Google/Gmail) — to receive and reply to your messages.

  • Supabase Inc. — secure database storage of guest check-in data. Supabase acts strictly as a Data Processor and cannot access or use guest data independently. Data is stored on servers within the European Union.

We have appropriate data protection terms in place with these providers.

6) Purposes & legal bases (GDPR Art. 6)

  • Site operation, performance, security, and map delivery — Legitimate interests.

  • Analytics & Statistics (Google Analytics) — Consent (Article 6(1)(a)). We only process this data if you click “Accept” on our banner.

  • Responding to your inquiries — Legitimate interests or performance of a contract (if applicable).

  • Legal compliance (e.g., responding to lawful requests) — Legal obligation.

7) Cookies

We use both essential (functional) and non-essential (analytics) cookies. Essential cookies help the site work (e.g., language settings). Analytics cookies (Google Analytics) are blocked by default until you give consent. For a complete list and to manage your preferences, please view our Cookie Policy.

8) Sharing & disclosures

We share personal data with our processors listed above and with authorities where required by law. We do not sell personal data.

9) International transfers

Some providers (like Google or Vercel) may process data outside the EEA/UK. Where this occurs, we rely on appropriate safeguards (e.g., the EU-US Data Privacy Framework or Standard Contractual Clauses) offered by those providers.

10) Retention

  • Server/edge logs: retained for 30–90 days for security and performance troubleshooting.

  • Google Analytics data: retained for 14 months.

  • Contact emails: retained for 12 months after our last exchange, then deleted.

  • Cookie consent records: retained for 12 months.

  • Guest check-in data: retained for 5 years from the date of stay, as required by Government Decision no. 237/2001, after which it is permanently deleted.

We keep personal data only as long as necessary for the purposes above and to meet legal obligations.

11) Security

We implement reasonable technical and organizational measures to protect personal data. No system is 100% secure; we work to prevent unauthorized access, use, or disclosure.

12) Your rights (EEA/UK/CH)

Subject to law, you may have the right to access, rectify, erase, restrict or object to processing, and data portability. Where we rely on consent (e.g., for Analytics), you may withdraw consent at any time. To exercise your rights, email info@weisscentralboutique.com. We will respond within one month as required by GDPR.

You may also lodge a complaint with the Romanian data protection authority (ANSPDCP): https://www.dataprotection.ro.

13) Targeted advertising

We do not currently run paid targeted ads. However, Google Analytics features are enabled to support future analysis. If we launch ad campaigns (e.g., Google Ads), we will update this policy.

14) Children

This site is intended for adults. We do not knowingly collect data from children under 18.

15) EEA/UK representative

Not applicable. We are established in the EEA (Romania) and do not require an Article 27 representative.

16) Changes to this notice

We may update this notice from time to time. The “Last updated” date at the top reflects the latest version.

17) Contact

For privacy questions or requests: info@weisscentralboutique.com
Postal: Erou Mircea Marinescu 5, Voluntari, Ilfov 077190, Romania

Privacy Policy | Weiss Central Boutique Brașov