Make a reservation from our mobile app for Android or iOS and you will receive back 10% of the paid amount. find out more »

Personal Data Protection Policy
/ for users of "Grabo Media" AD platform /

I. INTRODUCTION

This Personal Data Protection Policy of "Grabo Media" AD describes how we use, store and protect your private data, provided by you in connection with utilization of our services. This policy is an integral part of the General Terms and Conditions for using the website.

If you have any questions or comments related to this Policy, you may find information on the Contacts page how to contact us or to write to us directly.

Please read carefully this Policy before using our services. It is written in the most accurate and clear way, as much as possible, to ease you at reading and understanding it.

It is important to know that:

By registering in our platform, you agree with the Policy and explicitly confirm accepting it.

If you don't want us to process your Personal data in the manner described in the Policy, please do not provide them to us. Providing Personal data is voluntary with regards to the usage of our platform services or providing access to them. Your eventual rejection to provide the necessary data for usage of the services of our platform would mean rejection to use the respective services or to access them.

In certain cases your explicit consent for processing your Personal data may not be necessary, if another legal ground is present, for example: complying with the legal obligations of the Administrator; necessity for execution of a contract, etc.

The inspection body related to the Personal data protection is: Commission for Personal Data Protection.

II. TERMS

THE COMPANY or THE ADMINSTRATOR: "Grabo Media" AD, EIK 203412406, with registered and head office Bulgaria, Plovdiv, bul. Iztochen 94, fl.6.

PERSONAL DATA: Any information related to a natural person who is identified or may be identified directly or indirectly by identification number or by one or more specific features.

PROCESSING OF PERSONAL DATA: Any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by supply, dissemination, update or combination, blocking, erasure or destruction of data.

PERSONAL DATA SUBJECT: Any natural person whose Personal data are being processed.

THE PLATFORM: The internet site Nastani.bg and all of its services.

Additional terms are clarified in General Terms of Website Use.

III. PERSONAL DATA

1. Types of Personal Data Subjects, Categories of processed data, Processing purposes, Storage period

Depending on the manner how persons use our Platform and the services it delivers, they are categorized in several subsections listed below. According to them, subject data is processed in separate Personal Data Registers, where in each of them the processing may include different categories of data, purposes and reasons, storage periods, safety measures and others.

One and the same person may be listed simultaneously in more than one of the subsections shown. For example, every Registered user is also a visitor; every User-buyer is also a Registered user and a Visitor.

a. Visitors

A Visitor is any person who loads in his web browser a page part of the Platform, or who visits its different sections or pages (irrespectively whether via direct entering of the electronic address in the browser or via a link from another internet site or resource).

Categories of data that may be processed: Online identificators, saved on local cookies on the visitor's device/browser; Location data, selected by the visitor; Country/City Data, based on the IP address of the user device, which is an integral part of the information received by every web site; Information about performed actions by the user in the Platform; Subject Preferences related to the specific aspects and settings of platform functionalities; Information about the type of the used browser/device.

Purposes of processing: Delivering main and secondary functions, necessary for correct and complete Platform functioning; Visit count in the Platform; Providing necessary conditions for application of services on marketing platforms .

Storage period: Until the expiration of validity of each cookie (up to 1 year from the moment of saving it), carrier of the respective information, or until its deletion by the subject, in whose device/browser it is saved.

Legal grounds for processing: Given consent for Cookie Policy.

b. E-mail subscribers

An e-mail subscriber is any user who has subscribed for an automotive electronic email newsletter in the Platform for receiving letters via email, which contain different units of information from the Platform, commercial offers and others. The electronic newsletter is sent directly by the Administrator, without using external intermediary services.

Data categories that may be processed: Names, email address, location data, an integral part of service delivering, subscriber's Preferences about the subject of his subscription (interested in cities and locations, categories and others.; days set for receiving the letters and other settings), Information about used browser/device.

Processing purposes: Enabling and servicing of electronic subscriptions (email newsletters), which visitors subscribe for, for receiving via email different units of information from the Platform, commercial offers and others.

Storage period: Up to 1 year after termination of subscription by the subscriber or by the Administrator.

Legal grounds for processing: Given consent to be included in a recipient list (subscription to email newsletter).

c. Registered users

A Registered user is every user who executed his own registration in the Platform via entering email address (and/or username) and password, by which action he creats his own so called profile or account.

Data categories that may be processed: Main mandatory data: Names, Email addresses, IP addresses; Non-mandatory data entered by the user: Residential address, Telephone number, Gender, Age, Photo/avatar, Facebook profile, Google profile; Other data: Information about performed actions on the Platform by the subject, Information about the used browser/device.

Processing purposes: Maintenance and enabling the user to register own account which allows usage of services on the Platform as: concluding distance contracts for purchases/reservations and publishing of reviews.

Storage period: 2 years after termination of registration by the user or by the Administrator, if there are purchases/reservations or orders done. If no such – after termination of the profile, which in this case is considered as withdrawal of consent.

Legal grounds for processing: Consent to General Terms at the time of profile registration.

d. User-buyers (Tourists)

User-buyer is every Visitor and/or Registered User who, through the technical tools of the Platform executes (or requests the execution of) Reservation / Sales Purchase Contract with a certain Trader-seller for the purpose of reserving/distance buying of offered by the latter service/goods on the Platform (or similar action).

Data categories that may be processed: Names, Address, Telephone number, E-mail address, IP addresses, Information about completed purchases, Information about actions performed by the Subject on the Platform.

Processing purposes: Enabling purchases via the Platform, by conclusion of distance contracts with Traders-sellers; Providing information to the respectiveTraders-sellers about purchases occurred in this respect and about buyers, which information is necessary for the execution of the contracts concluded and for delivering the respective purchased services.

Storage period: 10 years after the last completed purchase by the user-buyer.

Legal grounds for processing: Execution of contract with the respective trader-seller, concluded through the Platform.

e. Тraders-buyers (Хотелиери)

Trader-buyer is every person who offers his services/goods through the Platform for sales towards Users-buyers through conclusion of distance contracts. In the context of this policy, these may be: Natural persons, operating in their role as traders (sole proprietors, freelancers and others), as well as Natural persons - managers or proxies of companies which work with the Platform as traders

Data categories that may be processed: Names, Personal Identification Number/ID number, Address, Telephone number, E-mail address.

Processing purposes: Establishing and maintainingcommercial relations between the Administrator and the Traders-Sellers; Conclusion of contracts; Business communication; Enabling offer publishing on the Platform, their servicing and maintenance.

Storage period: 10 years after termination of legal relationship between the Company and the respective Trader-seller.

Legal grounds for processing: Execution of contract between the Company and the respective Trader-seller.

2. Your rights

In case we process your personal data, you have the following rights which you may exercise by sending a declaration to the Company's addess quoted above, or online - to info@nastani.bg, or via the webpage Contacts:

• Right of access to your personal data: You have the right to receive a confirmation from us whether your personal data is being processed and if this is the case, you have the right to access your personal data and information.

• Right to access your personal data: If you find out that the personal data which we process for you are inaccurate, you have the right to request from us correction of these personal data.

• Right of deletion of personal data (right to be forgotten): In certain circumstances, for example if your personal data are being unlawfully processed or you have withdrawn your consent (in case data processing is consent based) and there is no reason to continue their processing, you have the right to request deletion of your personal data from our side.

• Right to restriction of data processing: In certain circumstances, for example if you doubt your personal data accuracy or if you have our objected our legitimate purpose of processing your personal data, you have the right to request from us restriction of your data processing until a solution is found.

• Right to object against processing: In certain circumstances, for example if you doubt our legitimate interest in processing your data, you have the right to object for reasons, related to your specific situation, against such processing.

• Right to data portability: If your personal data are being processed with automotive tools with your consent or for the purpose of execution of our contract relations, you have the right to request from us to provide you with your personal data in a machine-readable format for transferring to another data controller.

• Right to file a complaint to a controlling institution: You have the right to file a complaint in relation the processing of your data by us to the respective controlling institution – Commission for Personal Data Protection, or to the court.

3. Personal Data Co-administrators (for data of Tourists/Users-buyers)

When making Reservation /Purchase Sale between the User-buyer and the Trader-seller/, by conclusion of a distance contract, this action creates legal relationships directly between the two parties. In the context of these relationships and for the purpose of execution of the contract, the Trader-seller (the Hotel Operator) receives from the Platform partial data about the User-buyer (the Tourist) - Names, also sometimes Telephone number, Address, E-mail address – depending on the specifics of the particular purchased service and its peculiarities. By this, the Trader / Hotel Operator has the statute of Co-administrator of these data, within the meaning of the legislation in force. As such, he has all accompanying obligations and responsibilities. The Company has explicitly informed the Trader about them and has confirmed his consent by means of a separate document.

4. Providing personal data to third parties

The Company does not provide data to third parties except for the following cases:

a. All described in the previous article;

b. In case we have a legal obligation to disclose or share data;

c. In case we have received the consent of the respective Personal Data Subject;

d. Digitally pseudonymised data about Visitors, Users and Subscribers of the Platform may be provided automatically to external services of our suppliers, which are integrated in the Platform for the purpose of visits count of our website or advertising. More information about these external services you may find in Cookie policy, as well as settings for opting out from individual types of services. Such opt out may be performed also through external tools (for Google Analytics – here; for Google advertising platforms – here; for Facebook Advertising platforms – here; for other platforms – here and here);

e. In certain circumstances, for the purpose of sending out informative SMS messages to users by the Platform, GSM numbers are provided via a technical channel to external services of our SMS messages suppliers, in order to execute the actual sending. Such circumstances are, for example: If you made a payment request with a deadline - to remind you about the approaching deadline; In case you use the option "Send via SMS", available for some functionalities on our website; If it is necessary to notify you about important information, related to a purchase, completed by you; If you request from us to send you certain information via SMS. We do not send SMS notifications for advertising purposes;

f. If a user-buyer has executed a payment and consequently this payment is being inspected by a banking or payment institution or by a legal authority due to suspicions for fraudulent or unidentified payment, or in case of investigation for abuses, the Administrator may present data of the User-buyer to the respective banking or payment institution or legal authority.

5. Data safety

We have taken the necessary technical and organizational measures, in order to guarantee the safety of your Personal Data against unlawful access or disclosure, occasional or illegal destruction or change.

The information in electronic form is stored on protected servers on the territory of the European Union, installed within professionally equipped and technically maintained facility for collocation of telecommunication equipment. Data transfer between servers and client device/browser is encrypted, via HTTPS.

6. Minor's personal data

The services provided by the Platform are intended for persons at the age of 18 and up.

If you are a minor, you are not allowed to use our services, without providing the Administrator with an explicit written permission by a parent or a guardian. If you use our Platform without such a permission, you are suppressing important information from us and mislead us. In this case, the Company is not liable for any circumstances whatsoever, which occur as consequences of this mislead from your side.

As a Data Administrator, we do not collect personal data from minors which may result in their identification.

7. IP addresses

Whenever the Company stores IP addresses of data subjects, this is being done for the purpose of providing an adequate cooperation to the users, when necessary, in different circumstances (for example: forgotten accounts, doubled registrations, purchases/reservations not found, statements about the status of purchases/payments, etc.). IP addresses are stored for up to 1 year (this period is customized to correspond to the behavior of part of the Platform audience in respect of frequency of purchases and other activities). IP addresses are not provided to third parties in any circumstances, except the described exempts in Chapter III, art.4.

IV. Cookies

The Platform, as well as the external services it utilizes, which are delivered by third parties, use cookies for temporary storage of tiny bits of information for the purpose of proper functioning and delivering of best services possible. Detailed information about cookie types used, also settings, deletion and others, you may find in the following document - Cookie policy.

V. CLARIFICATION OF CERTAIN PROCESSES AND TECHNICAL STEPS

1. During registration in the Platform through external tools (“Log in with Facebook login”, “Log in with Google”)

Whenever a User, for the purpose of registration (or consequently after registering) uses the tools for creating a link between his account in the Platform and his account in Facebook or Google, with this particular action he authorizes the Administrator to receive his partial data from his profile in the respective external service, allowed to be shared by the User via his settings in the respective external service, during which:

a) The Administrator may receive data of the User like Names, Gender, Age, Resident Address, Photo/Avatar, which data are added to the account created for the User in the Platform.

b) The Administrator may receive data of the User about interconnections with other users (online friendships), which data are added to the User data in the Platform (transferring of online friendships).

c) The Administrator may be given the possibility, through the respective external service, to send notifications to the User, sent within the scope of the respective external service, for communication or marketing purposes (for example: private notifications in Facebook).

The information, which the Administrator may receive through automatic technical means and which he processes according to the described manner, is absolutely determined by the User – through his settings within the scope of the respective external service (Facebook, Google), where he has an account and which account he decided to connect with his account in the Platform. Registering the User to these external services is considered as consent for processing of the data, delivered through them.

2. During reservation process (conclusion of a Distance Sales Purchase Contract)

By declaring the execution of a distance purchase, every user agrees that:

a) The action of concluding a distance contract with a certain Trader-Seller incurs legal relations directly between the User-buyer and the Trader-seller, in which legal relations the Administrator is not a party;

b) By this, aiming execution of the contract and according to the described in Chapter III, art.1/c and art.3, the Trader-seller receives from the Platform partial Personal data about the User-buyer, where the Trader has the statute of a Co-administrator of these data.

3. When publishing user reviews

In certain cases the TOURIST (User-buyer) has the possibility to publish his review and rating about the HOTEL OPERATOR (Trader-seller), in connection with the purchased service via concluded distance contract (hotel accommodation). Thus, the review published by the User becomes publicly accessible and visible on the Platform, including: its Content, Publisher's Name, Photo/Avatar.

4. During subscriptions

Besides the opportunity for email subscription outlined in Chapter III, art.1/b of this Policy, the Platform maintains also alternative technical solutions a certain Visitor to subscribe for receiving information. Such solutions are the so-called Web-push notifications (notifications through the browser) and Notifications via mobile applications.

They operate in the following manner: The browser/device pops-up a dialog box to the Visitor, where he's been asked whether he wants to subscribe for such notifications. If the Visitor confirms his intention, the subscription is being, while a special token is generated within the browser/device, which is sent to the server and through which, consequently, the server is able to send notifications.

At anytime the Visitor has the opportunity to terminate his subscription (to unsubscribe from these notifications) via the settings of his browser/device. It is possible that the Platform provides additional settings to the Registered User via the settings in his account, by which to personalize or regulate the sending of notifications.

5. References to external websites

Separate pages of the Platform may include links/references to other (external) websites. They are part of content published on the Platform by third parties. If you visit an external website via a reference, available in the Platform, the Company is not liable for the content of this external website, for its services and functionalities, as well as for its Personal Data Protection Policy. We advise you always to familiarize yourself with the policies of the visited websites.

VI. FINAL PROVISIONS

1. More information about the manner of operation of the Platform may be found in the General Terms and Conditions for Website Use, of which this Policy is an integral part.

2. Any eventual future changes in this Policy will be published on this webpage.