Terms and conditions

Home > Uncategorized > Terms and conditions

Terms and Conditions

Dear guests,


We wish to offer you an unforgettable experience at Euforia Retreat and Spa and, for this reason, we have established a series of principles and rules which we respectfully ask you to observe both during and after the end of your stay. The regulations apply to all guests, who accept them by the very fact of their accommodation at Euforia and are required to comply with them without limitations or reservations.

Reservation
The reservation can be made directly on the website www.euforia.ro, by e-mail at hello@euforia.ro , or by phone at +40 738 111 155. Guests who have booked their stay through a partner agent are required to comply with the regulations mentioned below. Reservations will be maintained, guaranteed, and cancelled depending on the booking channel and the adopted payment policy. Euforia clients shall refer to the payment regulations displayed on the booking platform, to the regulations available on www.euforia.ro, or to the contracts signed with direct partners for the above-mentioned conditions.

Reservation cancellation
Any cancellation of a room reservation must be sent in writing to the e-mail address hello@euforia.ro . The refund of the reservation amount will be made in accordance with the payment policy under which it was purchased.

Rates
Euforia rates vary depending on the selected room type, availability, day and season, as well as the number of guests (more details are available on the booking page).
For more information, please consult our website www.euforia.ro.

Arrival and departure
Room check-in is available starting from 15:00.
Room check-out must be completed before 11:00.
If, on the first day of the stay, the guest wishes to access the room before the check-in time mentioned above, the request will be honored subject to availability. If the request cannot be honored, we provide a secure place for luggage storage until check-in.
If, on the last day of the stay, the guest wishes to vacate the room after the established check-out time mentioned above, the request will be honored only subject to availability.
In the event that the room is not vacated by the check-out time and another guest must check in to that room starting from the established check-in time, we reserve the right to collect the guests’ belongings from the room and store them in a secured area. In this situation, it is considered that we have the guest’s consent to collect their belongings, and the guest may not subsequently make any claims of any kind regarding the disappearance/loss of luggage/personal belongings or violation of privacy resulting from the fact that their belongings were collected and stored by the staff of Euforia Retreat and Spa.
Guests who vacate the rooms by the maximum check-out time may leave their luggage in a space dedicated to this service for a period of 24 hours free of charge, if this service is available at Euforia Retreat and Spa.
For luggage stored for more than 24 hours, storage fees will be charged.
All requests for check-in and check-out at times other than those provided for herein will be clarified and honored only insofar as we do not have firm confirmations for those accommodation spaces.
A stay of less than 24 hours is charged at the rate of a full day.

Accommodation of children aged 0–2 years
Accommodation for children aged between 0–2 years is free of charge, and baby cots can be provided upon request, subject to availability. The number of children per room may vary depending on the room type, therefore availability must be confirmed at the reception or by phone.
Children over the age of 2 must use one of the accommodation spaces in the room, either a bed or a sofa bed/extra bed. For breakfast, a supplementary cost of RON 50/night will apply for children aged between 2 and 7 years, and a supplementary cost of RON 100 will apply for children aged between 7 and 18 years.
Accommodation of groups larger than the maximum room capacity will not be possible, even if the reservation has been paid.

Accommodation of minors
A minor is a person who has not reached the age of 18.
Euforia does not accept accommodation for minors who are not accompanied by parents or legal guardians, except for those participating in hiking activities, camps, trips, competitions, or other similar activities, accompanied by teachers, coaches, or guides.

Accommodation
Guests acknowledge the following rules and undertake to comply with them:
– not to damage the furnishings or objects within the complex; otherwise, they owe an amount equal to the value of purchasing/installing the damaged object and the related labor costs;
– not to take hotel property upon departure;
– to maintain quiet so as not to disturb other guests;
– not to use towels or bed linen for: wiping dyed hair, removing makeup, cleaning footwear, suitcases, floors, etc. Towels are to be used exclusively for personal hygiene. If towels or bed linen damaged by improper use by the guest are identified, they will be charged as damages and paid by the responsible guest. Otherwise, Euforia Retreat and Spa reserves the right to cancel the guest’s reservation and evict the guest without refunding the value of the paid services;
– not to enter other rooms or areas designated exclusively for staff without the permission of Euforia Retreat and Spa;
– to announce visitors who are not accommodated at Euforia Retreat and Spa; their access to the rooms will only be allowed after identification and registration using the hotel’s contact number;
– to limit the number of accommodated persons to the maximum room capacity. Accommodation of groups larger than the room capacity will not be permitted;
– not to leave children unattended in any of the areas of Euforia Retreat and Spa; any accident resulting from lack of supervision of children on the hotel premises is not our responsibility, but that of the persons accompanying the children and entrusted with their supervision;
– to notify as soon as possible any malfunction of equipment, installations, or other technical/furnishing non-conformities within Euforia;
– any accident resulting from improper use of the provided equipment or from using the hotel facilities without complying with the applicable safety rules is not our responsibility;
– after use and before leaving the room, unplug chargers of electrical/electronic devices (laptop, mobile phone, camera, etc.) from the power outlets;
– it is strictly forbidden to bring firearms, bladed weapons, or tear gas substances into the premises of Euforia Retreat and Spa. According to Romanian law, the consumption or commercialization of hallucinogenic or psychotropic substances is prohibited and punishable;
– do not dispose of objects in the toilet that may cause damage to the waste collection system;
– nudism or any form of exhibitionism is not permitted within the premises of Euforia Retreat and Spa;
– garbage and household waste must be disposed of in the waste bins located in the room;
– it is not permitted to bring into the premises of Euforia Retreat and Spa objects/goods that emit persistent and disturbing odors;
– parents, guardians, or companions are responsible for the actions of minors and undertake to take care of them, ensuring that they behave civilly and do not disturb other guests;
– please inform the staff of Euforia Retreat and Spa about any allergy or food or other intolerance;
– running or practicing any sport in the lobby or hotel hallways is not permitted;
– our unit exclusively provides accommodation services, and the use of the premises for commercial purposes—such as organizing photo or video shoots—is not permitted without prior written consent, which may be requested at the e-mail address hello@euforia.ro. These additional services may involve extra costs.

Dress code
Euforia Retreat and Spa does not enforce a specific dress code, but we recommend decency and respect towards both other guests and staff.

Payment methods
For payment of Euforia Retreat and Spa services, credit cards (Visa, Mastercard, Maestro), cash payment (RON), and bank transfer are accepted (for invoicing purposes, please present the bank-stamped payment order upon arrival). Euforia accepts holiday vouchers issued by Pluxee, Up Romania, and Edenred.
Except for already concluded contracts and prepaid reservations, please note that payment or card pre-authorization is mandatory at check-in.
The fiscal invoice is issued upon the client’s request and no later than the date of collection of the reservation amount. After this date, issuance/modification of the invoice is no longer possible, in accordance with legal provisions. The fiscal invoice for individuals is issued only in the name of the reservation holder.
For reservations made through third-party platforms (e.g. Booking.com), the collection date varies depending on the pricing policy chosen by the guest.
Please note that the invoiced amount for reservations made through third-party platforms corresponds to the amount actually collected by the service provider, which may differ from the amount paid by the beneficiary to the platform.
Refunds can only be made in RON or EURO.

Gratuities and service costs
Gratuities for hotel staff are at the discretion of the guests.

Smoking
Traditional smoking and electronic cigarettes are not permitted inside Euforia Retreat and Spa, in accordance with the legislation in force. Smoking is permitted on terraces and balconies

Euforia provides exclusively non-smoking accommodation spaces; smoking inside the rooms is strictly prohibited. If the provisions of these regulations are not observed and guests smoke inside the room, a fee of RON 1,000 will be applied, representing the cleaning/sanitation services of the room.

Pets
Access to the premises of Euforia Retreat and Spa by guests accompanied by animals or birds is strictly prohibited.

Parking
Both public and private parking spaces are available at Euforia Retreat and Spa. We assume no responsibility for damage to vehicles within the parking area.

Safety of personal belongings
Euforia is equipped with certified electronic systems for monitoring access to rooms.
We assume no responsibility whatsoever for items forgotten, lost, or allegedly stolen within the premises of Euforia.

Special assistance
Our wish is to ensure the best possible conditions for persons with disabilities. As we are located in an interwar building, access to the rooms is possible only via stairs. We do not have ramps or elevators for wheelchairs.
If you require special assistance of any kind, please inform us in advance so that we may offer you the most pleasant stay possible.

Swimming pool / Jacuzzi / Spa center
Access to the swimming pool/jacuzzi/spa center is prohibited for all persons under the influence of alcohol or psychotropic substances, with indecent appearance, or wearing dirty clothing.
Access to the swimming pool/jacuzzi/spa center is prohibited for persons with open wounds, dermatitis, dermatoses, or any other communicable diseases or contagious skin conditions. Hidden or undeclared health conditions exempt the hotel from any liability.
Access to the swimming pool/jacuzzi is permitted only after taking a shower.
Smoking within the swimming pool area, sunbed area, spa center, and jacuzzi is prohibited.
Entry into the swimming pool/jacuzzi is permitted only while wearing a swimsuit; entry into the water in casual clothing or underwear is not allowed. Persons who do not comply with this rule will be denied access to the swimming pool. For persons with long hair, tying the hair and wearing swimming caps is recommended.
Access to the swimming pool with food products or any type of beverages is prohibited (with the exception of products and beverages purchased from Euforia Restobar Restaurant).
Throwing objects into the swimming pool is prohibited.
Nudity or indecent behavior is prohibited.
Access with personal sound systems (wireless speakers, etc.) is prohibited.
Access to the swimming pool/jacuzzi with pets is not permitted.
Access to the swimming pool is allowed only to guests accommodated at Euforia Retreat and Spa Hotel.
Running and reckless games on the edge of the pool are not permitted. Pushing persons into the water from the poolside is prohibited. Jumping into the swimming pool is not permitted. Euforia Retreat and Spa does not assume responsibility for any accidents or health problems caused by these reasons or by any other incident resulting from failure to comply with the rules imposed by the hotel.
Urinating in the swimming pool/jacuzzi water is strictly prohibited.
The use of obscene or inappropriate language, indecent or violent gestures, as well as behavior that affects the comfort and physical integrity of others, guests, or hotel staff, is prohibited.
Children under 12 years of age must be accompanied and permanently supervised by an adult. Children up to the age of 3 must wear special swimming diapers when entering the water and must be carefully supervised by an adult.
In the event of damage or improper use of goods within the swimming pool/jacuzzi/spa center/hotel, the responsible persons shall fully bear the damage caused. Refusal to cover damages caused by improper use of equipment, facilities, spaces, or any other goods provided by Euforia Retreat and Spa entails the consequences provided by applicable regulations and legislation.
In the event of damage to equipment or property of the Spa Center caused by improper use, the person concerned shall bear all costs necessary to restore the affected equipment or property to working condition.
Commissioning, changing parameters, or stopping equipment shall be carried out only by the employed staff of the Spa Center. For any of these actions, guests shall address the Spa Center staff.
Euforia Retreat and Spa assumes no responsibility for the loss or disappearance of personal belongings left or forgotten in the locker rooms, halls, terraces, lobby, swimming pool, sunbeds, etc., as well as for valuables left unattended. Please do not leave valuables visible or unattended.
We recommend undergoing a medical examination before starting to use the Spa Center, as you are obviously and personally the sole person responsible for your health.
Euforia Retreat and Spa assumes no responsibility for the deterioration of your health condition resulting from failure to comply with the rules for using the equipment and facilities offered by the spa center.
Euforia Retreat and Spa assumes no responsibility for damage to your health and/or property caused by the illegal actions of third parties.
When using saunas/jacuzzi, please undergo a specialized medical check to avoid affecting your health. Before starting any procedure, check the contraindications and immediately stop any procedure as soon as you experience discomfort, pain, nausea, dizziness, etc.
If you wish to book and benefit from massage or body wraps (regardless of type and duration), please inform the massage salon staff if you suffer from any condition that may be aggravated during these procedures. The massage salon staff may refuse a client who suffers from certain conditions if they consider that massage procedures could aggravate such conditions.

EUFORIA Retreat and Spa assumes no responsibility in the event of aggravation of conditions resulting from massage or body wrap procedures if the client did not inform the staff of this aspect.

Confidentiality of information
If you contact us by e-mail or through the website, we reserve the right for the data concerning you to be processed for direct marketing purposes.
We will never use your name or other information about you without first obtaining your consent. You will have the possibility to inform us whether you wish to receive such information in the future.

Processing of personal data
In accordance with the provisions of EU Regulation 679/2016 regarding the processing of personal data and the free movement of such data, HARAS S.R.L. (the company that owns the registered trademark Euforia Retreat and Spa) has the obligation to administer personal data and representative images provided by individual clients safely and only for specific, explicit, and legitimate purposes.
HARAS S.R.L. processes personal data for the purpose of providing accommodation services, for the following purposes:
Room reservations and other tourist services; personal data processing is carried out on the basis of a legal obligation;
Confirmation of reservations and card pre-authorization, based on the legitimate interest of the company;
Invoicing of tourist accommodation services, based on legal obligations;
To communicate with you for various purposes such as obtaining your opinions regarding our services, resolving complaints, or offering personalized services in a timely manner, electronically or by phone, based on the legitimate interest of the company;
Providing information by e-mail, special offers, events, and/or other forms of advertising, based on consent;
Providing information by e-mail or phone regarding forgotten items, receipt of parcels or messages, based on legitimate interest.
Euforia Retreat and Spa clients provide the data requested by HARAS S.R.L. for the purpose of carrying out or initiating legal relations with the company, in compliance with legal provisions.
The refusal of individuals to provide these data results in our company’s inability to provide the requested services, making it impossible to comply with the requirements of specific regulations in the hotel and fiscal fields.
Consent regarding the processing of personal data (telephone number, e-mail address) is given voluntarily. This consent may be withdrawn at any time, with future effect, through a free notification to Haras S.R.L. The notification of withdrawal of consent may be made, for example, by e-mail to hello@euforia.ro.
Please note that withdrawal of consent does not affect the lawfulness of data use prior to the withdrawal (the notification does not have retroactive effect). If consent is not given or has been withdrawn, we will be unable to provide the requested services, and personal data will not be used for communication, marketing, or feedback purposes. If you have any questions regarding this consent statement or the protection of data by Haras S.R.L. in general, please do not hesitate to contact our data protection officer at the e-mail address: hello@euforia.ro .
In accordance with the provisions of EU Regulation 679/2016, individuals benefit from the following rights: the right to receive information regarding the processing of personal data and a copy of the processed data, the right to intervention, opposition, rectification, withdrawal of consent at any time, the right to request deletion of data, the right not to be subject to an individual decision, and the right to lodge a complaint with a supervisory authority.
To exercise these rights, you may contact our data protection officer at any time at the e-mail address: hello@euforia.ro, by submitting a written, dated, and signed request specifying the data in respect of which the respective right is requested.

For further information, please consult the Personal Data Protection Regulation available at hello@euforia.ro .

Haras S.R.L. is registered with the National Supervisory Authority for Personal Data Processing, General Register Number: 22447.
The personal data belonging to Euforia Retreat and Spa clients are processed in good faith and in accordance with the legal provisions in force. They are collected only for specific, explicit, and legitimate purposes, and any subsequent processing shall not be incompatible with these purposes.
Personal data are processed in accordance with the rights of the data subject. The persons whose data are processed have the right to obtain from Haras S.R.L., upon request and free of charge, the rectification, updating, blocking, or deletion of such data, insofar as the processing is not compliant with EU Regulation 679/2016 or the data are incomplete or inaccurate.
The data subject has the right to object at any time, on justified and legitimate grounds, to the processing of data relating to him/her, except in cases provided by law. In the event of a justified objection, the processing may no longer concern the respective data. The data subject also has the right to object, at any time and free of charge, without any justification, to the processing of data relating to him/her for direct marketing purposes, on behalf of the Operator or a third party, or to their disclosure to third parties. For this purpose, the data subject shall submit a written, dated, and signed request, and the measures taken by the Operator shall be communicated within 15 days from the date of the request.

Environmental protection policy
Environmental protection represents a permanent concern for us; therefore, we promote a responsible attitude in this regard.
The detergents used by our partners for washing and sterilizing bed linen, towels, tablecloths, and bathrobes are biodegradable, and reducing their use contributes to better conservation of the environment.
In accordance with the standards of a 4-star hotel, bed linen and towels are mandatorily changed upon room release, and during ongoing stays they are changed at regular intervals of no more than 2 days.
In order to encourage responsible consumption and reduce environmental impact, guests may choose to extend the use of towels and bed linen, in accordance with the “Pro Natura” messages displayed in the room.
At the guests’ request, additional towel or linen changes or extra cleaning services may be provided, subject to team availability.

Disputes and complaints
We reserve the right to charge our guests’ cards, independently of their consent, in at least the following cases:
– they have left the premises of Euforia Retreat and Spa without paying for the services they benefited from;
– they have caused damage or destruction;
– they have departed with items that do not belong to them and whose value they have not paid;
– they have not cancelled the reservation within the established deadline.
Any controversy, dispute, or complaint that may arise from the application of these terms and conditions shall be attempted to be resolved amicably. If this is not possible, it shall fall under the jurisdiction of the courts of law.

Program for the removal of undesirable clients
The client must comply with the customs of Euforia Retreat and Spa. The client must respect both quietness and the rules of social coexistence and moral standards.
The client of Euforia Retreat and Spa must also take care of the goods made available for use during the accommodation period.
Any breach of hotel customs or of moral and social coexistence norms entitles Euforia Retreat and Spa to immediately terminate the contract/accommodation, without any prior notice.
We reserve the right to refuse accommodation to guests who are intoxicated, impolite, or disruptive, who through their attitude harm the image of Euforia Retreat and Spa or disturb other guests. The value of any destruction or damage to material goods belonging to Euforia Retreat and Spa shall be borne by those responsible for causing them.
We reserve the right to evict from the hotel premises guests with inappropriate behavior.
Taking into account the above, we reserve the right to select our clients.
We do not tolerate: uncivilized or aggressive behavior, obscene physical or verbal manifestations, inappropriate tone, insults, physical or sexual harassment, or any physical or psychological abuse of a person, guests, or any person within the Euforia Retreat and Spa premises.
The management of Euforia Retreat and Spa may cease providing services to those guests who do not comply with the Hotel Regulations.

Services offered
Guests accommodated at Euforia Retreat and Spa benefit from a preferential offer of free and paid services. Euforia Retreat and Spa guests have free access to the swimming pool, steam sauna, dry sauna, jacuzzi, and physiotherapy room, during operating hours, with the mention that certain services may be subject to prior reservation. For paid services, additional information can be obtained at the Euforia Retreat and Spa contact number or at reception (certain services have limited availability).

Final clauses
We consider that any client, at the moment of accessing any service offered by Euforia Retreat and Spa, has become aware of the above-mentioned terms and conditions and has tacitly accepted them.
HARAS S.R.L. assumes no responsibility for clients’ failure to comply with the Terms and Conditions and shall not grant moral or financial compensation in the event of accidents or loss of personal belongings.

Amendments to terms and conditions
The terms and conditions may be modified at any time by Euforia Retreat and Spa without prior notice.

Privacy policy
Respect for the right to the protection of personal data, as well as the right to private life, is one of the missions fully and consciously assumed by the staff and management of EUFORIA Retreat and Spa – S.C. HARAS SRL., headquartered in Eforie Sud, Ion Movilă Street no. 21, Constanța County, registered with the Trade Register under no. J1994004702134, unique registration code RO 6739127, acting as controller.
Thus, we undertake all necessary steps to process your personal data in accordance with the principles established by the data protection legislation applicable in Romania, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”).

Privacy policy for the processing of personal data – HARAS S.R.L.
Respect for the right to the protection of personal data, as well as the right to private life, is one of the missions fully and consciously assumed by the staff and management of EUFORIA Retreat and Spa – S.C. HARAS SRL.
Thus, we undertake all necessary steps to process your personal data in accordance with the principles established by the data protection legislation applicable in Romania, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), registered with ANSPDCP, personal data controller no. 22447.

1.General information about the controller

Data controller: HARAS SRL., a company specialized in hotel services (hereinafter referred to as EUFORIA Retreat and Spa) with registered office: Constanța County, Eforie Sud, Ion Movilă Street, no. 21.
Trade Register registration no.: J1994004702134.
Unique Registration Code (CUI): RO 6739127.
Contact details: Telephone: +40 738 111 155, Email: hello@euforia.ro.
Data Protection Officer (DPO): Email: hello@euforia.ro.
HARAS S.R.L. processes personal data in accordance with Regulation (EU) 2016/679 – the General Data Protection Regulation (GDPR) and the applicable national legislation. This policy explains what data we collect, for what purposes we use them, the legal bases, with whom we share them, how long we retain them, and how we ensure their security. We also present the rights of data subjects and how these can be exercised. The document has a formal tone and is updated to date, in accordance with GDPR best practices in the year 2025.

Terms of use of the online platform
By using the booking and online services platform made available by EUFORIA Retreat and Spa, you expressly accept and undertake to comply with the Terms and Conditions of use published on our website.
The Terms and Conditions, together with the booking forms or the registration forms for the offered services, constitute the contractual agreement between EUFORIA Retreat and Spa (Service Provider) and you (Beneficiary), based on which you acquire the right of temporary use of the account and associated services, after paying the value of the selected services.
We recommend that you read the Terms and Conditions carefully before using the platform. Failure to accept them implies the impossibility of purchasing and using the online hotel services offered. EUFORIA Retreat and Spa reserves the right to update or modify the Terms and Conditions without prior notice. Continued use of the platform after the changes represents your express agreement with the new conditions.
Violation of the Terms and Conditions may lead to the suspension or termination of access to the platform and related services.

  1. Definitions of key terms

For clarity, understanding the following terms is essential:
Personal data: any information relating to an identified or identifiable natural person (called the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier (such as name, personal numerical code, location, online identifier) or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural, or social identity. In practice, examples of personal data include: first and last name, address, telephone number, email address, series and number of the identity document, IP address, cookie identifiers, accommodation preferences, etc.
Processing: any operation or set of operations performed on personal data, whether or not by automated means. This includes, for example: collection, recording, organization, storage, alteration, consultation, use, transmission, dissemination or otherwise making available, restriction, erasure, or destruction of data. In practice, processing covers any action carried out with personal data from the moment of collection until their erasure.
Data subject: the natural person whose personal data are processed by the controller. In the context of EUFORIA activities, data subjects may be hotel clients (accommodated guests), persons who make reservations or request offers, website visitors, persons subscribed to the newsletter, etc.
The data subject benefits from the rights and protection provided by the GDPR throughout the processing of their data.

Controller: the entity that determines the purposes and means of processing personal data. In this case, EUFORIA acts as controller, as it decides why and how the personal data collected from clients and users are processed. The controller has the responsibility to ensure that all data processing is carried out in accordance with the GDPR.
Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. For example, an IT service provider that hosts the hotel’s database or an email marketing platform used by the hotel acts as a processor, processing the data only in accordance with the controller’s instructions and the contract with the controller.
Supervisory authority: an independent public authority which, according to the law, has the competence to supervise compliance with data protection legislation. In Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP) is the responsible supervisory authority. Data subjects may file complaints with ANSPDCP when they consider that their rights regarding personal data have been infringed.

  1. Categories of personal data collected

EUFORIA collects different categories of personal data, either directly from you or automatically through the use of our online services. We do not collect more data than necessary in relation to the specified purposes. We detail below the types of data collected:

3.1 Data collected automatically
When you access our website or interact with our online presence, certain data are collected automatically by our IT systems or through cookies and similar technologies:
IP address and online identifiers: the IP address from which you visit the website, the browser user-agent, unique device identifiers, cookie ID, session IDs or mobile device IDs. These data are collected automatically by our servers and web analytics services in order to ensure the security of the website and for usage statistics.
Cookie-type data: small files placed on your device (computer, tablet, phone) when you visit our website. They can record browsing preferences (for example, selected language, products added to the booking cart, sections visited) and can collect information about how you use the website (time spent on pages, pages accessed, actions performed). Details about the specific types of cookies used by us and their purposes are presented below, in the Cookies Section.
Electronic location data: if you visit the website from a mobile device or have location enabled, we may receive general information about the geographic area where you are located (based on IP or GPS, with your consent). These data may help us display appropriate content (for example, the correct language version of the website or local offers).
Logs and usage data: our systems may record in technical logs the actions performed on the website or applications (e.g., time of access, any errors, forced exits). This information is used to monitor the performance of our online services and to detect and prevent potential security or operational issues.
Note: Automatically collected data (such as IP and cookies) are not used for direct identification, but may become personal data if associated with other information (for example, if an authenticated user is identified through a cookie). These technical data primarily help us ensure the proper functioning and security of our platforms.

3.2 Data collected directly from you
In direct interactions with you, we collect only the data necessary for providing hotel services, processing reservations, effective communication, and fulfilling legal obligations. These data are provided directly by the data subject (for example, when you complete a reservation form, check in at the hotel, or subscribe to the newsletter). The main categories include:
Identification data: first and last name, series and number of the identity document (ID card/passport), personal numerical code (CNP) where legally required, citizenship. These are necessary, for example, at check-in to complete the accommodation registration form in accordance with the legislation (Government Decision H.G. 237/2001) and for identity verification at check-in.
Contact data: phone number, email address, postal address (domicile/residence). We use these data to send you reservation confirmations, contact you regarding requests or possible changes (phone/email), as well as for issuing invoices (address).
Data necessary for reservation and accommodation: details about the desired or completed stay – for example, arrival and departure dates, number of nights, number of persons (adults and children) included in the reservation, the requested room type or package, accommodation preferences (such as preferred floor, non-smoking room, etc.), interaction history with the hotel (if you have stayed with us in the past and any preferred rooms). This information helps us manage the reservation efficiently and offer you personalized services.

Payment and invoicing data: information necessary for processing payments and issuing fiscal documents – for example, bank card details (if you make the online payment through a secure payment platform), bank account (for possible returns/refunds), company name and tax code (if you request the invoice to be issued to a company), the history of issued invoices.
 Note: EUFORIA does not directly store the full details of bank cards; online payments are processed through certified partners (e.g., Netopia Payments, EuPlătesc), which ensure transaction security. We receive only the payment confirmation and the data necessary for issuing the invoice.
 Data communicated in correspondence: the content of the messages sent to us (via email, contact form on the website, messaging on social networks, or chatbot). These may also include other personal data voluntarily provided by you when requesting information (e.g., dietary preferences communicated for a reservation, estimated time of arrival, special anniversary requests, etc.). We will process this information only to respond to requests and provide you with the requested service.
 Marketing/optional data: first and last name, email address or phone number, provided for example upon voluntary subscription to our newsletter, participation in contests, or completion of feedback/opinion forms. These data are used with your consent for the purpose of communicating promotional offers, hotel news, holiday greetings, or satisfaction surveys. You may withdraw your consent at any time (for example, by unsubscribing from the newsletter).
 Identity documents/copies of documents: in certain situations we may make copies of the identity document or passport (for example, at check-in, if legislation requires it for the registration of foreign citizens). These copies are used exclusively for compliance with legal requirements and are stored securely, with restricted access.

3.3 Sensitive data (special category)
 In general, EUFORIA Retreat and Spa does NOT collect or process sensitive personal data (as defined by the GDPR – data concerning racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, data concerning health, sex life or sexual orientation), unless this is absolutely necessary. We do not normally request such information at the time of reservation or accommodation.
 However, there may be specific situations in which we process data considered sensitive, but always with additional protective measures and, where applicable, with the explicit consent of the data subject:
 Health or mobility information: for example, if a guest informs us that they have reduced mobility or a certain disability and requests an adapted room (such as wheelchair access, special shower, lower floor, etc.), we will process this information about their health in order to ensure appropriate conditions. Similarly, if food allergies or medical restrictions are communicated (for meal services), we will use these data strictly to protect the client’s health.
 Data regarding children/minors: in the context of family reservations, we may collect data about your minor children (name, age/date of birth) in order to calculate rates (children may benefit from free accommodation or discounts depending on age) and to prepare appropriate services (e.g., extra bed, children’s menu). These data are provided by parents/guardians and are used only for the purpose of providing the requested services.
 Processing of data of children under 16 years of age will be carried out only with the consent of the parents or legal representatives, in accordance with Art. 8 GDPR.
 Important: Any sensitive information communicated will be used exclusively for the purpose for which it was provided, with strict observance of confidentiality. EUFORIA applies enhanced security measures for such data (restricted access, encryption, anonymization where possible) and will not transmit them to third parties unless it is necessary for the performance of the service (e.g., informing the restaurant about an allergy, with your consent) or if we are legally obliged.

  1. Purposes and legal bases for the processing of personal data
     EUFORIA collects and uses your data only for legitimate, explicit purposes appropriate to our hotel activity. In this section we detail the purposes of processing and provide concrete examples, as well as the legal basis for each processing operation under the GDPR.
     We ensure that for each purpose there is a valid legal basis (such as performance of a contract, legal obligation, consent, or legitimate interest). We will not use your data for other purposes incompatible with those below, and if new processing purposes arise, we will inform you and, if necessary, obtain your prior consent.

4.1 Reservation and reservation management (contractual purpose)
 Description: When you request an accommodation offer or make a reservation at EUFORIA Retreat and Spa (directly on the website, by phone, by email, or through agencies/online booking platforms), we process the personal data necessary to provide you with the requested information and to register the reservation.
 Processed data: first name, last name, contact data (phone, email), stay details (period, number of persons, desired room type), expressed preferences, and any mentions if you have previously been a client. If the reservation is made through a third-party platform (e.g., Booking.com, a travel agency), we will receive from those partners the data already provided by you in their system, in order to be able to honor the reservation.
 Specific purpose:
 Providing information and personalized offers: we use the data to send you a price and availability offer tailored to your request (e.g., depending on the number of persons, the age of children, the requested period).
 Confirming and guaranteeing the reservation: once you accept the offer, the data are used to issue a reservation confirmation, to hold the requested room in your name and, where applicable, to process the payment of the advance or guarantee (through the agreed payment processors).
 Legal basis: The processing of these data is based on the performance of a contract or steps taken prior to entering into a contract (Art. 6(1)(b) GDPR). In practice, providing the data is necessary in order to conclude and perform the hotel services contract (your reservation). If you do not provide us with this essential information, we will not be able to register or confirm the reservation. At the stage of requesting an offer (when a contract has not yet been concluded), the collection and processing of data also take place in this pre-contractual context, at the request of the data subject to take steps to conclude a contract (a possible reservation).

4.2 Accommodation and provision of hotel services (contractual and legal purpose)
 Description: At the time of accommodation at the hotel (check-in) and during your stay, we process the data necessary to provide you with the requested services and to comply with legal obligations regarding the recording of tourists.
 Processed data: In addition to the data already provided at the time of reservation, at check-in you will be requested to provide: the identity document for verification and completion of the Arrival and Departure Notification Form (in accordance with Government Decision no. 237/2001, published in Official Gazette no. 92/2001), data on citizenship, date of birth, the guest’s signature, as well as the number of accompanying persons (including children). Also, if you have not paid in advance, we will process data related to payment for the stay (in cash or by card). During the stay, other operational data may also arise – e.g., special requests (cleaning hours, room service), messages left at reception, notes regarding preferences (preferred pillow, room temperature, etc.).
 Specific purpose:
 Guest registration and room allocation: we use the data from the identity document to complete the accommodation formalities required by law and to register you as a guest in our hotel system (PMS). This enables us to provide you with access to the room (preparing the key/access card) and to the included facilities.
 Actual provision of the contracted services: we use the data to ensure everything that was agreed – from preparing the room according to requirements, to providing meal services (if you opted for breakfast, half board, or all-inclusive), access to events or facilities (swimming pool, private beach), and responding to any requests during the stay. Also, identification data and room may be used to provide you with bills for consumed extra services (e.g., minibar, restaurant consumption charged to the room) and for issuing final invoices at check-out.
 Fulfillment of legal obligations regarding records and reporting: The data completed in the accommodation form are, according to the law, reported to the competent authorities (e.g., may be made available to police bodies or other authorities, upon justified request). Also, financial data regarding the stay (invoices, payments) are processed for mandatory accounting and fiscal records.

Legal basis:
 Performance of the hotel services contract (Art. 6(1)(b) GDPR): the processing of data is necessary in order to accommodate you and provide you with the requested services (without these data, we would not be able, for example, to grant you access to the room or to provide the included meals).
 Compliance with a legal obligation (Art. 6(1)(c) GDPR): the completion and storage of the accommodation form, identity verification and transmission of data to the authorities are processing operations required by the legislation specific to the hotel industry and population records. This category also includes accounting/fiscal obligations: retaining data from financial-accounting documents (invoices, receipts) for the period provided by law. Such processing operations are mandatory; refusal to provide the required data (e.g., refusal to present the identity document at check-in) may prevent the provision of the service, as the hotel cannot legally accommodate you without this information.

4.3 Communication with clients and assistance (contractual purpose or legitimate interest)
 Description: To ensure effective communication before, during, and after the stay, we use the contact details of clients and of persons who have requested information from us. This includes communication before arrival, during the stay, and after departure, on matters directly related to the provided services.
 Processed data: first name, last name, telephone number, email address, possibly the communication channel used (e.g., Facebook Messenger account if you interacted with our chatbot, WhatsApp account if you write to us there), as well as the history of previous communications with you.
 Specific purpose:
 Confirmations and pre-stay information: for example, we send by email the reservation confirmation, the order receipt or voucher, we may send instructions on how to reach the hotel, check-in/check-out times, the parking policy, or we may ask about the estimated time of arrival.
 Real-time assistance: during the stay, we may use the phone number to contact you urgently if unforeseen situations arise (e.g., a technical problem in your room when you are not present, which we wish to remedy) or to respond promptly to your requests (if you write to us on WhatsApp/Messenger with a request to reception, we will use your account data to identify you and respond).
 Satisfaction follow-up and resolution of possible issues: after leaving the hotel, we may contact recent clients to thank them, request feedback (see section 4.5 below) or to provide support regarding possible forgotten items, required invoices, etc. If you have filed a complaint or post-stay request, we will use the contact details to communicate to you the status of the resolution.
 Legal basis:
 Performance of the contract: many communications (such as reservation confirmations, pre-arrival information, support during the stay) are an integral part of the offered service and are based on the accommodation contract – we need to communicate with you to ensure that everything runs according to expectations.
 Legitimate interest of the controller: certain post-stay communications, such as satisfaction follow-up or resolving outstanding administrative matters, are carried out based on our legitimate interest in improving our services and maintaining a positive relationship with clients. However, we ensure that such communications do not prejudice your rights (for example, we will not misuse contact details in order to disturb you unnecessarily). In any case, you have the right to object to these processing operations based on legitimate interest, under the conditions of the law (see the section Rights of Data Subjects).

4.4 Commercial offers, direct marketing and newsletter (marketing purpose – consent or legitimate interest)
 Description: We wish to keep you informed about EUFORIA offers and news, but only if you want this. For this purpose, we process data to send commercial communications (email newsletters, SMS with special offers, personalized online advertisements) to clients or subscribers. We may also use your data to profile preferences at a general level, so as to send you offers that are as relevant as possible.
 Processed data: first name, last name, email address, telephone number (depending on the agreed communication channel), preferred language, history of previous reservations and interactions with the hotel (for offer personalization), online browsing data collected through cookies (e.g., if you visited the offers section on the website, we may use a remarketing cookie to display advertisements for our offers on other websites). The processing of these data for marketing purposes takes place only with your prior consent or based on the existing commercial relationship, in accordance with the law.
 Specific purpose:
 Sending periodic newsletters: if you have voluntarily subscribed to the newsletter (for example, by entering your email address on the website in the subscription section or you completed an offer request form), we will occasionally send emails with hotel news, promotional packages, seasonal offers, special events. Each message sent will include an easy unsubscribe option.
 Personalized offers for existing clients: based on your history with us, we may make a special offer if you have been a loyal client. We do this considering that it is in our legitimate business interest to retain clients, but we also ensure that we have provided you with the possibility to opt out. If you have been our guest, you may receive such offers within the limits permitted by legislation (Law 506/2004 and the GDPR allow communications to existing clients for similar products/services, with an easy right to object).
 Online promotional campaigns: we use marketing platforms (e.g., Facebook Ads, Google Ads) where hashed email addresses may be uploaded or website visitor cookies may be identified, in order to create advertising audiences. Thus, persons who have interacted with our website or have a profile similar to our clients may see targeted advertisements for the hotel (remarketing). These processes comply with the policies of the respective platforms and do not directly disclose your data to other users.
 Legal basis:
 Consent of the data subject (Art. 6(1)(a) GDPR): this is the main basis for sending marketing communications to persons who are not yet clients or to any person who voluntarily subscribes to the newsletter. We will use your email address or phone number only after you have clearly indicated the option to receive such messages (for example, by ticking that you agree or confirming the subscription through an email). You may withdraw your consent at any time (by unsubscribing or direct request), and we will immediately stop such communications. Withdrawal of consent does not affect the lawfulness of prior processing operations.
 Legitimate interest (Art. 6(1)(f) GDPR): in certain limited cases, such as promoting similar services to our recent clients, we may rely on our commercial interest in retaining clients. We do so only after we assess that sending those offers does not negatively affect your rights and expectations – for example, we will send rare and relevant messages, and we will always respect any objection expressed by you (the right to object to direct marketing).

4.5 Feedback, surveys and complaint handling (service improvement purpose – legitimate interest or consent)
 Description: Your opinion is important to us. After your stay or interactions with us, we may request feedback or invite you to complete satisfaction surveys. We also process data for the purpose of managing any complaints or subsequent requests from clients, in order to improve the quality of services.
 Processed data: first name, last name, email address (or other contact details used in communication), impressions and comments you choose to provide to us, ratings given to our services, as well as interaction history data (the stay to which the feedback relates, the occupied room, persons in the group, any issues reported). If you post public reviews on external platforms (TripAdvisor, Google, Facebook), this is your choice; we will process those data only to the extent that we respond to them or analyze them internally for improvement, in accordance with the terms of the respective platforms.
 Specific purpose:
 Collecting clients’ opinions: shortly after check-out, we may send you an email with a satisfaction questionnaire or an invitation to tell us how your experience was. This helps us identify positive aspects (to maintain) and weak points (to correct). Answers are generally anonymized in analyses, but if you disclose specific issues (e.g., insufficient cleanliness on a certain day), we may correlate them with internal data (e.g., the housekeeping team on that day) in order to remedy them. We mention that you may choose not to respond to these requests, without consequences.
 Handling complaints and post-stay requests: if you write to us later with a dissatisfaction or request (e.g., you complain about an overcharge, you forgot an item in the room, you request proof of accommodation for a visa, etc.), we will use the data available to us (including those in the booking system relating to your stay) to verify the situation and respond officially. We may draw up internal reports regarding complaints, which may include details about the incident, client data and the manner of resolution; these reports are used to prevent similar situations in the future and as evidence in the event of disputes.
 Legal basis:
 Legitimate interest of the hotel (Art. 6(1)(f) GDPR): for satisfaction surveys addressed to recent clients and for analyzing feedback, we consider that we have a legitimate interest in improving our services and maintaining a good relationship with guests. We will contact you in a manner that is not intrusive (for example, a single post-stay email). In any case, you have the right to refuse or ignore these surveys, or to object to the processing of data for this purpose, in which case you will no longer be contacted.
 Consent (where applicable): if we wish to publish a testimonial or your feedback for promotional purposes, we will request your prior consent. Also, if a person who has not been a client (does not have a contractual relationship with us) provides feedback (for example, someone who only visited the hotel or restaurant), we will request consent before using the data in any way (a rare situation). For the processing of sensitive data that may appear in a complaint (e.g., health information related to an incident), we will apply, as the case may be, the legal bases and safeguards provided by the GDPR (Art. 9(2)).

4.6 Compliance with legal obligations and legitimate interests (legal and administrative purposes) 

 Description: EUFORIA must comply with numerous legal obligations that involve the processing of personal data. Also, in addition to those mentioned above, we may process data when it is necessary for the establishment, exercise, or defense of a legal claim in court or for protecting our legitimate interests (e.g., the security of goods and persons). In all such cases, we ensure that the processing is limited to what is necessary and proportionate.

Examples of situations and legal bases:
 Financial-accounting records: we process and store data in invoices, receipts, cash registers, in accordance with the Accounting Law. For example, the data on the fiscal invoice (name, address, CNP for a natural person or company data) must be retained for 10 years according to fiscal legislation, independently of the client’s request. Legal basis: legal obligation (Art. 6(1)(c) GDPR).
 Reporting to public authorities: upon the lawful request of authorities (police, fiscal bodies, health authorities, etc.), we may provide personal data from our systems. For example, in the case of investigations or inspections, we may be requested to provide the list of persons accommodated during a certain period. We provide such data only on the basis of a clear legal obligation or a lawful ground for the request. Legal basis: legal obligation or public interest (Art. 6(1)(c) or (e) GDPR, as applicable).
 In addition to the above, we do NOT use your data for automated decision-making or profiling with significant legal effects on you. Any automated processing (e.g., sending a birthday email) involves human intervention or does not significantly affect your rights.

  1. Legal bases for processing
     As also results from the previous section, EUFORIA Retreat and Spa relies on one or more legal bases for each personal data processing activity. We summarize here the relevant legal bases, as provided by Art. 6 GDPR, and how we apply them:
     Performance of a Contract or Pre-contractual Steps (Art. 6(1)(b) GDPR): applicable when processing is necessary to provide you with the requested service. Examples: processing a reservation request, concluding and performing the accommodation contract, providing the agreed hotel services. Most of the data you provide to us are processed in order to fulfill our obligations towards you as a client. Without these processing operations, we would not be able to provide the services correctly.
     Legal Obligation (Art. 6(1)(c) GDPR): when a law obliges us to process certain data. Examples: requesting and storing ID card data at check-in (required by population records regulations), retention of financial documents (required by the Accounting Law), providing data at the request of competent authorities. In these cases, processing is not optional, but mandatory – we strictly comply with the applicable legal requirements.
     Consent (Art. 6(1)(a) GDPR): used for voluntary processing operations, where you can choose whether to provide us with the data and you agree to their use for a specific purpose. Examples: subscribing to the newsletter and receiving promotional offers by email, communicating certain preferences or special information (e.g., health status for dedicated services), using certain analytics and marketing cookies on the website (which require consent). When the legal basis is consent, you have the right to withdraw it at any time, and we will stop processing the respective data in the future.
     Legitimate Interest of the Controller (Art. 6(1)(f) GDPR): used when processing is necessary for the purposes of the legitimate interests pursued by EUFORIA Retreat and Spa (or by a third party), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. We rely on legitimate interest only after a careful assessment (the so-called balancing test) showing that the processing is proportionate and has minimal impact on the person’s private life. Examples: ensuring on-premises security (CCTV), improving services based on clients’ feedback, retaining clients’ contact details for subsequent moderate communications (such as offering a loyalty discount), preventing fraud or non-payments, legal defense. In all these cases, you have the right to object – you may request that we cease processing if you consider it infringes your rights, and we will analyze the request seriously.
     Public Interest/Vital Interest: as a rule, our hotel does not carry out processing in the public interest or for protecting someone’s vital interests. Theoretically, such legal bases could become applicable in exceptional situations (for example, communicating a guest’s medical data to emergency services if the guest has an accident – vital interest), but these are rare cases and we will act then in accordance with the law and the specific circumstances.
     Clarification: whenever we rely on consent or legitimate interest, we will inform you clearly (for example, in forms or at the time of collection) and we will provide you with the possibility to exercise your rights (withdrawal of consent, objection). The legal bases are documented internally, and upon request we can provide additional details about the legitimate interest assessment, where applicable.

 

  1. Data storage period
     We do not keep personal data longer than necessary for the purposes for which they were collected. The retention period differs depending on the nature of the data and the legal obligations or the controller’s needs. Below we present the main categories of data and the period for which they are retained, after which they will be securely deleted or anonymized:
     Reservation data (persons who request offers but do not become clients): If you contacted us for an offer or initiated a reservation, but did not complete the accommodation (for example, you requested information and did not come, or the reservation did not materialize), we will retain your contact data and related communications for approximately 5 years. We consider this period useful in case you may return with a new request or in order to analyze interest in our services. After 5 years, the data will be deleted, except where you have given your consent to continue receiving offers (for example, you subscribed to the newsletter – in which case the period in the marketing category applies).
     Client data (persons who were accommodated / became clients): Basic client information and their reservation history are retained for a period of up to 10 years from the last significant interaction. This extended period has the following reasons: (i) Legal obligations – for example, accommodation forms and guest registers may be requested by authorities and must be retained for a number of years according to tourism regulations; (ii) Legitimate commercial interest – many of our clients return after a few years, and retaining the history helps us recognize their preferences, possibly offer loyalty benefits, and efficiently manage potential future requests. Of course, the data are not stored statically: we update them periodically, and if a client has had no interaction with us for 10 years, we will delete or anonymize their data, except for those we are legally obliged to retain longer (see the next point).
     Financial-accounting data: Any information belonging to financial-accounting documents (accounting registers, invoices, receipts, fiscal reports) will be retained in accordance with fiscal legal obligations, currently 10 years from the end of the financial year in which the documents were drawn up. For example, an invoice issued in 2025 that contains your name and address will be archived no later than the end of 2035. After the legal term is met, these documents are destroyed according to internal procedures, if the law does not provide otherwise for an extended period.
     Marketing data (newsletter and commercial offers): We process these data either until you unsubscribe/withdraw consent, or, if no such action occurs, for a period of 5 years from the last interaction with us. We consider that a person who has not opened or interacted with our messages for 5 years is probably no longer interested, so we will remove them from marketing lists (or reconfirm them, as applicable). If you unsubscribe earlier, we will immediately stop sending communications and we will delete or anonymize your contact data from the marketing databases.
     Complaints and post-service correspondence: Data related to a formal complaint or dispute will be retained at least for the period necessary to resolve it. After resolution, we will archive the relevant documentation for a period of 3 years (the general limitation period for civil actions in Romania) or even up to 5 years in some cases, in order to have evidence in the event that the situation escalates legally later. If the complaint also involves financial-accounting aspects (e.g., refunds, invoice corrections), the 10-year term mentioned above also applies to the respective documents.
     Anonymized or aggregated data: We mention that, after the expiry of the above periods, it is possible to transform certain personal data into anonymous data (which no longer identify you) for internal statistical purposes (for example, statistics regarding occupancy rate by year, percentage of loyal clients, etc.). These statistics no longer contain personal data and may be retained for an unlimited period, as they no longer allow the identification of any person.
     In all cases, once the retention period expires or the purpose of processing has been achieved, we will delete, securely destroy, or definitively anonymize personal data, so that re-identification of the data subject is no longer possible. Our internal procedures provide for periodic reviews of stored data, to ensure that we do not retain unnecessary or outdated information. Also, if you request deletion of data in a certain context (for example, you exercise the right to be forgotten), and the legal conditions are met, we will act immediately to remove the respective data, even if the standard retention term has not been reached, while ensuring that we do not conflict with any legal retention obligation.

 

  1. Data recipients – disclosure and sharing with third parties
     EUFORIA Retreat and Spa does not sell and does not disclose your personal data to third parties for independent marketing purposes, and transmits them to other entities only when necessary for the provision of services, for compliance with legal obligations, or for our legitimate interests, as detailed below. Any third party receiving the data acts either as a processor that processes the data strictly on our behalf and according to our instructions, or as an independent controller (for example, public authorities) with their own legal responsibilities. We ensure that all data recipients provide an adequate level of confidentiality protection.
     The main categories of third parties with whom we may share personal data are:
     IT and hosting service providers: We have contracts with specialized companies that provide us with IT infrastructure (e.g., website and email hosting, maintenance of reservation software systems – Property Management System (PMS), backup services). For example, we use a hotel management software (Oracle Fidelio or another similar PMS) in which we store clients’ identification data and reservation details. This software may be hosted on secure servers, sometimes in the cloud, including outside the country (details in the International data transfer section). IT providers act as processors and are contractually required to keep the data confidential and to process them only for the purpose set by us. Also, our web hosting service may record logs of visits (including IP addresses) for security purposes, and these logs may be accessed by the technical team if necessary (cyberattacks, error diagnosis, etc.).
     Payment processors and financial services: For processing clients’ online card payments, we collaborate with secure platforms such as Netopia Payments (MobilPay) or EuPlatesc. When you enter card data on the booking payment form, this information goes directly to the payment processor, which secures it and returns to us only a token or confirmation of payment. The payment processor acts as an independent controller with respect to your financial data (having its own GDPR obligations), and we store only the transaction reference and possibly the last 4 digits of the card, for record-keeping. Also, if you request payment by bank transfer, banking data will be visible in our financial systems and at our bank. All these operations are protected by the legal confidentiality obligation of financial institutions.
     Marketing and communication service providers: For sending newsletters and automated communications, we use dedicated platforms such as Mailchimp, Monday, or Revinate (a hotel CRM with email marketing functions). These platforms store your email address and possibly your name, and use them to send our bulk messages, following subscription preferences. They act as processors, having access to data only to provide the service requested by us (e.g., Revinate sends the newsletter email to the subscriber list). Such providers may be located in the USA (for example, Mailchimp has servers in the USA); we ensure that data transfers are carried out lawfully (see the next section on international transfers). We mention that each marketing communication also allows unsubscribing, and the marketing database is managed securely.
     In the communication sphere, we may also use chatbot or automated messaging services (e.g., ManyChat integrated with Facebook Messenger) to respond quickly to online questions; this service could process the Facebook username and the sent messages, acting also as our processor.
     Travel agencies and booking platforms: If you made the reservation through a travel agency, tour operator, or an online booking platform (Booking.com, Expedia, etc.), they are in turn data controllers who collected your information. They then transmit to us the data necessary to honor the reservation (name, contact details, stay details). We will use these data in accordance with our policy, as described in this document. In turn, we may transmit to the agency/platform certain information about the stay status (e.g., no-show, completion of accommodation, possible penalties) – these being necessary according to the contracts between us and the agencies (e.g., for invoicing commissions). Each large platform has its own privacy policy that you agreed to when you booked; we recommend that you consult their policies as well.
     Collaborators for additional services: Depending on your requests, we may share data with third parties necessary for providing an extra service. Such sharing is made only with your implicit consent (derived from requesting the service) and we ensure that those partners also have the legal obligation to protect your data (for example, we include GDPR clauses in collaboration contracts).
     Public authorities: If we are legally obliged or justifiably requested, we may disclose personal data to authorities such as the Police, Gendarmerie, Prosecutor’s Office, courts of law, ANAF (Tax Authority), ANSPDCP (Data Protection Authority), or other control bodies. Examples: providing accommodation data of a certain person upon police request regarding an investigation; transmitting tourist registers at the request of authorities; statistical reporting requested by the Ministry of Tourism (if applicable). In all such situations, we will verify the legal basis of the request and will provide strictly the data necessary to fulfill the requested purpose (data minimization principle). These authorities become independent controllers of the respective data, being subsequently responsible for their processing.
     Professional consultants and legal assistance: In the event of audits, financial checks, or legal disputes, your data may be disclosed to our consultants (for example, the accounting/financial audit firm, the hotel’s lawyer, the debt recovery firm) to the extent necessary to receive professional advice or representation. These third parties also have confidentiality obligations (being bound either by professional secrecy – e.g., lawyer, or by confidentiality agreements – e.g., auditor). We will transmit only the data strictly relevant to the case for which they are consulted (for example, the reservation data of a client contesting a transaction, to obtain legal opinion).
     Confidentiality commitments: With all partners and suppliers that process personal data on our behalf (processors), EUFORIA Retreat and Spa has concluded written agreements containing data protection clauses in accordance with Art. 28 GDPR. These contracts impose, among other things, the obligation for the processor to process data only for the indicated purpose, to protect them adequately, to immediately notify any security incident, and to return/delete them after completion of the service. We monitor compliance with these obligations and carefully select collaborators that meet GDPR standards.
     We will not disclose your personal data to other unauthorized third parties. In particular, we will never sell or transfer client lists, nor will we allow unjustified access by any partner to data, outside those described above. Any additional transfer of data beyond those already mentioned will be carried out only with your information and, where applicable, with your consent.

 

  1. International data transfer and appropriate safeguards
     EUFORIA Retreat and Spa carries out its activity in Romania, and the main servers where we store data are, as far as possible, located within the European Economic Area (EEA). However, some data may be transferred or accessible to entities outside the EEA, for example when we use cloud services or technology providers headquartered in the United States of America (e.g., email marketing platforms, hotel CRM, web analytics services). The GDPR imposes strict conditions for such international data transfers, to ensure that the level of data protection is maintained also in the third destination country.
     International transfer situations:
     Use of cloud/IT services with servers outside the EU (for example, storing client data in cloud infrastructures located in the USA or another state).
     Transmission of data to marketing/automation platforms located in the USA, such as those mentioned (Mailchimp, ManyChat, Revinate, etc.).
     Communication through social networks or messaging applications (e.g., Facebook Messenger) that involves storing messages on international servers.
     Exceptional situations: transmission to a tour operator outside the EU of tourists’ data, if the reservation was made through that tour operator (a rarer case and which in any event is based on the contractual relationship with you).
     Applied safeguards: In all cases above, we will not transfer personal data outside the EEA unless one or more safeguards are implemented so that the transfer complies with Chapter V of the GDPR:
     Adequacy decision: If data reach a country for which the European Commission has officially decided that it provides an adequate level of protection (for example, Canada, Switzerland, Japan, the United Kingdom, etc.), the transfer is carried out on the basis of this decision and the data will be protected similarly to the EU.
     Standard Contractual Clauses (SCC): For partners in countries without an adequacy decision (e.g., the USA), we conclude with them Standard Contractual Clauses approved by the European Commission. These are standard contractual provisions that oblige the data recipient in the third country to comply with strict confidentiality and security requirements, offering explicit rights to data subjects. SCCs are a primary compliance mechanism for international transfers.
     Additional security measures: In addition to SCCs, where necessary, we also apply technical measures (strong encryption of data in transit and at rest, pseudonymization) so that, even if data were intercepted or accessed without authorization in the third country, they would be unintelligible without the decryption keys held only by us.
     Certification frameworks: We ensure that our partners in the USA are, where possible, covered by a recognized legal framework. For example, many of them were certified under the Privacy Shield program (EU-US Privacy Shield) – although this scheme was invalidated by the CJEU in 2020, reputable providers have since implemented the new rules of the EU-US Data Privacy Framework adopted in 2023. Where applicable, we rely on providers’ adherence to these updated principles and/or on their certification to international security standards (ISO 27001, SOC 2, etc.).
     Explicit consent or special derogations: In wholly exceptional situations (if none of the above could apply), we could transfer data on the basis of one of the limited GDPR derogations, such as the data subject’s explicit consent for the transfer, the necessity of the transfer for the performance of a contract (e.g., a booking at a partner hotel in another country, at your request), or for the establishment/defense of a legal claim. These cases are rare and will be used only as a last resort.

Examples of external providers and locations:
 FIDELIO – PMS – which is a hotel management program, in which the identification data of all clients (both individuals and companies, agencies, or tour operators) who request offers and/or reservations are stored. This is a platform hosted in London. Information regarding Fidelio’s privacy policy can be found on the website, in the Privacy & Cookie Policy section – Fidelio
 REVINATE.COM – a program that interfaces with Fidelio – in which the data of all clients are stored, a platform through which periodic notifications and informative emails are sent. This platform has its main headquarters in America. More information about it can be found in the Hotel CRM & Email Marketing Software | Revinate section, and its privacy policy can be consulted at Privacy Policy – Revinate.
 Mailchimp.com – a marketing automation platform and an email marketing service. It is hosted primarily in America – Atlanta.

Integrated Marketing Platform for Small Business (mailchimp.com), and its privacy policy can be found on the official website.
ManyChat – a software application that can automate conversations and interaction with persons through various platforms (Facebook, Messenger – Chatbot). It is hosted in the United States of America. Detailed information can be found on the official website.
Monday.com – CRM, management platform with integrations from ManyChat and automations. This platform is hosted in the United States of America.

Network and IT systems security: Clients’ electronic data are stored in systems protected by strong passwords and restricted access. We use updated firewalls and antivirus/antimalware solutions to prevent unauthorized access and cyberattacks. Access to databases is carried out only through the secured internal network or through encrypted remote connections (VPN), by authorized personnel. Any suspicious or failed access is logged and investigated.
Encryption and pseudonymization: The transmission of sensitive data over the internet (for example, when you complete a reservation form or send payment data) is encrypted using the HTTPS/TLS protocol. Thus, the information is encoded in transit, preventing interception. For certain stored data, we apply encryption at database level (e.g., passwords, authentication tokens, card details if applicable – although we avoid storing them). Also, where possible, we use pseudonymization – for example, in marketing analyses we may use unique identifiers instead of real names, so that persons are not directly identifiable.
Access control and staff training: Access to clients’ personal data is allowed only to employees who need this information to perform their duties (the need-to-know principle). Reception staff have access to the reservation system, but not, for example, to marketing databases, to which only the marketing department may have access. Each employee has individual access credentials and is periodically trained on data confidentiality and the importance of protecting it. We have implemented confidentiality clauses in employment contracts and internal regulations, so that employees who process data have the legal obligation to keep them confidential. Any disciplinary breach in this regard is sanctioned.
Back-up and disaster recovery: We perform periodic backups of important data, stored securely (encrypted), and we test data recovery procedures so that we can quickly restore information in case of incidents (e.g., hardware failures, ransomware). This ensures the integrity and availability of data even in unforeseen situations. Backups are also subject to the same restricted access policies.
Audit and monitoring: We perform periodic checks of our systems to detect security vulnerabilities. We use access logs and audit trails to monitor who accesses sensitive data and when. Periodically, we may call on external experts for security audits (network penetration testing, review of server settings, etc.) and to ensure that the implemented measures are current and effective.
Physical security measures: The offices and rooms where physical documents or servers are stored are locked and accessible only to authorized personnel. We have alarm systems and video surveillance in sensitive areas (without affecting private areas), to deter unauthorized access. Paper documents containing personal data (e.g., accommodation forms, printed reports) are kept in secured cabinets, with restricted access for authorized personnel, and at the end of their necessity they are confidentially destroyed (document shredder).
Data minimization: We have established an internal procedure to collect only those data strictly necessary for each purpose (the data minimization principle) and to delete data when they are no longer necessary. Thus, we reduce the risk of unnecessary exposure of sensitive information. For example, if a client changes address or email, we update the system and delete the old information if it is no longer relevant; or, as mentioned, if someone does not become a client, we delete their data after a short period.
Incident response plan: Although we hope it never happens, we have an internal security incident response plan. It provides for the steps to be taken in the event of a data breach: rapid identification of the incident, isolating the problem, assessing the impact, remedying the vulnerability, notifying those affected and the authorities (if applicable) in a timely manner, and measures to prevent similar incidents in the future. Staff know to immediately report any suspected incident to the management/DPO team for assessment.
Through these measures (and other confidential measures which we do not detail publicly for security reasons), we strive to guarantee that your data are safe within our infrastructure and processes. However, no system is 100% invulnerable, but we ensure a level of protection aligned with industry standards and legal requirements. We constantly monitor new technologies and improve our security as emerging risks appear. If you have specific questions about data security at EUFORIA Retreat and Spa, you can contact us at any time for additional clarifications.

  1. Cookies and Similar Technologies
    The EUFORIA Retreat and Spa website uses cookies and similar technologies (such as tracking pixels and social network plugins) to offer users the best possible experience and to help us understand how the website is used. This section explains what cookies are, what types we use, for what purposes, and how you can manage related preferences.

10.1 What are Cookies?
Cookies are small files, made up of letters and numbers, which our website may store in your browser or on your device (computer, mobile phone, tablet) when you visit us. The cookie is installed through a request sent by our server to the browser (for example, Internet Explorer, Chrome, Firefox) and is completely “passive” – it does not contain software programs, viruses, or spyware and it cannot access information on the user’s hard drive. Cookies allow the website to recognize the user’s device at the next visit, retaining certain actions or preferences from previous sessions.
In addition to cookies, the website may also use similar technologies:
Tracking pixel / pixel tags: small code snippets placed on a web page or in emails, which, when triggered, transmit certain information (for example, the fact that a user viewed certain content). Pixels are often used together with cookies to monitor a browser’s activity on a website (e.g., a Facebook pixel on our website helps us count visitors who later see advertisements on Facebook).
Local storage (Local Storage) and device identifiers: technologies that allow web applications to store data directly on the user’s device, similar to cookies, but with greater capacity or different usage modes (e.g., HTML5 local storage, which can retain offline preferences).

10.2 What types of Cookies do we use and for what purposes?
Cookies can be classified by their duration and by their source/function. Depending on their lifespan, we have session cookies (which are automatically deleted when you close the browser) and persistent cookies (which remain on your device even after closing the browser, for a defined period, or until you delete them manually). By source, there are first-party cookies – set by the domain hello@euforia.ro – and third-party cookies – set by external services integrated into the website (e.g., Google, Facebook). By function/purpose, we use the following main categories:
Strictly necessary cookies: These cookies are essential for the proper functioning of the website and cannot be disabled in our systems, because the website could not function without them. They are usually set only in response to actions made by you that amount to a request for services, such as setting privacy preferences, logging in to the website (if there are account sections), completing a form, or progress in a booking process. Examples: retaining the contents of the booking cart during browsing, managing the authentication session for the customer area. These cookies do not store personally identifiable information and do not require consent (they are exempt under the law, as they are strictly technical).
Preference cookies (functionality): These allow the website to remember the choices you make (such as the preferred website language, region, text size) and provide enhanced, more personal features. For example, a cookie may remember that you closed the cookie policy notification so it does not appear on every page. Or it may store your language preference so that the website is presented directly in that language at the next visit. The information collected by these cookies can be anonymized and they do not track your browsing activity on other websites. Although they are sometimes not critical, these cookies make the experience more convenient; we will request consent for them if they are not absolutely necessary.
Analytics and performance cookies: EUFORIA wishes to understand how visitors interact with the website in order to improve its content and structure. For this purpose we use cookies from web analytics services such as Google Analytics. These cookies collect information such as: most visited pages, average visit duration, encountered errors, traffic sources (where the user came from). The data are aggregated and anonymized, so they do not track an individual user in an identifiable manner. For example, Google Analytics will record the IP address (truncated in most cases), a unique cookie ID and browsing events, generating statistical reports for us. These statistics show trends (not who specifically performed an action), so they are aimed at improving the service. We will request consent to enable these analytics cookies, because, although the impact on privacy is minimal, they are not strictly necessary. You can refuse their installation and the website will still function at a basic level.
Marketing and advertising targeting cookies: These cookies may be set through our website by advertising partners or social networks with which we collaborate (third parties). Their purpose is to create a profile of your interests and display relevant advertisements to you on other websites, avoiding, as far as possible, irrelevant advertising. For example, if you visit the offers section on our website, a Facebook cookie may record this fact, and subsequently you may see on Facebook an advertisement for an EUFORIA Retreat and Spa offer. These cookies work by uniquely identifying your browser and device, and they can track your browsing across multiple websites (not only ours). Such cookies include: Facebook Pixel (which allows us to deliver remarketing campaigns on Facebook/Instagram to website visitors), Google Ads/DoubleClick cookies (to see the effectiveness of our ads and to target similar audiences). The data collected through these cookies are pseudonymized – for example, we do not see your name, but only an internal ID in the respective platform – however, they are still considered protected personal data. We will load such cookies only if we have your explicit consent at the first visit (through the cookies banner). Refusing these cookies will not reduce the website’s functionality, only you will see less personalized advertising or our promoters will not know that you visited our website.

10.3 Cookie management and consent
At the first visit to our website, you will be shown a banner/information regarding cookies, which will offer you the option to accept or refuse non-essential cookies (analytics and marketing). We encourage you to express your preference. If you choose to continue browsing without interacting with the banner, it will be considered implicit consent only for necessary cookies, with the others being blocked by default, in accordance with privacy by default practices. You can change your options at any time by deleting cookies from your browser.
Browser settings: Most web browsers allow you to control almost all cookies through their settings. For example, you can configure the browser to block third-party cookies, or even all cookies, or to delete them automatically when closing the browser. However, note that blocking strictly necessary cookies may cause parts of the website not to function (e.g., you will not be able to complete an online reservation). You can find out more about specific settings by accessing your browser’s help section (e.g., Google Chrome – Settings -> Privacy and security -> Cookies; Mozilla Firefox – Options -> Privacy & Security -> Cookies and Site Data; Safari – Preferences -> Privacy).
Opt-out for Google Analytics: If you do not want to be tracked by Google Analytics on any website, Google offers a browser add-on that can be installed (Google Analytics Opt-out Browser Add-on). This will prevent the execution of GA code on websites that use it.
Opt-out for personalized advertising: Major advertising platforms (Google, Facebook) also offer control options. For example, you can adjust ad preferences in your Google account (Ads Settings) or Facebook (Ad Preferences) to limit targeting. Also, the website www.youronlinechoices.com allows you to generally opt out of many behavioral advertising cookies.
EUFORIA Retreat and Spa respects your cookie preferences. At any time, you can revisit your initial choice. If you have questions related to the use of our cookies, you can contact us and we will clarify any uncertainties.

  1. Rights of data subjects
    Under the GDPR, as a data subject whose data we process, you benefit from a series of legal rights regarding the protection of your personal data. EUFORIA Retreat and Spa fully respects these rights and undertakes to facilitate their exercise. We will detail below each right and how you can exercise it concretely:
    Right of access to data: You have the right to obtain from us confirmation as to whether or not we process personal data concerning you and, where that is the case, access to the respective data and information about how they are processed. In practice, you may request: a copy of the personal data we hold about you, as well as details regarding the purposes of processing, categories of data, recipients to whom they have been disclosed, retention period, and the source of the data (if not provided directly by you). We will provide this information free of charge, in an intelligible format (usually electronic, unless you request otherwise). For additional copies or unfounded/excessive requests, we may charge a reasonable fee in accordance with the GDPR.
    Right to rectification of data: You have the right to request that we correct or complete inaccurate or incomplete personal data we hold about you. If, for example, you discover that the name is misspelled, the address has changed or any other information is incorrect, please notify us and we will rectify without undue delay. It is in our common interest that data are up to date and correct. You may even request that we add a supplementary statement to your file, if you consider it necessary, to clarify certain data.
    Right to erasure of data (“right to be forgotten”): In certain situations, you have the right to obtain the deletion of your personal data. This right is not absolute, but applies, for example, if: the data are no longer necessary for the purposes for which they were collected; you withdraw consent and there is no other legal basis for processing; you object to processing based on legitimate interest and there are no overriding legitimate grounds; processing was unlawful; there is a legal obligation to delete. If you request deletion, we will assess the request against our obligations (e.g., we cannot delete data that the law requires us to retain for a certain period, such as financial data). If we cannot comply immediately for legal reasons, we will inform you of this and we will delete everything that can be deleted. We will also notify any third parties (processors) that hold your data to delete them as well.
    Right to restriction of processing: This right allows you, in certain cases, to request the temporary suspension of the processing of data (other than storage).

You may obtain restriction if: you contest the accuracy of the data (for the period of verification and rectification); the processing is unlawful, but you do not want erasure, only limitation of use; we no longer need the data, but you request them for the establishment, exercise or defense of a legal claim; you have objected to the processing (legitimate interest case) and you are verifying whether our legitimate grounds prevail. During restriction periods, we will store the data, but we will no longer use them (except possibly for storage and for the defense of our rights). If the restriction is subsequently lifted, we will inform you before the resumption of processing.
Right to data portability: You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format (e.g., CSV, XML, JSON) and to transmit them to another controller, if our processing is based on your consent or on a contract and is carried out by automated means. In practice, this right allows you to “port” your data from one provider to another. If technically feasible and upon your request, we can transmit the data directly to another controller indicated by you (for example, if you want another hotel to take over your client profile). The right to portability does not also imply the automatic deletion of your data from us (this can be requested separately through the right to erasure). Also, portability refers only to data provided by the data subject (and not to our internal analyses or derived data).
Right to object: You may object at any time, on grounds relating to your particular situation, to processing operations based on our legitimate interest or on a task carried out in the public interest. We will comply with the objection and will cease the processing in question, unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or that the purpose is the establishment, exercise or defense of a legal claim. Very important: You have the absolute right to object at any time to the processing of data for direct marketing purposes (including marketing-related profiling). If you inform us that you no longer want us to use your data to send you offers, we will comply with the request unconditionally, regardless of the reason, and you will no longer receive such communications.
Right not to be subject to an automated individual decision, including profiling: The GDPR protects you against decisions taken solely by automated means (without human intervention) that significantly affect you. EUFORIA Retreat and Spa does not make such automated decisions with legal effect or similarly significant effect on you. Any possible profiling we perform (such as segmenting clients according to preferences to send offers) does not produce legal effects on you and in any case involves human intervention (the final decision to send an offer is calibrated by our marketing team). If, however, we were ever to implement automated decision-making processes of this type, we will inform you and provide you with the possibility to request human intervention, to express your point of view and to contest the decision.
Right to withdraw consent: In situations where data processing is based on your consent, you have the right to revoke this consent at any time. Withdrawal of consent will produce effects only for the future – prior processing remains valid. There are no negative consequences or costs if you withdraw your consent; the only result is that we will no longer be able to process the respective data for the purpose for which the consent was given. For example, you can withdraw consent for the newsletter and you will no longer receive commercial emails from us.
Right to lodge a complaint with the supervisory authority: If you consider that we have infringed your data protection rights or that we process data unlawfully, you have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP). ANSPDCP contact details are: 28-30 General Gheorghe Magheru Boulevard, Bucharest, Romania; website: www.dataprotection.ro; email: anspdcp@dataprotection.ro; tel: +40.318.059.211.
The authority will inform you regarding the course and resolution of the complaint. Also, regardless of the complaint to the authority, you have the right to address the competent courts of law in order to defend your rights.
To exercise any of the above rights (except for the last one, which is up to you), you may contact us at any time by sending a request:
By email to: hello@euforia.ro (to the Data Protection Officer).
By post to our registered office address (mentioned in section 1), with the mention on the envelope “To the attention of the Data Protection Officer – GDPR request”.
Or directly at the hotel reception, where your request will be directed to the responsible department.
Please clearly specify what it is about, possibly what data you want or what action you request, and confirm your identity (to ensure that we do not disclose data to anyone else). We will respond to all requests as soon as possible, and normally within no more than one month from receipt, as provided by the GDPR. In complex cases or if we receive a very high number of requests, the term may be extended by up to two additional months, but we will inform you about this and about the reasons.
Exercising rights is free of charge. Only if the requests are manifestly unfounded or excessive (for example, repetitive) we reserve the right, according to the law, either to charge a reasonable administrative fee or to refuse the request, but in this case we will justify our decision.
EUFORIA Retreat and Spa treats your rights with the utmost seriousness and we assure you that you will be able to exercise these rights without suffering any discrimination or unfavorable treatment from us. We want your experience with us to be positive also from the perspective of confidentiality, not only of hotel services.

  1. Controller’s accountability and notification of security incidents
    EUFORIA Retreat and Spa assumes responsibility for protecting personal data and adheres to the accountability principle provided by the GDPR (Art. 5(2) – accountability). This means that we not only implement security measures and confidentiality policies, but we can also demonstrate compliance with the regulation at any time. In the unfortunate event of a security incident affecting personal data (a “personal data breach”), we have prepared prompt response procedures:
    Definition of a security incident: it may include the accidental or unlawful loss, destruction, unauthorized alteration, disclosure, or unauthorized access to personal data transmitted, stored, or otherwise processed. Examples: a cyberattack that extracts clients’ data, the loss of a laptop containing unencrypted personal data, the erroneous sending of an email containing data to a wrong recipient, etc.
    Immediate actions in the event of an incident: We have an internal team (including the DPO and technical staff) responsible for managing incidents. As soon as an incident is identified or reported, we will work to isolate and remedy the problem: for example, if it is a cyberattack, we disconnect affected systems, change passwords, apply patches; if it is human error (e.g., wrong email), we request deletion of the data by the recipient and take preventive measures for the future. We will also assess the impact of the incident – what type of data it affected, how many people, what consequences may arise for data subjects (identity theft, inconvenience, material damages, reputational harm, etc.). This assessment helps us decide the next steps.
    Informing data subjects: Under Art. 34 GDPR, if the security breach is likely to generate a high risk to your rights and freedoms (for example, leakage of financial data or authentication data that could expose you to fraud or other major harm), we will inform you directly and without undue delay about the incident. We will communicate in clear language the nature of the breach, the affected data, potential consequences, and we will recommend protective measures (e.g., changing passwords, being alert to suspicious communications to avoid phishing, etc.). If we have taken effective protective measures (for example, the data were strongly encrypted and cannot be understood by anyone) or we immediately mitigated the risk so that it is no longer likely to materialize, then direct communication to data subjects may not be necessary, however we will take this decision in agreement with the authority, if applicable.
    Consequences and remediation: After the immediate management of the incident, we will analyze the root cause and implement prevention measures for the future: improving technical security, additional training for staff, changing procedures, etc., so as to minimize the chance of a similar incident. We assume full responsibility for any negligence on our part and we will cooperate with the authorities in investigating the incident. If it is found that we did not comply with legal obligations, we may be subject to sanctions by the ANSPDCP (under the GDPR, fines can reach up to EUR 10 or 20 million or a percentage of turnover, depending on severity).
    Accountability towards clients: To the extent that a security incident has caused you direct damage and this was due to our negligence in protecting the data, we express our sincere regret and we will consider how to provide you compensation, if legally and factually justified. Our primary objective, however, is to prevent such situations through maximum diligence.
    Through transparency on these aspects, we want to assure you that we treat data security seriously and we assume the responsibility required by our role as controller. To date, EUFORIA Retreat and Spa has not recorded major security incidents and we will do everything possible to maintain this record.

 

  1. Processing of data of minors under 18 Years of age
    The services offered by EUFORIA Retreat and Spa (accommodation, leisure, events) are primarily addressed to adults (persons over 18 years of age) and their families. In principle, we do not collect and do not process personal data of minors without the consent of parents or legal representatives. However, there may be situations where the data of children under 18 years of age reach our systems, and this section clarifies how we treat them:
    Reservations and accommodations involving minors: If you stay together with your children at our hotel, we will process children’s data only to the extent necessary to provide the service to the family. For example, at reservation or check-in, we may note the first name and age of the children (to verify eligibility for child rates, extra beds, etc.). These data are provided by parents/guardians on behalf of the children. We consider that, when a parent communicates the minor’s data to us, they implicitly express consent for the processing of those data for the purpose of accommodation and related services. The hotel will not request information directly from the child, nor will it process data that are not necessary (we will not request the CNP of children under 14 years of age, for example, although for those aged 14–17 it may appear on the identity document presented at reception). All confidentiality rules in this policy also apply to minors’ data, and parents can exercise GDPR rights on behalf of their children.
    Marketing towards minors: EUFORIA Retreat and Spa does not target and does not send direct marketing communications to minors. Newsletters, offers and any promotional materials are intended for adults (either clients or subscribers who are at least 18 years old). We do not encourage minors to subscribe to such services and, if we find that an email address belongs to a person under 18 years of age, we would remove it from the database. Our website does not contain content inappropriate for minors, but it is also not specifically designed for children. We recommend that parents supervise children’s internet browsing and their communication with service providers.
    Consent for information society services (Art. 8 GDPR): The regulation provides that the processing of personal data of children under 16 years of age in information society services (such as online services) is lawful only if the minor is at least 16 years of age or if consent is given/authorized by the parent or guardian. Accordingly, we do not knowingly collect data from minors under 16 years of age without verifiable parental consent. For example, we will not accept a newsletter subscription from a person we identify as being under 16 years of age, without parental approval, and we will not conclude online transactions directly with minors.
    Deletion of minors’ data: If, by mistake or lack of knowledge, we have nevertheless collected data about a minor under 16 years of age without parental consent, we ask the parent or guardian to contact us immediately. We will act promptly to delete those data from our systems. Also, if a parent/guardian requests access to, rectification or deletion of their child’s data (for example, wants to verify what information about the child was recorded during a stay), we will comply with the request under the same conditions as if it concerned the parent’s own data, while ensuring, however, the identity and capacity of the requester.
    Conclusion: We want parents to have confidence that children’s data are protected. We encourage the legal guardian to supervise how the child uses our services and communicates data to the hotel. EUFORIA Retreat and Spa will always treat minors’ data with increased care and in compliance with the law, prioritizing the child’s interest and safety.
  2. Amendment and update of the privacy policy
    Acceptance of the provisions of this Privacy Policy and of the Terms and Conditions is equivalent to concluding a contract between the Beneficiary and EUFORIA Retreat and Spa regarding the provision of hotel services and the use of our online platform.
    EUFORIA Retreat and Spa reserves the right to send, to the email address provided by the Beneficiary, notifications, information messages, administrative communications or promotional materials, to the extent that these are necessary for the proper performance of the services or may present a justified interest for the Beneficiary.
    We reserve the right to amend or update this Policy and the commercial conditions without prior notice. The latest version will be permanently available on our official website, also indicating the date of the last update.
    If you encounter problems related to the functioning of the platform or to the exercise of rights regarding personal data protection, you may contact us using our contact details displayed on the website.
    This Privacy Policy is governed by the applicable legislation of Romania and by European rules in the field of personal data protection (GDPR). For any matter not expressly provided, the applicable legal provisions in force shall apply.
    If you have questions, uncertainties or wish any clarification regarding the content of this policy or the way EUFORIA Retreat and Spa processes your personal data, do not hesitate to contact us using the information in Section 1. We are open to provide you with any additional information you need and we want you to have full confidence in our commitment to data protection.
    Thank you for reading this policy and for the trust placed in our services.
    Last update of this policy: December 2025.