Privacy Policy of Zornitza Family Estate Relais & Châteaux

I. Introduction

For us, Zornitza Family Estate Relais & Châteaux, the protection of your personal data is of paramount importance.

This Policy informs you on what legal grounds, for what purposes, for what periods of time, and by what means your personal data are processed when you visit the website www.zornitzaestate.com, as well as when you use our tourism and leisure services.

The activity of Zornitza Family Estate Relais & Châteaux is carried out by Borgo Estates EAD, UIC 208442588, with registered office and management address: Sofia 1618, Vitosha District, Manastirski Livadi Residential Area, Bulgaria Blvd. No. 106, Entrance D, Apartment 9, acting in its capacity as a personal data controller within the meaning of Regulation (EU) 2016/679.
For the purposes of this Policy, Borgo Estates EAD uses its trade name Zornitza Family Estate Relais & Châteaux.

As of 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”) applies directly within the territory of the European Union, including the Republic of Bulgaria. The GDPR grants you enhanced rights with regard to the protection of personal data and introduces corresponding obligations for controllers. More information on these matters is provided below in this Policy.

In this Personal Data Protection Policy, “Zornitza Family Estate Relais & Châteaux”, “the Company”, “we”, “us”, or “our” refers to Borgo Estates EAD, UIC 208442588, while “you”, “your”, and “user” refers to visitors of the website www.zornitzaestate.com, as well as clients of the services we provide.

Please read this Personal Data Protection Policy carefully. By using our website and services, you confirm that you understand and agree with it.

This Policy may be amended in order to comply with legislation or due to changes in our activities. We recommend that you periodically review this page. Any significant change will be published on www.zornitzaestate.com.

II. General Terms Used in This Policy

To make the information below easier to understand, we use the following terms:

Personal Data
Any information through which we can identify you directly or indirectly – such as your name, contact details, online identifiers, or other information relating to you as a natural person.

Data Subject
A natural person who is identified or can be identified directly or indirectly based on the personal data processed by us.

In connection with the tourism and leisure services provided by Zornitza Family Estate Relais & Châteaux, we process personal data of the following categories of persons:
• natural persons who visit the website www.zornitzaestate.com;
• natural persons who make reservations in their own name or on behalf of another natural or legal person through the website;
• natural persons who use the services we offer, including but not limited to hotel accommodation, restaurant services, wellness and spa services, event organization, tastings, and other related activities;
• natural persons who represent or act on behalf of legal entities using our services.

Processing of Personal Data
Any operation performed on your personal data – such as collection, use, storage, analysis, restriction, or deletion – regardless of the means used.

Personal Data Controller
The controller of your personal data is Borgo Estates EAD, UIC 208442588.
We determine the purposes and means of processing personal data, including the channels and technologies used (e.g., web forms, communication channels, video surveillance systems, and other tools necessary for providing our services and fulfilling our legal obligations).
We ensure that your personal data are protected and processed securely in compliance with all applicable legal requirements.

Personal Data Processor
This is a third party that processes your personal data on our behalf and in accordance with our instructions.
We ensure that such parties comply with the requirements of the GDPR.
An example of a processor may be an external agency supporting the management of marketing campaigns.

Personal Data Breach
An incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Digital Assets
The official website www.zornitzaestate.com, as well as all related landing pages maintained by the Company.

III. Who Is Responsible for Your Personal Data and How to Contact Them

If you have questions regarding the processing of your personal data, you may contact us at:
Address: Sofia 1618, Vitosha District, Manastirski Livadi Residential Area, Bulgaria Blvd. No. 106, Entrance D, Apartment 9
E-mail: info@zornitzaestate.com
Our team will ensure that you receive a competent and timely response to any inquiry regarding your rights and the processing of your personal data.

IV. Categories of Personal Data, Purposes, and Legal Grounds for Processing

1. Personal Data Related to Hotel Accommodation

• Identification data: names, date of birth, gender, nationality, Personal Identification Number (EGN) or other identifier, identity document number and validity, issuing country, signature.
• Contact data: telephone, e-mail, address.
• Accommodation information: room number and type, floor, stay dates, duration, tourist package used, special preferences, including dietary and other requirements.
• Payment and invoicing data: payment method, information on completed and due payments, currency, bank details (bank, IBAN, account holder), credit/debit card details (number, validity, CVC code, cardholder), legal entity data where services are requested by a company, VAT number or other identifier, documents or electronic forms confirming authorization for payment.
• Third-party data: where services are requested by a person other than the Data Subject, information on who makes the request, for whom, and who makes the payment.

2. Personal Data Related to the Website and Online Store

• Reservation data: names, email address, telephone number, country, credit/debit card information, number of rooms and guests, special offers or preferences.
• Logs and technical data: date and time of access, IP address, URL, browser and device information, server logs and logs from security devices, as well as cookies and other tracking technologies.
• Online store data: names, telephone number, email address, payment data, including bank accounts or cards, delivery address, invoicing details.
This data is used for the processing and fulfillment of orders, communication regarding orders, provision of delivery services, and management of returns or complaints.
With explicit consent, the data may also be used for marketing purposes and sales analysis.

3. Additional Categories of Personal Data

• Video surveillance data: for the protection of the legal rights, security, and privacy of the controller, its team and partners, as well as for the safety and well-being of guests and the public.
• Marketing and promotional data: with explicit consent, for sending information about services, promotions, and special offers.
• Additional data collection channels: personal meetings and face-to-face conversations, email correspondence, social media, registration for Wi-Fi services.
Such data is processed only for the specific purposes for which it has been provided.
• Data submitted through inquiries and contact with us: when you contact us via the website contact form or by email, we process the contact data you provide and the content of your message solely for the purpose of responding to your inquiry and maintaining further communication.
• Supplier and partner data: information about individuals or representatives of legal entities with whom we maintain business relations or through whom we provide services and goods.
• Marketing and information after the end of the relationship: with explicit consent, retention of contact data for news, promotions, and special offers, including for individuals who are not clients but have subscribed or provided consent.

V. Data Retention Period

Personal data is stored for the periods necessary to achieve the purposes for which it was collected.

Zornitza Family Estate Relais & Châteaux complies with the legal principle of limiting the storage period to the minimum necessary. Once the purpose of processing has been fulfilled, the data is destroyed unless there is a legal basis for a longer retention period.

The Company retains your personal data for the following specific periods:
• when the data is included in accounting documentation and invoices – in accordance with tax regulations and the Company’s legal obligations, the data is retained until the expiration of the legally established retention periods for tax and accounting information;
• when the data is processed on the basis of consent – until you explicitly withdraw your consent;
• when the data is processed for the protection or enforcement of the Company’s rights and interests, which have a justified priority over the interests of individuals – until the right is extinguished and/or the interest ceases to exist;
• images obtained through video surveillance cameras – retained for a period necessary for the purposes of security and protection of guests, employees, and the property of the premises. In the event of an incident or justified necessity, recordings may be retained for the time required to support investigations by competent authorities;
• personal data contained in CVs of candidates who were not selected for the position – for a maximum period of one (1) year, in order to allow consideration for future vacancies. You may request deletion of your data immediately after completion of the current recruitment process.
After the expiration of the above periods, unless another legal basis for processing exists (such as pending court proceedings or protection of legal claims), the data will be deleted or anonymized in a manner that does not allow your subsequent identification.

VI. Will My Personal Data Be Accessible to Third Parties?

Your personal data may be accessible to certain categories of persons who process information on our behalf or as required by law. This includes:

1. Data Processors Acting on Behalf of the Company

• Technical service providers – companies ensuring maintenance, security, and management of IT systems, software, hosting services, and reservation platforms;
• Security companies – companies providing physical security and video surveillance of the premises for the protection of guests, employees, and the property of Zornitza Family Estate Relais & Châteaux;
• Professional consultants – legal, accounting, and tax experts supporting business operations;
• Courier and logistics companies – for delivery of written correspondence, vouchers, or other materials to clients;
• Payment service providers – for processing payments via credit cards;
• Insurance companies – in the event of an insurance claim related to a tourist accommodated at the premises.
All such providers are bound by confidentiality agreements and are required to comply with GDPR requirements. Their activities are strictly monitored by us.

2. Data Recipients for Reservation and Service Performance

• Business partners – travel agencies and their representatives, transport companies and airlines, providers of main and additional tourism services, and other subcontractors with whom we have concluded contracts;
• The data subject – you, when exercising your rights of access or correction;
• Clients or users of the services to whom the data relates (e.g., group reservations).

3. Public Authorities and Institutions

• Ministry of Interior – for guest registration and identity notification;
• Tax Administration (NRA) – for issuing invoices and fulfilling tax obligations;
• Municipality, National Social Security Institute, Consumer Protection Commission, Personal Data Protection Commission, judicial and supervisory authorities – where there is a lawful basis for providing the data.
Your data is shared solely for the purposes of fulfilling contractual and legal obligations and is processed by third parties only to the extent necessary to achieve these purposes.
To ensure the operation of our services and platforms, your personal data may be transferred and processed outside the European Union, including in the United States.
In such cases, we apply appropriate safeguards in accordance with GDPR requirements, including standard contractual clauses, to ensure an adequate level of protection. Please note that the legal framework for data protection in other countries may differ from that within the European Union.

VII. How Do We Protect Your Personal Data?

At Zornitza Family Estate Relais & Châteaux, the protection of your personal data is a priority.
We implement all necessary organizational, technical, and physical measures in accordance with GDPR and applicable national legislation to ensure the security of the information you provide.
For this purpose, we:
• maintain structures to prevent abuse and security breaches;
• have appointed a Data Protection Officer (DPO) who monitors the proper implementation of protective measures;
• apply additional protection mechanisms, including encryption, pseudonymization, and other technologies, where appropriate.

VIII. Your Rights as a Data Subject

As a client or visitor of Zornitza, you have a number of rights under GDPR which you may exercise in relation to your personal data.

Providing data is voluntary, but it is necessary for concluding and performing service contracts. If data is not provided, we cannot process reservations or deliver other services.

We respond to your requests within 30 calendar days. In exceptional cases, this period may be extended by an additional two (2) months, and you will be informed within one (1) month of receiving the request.

Your Rights under GDPR

1. Right to Information
You have the right to receive information about the processing of your personal data, including purposes, legal basis, retention period, categories of recipients, and more. Where automated decision-making or profiling applies, you will be informed of its purposes and consequences.

2. Right of Access
You may request a copy of all personal data we process about you. For additional requests, a reasonable administrative fee may apply.

3. Right to Rectification
You have the right to request correction or completion of incomplete or inaccurate data.

4. Right to Erasure
You may request deletion of personal data if:
• it is no longer necessary for the purposes for which it was collected;
• you withdraw consent and no other legal basis exists;
• you consider the processing unlawful.
Erasure may be restricted where the law requires retention or where legal obligations, pending proceedings, or protection of rights apply.

5. Right to Restriction of Processing
You may request restriction if:
• you contest the accuracy of the data;
• processing is unlawful but you do not want deletion;
• the data is no longer needed by us but is required for your legal claims;
• you object to processing based on legitimate interest.

6. Right to Data Portability
You may receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller when processing is based on consent or contract and carried out by automated means.

7. Right to Object
You may object at any time to processing based on legitimate interest. If you have given consent for marketing, you may withdraw it without providing reasons.

8. Right to Lodge a Complaint
If you believe we have violated applicable personal data protection legislation and affected your rights, please contact us. You also have the right to lodge a complaint with the Personal Data Protection Commission, the supervisory authority in Bulgaria, at: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., tel. +359 2 91 53 518, email: kzld@cpdp.bg.

How Can You Exercise Your Rights?
You may submit a request:
• In person or through an authorized representative (with power of attorney) at:
Sofia 1618, Vitosha District, Manastirski Livadi Residential Area,
106 Bulgaria Blvd., Entrance D, Apt. 9
• By email: info@zornitzaestate.com
• By phone: 0700 20 20 86

Exercising your rights is free of charge, except in rare cases of repeated requests requiring significant resources, where a reasonable administrative fee may apply.
If a request is submitted electronically, we will provide the information electronically unless you request otherwise.
Identification of the person submitting the request is performed by an authorized employee where we have reasonable doubts regarding their identity.
Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. Data may continue to be processed if another legal basis applies.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.