Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller is:
Apartments Lavanda Fiesa
Address: Portorož, Fiesa 51a, 6330 Piran, Slovenia
Telephone: +386 (0)41 338 366
Email: bss@inter.si
The controller is a natural person engaged in the activity of a tourist accommodation provider. The controller is not formally registered in the data processing register.
2. Contact for Personal Data Matters
For all matters relating to the processing of personal data, you may contact us at:
Email: bss@inter.si
Telephone: +386 (0)41 338 366
You will receive a response to your request within 30 days of receipt, in accordance with Article 12 of the General Data Protection Regulation (GDPR).
3. Personal Data Collected
We collect the following personal data, categorised by source:
Reservation Form
Data that you provide when filling out the reservation form on the website:
| Data | Description |
|---|---|
| Name and surname | Your name and surname for communication regarding the reservation |
| Email address | For sending confirmation and communication with you |
| Phone number | For potential telephone communication regarding the reservation |
| Arrival and departure dates | Selected dates of stay |
| Number of guests | Number of adults and children |
| Message | Additional requests or questions |
Website Visit (Automatically Collected Data)
The following technical data is automatically collected when you visit the website:
| Data | Description |
|---|---|
| IP address | Network address of your device |
| Browser type | Name and version of the browser (user agent) |
| Operating system | Operating system of your device |
| Date and time of visit | Timestamp of each request |
| Pages visited | Website pages that you visit |
Geolocation
When submitting the reservation form, your IP address is sent to the freeipapi.com service, which returns the name of the country from which you are accessing the site. The data is used to localise content. The IP address is not stored by freeipapi.com.
We do not intentionally collect data about minors (persons under 16 years of age). No profiling or automated decision-making takes place on this website.
4. Sources of Personal Data
Personal data comes from the following sources:
- Directly from you — data that you enter in the reservation form.
- Automatically upon website visit — technical data collected via server logs, cookies, and external services (reCAPTCHA, Google Maps, Google Fonts).
We do not obtain data from third-party sources and do not purchase data from external providers.
5. Purposes of Processing and Legal Basis
For each processing purpose, we indicate the appropriate legal basis in accordance with the General Data Protection Regulation (GDPR):
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Processing reservations and communication with guests | Contractual reason — data is necessary for the performance of the accommodation contract | Art. 6(1)(b) |
| Responding to enquiries not related to a contract | Consent — data is provided voluntarily | Art. 6(1)(a) |
| Protection against abuse (reCAPTCHA, CSRF protection) | Legitimate interest — protection of the website against spam and malicious attacks | Art. 6(1)(f) |
| Website operation (sessions, CDN, server logs) | Legitimate interest — maintaining secure and stable website operation | Art. 6(1)(f) |
| Storing cookie consent | Legal obligation — in accordance with the Electronic Communications Act (ZEKom-1) | Art. 6(1)(c) |
Legitimate interest means that we have a justified reason for processing data that does not threaten your rights and freedoms. In the case of reCAPTCHA, this means preventing malicious submissions; for sessions and CDN, it means ensuring basic website operation.
6. Recipients of Personal Data
The following third parties may come into contact with your personal data:
| Recipient | Purpose | Data Processed |
|---|---|---|
| Google LLC (reCAPTCHA) | Protection of the form against spam | IP address, browser data, interaction data |
| Google LLC (Google Maps) | Display of the location map | IP address, location data |
| Google LLC (Google Fonts) | Display of fonts on the website | IP address, browser data (user agent) |
| Sirv (image CDN) | Delivery of images on the website | IP address (in access logs) |
| jsDelivr / unpkg (JS/CSS CDN) | Delivery of libraries (Bootstrap, Swiper, AOS, jQuery) | IP address (in access logs) |
| freeipapi.com | Determining the country of access when the form is submitted | IP address (only for conversion to country name, without storage) |
Privacy policies of recipients:
- Google LLC: policies.google.com/privacy
- Sirv: sirv.com/privacy
- jsDelivr: www.jsdelivr.com/privacy-policy-jsdelivr-net
- unpkg: www.jsdelivr.com/privacy-policy-unpkg-com
Personal data is not sold to third parties and is not transferred outside the EU/EEA for advertising or marketing purposes.
7. International Data Transfers
Some recipients process data outside the European Union:
- Google LLC (USA) — data processing in the United States is based on the EU-US Data Privacy Framework, which ensures an adequate level of data protection in accordance with the European Commission's decision.
- Sirv (United Kingdom) — the United Kingdom is recognised as a country with an adequate level of data protection in accordance with the GDPR adequacy decision.
- CDN providers (jsDelivr, unpkg) — may process data in different jurisdictions; where necessary, standard contractual clauses (SCC) are used in accordance with Article 46 of the GDPR.
Details are governed by Articles 44–49 of the General Data Protection Regulation (GDPR).
8. Data Retention
We retain personal data only for as long as necessary for the purpose of processing:
| Data | Retention Period | Reason |
|---|---|---|
| Reservation form | Not stored on the server | Sent directly to the controller's email; remains only in the mailbox |
| PHPSESSID (cookie) | Until browser is closed | Maintaining an active session |
| CSRF token | Until used or end of session | Form protection against attacks |
| _GRECAPTCHA (cookie) | 6 months | Preventing spam |
| cookie_consent_given (localStorage) | Until you manually delete your browser data | Storage of cookie consent (legal obligation) |
| Server logs | Up to 30 days | Security and troubleshooting |
| Admin panel data | Until deleted by the administrator | Operational purposes (prices, reviews) |
Upon your request, we will delete your personal data in accordance with Article 17 of the GDPR (right to erasure), unless their retention is legally required or necessary for the enforcement of legal claims.
9. Data Security
We have implemented the following technical measures to protect your personal data:
- HTTPS encryption — all communication between the browser and the server is encrypted.
- CSRF protection — the form is protected against Cross-Site Request Forgery attacks with a random token.
- reCAPTCHA v3 — protection against automated submissions and malicious attacks.
- Data file protection — JSON files with data (prices, reviews) are protected by rules in .htaccess.
- Session authentication — access to the admin panel is protected by a password stored as a bcrypt hash.
Access to the admin panel is limited to an authorised person only.
We are aware that no system is completely secure. In the event of a security breach that threatens your personal data, we will notify affected individuals within 72 hours in accordance with Article 33 of the GDPR.
10. Automated Decision-Making and Profiling
No automated decision-making or profiling of individuals takes place on this website within the meaning of Article 22 of the GDPR. All decisions regarding reservations and communication with guests are made by a person.
11. Individual Rights
In accordance with the GDPR, you have the following rights regarding your personal data:
1. Right of Access (Art. 15)
You may request confirmation of whether we process your personal data and a copy of all data we hold about you.
2. Right to Rectification (Art. 16)
You may request the correction of inaccurate or incomplete personal data.
3. Right to Erasure (Art. 17)
You may request the deletion of your personal data (the so-called "right to be forgotten"). This right is not absolute — we may retain data if retention is necessary for the fulfilment of legal obligations or the enforcement of legal claims.
4. Right to Restriction of Processing (Art. 18)
You may request the restriction of the processing of your data, for example while verifying the accuracy of the data or while exercising an objection.
5. Right to Data Portability (Art. 20)
You may request to receive your data in a structured, commonly used, and machine-readable format (e.g. JSON or CSV) and to have it transmitted to another controller.
6. Right to Object (Art. 21)
You may object to the processing of your data that is based on legitimate interest. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
7. Right to Withdraw Consent (Art. 7(3))
You may withdraw your consent for data processing at any time without affecting the lawfulness of processing before the withdrawal of consent.
Exercise of Rights
To exercise any of the above rights, send a request to bss@inter.si. You will receive a response within 30 days. The exercise of rights is free of charge, unless the request is manifestly unfounded or excessive.
You also have the right to lodge a complaint with the Information Commissioner (see Section 14).
12. Cookies and Tracking Technologies
For detailed information about the cookies and other tracking technologies we use, please visit the Cookie Policy page.
Summary: we use essential cookies for website operation (PHPSESSID, CSRF token), third-party cookies (reCAPTCHA, Google Maps), and browser storage (localStorage) to record your cookie consent. A consent banner is displayed on the first visit, and your consent is saved in localStorage.
13. Links to Third Parties
The website contains links to external websites, including:
- Booking.com
- Google Maps
- Piran / Portorož Tourism
- Visit Koper
- Istralandia
- KPSS
- Dobre Gostilne
We are not responsible for the privacy practices of these external websites. We recommend that you read their privacy policies before providing any personal data on those sites.
14. Information Commissioner
In the event of questions or complaints regarding the processing of personal data, you may contact the Information Commissioner of the Republic of Slovenia:
Information Commissioner
Dunajska cesta 22, 1000 Ljubljana
Telephone: +386 1 230 97 30
Email: gp.ip@ip-rs.si
Website: www.ip-rs.si
15. Changes to This Policy
We may update this privacy policy from time to time. Significant changes will be published on the website. The date of the last update is indicated at the top of this page.