Who we are (data controller)
This website is operated by Old Town Inn (“we”, “us”, “our”). We are the data controller for personal data processed via this website.
If you have questions about this policy or how we handle your information, contact us using the details above.
What this policy covers
This policy explains how we collect and use personal data when you:
- browse this website;
- contact us via forms, email or telephone;
- enquire about availability and reservations;
- make or manage a booking (including where you are redirected to, or interact with, our booking partners).
It does not cover third-party websites you may reach via links from our site (including booking platforms). Their own privacy notices apply.
Personal data we collect
Depending on how you use the site, we may collect:
Information you provide to us
- Contact and enquiry details: name, email address, phone number, message content, subject and any information you choose to include (e.g. travel dates, preferences).
- Booking-related information: details needed to respond to your enquiry and facilitate a reservation (e.g. dates, number of guests, room type).
- Communications: correspondence with us by email, phone or via the website.
Information collected automatically
- Technical and usage data: IP address, device and browser information, pages viewed, date/time of visits, referrer pages, and similar logs for security and performance.
- Cookie data: identifiers and preferences stored on your device (see Cookie Policy).
We do not intentionally collect special category data (such as health data). Please do not include it in free-text fields unless it is strictly necessary (for example, an accessibility requirement relevant to your stay).
Why we use your data (purposes and legal bases)
We process personal data only where we have a lawful basis under the GDPR.
| Purpose | Typical data | Legal basis |
| Responding to enquiries and requests | Contact details, message content | Legitimate interests (to communicate with prospective guests) or steps prior to a contract |
| Managing reservations and stay administration | Booking details, communications | Contract (performance of a booking) or steps prior to a contract |
| Customer service and guest communications | Communications, contact details | Legitimate interests and/or contract |
| Security, fraud prevention, abuse detection | IP address, logs | Legitimate interests (protecting our website and business) |
| Legal and regulatory compliance | Records relevant to compliance | Legal obligation |
| Improving the website (performance, diagnostics) | Usage/technical data | Legitimate interests (to maintain and improve the service) and, where required, consent via cookies |
Where we rely on consent (typically for non-essential cookies), you can withdraw it at any time (see Cookie Policy).
Who we share your data with
We only share personal data where it is necessary and proportionate, including with:
- Service providers supporting our website (hosting, maintenance, security, email delivery).
- Booking / reservation partners used to process or confirm reservations (for example, where you click “Book now” and are redirected to a booking service).
- Professional advisers (legal, accounting) where required.
- Authorities where we are required to comply with a legal obligation.
All service providers are required to protect personal data and use it only for providing services to us.
International transfers
Some of our suppliers (or their sub-processors) may process data outside the European Economic Area. Where this happens, we use appropriate safeguards (such as EU Standard Contractual Clauses) and assess transfer risks as required.
How long we keep your data
We keep personal data only as long as necessary for the purposes described above:
- Enquiries: typically up to 12 months after last contact (unless you proceed to a booking or there is a dispute).
- Bookings and stay records: typically up to [X years] to support contractual, tax and legal obligations.
- Security logs: typically [30–180 days] unless needed to investigate incidents.
- Cookie data: see Cookie Policy (varies by cookie).
Retention periods may be extended if required to establish, exercise or defend legal claims.
Your rights
Under the GDPR, you may have the right to:
- access your personal data;
- rectify inaccurate data;
- request erasure (in certain circumstances);
- restrict processing;
- object to processing based on legitimate interests;
- data portability (where processing is based on contract or consent and carried out by automated means);
- withdraw consent at any time (where we rely on consent);
- lodge a complaint with your supervisory authority.
If you are in Croatia, you can complain to the Croatian Personal Data Protection Agency (AZOP). You can also contact your local authority in the EU/EEA.
Security
We apply reasonable technical and organisational measures to protect personal data, including access controls, secure hosting and monitoring. No website can be guaranteed 100% secure; if you suspect any issue, please contact us promptly at info@oldtown.rest.
Children
This site is not intended for children and we do not knowingly collect personal data from children.
Links to third parties
Our site may include links to third-party websites (including booking platforms and map services). We are not responsible for their privacy practices. Please review their privacy notices.
Changes to this policy
We may update this policy from time to time.