Privacy policy

1. Who we are (data controller)

SplashVillas is operated by Kopaxgroup Kft., headquartered at 1072 Budapest, Dob utca 20. 3. em. 26. ajtó, Hungary. Registered under company number 01-09-447785 (EU VAT HU32885851). We are the data controller for any personal data collected through this site under Regulation (EU) 2016/679 (the GDPR).

For any GDPR request — access, rectification, erasure, portability, restriction, objection — or any privacy question, write to privacy@splashvillas.com. We do not have a statutory obligation to appoint a Data Protection Officer, but this address reaches the person responsible for data protection. We respond within one month as required by Art. 12 GDPR.

2. What we collect, why, and the legal basis

We deliberately keep this list short. Every entry explains the what, the why, the legal basis (Art. 6 GDPR), and the retention period.

• Account data (name, email address and profile picture from your Google account, where you sign in with Google OAuth). Why: to let you sign in securely, see your bookings and manage your reservations. Legal basis: performance of a contract and taking pre-contractual steps at your request (Art. 6(1)(b)). We never receive your Google password. Retention: for the life of your account, then deleted on request or after a period of inactivity.
• Booking details (lead-guest name, email, guest count, stay dates, property booked, special requests, reservation reference and payment status). Why: to create, confirm and manage your reservation and to meet our accounting and consumer-law obligations. Legal basis: performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for invoicing/tax records. Retention: for the period required by Hungarian accounting and tax law (generally up to 8 years), then deleted.
• Contact messages (your email address and the content of any message you send us about a booking or enquiry). Why: to answer you and keep a record of the conversation. Legal basis: legitimate interest in handling correspondence (Art. 6(1)(f)), or performance of a contract where the message concerns a booking. Retention: as long as needed to resolve the matter, then archived or deleted.
• Analytics (anonymised/truncated IP, country, device, pages viewed). Why: to understand which destinations and pages are useful and improve the site. Legal basis: consent (you opted in via the cookie banner). Retention: up to 14 months.
• Functional preferences (cookie-banner choice, locale, currency, theme, wishlist). Why: to make the site usable. Legal basis: legitimate interest in providing core functionality (recital 30 exempts strictly-functional storage from consent). Stored client-side in your browser. Retention: until you clear browser data.

We do not run remarketing or behavioural ad targeting, do not sell your data, and do not share it with third parties beyond the processors listed below.

3. Payment data

Payments are processed on this site through our supplier's payment service provider (Nuitée / LiteAPI, using Stripe). Your card details are entered into and handled by that PCI-DSS compliant provider; we do not see or store your full card number. We only receive confirmation of whether the payment succeeded and the booking can be confirmed.

4. Processors and third-country transfers

Some processing is delegated to specialised providers. They process data only on our written instructions under Data Processing Agreements (DPAs). Full list:

Transfers to the US providers above rely on the EU Standard Contractual Clauses (SCCs, Commission template 2021/914) combined, where applicable, with the EU-US Data Privacy Framework. We apply technical and organisational safeguards to minimise what each provider sees (anonymisation, minimum-permission API keys).

5. Cookies

Strictly-functional storage (cookie-banner choice, wishlist, locale, currency, theme) is always on; analytics and any marketing categories are opt-in via the on-site consent banner. See the dedicated cookies policy for the per-category breakdown and how to change or withdraw consent.

6. Your rights (Art. 15-22 GDPR)

As a data subject in the EU/UK you have the right to:

• Access the data we hold about you (Art. 15)
• Rectify any inaccurate data (Art. 16)
• Erase your data — right to be forgotten (Art. 17), subject to our legal duty to retain booking and accounting records
• Restrict processing while we investigate a complaint (Art. 18)
• Portability — receive your data in a structured, machine-readable format (Art. 20)
• Object to processing based on legitimate interest (Art. 21)
• Withdraw consent at any time (Art. 7(3)) — the cookie banner lets you change your analytics/marketing choice from the cookies page at any time.

Send any of these requests to privacy@splashvillas.com. You can also lodge a complaint with your national data-protection authority. Ours is the Hungarian NAIH.

7. Security

We encrypt traffic in transit (TLS) and rely on provider-managed encryption at rest. We use minimum-permission API keys for every processor and protect operational access with Cloudflare Access. We do not store card data — payment is handled by our supplier's PCI-DSS compliant provider (Nuitée / LiteAPI via Stripe). In the event of a personal-data breach we notify the NAIH within 72 hours and affected users as soon as feasible (Art. 33-34 GDPR).

8. Children's privacy

SplashVillas is not directed at people under 16. We do not knowingly collect data from minors. If you become aware that a minor provided us data, please contact us to delete it.

9. Changes to this policy

We may update this policy as the service evolves. The last-updated date at the top reflects the most recent revision. Material changes will be highlighted on the site.