Meridian

Hotel Meridian

Privacy Policy

We respect your privacy. Below we explain what data we collect, why, and what rights you have.

Effective from
21 May 2026
Last updated
21 May 2026

This Privacy Policy describes how Hotel Meridian processes the personal data of visitors to hotelmeridian.pl and people who contact us. It is prepared in accordance with the EU General Data Protection Regulation 2016/679 (GDPR).

1. Data controller

The controller of your personal data is Hotel Meridian S.C. Konrad Witczuk, Alicja Witczuk, ul. Kaperska 2, 84-120 Chałupy, Poland, Tax ID (NIP): 5871746142, Statistical Number (REGON): 528481077.

For any privacy-related matter, contact us at recepcja@hotelmeridian.pl or by phone: +48 58 674 19 01.

Given the scale and nature of our business, we have not appointed a Data Protection Officer. All privacy-related queries are handled directly by the controller.

2. What data we process

We process data you provide voluntarily as well as data collected automatically when you use the website:

  • Contact and identification data — first and last name, e-mail, phone number, company name (for business inquiries) — provided through the contact and business forms.
  • Correspondence content — messages and inquiries you send us, with metadata (date, time).
  • Technical data — IP address, cookie identifiers, device and browser type, referrer, time spent on site — collected automatically by analytics tools (subject to your consent).
  • Booking-related data — when you book a stay through the reception by phone or e-mail, we process the data needed to enter into and perform the hotel contract (name, contact, dates of stay, billing details).
  • Payment information — for an online booking paid by card or instant bank transfer we receive from the payment operator (Przelewy24 / PayPro S.A.) confirmation of the transaction status (success / failure / refund), the amount, currency and transaction identifier. We do not receive your full card details or bank account number.

3. Purposes and legal bases

We process your data for the following purposes:

  1. Replying to inquiries sent through the contact or business form — basis: Article 6(1)(b) GDPR (pre-contractual steps) or Article 6(1)(f) GDPR (legitimate interest in handling the inquiry).
  2. Conclusion and performance of the hotel contract (booking, check-in, invoicing, payment reconciliation) — basis: Article 6(1)(b) GDPR.
  3. Compliance with legal obligations (accounting, tax, registration, AML — anti-money-laundering and counter-terrorism financing) — basis: Article 6(1)(c) GDPR.
  4. Statistics and website analytics, service optimisation — basis: Article 6(1)(a) GDPR (your consent in the cookie banner).
  5. Marketing of our own services, including remarketing and personalised advertising — basis: Article 6(1)(a) GDPR (consent).
  6. Establishment, exercise or defence of legal claims — basis: Article 6(1)(f) GDPR (legitimate interest).

4. How long we keep data

  • Data from contact inquiries — for the duration of the correspondence and no longer than 2 years from the last contact, unless a longer period is justified by the defence of claims.
  • Booking and accounting data — for the period required by law (5 years from the end of the financial year in which the document was issued).
  • Data processed on the basis of consent — until consent is withdrawn.
  • Technical logs and analytics cookies — for the lifetime of cookies described in the Cookie Policy.
  • Payment transaction information — for the period required by tax and accounting rules (5 years), independently of the retention by the payment operator PayPro S.A. described in Section 6.

5. Recipients of the data

Your data may be shared with trusted processors with whom we have data processing agreements:

  • Resend (Resend, Inc., USA) — provider of transactional e-mail delivery from forms.
  • Cloudflare, Inc. (USA) — Turnstile bot-protection service for forms; infrastructure (DNS, CDN).
  • Sanity.io (Sanity AS, Norway) — content management system (CMS) for the website.
  • Railway Corp. (USA) — web application hosting.
  • PayPro S.A. (Przelewy24), ul. Pastelowa 8, 60-198 Poznań, Poland, KRS 0000347935, Tax ID (NIP) 7792369887 — payment service provider handling transactions made in the booking engine (BLIK, online bank transfers, Visa/Mastercard cards, Apple Pay, Google Pay). PayPro S.A. acts as an independent data controller of payer data for the execution of payment orders — see Section 6 and www.przelewy24.pl/obowiazek-informacyjny-rodo-platnicy.
  • Betasi sp. z o.o. (PremiumStay) — operator of the booking engine available at meridian.premiumhotel.pl. Acts as an independent data controller for the online booking process — see Section 6 and betasi.pl/polityka-prywatnosci-serwisow-chmurowych-betasi.
  • Google Ireland Limited / Google LLC (USA) — Google Analytics 4 and Google Tag Manager (only if you consent to analytics cookies).
  • Meta Platforms Ireland Ltd. / Meta Platforms, Inc. (USA) — Facebook Pixel (only if you consent to marketing cookies).
  • Accounting and law firms — to the extent necessary to keep books and provide legal support.
  • State authorities — only in cases provided for by law (e.g. tax office, court, Polish Financial Supervision Authority (KNF), General Inspector of Financial Information (GIIF)).

6. Online booking and payment system

6.1. Booking flow

Online bookings are processed through an external booking engine, PremiumStay / Betasi, available at meridian.premiumhotel.pl. It is a separate website operated by Betasi sp. z o.o. — an independent data controller for the booking process — with its own privacy policy and terms (betasi.pl/polityka-prywatnosci-serwisow-chmurowych-betasi). When you click "Book" on hotelmeridian.pl you are redirected to meridian.premiumhotel.pl — from that point on the engine operator’s rules also apply.

After the booking is completed, we receive from the engine operator the data we need to deliver the stay (name, contact details, dates, room/package). We process that data under this Policy as the controller of data collected to perform the hotel contract (Article 6(1)(b) GDPR).

6.2. Payment service provider — Przelewy24 (PayPro S.A.)

Online payments for bookings (BLIK, instant bank transfers, Visa/Mastercard cards, Apple Pay, Google Pay, BLIK Pay Later, PayPo) are handled by the Przelewy24 service operated by PayPro Spółka Akcyjna with its registered office in Poznań, ul. Pastelowa 8, 60-198 Poznań, Poland, entered in the register of entrepreneurs of the National Court Register kept by the District Court Poznań — Nowe Miasto i Wilda, 8th Commercial Division, under KRS 0000347935, Tax ID (NIP): 7792369887, Statistical Number (REGON): 301345068, share capital PLN 4,737,100 fully paid up. PayPro S.A. is a national payment institution supervised by the Polish Financial Supervision Authority (KNF), entered in the payment services register under No. IP24/2014.

After selecting a payment method in the booking engine, you are redirected to the Przelewy24 site (secure.przelewy24.pl) or to your bank/operator app. From the moment of that redirect, PayPro S.A. becomes the controller of your payment data — independently of Hotel Meridian. The Hotel does not have access to your full card details, bank account numbers or authentication credentials; it only receives information about the status and outcome of the transaction (success / failure / refund) and the transaction identifier needed for accounting.

Purposes and legal bases of processing by PayPro S.A.:

  • provision of payment services (handling payment orders, authorisation, settlement) — Article 6(1)(f) GDPR,
  • handling complaints and maintaining the related records — Article 6(1)(c) GDPR in connection with the Polish Payment Services Act,
  • fraud prevention and anti–money-laundering / counter-terrorism financing — Article 6(1)(c) and (f) GDPR in connection with the Polish Act of 1 March 2018 on counteracting money laundering and terrorism financing,
  • establishment, exercise and defence of claims arising from payment services — Article 6(1)(f) GDPR.

Retention by PayPro S.A.: for the duration of the payment service and for 13 months from the date the payer’s account is debited, and then — at least 5 years pursuant to the Polish Payment Services Act and AML rules. PayPro S.A. does not transfer the data outside the European Economic Area.

PayPro S.A. controller contact: ado@przelewy24.pl, correspondence address: PayPro S.A., ul. Pastelowa 8, 60-198 Poznań, Poland. Data Protection Officer at PayPro S.A.: iod@przelewy24.pl. Full information clause: www.przelewy24.pl/obowiazek-informacyjny-rodo-platnicy. Service terms: www.przelewy24.pl/regulamin.

Independently of the processing by PayPro S.A., Hotel Meridian processes information about the fact and outcome of the payment in order to perform the hotel contract and settle the booking (Article 6(1)(b) and (c) GDPR) — for as long as necessary to defend claims and as required by tax and accounting rules (5 years from the end of the financial year).

6.3. Other booking documents

Together with the booking process the following documents are made available: Reservation Terms (pub-330ccc76bc86423693d4a045165b626a.r2.dev/regulamin_rezerwacji.pdf) and Cancellation Policy (pub-330ccc76bc86423693d4a045165b626a.r2.dev/polityka_anulacji.pdf). The engine operator also provides a digital accessibility statement (betasi.pl/oswiadczenie-dostepnosci-cyfrowej). Przelewy24 provides the service terms (www.przelewy24.pl/regulamin) and the RODO information clause for payers (www.przelewy24.pl/obowiazek-informacyjny-rodo-platnicy).

7. Data transfer outside the EEA

Some of our providers (Resend, Cloudflare, Google, Meta, Railway) process data on servers in the United States. Transfers are based on Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR) or on the EU–US Data Privacy Framework adequacy decision (2023). The payment operator PayPro S.A. (Przelewy24) and the booking engine operator Betasi sp. z o.o. do not transfer data outside the European Economic Area.

8. Your rights

In connection with the processing of your personal data, you have the following rights:

  • Right of access (Article 15 GDPR).
  • Right to rectification of inaccurate or incomplete data (Article 16 GDPR).
  • Right to erasure — "right to be forgotten" (Article 17 GDPR).
  • Right to restriction of processing (Article 18 GDPR).
  • Right to data portability (Article 20 GDPR).
  • Right to object to processing (Article 21 GDPR).
  • Right to withdraw consent at any time — without affecting the lawfulness of processing prior to withdrawal.
  • Right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl) if you consider that the processing infringes the GDPR.

To exercise any of these rights, write to recepcja@hotelmeridian.pl. For data processed by PayPro S.A. (Przelewy24), rights are exercised directly with that controller — via the form at www.przelewy24.pl/zapytanie-o-dane or by e-mail to ado@przelewy24.pl.

9. Cookies

The site uses cookies and similar technologies. The categories of cookies, providers, lifetimes and consent management are described in the separate Cookie Policy. Consent for analytics and marketing cookies is requested before they are set (Consent Mode v2, no pre-selected consents). You can update your consent at any time using the "Cookie settings" button in the footer.

10. Data security

We apply technical and organisational security measures appropriate to the risk — including TLS/HTTPS encryption, access control, regular software updates, restricting data access to authorised persons. Transmission of payment data takes place exclusively within the PayPro S.A. environment (under the PCI DSS standard) — Hotel Meridian does not store card data. Despite the measures taken, no method of transmission or storage on the internet is 100% secure; in case of a breach we will follow the procedure under Articles 33–34 GDPR.

11. Children’s data

The site is not directed at children under 16. We do not knowingly collect personal data from people under that age. If you become aware that a child has provided data without a guardian’s consent, please contact us — we will delete such data without delay.

12. Changes to the Policy

This Policy may be updated — for example due to changes in law, technology, or the scope of services. The current version is always available at hotelmeridian.pl/en/prywatnosc with the effective date shown at the beginning of the document.