This Privacy Policy describes the privacy principles and practices adopted by Dream Stay Apartments and shall apply to all relationships between Dream Stay Apartments and the Client and the Guests related to the use of the Service and Website. Unless defined in this Privacy Policy, the terms used in PrivacyPolicy are used in the meaning given to them in Dream Stay Apartments Terms and Conditions for Dream Stay Apartments Services, available at https://dreamstay.ee/terms and/or in the meaning given to them in Article 4 of theGeneral Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”).

Please read this Privacy Policy document carefully. As Dream Stay Apartments is dedicated to protecting the privacy and personal data of our Clients and Guests, please do not hesitate to contact us, if you have any questions about how we process your Personal Data or if you wish to submit an application for exercising your rights related to processing your Personal Data.

1.             DEFINITIONS

“Apartment” means the apartment booked by the Client by way of using the Service;

“Dream Stay Apartments”, “Dream Stay” or “we”, “us”, “our” means Dream Stay Apartments OÜ, a company  incorporated in Estonia, with the registry code 11257883, address Rataskaevu 16, 10123, Tallinn, Estonia, e-mail address info@dreamstay.ee, or other  entities in the group with Dream Stay Apartments providing the  Services. List of Dream Stay Apartments entities providing the Services is provided in  Section 11;

“Client” means any person who is using the  Services of Dream Stay Apartments who has made the Reservation or has concluded an Agreement with Dream Stay Apartments;

“Cookie Policy” means the cookie policy in Section  8;

“Data Subject” Natural person who uses Dream Stay Apartments Services or whose Personal Data is processed by Dream Stay Apartments;

“Data Controller” or “Controller” natural or legal person, public  authority, agency or other body which, alone or jointly with others,  determines the purposes and means of the processing of Personal Data. For the  purposes of this Privacy Policy, Dream Stay Apartments entity providing the Service in specific jurisdiction is the data controller of its Clients’ Personal Data.

“Data Processor” or “Processor” natural or legal person, public  authority, agency or other body which processes Personal Data on behalf of  the controller; for example, the service providers to Dream Stay Apartments;

“Extra Service” means the extra services ordered  by the Client upon availability in accordance with the Terms and Conditions;

“Service” means the accommodation service  and related services provided to the Client by Dream Stay Apartments;

“OTA” means the online travel agency or other  services provider who has listed Apartments through its services and thereby  mediates the Services by Dream Stay Apartments;

“GDPR” defined in the preamble;

“Guest” or “Guests” mean the person or persons being  provided with the Service;

“Reservation” means a reservation for Service  made by the Client;

“Website” means https://dreamstay.ee/, its subdomains and/or other web  pages used by Dream Stay Apartments;

“Personal Data” any information relating to an  identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in  particular on the basis of such a record as the name, personal identification  code, place of location information or network identifier, or on the basis of  one or more physical, physiological, genetic, mental, economic, cultural or  social identities;

 “Processing” any operation or set of operations  which is performed on Personal Data or on sets of Personal Data, whether or  not by automated means, such as collection, recording, organisation,  structuring, storage, adaptation or alteration, retrieval, consultation, use,  disclosure by transmission, dissemination or otherwise making available,  alignment or combination, restriction, erasure or destruction;

“Terms and Conditions” mean the Terms and Conditions for using Dream Stay Apartments Services, available at https://dreamstay.ee/terms.

“You” means the same as the “Data Subject”.

2.             WHY WE PROCESS PERSONAL DATA AND WHAT PERSONAL DATA DO WE PROCESS?

2.1          When you have opted to use Dream Stay Apartments Services and you are the Client of Dream Stay Apartments or Guest staying at our Apartment, we need to process your Personal Data to enable the Services to you (data subject).

2.2          We process Personal Data that is submitted to us directly by the Client or automatically obtained by Dream Stay Apartments about the Client in the course of using our Services.

2.3          If you have ordered the Service through the OTA, we process Personal Data that is submitted to us by the relevant OTA. In such a case, the privacy terms of the OTA selected by you apply in addition.

2.4          If the Reservation for the Apartment is submitted by the Client for a third person being the Guest or co-Guest(s), we process Personal Data about such Guest or co-Guest(s) as submitted to us by the Client.

2.5          When submitting the Personal Data about a third person, the Client undertakes to ensure that he/she/it has the consent(s) of each Guest or other Data Subject to transfer his/her Personal Data to Dream Stay Apartments.

2.6          We also process Personal Data that is submitted to us when you contact us with a query or question via Website or via any other channel (by sending an e-mail, for example). In such a case we process your Personal Data included in the inquiry to the extent that is necessary to respond to you.

2.7          Personal Data Dream Stay Apartments processes in the course of providing the Services may include following data about you:

2.7.1       general personal information: first name; last name; citizenship, nationality, sex, date of birth; ID document data;

2.7.2       contact details: e-mail address; address; phone number;

2.7.3       data related to the ordered Service: any data disclose to us as through the use of the Service, including, for example, information related to the ordered Extra Services;

2.7.4       payment data: information concerning the payment for the Services, including the credit card details used;

2.7.5       technical data: to ensure smooth provision of the Services, we may process technical data, which may include your device’s Internet Protocol address (IP address), browser information, information about your device’s operating system, settings, language, date of device and other necessary information which may also be acquired through the use of cookies on our Website;

2.7.6       sensor data: Dream Stay Apartments’ Apartments may be installed with certain sensors that process information in the Apartment, such as the temperature, noise level, motions (to automatically switch on/off electricity), humidity, air quality level, etc. Such sensors do not collect personally identifiable information and never record audio, photographs or videos. Please note that as the sensor data cannot usually be linked to any specific natural person, the sensor data is not generally considered as personal data. However, in order to be transparent in all data processing, we have also described in this Privacy Policy the use of sensors.

3.             WHAT IS THE LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA?

3.1          We process Personal Data to provide the Services (please also read Dream Stay Apartments Terms and Conditions). Legal basis for such data processing is GDPR Article 6-1-(b), i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

3.2          In certain situations, we might process your Personal Data when processing is necessary for compliance with a legal obligation to which we are subject, for example for accounting purposes under applicable accounting legislation or applicable tourism legislation. Legal basis for such data processing is GDPR Article 6-1-(c).

3.3          In certain specific situations we might also process your Personal Data where processing your Personal Data is necessary for the purpose of our legitimate interests pursued by us. Legal basis for such data processing isGDPR Article 6-1-(f). In such a case we shall ensure that processing is proportionate and that we have carried out legitimate interest impact assessment. For example, for the purpose of our legitimate interest we analyse how our Services and Website are used by our Clients so we can provide better service; when processing is necessary in connection with an investigation of suspected or actual fraudulent or other illegal activity or in connection with corporate sale, merger, reorganisation, dissolution or similar event.

3.4          In certain specific situations we might also process your Personal Data based on your consent. Legal basis for such data processing is GDPR Article 6-1-(a). In such a case, you have the right to withdraw from your consent at any time. For example, based on your consent we may send you marketing content from receiving of which you may unsubscribe at any time.

3.5          For a more specific overview, please see Section 5 below.

4.             HOW LONG IS YOUR PERSONAL DATA RETAINED?  

4.1          Dream Stay Apartments does not retain Personal Data longer than it is necessary for the purposes of processing Personal Data or pursuant to applicable law.

4.2          Personal Data related to contracts can be retained during the term of the contract and based on our legitimate interest pursuant to Article 6 (1)(f) of the GDPR until the end of the statutory limitation periods under applicable law. Accordingly, as a general rule Dream Stay Apartments retains your Personal Data as long as it is necessary for the provision of the Services during the term of the contract concluded between you and Dream Stay Apartments and for 3 years after the term of the contract.

4.3          Pursuant to the Accounting Act, we retain accounting documents for 7 years.

4.4          Pursuant to Tourism Act, we retain registration data of the accommodation service user, which includes general personal information for 2 years.

4.5          For a more specific overview, please see Section 5 below. Technical data collected by the use of the cookies, are retained as indicated in the Section “Cookies”.

5.             OVERVIEW OF DATA PROCESSING

Personal data: First name, last name, e-mail  address, phone number, address and information concerning the Services and  Extra Services ordered. Purpose of processing: Enabling provision of the  Services in accordance to Terms and Conditions and our legitimate interest to  retain the related information until the end of applicable limitation  periods. Legal basis: GDPR Art. 6 (1) (b); GDPR Art. 6 (1) (f) and Estonian General Part of the Civil  Code Act § 146 (1). Retention period: 3 years

Personal data: First name, last name name, date  of birth, citizenship and address;  the  name, date of birth and citizenship of the co-Guest(s); the period of  provision of the accommodation Service; if the Client is not citizen of Estonia,  another Member State of the European Economic Area or Switzerland then also a  copy of the travel document and the state which issued it. Purpose of processing: Fulfilling our legal obligation  arising from tourism laws to register the recipient of accommodation service. Legal basis: GDPR Art. 6 (1) (c) and Estonian  Tourism Act § 24. Retention period: 2 years

Personal data: Accounting related data such as  invoices. Purpose of processing: Fulfilling your legal obligation  arising from accounting laws to process supporting documents of the  transactions. Legal basis: GDPR Art. 6 (1) (c) and Estonian  Accounting Act § 12. Retention period: 7 years

Personal data: Name, e-mail address. Purpose of processing: Sending marketing content. Legal basis: GDPR Art. 6 (1) (a). Retention period: Until the withdrawal of the  consent. Personal data: Technical data.

Purpose of processing: Our legitimate interest to ensure  security, continuity and/or improvement of the Portal Legal basis: GDPR Art. 6 (1) (f).

‍Retention period: Up to 2 years, please see Section  “Cookies” for more specific information. Personal data: Sensor data. Purpose of processing: Our legitimate interest to  improve our Services- Legal basis: GDPR Art. 6 (1) (f). Retention period: 5 years.

6.             WHEN DO WE SHARE YOUR PERSONAL DATA?

6.1          To the extent this is necessary for the provision of our Services, we may share your Personal Data with certain third parties. For example, if you ask us to order a taxi as Extra Service in accordance with the Terms and Conditions, we need to process this order for Extra Service and related data and to forward it to such Extra Service provider, to fulfil your order.

6.2          We may also share your Personal Data with third party suppliers providing services to us, e.g. IT suppliers or other service providers. We do our best to select only the most trust-worthy service providers and to select service providers that provide a level of data protection in accordance with the conditions described in this Privacy Policy and on the level as required by the GDPR.

6.3          We retain your Personal Data in Veebimajutus Cloud Platform located in Estonia.  However, Dream Stay Apartments may transfer Client Personal Data to third countries, i.e. countries outside the EU/EEA area, for the purposes explained in this Privacy Policy. When transferring Client’s Personal Data to third countries, Dream Stay Apartments will ensure that the transfer is subject to appropriate safeguards under the GDPR and that Client’s rights are protected, such as the Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses). Clients may request a copy of the safeguards we have put in place with respect to the transfer of Personal Data by contacting Dream Stay Apartments via contact details below.

6.4          Please note that we might access your Personal Data also when you have booked our Apartment through OTAs. In such a case your Personal Data will also be processed in accordance with the privacy policies adopted by specific OTA selected by you and who shall act as a separate Data Controller of your Personal Data.

7.             USE OF SECURITY CAMERAS

7.1          Please be noted that security cameras may be installed in public areas near the Apartment (outdoor areas, lobbies, etc). If the security cameras are installed, this is done by the security undertaking with whom Dream Stay Apartments may have entered a service agreement.

7.2          The use of security cameras may be necessary in order to ensure security, prevent and process security incidents and ensure the safety of the property and people near the Apartment. The legal basis for the use of security cameras is legitimate interest under article 6(1)(f) of the GDPR.

7.3          Please be noted that security cameras are never installed inside the Apartment or in areas where complete privacy can be presumed.

7.4          When security cameras are used, there shall always be a sign informing of the use of a camera in the security camera’s surveillance area, i.e. a sign depicting a camera and/or the words “VIDEO SURVEILLANCE”. In the absence of a sign, cameras are not used.

7.5          Dream Stay Apartments does not have the general access to the security camera recordings in most cases. Security undertaking organising the security near the respective Apartment shall have access to security camera recordings. The sign informing the use of the security cameras shall also include the details of the security undertaking who has installed the security cameras and who is conducting the security.

7.6          Security camera recordings are stored by security undertakings. Security undertaking shall retain security camera recordings in accordance with the applicable law. In Estonia, the Security Act provides that a surveillance equipment recording shall be preserved for at least one month as of the day the recording was made, but for no longer than one year. For more details, you may contact the respective security undertaking.

8.             HOW DO WE PROTECT YOUR PERSONAL DATA?

8.1          To protect your Personal Data from unauthorised access, unlawful processing or disclosure, accidental loss, modification or destruction, we use appropriate technical and organisational measures that comply with applicable laws. These measures include but are not limited to the implementation of appropriate computer security systems, protection of paper and electronic format files by technical and logical means, controlling and limiting access to documents and buildings.

9.             COOKIES

9.1          Our Website uses cookies. This section incorporates Cookie Policy that applies when you use the Website.

9.2          Cookies are small data files stored on your hard drive by a website. Cookies help us monitor and improve the functionality and usage of our Website and your experience on Website. We can use cookies to see which areas and features are popular and to count visits to our Website to recognise you as a returning visitor and to tailor your experience of the Website according to your preferences. We may also use cookies for targeting or advertising purposes.

9.3          We may use the following type of cookies on our Website:

9.3.1       Functional cookies that record information about choices you have made that allow us to tailor our Website to your needs. Functionality cookies remember choices you make.

9.3.2       Statistics cookies, that record information about the way our Website is used, to acquire knowledge on how often our Website is visited, where on our Website our visitors spend the most time, how often they interact with a page or part of a page, this allows us to make the structure, navigation, and content of our Website as user-friendly as possible.

9.3.3       Advertising cookies, to gather information from you on your device to display advertisements to you based on relevant topics that interest you.

9.4          You can delete or block the use of the cookies through your browser settings at any time. However, some cookies might be necessary for the functionality of Website. Therefore, you understand that when blocking or deleting the cookies some features of the Website might not function correctly.  

9.5          For more general information about cookies including the difference between session and persistent cookies please see www.allaboutcookies.org.

9.6          In case you have any question concerning the use of cookies, you may contact us via contact details provided below.

10.         YOUR RIGHTS

10.1       Dream Stay Apartments is dedicated to ensuring that all data subject rights arising under applicable law are always guaranteed to you. In particular, any data subject has:

10.1.1    the right to access the Personal Data that Dream Stay Apartments processes about you;

10.1.2    the right to request that Dream Stay Apartments rectifies any inaccurate Personal Data about you;

10.1.3    the right to request Dream Stay Apartments to erases your Personal Data and/or restricts of processing of your Personal Data if we do not have valid legal basis for processing;

10.1.4    the right to receive your processed Personal Data in a structured, commonly used and machine-readable format and have the right to transmit your Personal Data to another Controller;

10.1.5    the right to object to the processing of your Personal Data.

10.2       If you believe that your rights have been infringed, you may contact and lodge a complaint to the supervisory authority applicable for your jurisdiction (Data Protection Inspectorate in Estonia address Tatari 39,Tallinn 10134, info@aki.ee or other competent authority in your jurisdiction – you can find your data protection authority on the following website: https://edpb.europa.eu/about-edpb/board/members_en).

11.         GOVERNING LAW AND JURISDICTION

11.1       This Privacy Policy shall be governed by the laws of the Republic of Estonia. Any disputes arising from these Privacy Policy shall be settled in the Harju County Court in the Republic of Estonia, unless you have a right to turn to the court of your residence pursuant to statutory law.

12.         CONTACTS

12.1       If you have any questions about this Privacy Policy or Cookie Policy or if you have any concerns about how we use your personal or if you want to exercise your rights as described above, you may contact us via e-mail or in writing using the following contact information:

12.1.1    In Estonia:

(a)       Company Name: Dream Stay Apartments OÜ

Address: Rataskaevu 16, 10123 Tallinn

E-mail address: info@dreamstay.ee