GDPR policy

Last update: 21.02.2026

1. About this policy

This GDPR Policy describes how we process personal data in connection with the website theriver.ro, booking requests, communication with customers and the provision of accommodation/rental services at The River Chalet, in accordance with Regulation (EU) 2016/679 (GDPR).

2. Data Controller

XUX Investment SRL
Headquarters: Sibiu, 12 Tractorului Street, Sibiu County
J32/712/2013 • CUI RO 32102114

Phone: +40 371 306 055

3. What data do we collect?

Depending on your interaction with us, we may process the following categories of data:

a) Identification and contact details

  • name, surname

  • email, phone

  • other data voluntarily provided in the message

b) Reservation/contract related data

  • check-in/check-out dates

  • number of people, preferences, requests

  • billing details (if applicable)

  • correspondence and confirmations

c) Technical data (website)

  • IP address, browser, device

  • pages visited, traffic source

  • cookie identifiers and browsing events (if enabled)

d) Payments

  • we do not store card data; card payments are processed by an authorized processor (e.g. NETOPIA Payments), which may collect data necessary for the transaction.

3A. How we collect data (sources)

Data can be collected in the following ways:

  • directly from you, when you fill out the forms on the website (reservation / contact) or when you contact us by email / phone;
  • automatically, through the operation of the website (server access logs – e.g. IP, date/time, pages accessed) and through cookies/similar technologies (depending on your settings and consent);
  • through payment processors, when you choose to pay online with your card (the operator does not receive or store full card data).

4. Purposes and legal bases

We process data for:

  1. Managing booking requests and communicating with you
    Grounds: actions at the request of the data subject / execution of the contract.

  2. Conclusion and execution of the rental/service contract
    Grounds: execution of the contract.

  3. Fulfillment of legal obligations (tax, accounting, archiving)
    Grounds: legal obligation.

  4. Security, fraud prevention, protecting our rights
    Grounds: legitimate interest.

  5. Marketing and measurement (only where applicable and permitted)
    Grounds: consent (for non-essential cookies and certain tools).

4A. Online payments (NETOPIA Payments) – GDPR clarifications

If you use online payment, the transaction is processed by NETOPIA Payments (or another authorized processor). In this case:

  • we do not store card data (card number, CVV, expiration date);
  • the processor may process data necessary for making the payment and preventing fraud (e.g. name, email/phone, amount, currency, transaction identifier, technical data regarding the device and session, according to 3D Secure security requirements);
  • the processing of this data is carried out in accordance with the processor's policies and legal obligations applicable to payment services.

5. Recipients of the data (who can receive the data)

We may disclose your data, strictly to the extent necessary, to:

  • IT providers (hosting, maintenance, email)

  • analytics/marketing service providers (if enabled)

  • payment processors (e.g. NETOPIA Payments) for processing transactions

  • public authorities, when we have a legal obligation

  • consultants (accounting/legal), if necessary for our obligations.

6. Transfers outside the EEA

Certain providers may process data outside the European Economic Area. In such cases, we aim to use appropriate safeguards (e.g. standard contractual clauses), where applicable.

7. How long we keep the data (storage period)

  • Data from forms (reservation/contact): as necessary for managing the request and internal records.

  • Contractual/fiscal data: according to applicable legal terms (accounting/archiving).

  • Technical data/cookies: according to cookie duration and settings/consent.

7A. Indicative storage periods (examples)

For transparency, we use the following guidelines (where there are no longer legal obligations):

  • booking requests / messages: kept as long as necessary for request management and internal records;
  • contractual documents and financial-accounting documents (invoices, receipts): kept in accordance with legal archiving obligations;
  • technical logs (security): kept for a reasonable period for security and abuse prevention.

8. Your rights (GDPR)

You have the following rights, under the law:

  • the right of access

  • the right to rectification

  • the right to erasure (“the right to be forgotten”)

  • the right to restriction

  • the right to portability

  • the right to object

  • the right to withdraw your consent (where processing is based on consent)

  • the right to file a complaint with ANSPDCP.

8A. How to exercise your rights (procedure + deadline)

You can always send a request regarding your data to office@xuxinvestment.ro or chalet@theriver.ro, mentioning the name and the email address/phone number used in the communication.

We will respond within 30 days at most, according to GDPR (a period that may be extended, in justified situations, with prior notice).

For data protection, we may request additional information to confirm your identity before providing a response.

9. Data security

We apply reasonable technical and organizational measures to protect data (access control, backup, secure communications). However, no transmission over the internet can be guaranteed to be 100% secure.

9A. Complaints / Authority

If you believe that your rights have been violated, you have the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).

10. Cookies and similar technologies

The website may use strictly necessary cookies and, depending on your settings/consent, analytical/marketing cookies. For details, please see the Privacy and Cookies Policy (if published separately) or the dedicated section of the Terms.

11. Contact

For requests regarding personal data:
Email: chalet@theriver.ro / office@xuxinvestment.ro
Phone: +40 767 803 255
