Privacy Policy

Privacy Policy

1. General Rules

1.1. This Privacy Policy defines how SIA “Mučas”,
Reg. No.: LV40103263487
Legal address: Jāņa Čakstes 1–41, Sigulda, LV-2150
(hereinafter – Data Controller) obtains, processes, and protects personal data.

1.2. This policy applies to individuals who make reservations, use the Service Provider’s services, or visit the website (hereinafter – Data Subject).

1.3. Personal data processing is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) and the laws of the Republic of Latvia.

2. Collection and Processing Purposes of Personal Data

2.1. The Data Controller collects personal data when the Data Subject:

  • makes an online reservation;
  • contacts the Service Provider;
  • uses the services available on the website.

2.2. Personal data is processed for the following purposes:

  • for receiving, confirming, and administering reservations;
  • for providing services;
  • for processing payments;
  • for communicating with the client;
  • for fulfilling regulatory requirements (e.g., accounting).

3. Categories of Personal Data Processed

The Data Controller may process the following personal data:

  • name, surname;
  • email address;
  • phone number;
  • reservation details (dates, selected service, number of guests);
  • payment information to a limited extent;
  • other information voluntarily provided by the Data Subject.

4. Legal Basis for Personal Data Processing

Personal data processing is carried out based on:

  • Article 6(1)(b) of the GDPR – performance of a contract;
  • Article 6(1)(c) of the GDPR – fulfillment of legal obligations;
  • Article 6(1)(f) of the GDPR – legitimate interests of the Data Controller.

5. Personal Data Storage Period

5.1. Personal data is stored only for as long as necessary for:

  • reservation and service fulfillment;
  • accounting records;
  • fulfillment of legal obligations.

5.2. After the storage period expires, personal data is deleted or anonymized.

6. Transfer of Personal Data to Third Parties

6.1. The Data Controller may transfer personal data to:

  • payment service provider Maksekeskus AS (makecommerce.lv);
  • accounting service providers;
  • state and law enforcement authorities in cases specified by regulatory acts.

6.2. Personal data is not transferred to third countries outside the European Union.

7. Personal Data Security

7.1. The Data Controller implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, loss, or destruction.

8. Data Subject Rights

The Data Subject has the right to:

  • access their personal data;
  • request data rectification or erasure;
  • restrict personal data processing;
  • object to data processing;
  • lodge a complaint with the Data State Inspectorate.

Requests can be submitted by contacting the Data Controller electronically.

9. Final Provisions

9.1. This Privacy Policy supplements the Terms and Conditions.

9.2. The Data Controller has the right to make changes to the Privacy Policy at any time. The current version is available on the website.