Privacy Policy
Last updated: 1 June 2026
This Privacy Policy describes how we process the personal data of visitors and guests of the website sozopolapartments.eu (the “Website”) in connection with the short-term rental of guest accommodation.
The Data Controller is Radoslav Evtimov Totalov, a natural person – landlord, registered and operating in the Republic of Bulgaria (rental of a room or place of accommodation subject to patent tax).
For enquiries regarding personal data, please contact: info@sozopolapartments.eu.
1. Personal Data We Collect and Process
- Data submitted via the Website enquiry/booking form: Name, telephone number, email address, period of stay (check-in and check-out dates), selected property, and comment/additional requirements (optional).
- Check-in registration data (legal requirement): Full name of guests, Personal Identification Number (EGN) / Personal Number of a Foreigner (LNCH) (or date of birth for foreign nationals), nationality, and number and country of issue of a valid identity document.
- Data provided during telephone calls: The telephone number from which you call and information you provide for the purpose of making a reservation. The content of calls is NOT recorded.
- Technical data (only with cookie consent): Anonymised statistics via Google Analytics (page visits, city/region of approximate location, device type, and browser).
2. Purposes and Lawful Bases for Processing
- Processing enquiries and managing reservations – taking steps at the data subject's request prior to entering into a contract and performance of a rental/accommodation contract (Article 6(1)(b) GDPR).
- Legal obligations under the Bulgarian Tourism Act – mandatory registration of guests in the Register of Accommodated Tourists and submission of information to the Unified Tourist Information System (ESTI) administered by the Ministry of Tourism (Article 6(1)(c) GDPR).
- Accounting and tax purposes – retention of payment records and patent tax reporting in accordance with Bulgarian tax legislation (Article 6(1)(c) GDPR).
- Web analytics (Google Analytics) – improving the operation of the Website, only after your explicit consent via the cookie banner (Article 6(1)(a) GDPR).
3. Recipients of Personal Data
Personal data may be disclosed to the following categories of recipients:
- Public authorities and institutions – the Ministry of Tourism (via the ESTI system), the Ministry of Interior, the Municipality, or the National Revenue Agency (NRA), where there is a legal basis for such disclosure.
- Service providers (data processors) – providers of hosting, email, and technical maintenance services for the Website – only to the minimum extent necessary for the performance of their functions.
- Transfers outside the EEA: Where analytics cookies are used, data may be transferred to Google LLC (United States) in compliance with the EU-US Data Privacy Framework.
- We do NOT sell, do NOT lease, and do NOT disclose your personal data to third parties for marketing purposes.
4. Retention Periods
- Reservation and enquiry data (not converted into a stay): Up to 1 year from the end of communication, for reference purposes.
- Tourist register data (ESTI): In accordance with the Tourism Act and applicable archiving requirements.
- Accounting records (receipts, rental agreements, tax returns): Up to 10 years, in accordance with the Accounting Act and the Tax and Social Security Procedure Code (TSSPC).
- Google Analytics data: In accordance with the retention period configured on the platform (e.g. 14 months) and the validity period of the cookies.
5. Your Rights under the GDPR
You have the following rights, which you may exercise at any time:
- Right of access to your personal data;
- Right to rectification of inaccurate or incomplete data;
- Right to erasure (“right to be forgotten”), except where data must be retained to comply with a legal obligation (e.g. ESTI or accounting requirements);
- Right to restriction of processing;
- Right to data portability;
- Right to object to processing;
- Right to withdraw your consent to analytics cookies at any time (via your browser settings or the cookie banner).
To exercise these rights, please contact us using the details provided at the beginning of this Policy. If you believe your rights have been infringed, you have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP) – 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria; website: www.cpdp.bg.
6. Data Security
We implement appropriate technical and organisational measures to protect your data, including encrypted connection to the Website (HTTPS protocol), secured web forms, password-protected access to devices and email accounts, and restricted access to physical media containing information.
7. Changes to This Policy
We reserve the right to update this Policy. Any changes will be published on this page with an updated effective date.
Related documents: Cookie Policy
