Privacy Policy
Last updated: 20 April 2026
This Privacy Policy explains how rentmonkey processes personal data when you visit our website at rentmonkey.pl or use the Guest Portal we provide to guests with confirmed reservations. We have written it to be readable; the legal substance is in there too.
1. Who we are
The data controller is:
- Anna Wojtowicz, sole proprietorship (jednoosobowa działalność gospodarcza, JDG), trading as rentmonkey
- Registered address: Zdrojowa 1/12, 72-400 Kamień Pomorski, Poland
- NIP: 9860263790
- Contact: admin [at] rentmonkey [dot] pl
References below to "we", "our" or "rentmonkey" mean the controller above.
We have not appointed a Data Protection Officer; for any privacy matter please use the contact email above.
2. Scope of this Policy
This Policy covers personal data we process as controller in connection with:
- The Site at rentmonkey.pl (browsing, contact form, cookies).
- The Guest Portal, which guests with a confirmed reservation use to complete check-in, view stay information, and communicate with us.
- Direct communications you send us (email, contact form).
This Policy does not cover:
- Owner / host accounts in the rentmonkey hosting back office. Owners are covered by a separate written agreement with us.
- Reservation Platforms (Airbnb, Booking.com and similar). When you book through them, they are independent controllers of your data on their side. Their privacy notices apply to anything you do on their platform; this Policy applies only once that data reaches us.
- Third-party services you reach via links from our Site or Portal (Google Maps, embedded YouTube videos, etc.). Their own privacy policies apply.
3. Definitions
- Personal data: any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
- Processing: any operation performed on personal data (collection, storage, use, sharing, deletion, etc.).
- GDPR: Regulation (EU) 2016/679.
- Reservation Platform: an external platform through which a reservation may be created (e.g. Airbnb or Booking.com).
- Guest Portal: the part of the Site that requires your reservation to be linked, where check-in and stay information live.
- Sub-processor: a third-party service provider that processes personal data on our instructions to deliver part of our service.
4. What data we collect
We only collect what we need for the purposes in §5. The categories below describe the maximum we may collect; for a given user, only the relevant subset will apply.
4.1 Site visitors
- Standard request data your browser sends: IP address, user-agent, referrer, requested URL, timestamps. This is logged for security and operations.
- Cookies — see §9.
- If you use the contact form: your name, email address, phone number (if you provide it), and the content of your message.
4.2 Reservation data
When a reservation is created — whether through a Reservation Platform or directly with us — we receive or generate:
- Your name, email address, phone number (where the booking channel provides it).
- The property booked, check-in / check-out dates, party size, total price.
- A reservation reference and any messages exchanged with us via the booking channel.
For reservations via a Reservation Platform, that platform is the original source of this data. For direct bookings, you provide it to us yourself.
4.3 Guest Portal access
To open the Guest Portal we use a one-time-password (OTP) flow rather than passwords:
- We send a numeric code to the email address on the reservation (and, where supported, to the phone number).
- We store the code in hashed form, plus its expiry and the IP address that requested it, so we can rate-limit attempts and prevent abuse.
- After a successful OTP verification we issue a session cookie/token. The session is short-lived and tied to your device.
4.4 Check-in data
During the in-Portal check-in wizard you may be asked to provide or confirm:
- Date of birth, nationality, phone number, residential address.
- The breakdown of guests in your party (number of adults, children, infants, pets).
- Where we ask for them, identification document data (e.g. document number) and a photograph of your ID. We collect ID data only where required by host obligations under Polish law (e.g. guest registration duties under the Ustawa o świadczeniu usług hotelarskich and related provisions) and store it only as long as legally needed.
- Optional add-ons / upsells you select.
- Whether you opt in to receive future marketing messages from us (see §6.2).
4.5 Communications
If you contact us through the contact form, the Guest Portal, email, or messaging on a Reservation Platform, we keep the content of those messages so we can answer you and so we have a record of what was agreed.
4.6 Direct-booking payment data
If you book directly with us (not via a Reservation Platform), payment of the deposit and the balance is handled by a payment processor that we will name in the checkout flow. We do not store full card numbers or other payment instrument data on our servers; we receive only confirmation that the payment has succeeded, the amount, and a reference.
4.7 Cookies and analytics data
See §9.
5. Why we process your data and our legal basis
We rely on the following legal bases under Art. 6(1) GDPR:
| Purpose | Categories | Legal basis |
|---|---|---|
| Performing the reservation and providing the Guest Portal | Reservation, Portal access, check-in | Contract — Art. 6(1)(b) |
| Issuing invoices, keeping accounting records | Reservation, payment | Legal obligation — Art. 6(1)(c) (Polish accounting and tax law) |
| Guest registration with public authorities where required | Identity / check-in | Legal obligation — Art. 6(1)(c) |
| Responding to your inquiries (contact form, email) | Communications | Legitimate interest — Art. 6(1)(f) (answering people who write to us); or Art. 6(1)(b) if the inquiry is pre-contractual |
| Site security, fraud prevention, abuse handling | Logs, IP, OTP attempts | Legitimate interest — Art. 6(1)(f) |
| Analytics on how the Site is used | Cookies (analytics) | Consent — Art. 6(1)(a) (via the cookie banner) |
| Marketing messages from rentmonkey | Email, name | Consent — Art. 6(1)(a) (separate opt-in, see §6.2) |
| Defending or asserting legal claims | Reservation, communications | Legitimate interest — Art. 6(1)(f) |
6. How long we keep your data
Defaults; specific cases may differ where the law demands longer or shorter retention.
| Data | Retention |
|---|---|
| Reservation records and related communications | Up to 6 years from the end of the stay (Polish statute of limitations for civil claims) |
| Accounting documents (invoices, receipts) | 5 years from the end of the tax year (Ordynacja podatkowa) |
| Guest registration records | As required by the applicable registration obligation |
| ID document scans / photos (where collected) | Only as long as legally required, then deleted |
| OTP codes and related rate-limit logs | Up to 30 days |
| Session tokens | Until session expiry or sign-out |
| Contact-form messages | Up to 24 months from your last contact, unless a longer period is needed for an open matter |
| Server / security logs | Up to 12 months |
| Marketing consent and related contact data | Until you withdraw consent, then deleted from active use |
| Analytics cookies | See §9 (cookie-by-cookie durations) |
6.1 Service messages
We will send you operational messages tied to your reservation (booking confirmation, OTP codes, check-in instructions, payment reminders, host messages). These are part of providing the service under §5; consent is not required and you cannot opt out of them while you have an active reservation.
6.2 Marketing messages
Marketing messages (newsletters, promotional offers, future-stay suggestions) are only sent if you have given us a separate, optional consent — typically via a checkbox in the Guest Portal check-in flow. The consent is granular and you may withdraw it at any time, with no effect on services tied to your reservation. To withdraw, click the unsubscribe link in any marketing message or write to admin [at] rentmonkey [dot] pl.
7. Who we share your data with
We only share what is needed for the purpose, and only with the parties below.
7.1 Sub-processors (act on our instructions)
| Sub-processor | Role | Data involved | Location |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting | All data stored on our servers | Germany (EU) |
| rapiddc.pl | Domain registration | Domain administrative data only | Poland (EU) |
| Hospitable | Property Management System: receives and synchronises reservation data | Reservation data, guest contact data | EU / depending on Hospitable's infrastructure |
| Google LLC | Analytics (Google Analytics), embedded maps (Google Maps), embedded videos (YouTube) | Cookie identifiers, IP, browser data — only if you accept the relevant cookies | United States (with EU SCCs and/or EU-U.S. Data Privacy Framework) |
When new sub-processors are added (e.g. an SMTP/email provider, an SMS/OTP provider, a payment processor for direct bookings), we will update this Policy before — or as soon as — they go live.
7.2 Independent controllers (not processors)
- Reservation Platforms (Airbnb, Booking.com and similar) when you book through them. They process your data on their own legal basis.
- Property owners / hosts when their identity is part of the service. We do not share guest contact data with hosts beyond what is necessary to operate the stay.
7.3 Public authorities
Where we are legally obliged (e.g. guest registration with the local authority, tax authorities, court orders, valid law-enforcement requests), we share the minimum necessary.
7.4 Professional advisers
Lawyers, accountants and auditors, bound by professional confidentiality, where needed for the purposes in §5.
We do not sell your personal data.
8. International transfers
Most data stays inside the European Economic Area. Where data leaves the EEA — primarily through Google services in the United States — the transfer is protected by the EU Standard Contractual Clauses and, where applicable, by the EU-U.S. Data Privacy Framework. You may request a copy of the transfer safeguards by writing to admin [at] rentmonkey [dot] pl.
9. Cookies
We use the following categories of cookies:
- Strictly necessary — required for the Site to work (e.g. session, cookie-consent state). Set on every visit; no consent required.
- Analytics — only set if you opt in via the cookie banner. We currently use Google Analytics (
_ga,_gid,_gat,_gat_gtag_*,_gac_*,AMP_TOKEN). - Functional / embedded content — only loaded when you interact with the relevant feature: Google Maps (when a map is shown) and YouTube (when a video is played). Both may set their own cookies under Google's privacy policy.
You can change your choice at any time by reopening the cookie banner from the footer. You can also block or delete cookies in your browser settings; doing so may break parts of the Site that depend on them.
A detailed per-cookie list (name, purpose, duration) is shown inside the cookie banner.
10. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your data ("right to be forgotten") where the conditions in Art. 17 apply.
- Restrict processing (Art. 18).
- Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller, where applicable (Art. 20).
- Object to processing based on our legitimate interests, including profiling (Art. 21).
- Withdraw consent at any time, where processing is based on consent — without affecting the lawfulness of processing before withdrawal (Art. 7(3)).
- Lodge a complaint with a supervisory authority. In Poland this is the Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl. EU residents may also lodge a complaint with the supervisory authority in their country of habitual residence.
To exercise any of these rights, write to admin [at] rentmonkey [dot] pl. We will respond within one month, and may extend by two further months for complex requests in line with Art. 12(3) GDPR. We may need to verify your identity before acting.
11. Automated decision-making
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing within the meaning of Art. 22 GDPR.
12. Children
The Site and Guest Portal are intended for adults. We do not knowingly process personal data of children under 16 except where their data is provided as part of a reservation made by an accompanying adult (e.g. number of children in the party, names where required for guest registration).
13. Security
We use technical and organisational measures appropriate to the risk, including: TLS encryption in transit, hashed authentication credentials, OTP rate limiting, encrypted storage where appropriate for sensitive fields, periodic backups, restricted access on a need-to-know basis, and regular software updates. No system is perfectly secure, but we work to keep this one as secure as we reasonably can.
14. Changes to this Policy
We may update this Policy when our service or the law changes. We will publish the new version at the same URL and update the "Last updated" date at the top. Material changes — for example a new sub-processor in a different jurisdiction, or a new processing purpose — will be flagged in the Guest Portal and/or by email where reasonable.
15. Governing law and language
Polish law governs this Policy and any matters arising from it. The Polish version is the prevailing version in case of any conflict between language versions. Translations are provided for convenience.
16. Contact
For any privacy question, request, or complaint:
- Email: admin [at] rentmonkey [dot] pl
- Post: Anna Wojtowicz, Zdrojowa 1/12, 72-400 Kamień Pomorski, Poland
You may also contact UODO directly (see §10).