Privacy and important information

Privacy policy

§1. GENERAL PROVISIONS

This Privacy Policy applies to persons using the Website located at the URL: http://aparthotelgostyn.wa.profitroom.com and is effective from 01.08.2024.

The administrator of user data is: MiniCentrum Gostyń Sp. z o.o. (hereinafter referred to as "We").

Contact details of the Data Protection Officer: MiniCentrum Gostyń Sp. z o.o., e-mail: recepcja@hotelgostyn.pl

§2. PERSONAL DATA

In connection with the implementation of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - hereinafter referred to as "GDPR"), we hereby inform you that:

1. We process data for the following purposes:
  • performance of a contract or taking steps at the request of the data subject prior to entering into a contract (legal basis: Article 6(1)(b) of the GDPR),
  • handling enquiries (Article 6(1)(f) of the GDPR),
  • handling complaints and claims (Article 6(1)(b) of the GDPR),
  • storing documentation and fulfilling the legal obligations incumbent on the Controller (Article 6(1)(c) of the GDPR),
  • sending newsletters (Article 6(1)(a) of the GDPR),
  • monitoring and improving the quality of services provided – requesting the completion of a survey or answering a few questions about the quality of services provided (Article 6(1)(f) of the GDPR),
  • displaying personalised commercial information on social networks (Article 6(1)(a) of the GDPR)
Providing data is voluntary, but necessary to use the services. Consent is voluntary and is given by clicking the checkbox containing the terms and conditions of consent. If a person has consented to the processing of data (legal basis: Article 6(1)(a) of the GDPR), the data is processed until the consent is withdrawn, but after that period, information about who gave what consent and when may be archived (for the purposes of establishing, pursuing or defending legal claims). In other cases, the data is processed for a period justified by the purpose (e.g. performance of a contract, answering questions, tax regulations, etc.). The processing period depends on the possibility of establishing, pursuing or defending claims, or when data retention is required due to tax regulations. Consent may be withdrawn at any time. Please click on the link or send an email to: recepcja@hotelgostyn.pl

Every data subject has the right to access, rectify, erase or restrict the processing of their personal data, the right to object, the right to data portability, and the right to lodge a complaint with a supervisory authority. Transaction data, including personal data, is transferred directly by the user to the payment service provider. Visitors to the Website may fill in a form and subscribe to the newsletter and provide their e-mail address and/or telephone number, which will be used for automatic contact. Visitors to the Website may consent to us conducting advertising campaigns on social networks targeted on the basis of their e-mail address.

§3. DATA RECIPIENTS

We use the services of software companies and ICT system maintenance companies with which we have concluded appropriate agreements. These agreements cover data processing and confidentiality rules. This data is not shared and none of these companies has the right to process the data in any way other than that specified in the agreement. Your data, to the extent that the company has access to it, may only be processed for the purposes of providing services properly.

§4. COOKIES

Cookies are transferred to web browsers and then stored in the memory of devices and read by the server each time you connect to the Website. Please note that cookies do not allow us to access your private device or read any data other than that stored in cookies. We use so-called technical cookies, which enable the proper use of message transmission and the memorisation of your settings, as well as the creation of simple Website statistics. We use cookies and data collection technologies to help us analyse traffic on the Website. This allows us to optimise its performance, improve the solutions that are most popular, and display dedicated messages and offers. You can consent, refuse, withdraw your consent or manage your settings by clicking here. We use the following cookies:

INFORMATION CLAUSE – WEBSITE USERS

Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), we inform you that:
  1. The controller of the personal data of website users is: Minicentrum Gostyń, ul. Narutowicza 48, 64-100 Leszno, e-mail address: apartamenty.gostyn@gmail.com
  2. When using the website, users’ personal data may be collected, such as IP address, data regarding the browser used, operating system, or cookies, for the purpose of ensuring the proper functioning of the website, security, and compiling visit statistics.
  3. The legal basis for data processing is Article 6(1)(f) GDPR – the legitimate interest of the controller consisting in operating and administering the website.
  4. Data may be disclosed to entities providing hosting and IT services, as well as to public authorities authorized under applicable law.
  5. Personal data are stored for the period necessary to fulfill the purposes for which they were collected, and in the case of cookies – until they are deleted by the user from their browser.
  6. Users have the right to: access their data, rectify them, erase them, restrict processing, data portability, object to processing, and lodge a complaint with the President of the Personal Data Protection Office.
  7. Providing data is voluntary; however, failure to provide them (e.g., failure to accept cookies) may limit the functionality of the website.
  8. Personal data are not transferred to third countries or international organizations.
  9. Personal data are not subject to profiling or automated decision-making producing legal effects.

INFORMATION CLAUSE – CONTRACTORS

Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), we inform you that:
  1. The controller of your personal data is: Minicentrum Gostyń Sp. z o.o., ul. Narutowicza 38, 64-100 Leszno, e-mail address: apartamenty.gostyn@gmail.com
  2. Your personal data will be processed for the purpose of concluding and performing a contract, fulfilling legal obligations related to accounting and tax documentation, and pursuing the legitimate interests of the controller, such as asserting claims.
  3. The legal basis for data processing is Article 6(1)(b) GDPR (performance of a contract), Article 6(1)(c) GDPR (legal obligation), and Article 6(1)(f) GDPR (legitimate interest of the controller).
  4. Personal data will be stored for the duration of the contract and, after its termination, for the period required by law, in particular tax and archival regulations.
  5. Access to your data will be granted to authorized employees of the controller and cooperating entities under data processing agreements (e.g., IT system providers, accounting services), as well as public authorities authorized to obtain data under applicable law (e.g., tax authorities, banks).
  6. In connection with the processing of personal data, you have the right to: access your data, rectify them, erase them, restrict processing, data portability, object to processing, withdraw consent (if it was the legal basis for processing), and lodge a complaint with the President of the Personal Data Protection Office.
  7. Providing personal data is voluntary but necessary for concluding and performing the contract. Failure to provide data may result in the inability to conclude the contract.
  8. The controller does not transfer data to third countries or international organizations.
  9. Personal data are not subject to profiling or automated decision-making producing legal effects.

Notification of a hacker attack!

We warn you against fake messages sent by hackers!

Our hotel does NOT send messages with links to guests!

We do NOT contact guests via instant messengers such as WhatsApp, Messenger, etc.

If you receive a suspicious message with links informing you about problems with your booking or asking for additional information, please do not click on the links under any circumstances, block the sender and report it as spam/fraud.

If you have any suspicions, please contact us by telephone on +48 665250025

Gostyń, 29 January 2026

NOTICE OF A POTENTIAL PERSONAL DATA BREACH

Dear Madam,
Dear Sir,

ApartHotel Gostyń, ul. Ks. Olejniczaka 2, operated by Minicentrum Gostyń Sp. z o.o., with its registered office in 64-100 Leszno, ul. Narutowicza (hereinafter referred to as the “Controller”), in fulfilling its obligations as a data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR), hereby informs you that a potential personal data breach has been detected, which may have concerned your personal data. Therefore, we kindly ask you to read the following information carefully.

Description of the nature of the potential breach

On 11 December 2025, employees of our IT service provider informed us that one of the servers containing a database of our customers’ data had most likely been hacked. This database also contained your data from reservations made. The verification conducted so far has not shown that the attackers gained direct access to the database. There is also no certainty that your data was downloaded; however, at this stage such a possibility cannot be excluded.

The categories of personal data that may potentially have been affected by the security incident include:

  • data relating to our facility,
  • reservation dates and reservation amounts,
  • data of our hotel guests (provided directly in the reservation, e.g. name, surname, email address, phone number, data included in accounting documents such as invoices and receipts, potentially including PESEL number if provided, or other data entered in the reservation),
  • issued accounting documents (invoices, receipts).

At present, we do not confirm that criminals accessed your personal data; however, in order to exercise due diligence and counteract potential effects of the identified incident, we inform you of the measures taken and the possible adverse consequences for you.

Description of possible consequences of the potential personal data breach

As a precaution, we inform you about possible consequences should it be confirmed that criminals downloaded your personal data. If such circumstances are confirmed, we will inform you in a separate communication (at present, to our knowledge, this has not occurred).

If confirmed, potential consequences may include the use of your data by third parties for financial gain at your expense. The personal data may also be used to induce you to make payments for non-existent liabilities or to obtain additional personal data from you that were not originally affected by the breach, which could result in incurring other obligations, such as online purchases or fraudulent loans or credits from non-banking institutions.

Potentially disclosed data may also be used to create online accounts in your name (e.g. on social media or email services), rent items in your name and then steal them.

Recommended actions you may take to mitigate potential effects

If you suspect unauthorized use of your personal data, please contact relevant authorities, e.g. the Police.

Please pay attention to any correspondence addressed to you (using your personal data) by persons claiming to represent our hotel. Please verify such situations with us directly using the contact details provided at the end of this letter. In particular, be alert to fraud attempts involving impersonation of our identity and reference to reservation data, sent via email or messaging apps (e.g. WhatsApp), where you are asked to settle payments for your stay or provide personal data by clicking links in messages. Do not respond to such messages or click any links.

Also pay attention to paper correspondence and carefully review its content, as it may include confirmations of agreements you never concluded or false payment demands relating to reservations at our facility. Such cases should be verified directly with the entities involved and, in doubtful situations, reported to the Police. We also remind you that in the case of distance consumer contracts, you usually have the right to withdraw within 14 days without consequences.

In case of suspicious emails, pay particular attention to:

  • suspicious attachments (especially ZIP or RAR archives),
  • suspicious links in messages,
  • requests to provide additional personal data.

Such emails may contain malware or be used to obtain further sensitive data such as bank account numbers, credit card numbers, or login credentials. We therefore recommend particular caution and the use of up-to-date antivirus software.

Please also review the passwords you use for online services (social media, email, portals, online banking). Passwords should not contain easily guessable words or elements based on your personal data (e.g. names, dates of birth, PESEL number, ID document number, phone number).

If you suspect misuse of your data, you may also:

a) Check your credit history with the Credit Information Bureau (BIK) – collects data on loans from banks and credit unions: https://www.bik.pl/
b) Check your data in the National Debt Register (KRD): https://krd.pl/
c) Consider reserving (blocking) your PESEL number via the mObywatel app or a municipal office: https://www.gov.pl/web/gov/zastrzez-pesel

Due to the detailed nature of this letter, please do not disclose its content to untrusted persons, as this could facilitate misuse of your data.

Security measures implemented

Immediately after discovering the incident, together with our IT provider, we took steps to counteract the incident and its potential effects. We activated internal incident response procedures, disconnected affected IT resources, replaced them with new secured ones, and verified user accounts to ensure attackers no longer have access. Internal data protection services and authorities — Police, CERT, and the President of the Personal Data Protection Office — were notified.

Contact with the Data Controller

If you have further questions, please contact us at:

apartamenty.gostyn@gmail.com
+48 665 25 00 25

We are continuously monitoring the situation and will provide updates if new findings arise.

Yours sincerely,

Michał Biegajski
President of the Management Board
Minicentrum Gostyń Sp. z o.o.
