PRIVACY POLICY 

Adrez Group 

Version: March 2026 | Effective date: 24 March 2026 

Note: This document is a translation of the Czech original. In the event of any discrepancy between the Czech and English versions, the Czech version shall prevail. 

1. Who We Are 

The controller of your personal data is the Adrez Group (hereinafter referred to as “we” or the “Controller”). The group consists of a parent company and subsidiaries operating individual accommodation facilities: 

Company / Reg. No. (IČO) / Role 

Adrez Group a.s. / 097 23 684 / Parent company, joint controller 

Adrez CZ Alfa s.r.o. / 109 97 989 / Accommodation facility operator 

Adrez CZ Beta s.r.o. / 272 13 358 / Accommodation facility operator 

Adrez CZ Gama s.r.o. / 196 62 173 / Accommodation facility operator 

Registered office of all companies: Žatecká 55/14, Josefov, 110 00 Prague 1, Czech Republic 

The individual subsidiaries are joint controllers of personal data together with the parent company Adrez Group a.s. The parent company ensures central coordination of data protection across the entire group. 

Joint Controller Arrangement (Article 26 GDPR): As required by Article 26 GDPR, the Adrez Group companies have entered into a joint controller arrangement. In summary: Adrez Group a.s. acts as the primary point of contact for all data subject rights requests and is responsible for central data governance. Each subsidiary is responsible for the personal data it collects directly in connection with the operation of its accommodation facilities. Data subjects may exercise their rights against any of the companies listed above. The essence of the joint controller arrangement is available on request by contacting us at the address in Section 2. 

2. Contact Details 

If you have any questions regarding the processing of your personal data, you can contact us: 

Email: booking,adrezliving,com 

Address: Adrez Group a.s., Žatecká 55/14, Josefov, 110 00 Prague 1 

Data Protection Officer: A Data Protection Officer has been appointed and can be contacted at gdpr,adrezliving,com. 

3. What Personal Data We Process 

We process the personal data entrusted to us responsibly and transparently, in accordance with Regulation (EU) 2016/679 (GDPR) and Czech Act No. 110/2019 Coll. on the processing of personal data. 

3.1 Data Provided During Booking and Accommodation 

• First and last name 
• Email address 
• Phone number 
• Permanent address 
• Passport or ID card number (legal obligation under Czech Act No. 565/1990 Coll.) 
• Payment card details (processed through a certified payment service provider) 
• Booking details (check-in and check-out dates, room type, special requests) 
• Data relating to travelling companions, including names of minors where provided for accommodation register purposes or service requests (e.g. cot, extra bed). 
• Records of damage claims, security deposit correspondence, and associated photographs, where applicable. 

3.2 Data Collected Automatically When Visiting Our Website 

• IP address 
• Browser type and version 
• Pages visited and time spent 
• HTTP response codes 
• Cookie data (see Section 7) 

3.3 Data Collected via Phone Bookings 

Where a booking is made by telephone, we may collect data in some of the same categories of personal data as set out in Section 3.1. By proceeding with a telephone booking, the caller acknowledges that their data will be processed in accordance with this Privacy Policy. 

3.4 Security Camera (CCTV) Data 

Security cameras may be installed in common areas of our accommodation buildings (e.g. entrance halls and external areas) for the purpose of property protection and guest safety. No cameras are installed inside individual apartments. CCTV footage is retained for a maximum of 30 days and is accessible only to authorised personnel. The legal basis for CCTV processing is our legitimate interest in property protection and guest safety (Article 6(1)(f) GDPR). 

4. Purposes and Legal Basis of Processing 

4.1 Performance of a Contract (Art. 6(1)(b) GDPR) 

• Processing and managing your booking 
• Providing accommodation services 
• Communication regarding your stay 
• Handling complaints and claims 

4.2 Compliance with Legal Obligations (Art. 6(1)(c) GDPR) 

• Maintaining the accommodation register under Czech Act No. 565/1990 Coll. on local fees 
• Reporting obligations to the Foreign Police 
• Fulfilment of tax and accounting obligations 

4.3 Legitimate Interest (Art. 6(1)(f) GDPR) 

• Property protection and guest safety (including CCTV in common areas) 
• Improving service quality 
• Website traffic analytics 
• Direct marketing to existing customers (with opt-out option) 

A Legitimate Interest Assessment (LIA) has been carried out for each purpose listed above, balancing our legitimate interests against your rights and freedoms. LIAs are available on request. Regarding direct marketing to existing customers: we send marketing communications only in relation to similar accommodation services, and every communication includes a clear and easy opt-out mechanism in accordance with Czech Act No. 480/2004 Coll. (Electronic Communications Act). 

4.4 Consent (Art. 6(1)(a) GDPR) 

• Sending marketing communications to new prospects 
• Processing data through optional cookies (analytics, marketing) 

5. Recipients of Personal Data 

• Your personal data may be shared with the following categories of recipients: 
• Other companies within the Adrez Group (for central booking and accounting management) 
• IT service providers and hotel software providers (Mews Systems, Operto, Autohost) 
• Payment service providers 
• Online travel agencies (OTAs): where you book through an OTA, the OTA acts as an independent data controller and their privacy policy governs the initial data collection. Adrez receives booking data from the OTA and processes it in accordance with this Privacy Policy. We do not share your personal data back to OTAs except where required to manage your booking or as required by law. 
• Public authorities, where required by law (in particular the Foreign Police, tax authorities) 

We do not share your data with third parties for their own commercial purposes without your consent. 

6. Data Retention Period 

Accommodation register data (passport/ID numbers): 6 years as required by Czech Act No. 565/1990 Coll. on local fees 

Booking and contract data: 6 years for tax and accounting purposes 

Website records (logs, cookies): maximum 1 year 

Marketing data: until consent is withdrawn or opt-out is exercised. Upon withdrawal or opt-out, marketing data will be deleted or anonymised within 30 days. 

Damage claim records and associated photographs: 3 years from check-out date, to allow for resolution of any disputes. 

CCTV footage: maximum 30 days (see Section 3.4). 

7. Cookies and Analytics Services 

We use cookies on our website. Analytics and marketing cookies may process data that constitutes personal data under GDPR (including IP addresses and device identifiers), which is why these categories require your consent. Essential cookies do not identify you personally and are required for basic website functionality. 

7.1 Types of Cookies 

Essential cookies: ensure basic website functionality, cannot be rejected 

Analytics cookies: help us understand how visitors use the website (consent-based) 

Marketing cookies: used for ad personalisation (consent-based) 

7.2 Analytics Services Used 

Google Analytics 

Facebook Pixel (Meta) 

Clarity (Microsoft) 

You can change your cookie settings at any time via the cookie banner on our website. 

8. Data Transfers to Third Countries 

Some services we use transfer data outside the European Economic Area. In such cases, data is protected through Standard Contractual Clauses (SCCs) approved by the European Commission or an adequacy decision. The following services involve third-country transfers: 

Service / Provider / Transfer Mechanism 

Google Analytics / Google LLC (USA) / EU-US Data Privacy Framework / SCC 

Facebook Pixel / Meta Platforms (USA) / SCC 

Clarity / Microsoft (USA) / SCC 

Operto / Operto Guest Technologies (Kanada) / SCC 

Autohost / Autohost Inc. (Kanada) / SCC  

Transfer Impact Assessments (TIAs) have been carried out for each third-country transfer listed above, in accordance with the CJEU judgment in Schrems II (C-311/18). TIAs are available on request. We also use Mews Systems as our property management system; we have verified that Mews processes data within the EEA. If this changes, we will update this section accordingly. Operto and Autohost are used for reservation processing and guest verification; data transfers to Canada are protected by SCCs. 

9. Your Rights 

In connection with the processing of your personal data, you have the following rights. To exercise any of these rights, please contact us at gdpr,adrezliving,com, providing your full name, booking reference (where applicable), and a description of your request. We may ask you to verify your identity before processing your request. 

9.1 Right of Access 

You have the right to obtain confirmation as to whether we process your personal data, and if so, to access such data. We will respond to your request within one month. In complex or high-volume cases, we may extend this by a further two months and will notify you of the extension within the first month. 

9.2 Right to Rectification 

You have the right to request the correction of inaccurate personal data concerning you. 

9.3 Right to Erasure 

You have the right to request the deletion of your personal data if the purpose of processing has ceased, you withdraw consent, or you raise a legitimate objection. This right does not apply where processing is required by law. 

9.4 Right to Restriction of Processing 

You have the right to request the restriction of processing of your data, in particular if you contest the accuracy of the data or object to the processing. 

9.5 Right to Data Portability 

You have the right to receive the personal data we hold about you in a structured, commonly used and machine-readable format, and to transmit it to another controller. 

9.6 Right to Object 

You have the right to object at any time to the processing of your data based on legitimate interest. Where you object to direct marketing, we will cease processing for that purpose immediately. 

9.7 Right to Withdraw Consent 

Where we process your data on the basis of consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent prior to its withdrawal. 

9.8 Automated Decision-Making 

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (Article 22 GDPR). If this changes, we will update this section and provide you with the relevant information and rights prior to implementing such processing. 

10. Right to Lodge a Complaint 

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority: 

Úřad pro ochranu osobních údajů 

(Czech Office for Personal Data Protection) 

Pplk. Sochora 27, 170 00 Prague 7 

Web: www.uoou.cz 

If you are resident in another EU member state, you also have the right to lodge a complaint with the supervisory authority in your country of habitual residence, in accordance with Article 77 GDPR. 

11. Data Security 

We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include: 

• data encryption in transit and at rest 
• role-based access controls limiting data access to authorised personnel only 
• regular security assessments and audits 
• staff training on data protection and information security 
• documented incident response procedures; in the event of a personal data breach likely to result in a high risk to your rights, we will notify you without undue delay in accordance with Article 34 GDPR 

12. Changes to This Policy 

Material changes will be published on our website at least 14 days before taking effect, clearly identifying what has changed and the new effective date.