Privacy Policy · Hilberton

⚠️ Important: This document is a draft template for informational purposes. It has not been reviewed by a lawyer. Before going live with paying customers, please have this reviewed by a legal professional familiar with EU/Slovenian law and GDPR requirements.

1. Who We Are

Data Controller: Hilberton, Slovenia
Contact: legal@hilberton.com

This Privacy Policy explains how we collect, use, and protect personal data when you use the Hilberton platform. It applies to account holders (accommodation providers) and does not cover how our customers process their own guests' data — that is governed by our Data Processing Agreement.

2. Data We Collect

2.1 Account Data

Data	Purpose	Retention
Name, email address	Account creation, login, notifications	Until account deletion + 30 days
Business name	Account identification	Until account deletion + 30 days
Password (hashed with bcrypt)	Authentication	Until changed or account deleted
IP address, browser/device info	Security, fraud prevention	90 days

2.2 Usage Data

We collect usage logs (which features you use, when you log in) to improve the Service and diagnose technical issues. This data is retained for 90 days.

3. Legal Basis for Processing (GDPR)

Processing	Legal basis
Account registration and management	Contract performance (Art. 6(1)(b) GDPR)
Security and fraud prevention	Legitimate interest (Art. 6(1)(f))
Marketing emails (if opted in)	Consent (Art. 6(1)(a))
Service improvement analytics	Legitimate interest (Art. 6(1)(f))

4. Third-Party Services

We use the following third-party processors:

Provider	Purpose	Location	Safeguards
Resend	Transactional email	USA	Standard Contractual Clauses
PostgreSQL host (to be specified)	Database hosting	EU	EU-based servers

We do not sell your data to third parties. We do not use your data for advertising.

5. Guest Data (Your Customers)

When you use Hilberton to manage reservations, you store personal data about your guests (names, email addresses, ID documents, nationality, date of birth, etc.). For this data:

You are the Data Controller — you decide what data to collect and why
We are the Data Processor — we store and process it on your behalf
You are responsible for ensuring your guests are informed about data collection
The Data Processing Agreement governs our obligations

Guest data collected for eTurizem (Slovenia) or eVisitor (Croatia) reporting is processed under legal obligation and transmitted to the relevant government authority. We do not retain a copy beyond what is required for audit purposes (1 year).

6. Your Rights (GDPR)

As a data subject, you have the right to:

Access — request a copy of your personal data
Rectification — correct inaccurate data
Erasure — request deletion ("right to be forgotten")
Portability — receive your data in a machine-readable format
Restriction — limit how we process your data in certain circumstances
Object — object to processing based on legitimate interest
Withdraw consent — where processing is based on consent

To exercise any of these rights, contact us at legal@hilberton.com. We will respond within 30 days. You also have the right to lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec): www.ip-rs.si.

7. Data Security

We implement appropriate technical and organisational measures to protect your data:

Passwords are hashed using bcrypt (cost factor 12)
All data is transmitted over HTTPS/TLS
Database access is restricted to application servers
Regular backups with encrypted storage
Access logs and audit trails for sensitive operations

8. Cookies

We use one essential cookie: a session authentication token (httpOnly, SameSite=Lax). This cookie is strictly necessary for the Service to function and does not require consent. We do not use tracking, analytics, or advertising cookies.

9. Data Retention

We retain your account data for as long as your account is active. After account deletion:

Account and user data: deleted within 30 days
Reservation data: deleted within 30 days unless you request export first
Anonymised analytics: may be retained indefinitely

10. Changes to This Policy

We will notify you of material changes by email at least 14 days in advance. The current version is always available at this URL.

11. Contact

Data protection questions: legal@hilberton.com
Hilberton, Slovenia