Narcisa B&B (“we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
This Privacy Policy explains what data we collect, how we use it, and the rights you have over your personal information.
1. Who We Are
Website: https://narcisabnb.com
Owner & Data Controller: Narcisa B&B
Address: Triq It-Tigrija, Nadur, Gozo, NDR9010, Malta
Email: info@narcisabnb.com
Phone: +356 7920 5778
2. Personal Data We Collect
We collect personal data only when necessary to provide our services or when you voluntarily submit information.
2.1. Data you provide directly
- Contact form submissions (name, email, phone, message)
- Booking requests (name, email, phone, booking details)
- Account or profile information (if applicable)
- Comments left on the website
2.2. Automatically collected data
- IP address
- Browser type and version
- Device information
- Cookies (see section 7)
- Pages visited and actions performed on the website
2.3. Booking and payment data
If you make a reservation via our booking engine (e.g., VikBooking or another system), we may collect:
- Guest details (name, email, phone, address)
- Booking preferences
- Stay information
- Payment status
Payments are processed securely through third-party processors (e.g., Stripe). We do not store full credit card details.
2.4. Media uploads
If you upload images to the site, avoid images containing EXIF GPS data. Visitors may download and extract this data.
3. Purpose and Legal Basis of Processing
We process your data under GDPR Articles 6(1)(a), 6(1)(b), and 6(1)(f).
We use your data for:
- Responding to enquiries via contact forms
- Managing bookings and reservations
- Sending essential booking confirmations or updates
- Improving website performance and user experience
- Preventing spam and fraudulent activity
- Analytics and performance measurement
- Managing user accounts
- Complying with legal obligations
4. Comments
When visitors leave comments, we collect:
- Data shown in the comment form
- IP address
- Browser user agent string (to prevent spam)
An anonymized string created from your email (a “hash”) may be provided to Gravatar.
Gravatar Privacy Policy: https://automattic.com/privacy/
Once approved, your profile image becomes visible with your comment.
5. Embedded Content
Articles may contain embedded content from third-party sites (e.g., YouTube, Google Maps, Instagram).
These sites may collect:
- Data about your visit
- Cookies
- Interaction tracking
Their data collection practices follow their own privacy policies.
6. Third Parties We Share Data With
We only share data when necessary to provide our services.
Examples of data processors:
- Booking system (e.g., VikBooking): reservation details
- Payment processor (e.g., Stripe): payment details
- Email providers (SMTP or transactional email services)
- Hosting provider for website operation
- Spam detection tools
If you request a password reset, your IP address is included in the reset email.
We never sell personal data.
7. Cookies
We use cookies to enhance functionality and improve your browsing experience.
7.1. Functional cookies
- Remembering login details
- Saving your display preferences
- Cookies created during content editing
7.2. Analytics cookies
Used to understand how visitors use the website.
7.3. Booking system cookies
Some cookies are required to maintain reservation sessions.
Your choices
You can manage or disable cookies in your browser settings.
Cookie examples (as required by WordPress):
- Comment cookies last 1 year.
- Login cookies last 2 days (or 2 weeks if “Remember Me” is used).
- Display settings cookies last 1 year.
8. How Long We Retain Data
- Comments and metadata: indefinitely, unless deleted
- Contact form messages: up to 12 months unless needed longer
- Booking records: up to 10 years for legal and tax purposes
- User accounts: until deletion by the user or administrator
Registered users may see, edit, or delete their personal data (except username).
9. Your GDPR Rights
You have the right to:
- Access your personal data
- Rectify incorrect or incomplete data
- Delete your data (“right to be forgotten”)
- Object to processing
- Restrict processing
- Receive a copy of your data in a portable format
- Withdraw consent at any time
To exercise your rights, contact: info@narcisabnb.com
We may request proof of identity for data security.
10. International Data Transfers
Some third-party services (e.g., hosting, Gravatar, Stripe) may store data outside the EU.
Transfers occur only to countries with adequate protection or through GDPR-approved safeguards (Standard Contractual Clauses).
11. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- SSL encryption
- Secure hosting
- Access restrictions
- Regular updates and monitoring
12. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or significant effects on individuals.
13. Contact
For any questions about this policy or your data rights:
Narcisa B&B
Email: info@narcisabnb.com
Phone: +356 7920 5778
Address: Triq It-Tigrija, Nadur, Gozo, Malta
14. Changes to This Policy
We may update this policy periodically. Any changes will be posted on this page with a new “Last updated” date.