COMFYREST
Last updated: 2026 03 20
1. Data Controller
This Privacy Policy explains how we collect, use, store and protect your personal data when you use our website www.comfyrest.lt and accommodation services.
Data Controller:
UAB Limo Trading Company
Company code: 133114845
Registered address: Ievos Kalno g. 6-10, LT-93103 Neringa
VAT number: LT100001342215
Email rest@comfyrest.lt
Phone: +37064569999
If you have questions about the processing of your personal data, you may contact us at the email address above.
2. What personal data we collect
We collect the following categories of personal data:
2.1 Booking data
First and last name, email address, phone number, postal address (if provided), check-in and check-out dates, number of guests, selected property, special requests or preferences.
2.2 Payment data
Payment method, transaction amount, transaction date and time, payment status. Payment card details (card number, expiry date, security code) are processed exclusively by Paysera – ComfyRest does not receive or store this data.
2.3 Guest registration data (E.tourist)
Under Article 32(3) of the Law on Tourism of the Republic of Lithuania we are required to collect: first and last name; date of birth; the state that issued the identity document; number of accompanying minor children; place of residence (country and city or settlement); dates of arrival and departure; whether the tourist arrived through a tour operator; main purpose of travel (leisure, work, health, other).
2.4 Communication data
Your correspondence with us by email, telephone or through the website contact form.
2.5 Website usage data
IP address, browser type and version, operating system, pages visited, date and duration of visit, referral source. This data is collected via cookies and analytics tools (see section 9).
3. Legal bases and purposes of data processing
We process your personal data on the following legal bases under Article 6 GDPR:
|
Purpose |
Legal basis |
Data categories |
|
Fulfilment of booking and provision of accommodation services |
Performance of contract |
Booking data, payment data |
|
Guest registration in the E.tourist system |
Legal obligation |
Guest registration data |
|
Maintenance of accounting and tax records |
Legal obligation |
Booking data, payment data |
|
Communication regarding your booking (confirmations, reminders, property information) |
Legitimate interest |
Contact data |
|
Service quality improvement and fraud prevention |
Legitimate interest |
Booking, communication, website data |
|
Marketing communications (newsletters, offers) |
Consent |
Name, email |
|
Ensuring website operation and analytics |
Legitimate interest / Consent |
Website usage data |
4. Recipients and processors of data
Your personal data may be transferred to the following recipients:
|
Recipient |
Purpose |
Role |
|
UAB "Paysera LT" |
Payment processing |
Data processor on our behalf for payment processing purposes. |
|
National Tourism Information System (E.tourist / NTIS) |
Guest registration under the Tourism Act |
Public authority (data recipient under law) |
|
Municipal authorities |
Tourist tax administration |
Public authority |
|
Accounting service provider |
Bookkeeping and tax filing |
Data processor |
|
Website hosting and IT service providers |
Website operation, email sending |
Data processors |
|
Law enforcement authorities |
Only where required by law or court order |
Data recipients under law |
We have concluded data processing agreements with all data processors in accordance with Article 28 GDPR. We do not transfer your personal data to third parties for marketing purposes without your explicit consent.
5. Transfer of data outside the EEA
Your personal data is processed primarily within the European Economic Area (EEA). If data is transferred outside the EEA for technical reasons (e.g. cloud service providers), we ensure that appropriate safeguards are in place:
- European Commission adequacy decision (GDPR Art. 45);
- Standard contractual clauses approved by the European Commission (GDPR Art. 46(2)(c));
- Other appropriate safeguards under the requirements of Chapter V GDPR.
You may obtain information about the specific safeguards applied by contacting us at the email address above.
6. Data retention periods
We retain your personal data only for as long as necessary to achieve the relevant purpose:
|
Data category |
Retention period |
Basis |
|
Booking and contract data |
10 years from end of contract |
Civil Code of the Republic of Lithuania (limitation period) and accounting law |
|
Accounting and payment documents |
10 years |
Law on Accounting of the Republic of Lithuania, Law on Tax Administration |
|
Guest registration data (E.tourist) |
As per NTIS rules (data transmitted to NTIS) |
Law on Tourism of the Republic of Lithuania |
|
Communication data (correspondence) |
3 years from last communication |
Legitimate interest (dispute resolution) |
|
Marketing consents and communications |
Until consent is withdrawn |
Consent |
|
Website analytics data |
Up to 26 months |
Legitimate interest / Consent |
Upon expiry of the retention period, your personal data is deleted or anonymised. If data must be retained longer due to legal disputes or court proceedings, the retention period may be extended until the dispute is resolved.
7. Your rights as a data subject
Under the GDPR you have the following rights:
Right to be informed. You have the right to be informed about the processing of your personal data. This Privacy Policy fulfils this right.
Right of access. You may obtain confirmation of whether we process your personal data and receive a copy of it (GDPR Art. 15).
Right to rectification. You may request correction of inaccurate or completion of incomplete personal data (GDPR Art. 16).
Right to erasure ("right to be forgotten"). You may request deletion of your personal data when it is no longer necessary for the purpose for which it was collected, or when you withdraw consent (GDPR Art. 17). This right may be limited where we are required to retain data by law.
Right to restriction of processing. You may request restriction of the processing of your data in certain circumstances (GDPR Art. 18).
Right to data portability. You may receive personal data you have provided in a structured, commonly used and machine-readable format and transmit it to another controller (GDPR Art. 20).
Right to object. You may object to the processing of personal data based on legitimate interest (GDPR Art. 21). Where data is processed for marketing purposes, the right to object is absolute.
Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to lodge a complaint. If you believe your rights are being violated, you may lodge a complaint with the State Data Protection Inspectorate (SDPI).
How to exercise your rights
You may submit requests to exercise your rights by email to rest@comfyrest.lt. We will respond within 30 calendar days of receiving the request. In exceptional cases where the request is particularly complex, the period may be extended by a further 60 days, of which we will inform you.
To protect your data, we may ask you to verify your identity before fulfilling the request.
8. Payment processing through Paysera
Payments for bookings are processed by UAB "Paysera LT" (electronic money institution licence No. 1, issued by the Bank of Lithuania).
Paysera as data processor: for payment processing purposes, Paysera acts as a data processor on our behalf (as data controller). A data processing agreement has been concluded with Paysera in accordance with Article 28 GDPR. Paysera processes only the data necessary to execute the payment transaction.
Paysera as independent data controller: due to its own regulatory obligations (anti-money laundering, payment services regulation, etc.), Paysera also processes certain data about you as an independent data controller under GDPR Art. 6(1)(c). This processing is governed by Paysera's privacy policy: www.paysera.com.
ComfyRest does not receive or store: your payment card number, expiry date or security code. All card data is processed directly in Paysera's systems, which comply with PCI DSS security standards.
9. Cookies
Our website uses cookies – small text files stored on your device. Cookies help ensure the website functions correctly and improve your user experience.
9.1 Cookie categories
|
Category |
Purpose |
Consent |
|
Essential cookies |
Website operation, security, session management, remembering cookie preferences |
Not required (legitimate interest) |
|
Functional cookies |
Remembering your preferences (language, region) |
Consent |
|
Analytical cookies |
Website traffic statistics, usage analysis (e.g. Google Analytics) |
Consent |
|
Marketing cookies |
Targeted advertising and service offers |
Consent |
9.2 Cookie management
When you first visit the website, you will see a cookie consent banner where you can choose which cookie categories you consent to. You may change your preferences at any time via the "Cookie settings" link in the website footer.
You can also manage cookies in your browser settings. Please note that disabling essential cookies may cause some website features to not work properly.
10. Data security
We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration or destruction:
- SSL/TLS encryption for data transmission between your browser and our servers.
- Access control – only authorised staff have access to personal data, in accordance with the principle of least privilege.
- Regular backup and data recovery procedures.
- Payment card data is never stored on our servers (processed by Paysera in accordance with PCI DSS).
- Staff training on personal data protection.
In the event of a data security breach that may pose a significant risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.
11. Minors
Our services are intended for adults. Bookings may only be made by persons aged 18 or over. We do not knowingly collect personal data from persons under 18 without parental or guardian consent. Guest registration data concerning minors (under 18) is collected as required by the Tourism Act.
12. Automated decision-making
We do not carry out fully automated decision-making, including profiling, that would have legal or similarly significant effects on you (GDPR Art. 22).
13. Direct marketing
We send marketing messages (newsletters, special offers) only with your explicit consent. Each message contains a one-click unsubscribe option.
You may also withdraw consent at any time by writing to us at rest@comfyrest.lt. Withdrawal of consent does not affect the lawfulness of messages sent prior to withdrawal.
14. Third-party links
Our website may contain links to third-party websites (e.g. Paysera, social networks). We are not responsible for the privacy practices of those websites. We recommend reviewing their privacy policies before submitting your data.
15. Supervisory authority
If you believe your personal data is being processed unlawfully, you have the right to lodge a complaint with:
State Data Protection Inspectorate (SDPI)
L. Sapiegos g. 17, LT-10312 Vilnius
Phone: +370 5 271 2804 / +370 5 279 1445
Email: ada@ada.lt
Website: www.ada.lt
Before contacting the SDPI, we recommend first contacting us directly – we will make every effort to resolve your concern.
16. Changes to the Privacy Policy
We may occasionally update this Privacy Policy to reflect changes in legislation, our practices or other reasons. The updated version will be published on the website with a new date. In the case of a material change, we will notify you by email (if we hold your contact details).
17. Contact
For all queries regarding personal data processing please contact:
UAB Limo Trading Company (ComfyRest)
Registered address: Ievos Kalno g. 6-10, LT-93103 Neringa
Email rest@comfyrest.lt
Phone: +37064569999