Privacy Policy
Stay Albanian Riviera ("we", "our", "us") respects your privacy. This policy explains what personal data we collect, the legal basis for collecting it, how long we keep it, who we share it with and your rights under the EU General Data Protection Regulation (GDPR), the UK GDPR, the EU ePrivacy Directive and equivalent laws.
Short version. We don't collect anything until you click "Accept" on the cookie banner. If you reject cookies, we know literally nothing about you beyond the fact you visited and that you declined. If you accept, we use Google Analytics with anonymised IPs to understand which articles are useful, affiliate cookies so partners credit us when you book, and MailerLite to run our optional newsletter signup popup. The newsletter itself is a separate, explicit opt-in — you have to actively submit the form to subscribe. We never sell your data, never run retargeting ads, and you can change or withdraw your choice any time using "Cookie settings" in the footer.
1. Data controller
The data controller for this website is:
- Stay Albanian Riviera, operated by Strandway Systems
- Based in Prince Edward Island, Canada
- Contact for all privacy matters: contact@stayalbanianriviera.com
We act as both the controller and the processor for the limited data we hold ourselves. For data processed by third-party tools (analytics, affiliate networks, hosting), those providers act as independent controllers or joint controllers — see section 6.
2. EU representative (GDPR Article 27)
We are established outside the EU. The processing we carry out is occasional, does not include special categories of data on a large scale and is unlikely to result in a risk to the rights and freedoms of natural persons (Article 27(2)(a) GDPR). On that basis we are exempt from appointing an EU representative. If our processing changes such that this exemption no longer applies, we will appoint a representative and list their contact details here. EU residents can always contact us directly at the email above; we respond to all data subject requests within one month (Article 12(3)).
3. What personal data we collect
We collect personal data only after you give explicit consent via the cookie banner. Specifically:
- Analytics data (only if you opt in to "Analytics"): Google Analytics 4 with IP anonymisation enabled, page URLs visited, referring URL, device type, browser, language, approximate location (country and city level only, derived from anonymised IP), pseudonymous client ID stored in cookies.
- Affiliate / partner data (only if you opt in to "Affiliate tracking"): A click ID assigned by the partner (Booking.com, Viator, Localrent, Travelpayouts partners, Airalo, SafetyWing, Wise, Heymondo) when you click an affiliate link. The partner sets their own cookies and tracks whether your visit results in a purchase. We never see your name, payment details or what specifically you booked — only aggregate commission data.
- If you email us: the email address you write from, the content of your message and any attachments. We use this only to reply.
- If you sign up for our newsletter (only if you opt in to "Affiliate & newsletter" and then actively submit the form): the email address you give us and an optional first name, plus the signup timestamp, IP address (for proof of consent under GDPR Article 7(1)) and the form/page you signed up from. Processed by MailerLite. You can unsubscribe with one click from any email.
- Server-level data (strictly necessary): Cloudflare records IP addresses, request paths and timestamps in standard server logs to mitigate abuse and serve the site. Logs are retained for up to 30 days then deleted.
If you reject cookies we store only the consent record itself (in your browser's localStorage, not on our servers) so the banner doesn't re-appear on every page load.
4. What we do not collect
- We never ask for or store your name, postal address, phone number or payment details.
- We don't run retargeting or behavioural advertising.
- We don't profile users or make automated decisions that produce legal or similarly significant effects (Article 22 GDPR does not apply).
- We don't collect special categories of personal data (health, biometric, religious, political views, etc.).
- We don't knowingly collect data from children under 16. If you're under 16, please don't submit personal data through this site.
5. Legal basis (GDPR Article 6)
| Processing activity | Legal basis |
|---|---|
| Loading analytics & affiliate cookies | Consent — Article 6(1)(a) GDPR + Article 5(3) ePrivacy Directive. You opt in via the banner. |
| Serving the website itself (security logs, consent storage) | Legitimate interests — Article 6(1)(f) GDPR. Our legitimate interest is operating a secure, functional website. Balanced against your interests — no profiling, short retention, no sharing. |
| Replying to your email | Legitimate interests — Article 6(1)(f). To handle your enquiry. |
| Loading the MailerLite newsletter popup script | Consent — Article 6(1)(a) GDPR + Article 5(3) ePrivacy. You opt in via the cookie banner before MailerLite is loaded. |
| Sending you newsletter emails after you submit the signup form | Consent — Article 6(1)(a) GDPR. The form submission is your explicit, separate, granular opt-in to email marketing under Article 7. You can withdraw at any time via the unsubscribe link. |
6. Recipients and third-party processors
We share data with the following processors and joint controllers:
| Recipient | Purpose | Location | Safeguards |
|---|---|---|---|
| Google (Analytics 4) | Anonymised analytics | USA / global | EU–US Data Privacy Framework certified + Standard Contractual Clauses |
| Cloudflare | Hosting, CDN, DDoS protection | USA + EU edge | EU–US Data Privacy Framework + SCCs; EU edge servers serve most EU traffic |
| Travelpayouts | Affiliate aggregator: Booking.com (hotels), Localrent (car rental — primary partner), KiwiTaxi & GetTransfer (transfers), Tiqets (tickets), WayAway (flights) | Cyprus / EU | Within EEA; no additional safeguards required |
| Viator | Tour booking attribution | USA | SCCs |
| Discover Cars (reserved — no active links; superseded by Localrent) | Car rental attribution — listed for transparency only; not currently used. All active car rental links on this site route to Localrent via Travelpayouts. | Latvia / EU | Within EEA |
| Airalo, SafetyWing, Wise, Heymondo | Affiliate attribution for travel services | Mixed | SCCs / DPF where required — see each provider's policy |
| MailerLite (UAB MailerLite) | Email newsletter delivery, signup popup, double opt-in confirmation, unsubscribe handling | Lithuania (EU) / USA sub-processors | Within EEA for primary processing; SCCs + DPF for any USA sub-processors. See MailerLite sub-processors. |
We do not sell your personal data to anyone. We don't use it for AI training. We don't share it with data brokers.
7. International transfers
Some of the providers above (Google, Cloudflare, Viator, certain MailerLite sub-processors) process data in the United States. For those transfers we rely on either (a) the European Commission's EU–US Data Privacy Framework adequacy decision (10 July 2023) for DPF-certified providers, or (b) Standard Contractual Clauses (Decision 2021/914) for non-certified providers. You can request a copy of the relevant safeguards by emailing us.
8. Retention
- Google Analytics data: 14 months (default GA4 retention; we do not extend it).
- Affiliate click data: per partner cookie window — typically 30 days (Viator) up to lifetime (Booking.com via Travelpayouts, Localrent).
- Cloudflare server logs: up to 30 days.
- Email correspondence: up to 24 months after the last reply, then deleted.
- Newsletter subscriber data: kept in MailerLite while you remain subscribed. If you unsubscribe we keep your email address on a suppression list (so we don't accidentally re-email you) and delete all other personal data within 30 days. The suppression list is the lawful basis Article 6(1)(c) — legal obligation under Article 21(3) GDPR.
- Consent record: stored only in your browser's localStorage. Cleared whenever you do.
9. Your rights (GDPR Articles 15–22)
If you're in the EU, EEA, UK or Switzerland, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erasure — the "right to be forgotten" (Art. 17).
- Restrict processing while a complaint is investigated (Art. 18).
- Data portability — receive your data in a machine-readable format and transmit it elsewhere (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time, free and as easily as you gave it (Art. 7(3)) — use Cookie settings.
- Not be subject to automated decision-making, including profiling (Art. 22). We do not carry out any such processing.
- Lodge a complaint with your national supervisory authority. A list of EU/EEA authorities is at edpb.europa.eu/members. UK residents can contact the ICO.
To exercise any of these rights email contact@stayalbanianriviera.com. We respond within one month (extendable by two further months for complex requests, with notice) at no charge. We may ask you to confirm your identity if your request isn't tied to data we can match to you.
10. California, Virginia, Colorado & other US state residents
If you live in a US state with a comprehensive privacy law (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut, Utah, Texas, etc.), you have substantially the same rights listed above. We do not "sell" or "share" personal information in the way those laws define it. Contact us at the same email to exercise your rights.
11. Cookies
See our full Cookie Policy for a categorised list of every cookie and tracker on this site, who sets it, how long it lasts, and how to block it.
12. Changes to this policy
If we make material changes we'll update the "Last updated" date at the top, and where required by law we'll re-prompt for consent. Minor edits (typo fixes, link updates) won't trigger a re-prompt. The current version is always at this URL.
13. Questions
Email contact@stayalbanianriviera.com. We read everything and reply within a few working days.