Privacy policy

Caring about your personal privacy, with reference to art. 13 (1) and (2) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”), we hereby explain how we collect and use your personal data. The present privacy policy also explains your rights in relation to us and how you can assert your rights. You can always contact us with questions about privacy and data protection issues by sending an e-mail. These principles came into effect starting May 25th, 2018.

By using GetaClujTour services, you accept our privacy policy and our processing of your personal data. It is important that you read and understand our privacy policy before using our services.

GetaClujTour may, from time to time, make changes to this privacy policy. The latest version of the privacy policy is always available here.

Latest update: 26th of April, 2019.

Who we are

The Controller of personal data GetaClujTour, with an online office in Cluj-Napoca, registered in the Romanian National Trade Office, Cluj-Napoca division, with number J12/1328/2016, VAT no. 35886377, share capital RON 25.000, (hereinafter referred to as “the Controller”).

Our full details are:

Full name: S.C. CARPATINO TOURS S.R.L., Hayland Express online travel organization, trading as GetaClujTour

Email address: booking(at)

Postal location: Bucegi Street, no. 8/23, Cluj-Napoca, Romania

Phone number: +40(0)743374293

Website address:

The objective & legal basis of data processing

The Controller shall process your personal data for the purpose of:

1. Commencement, on your demand, of activities aimed at conclusion of an agreement with the Controller or performance of an agreement with the Controller (art. 6 (1) b GDPR) within the scope of services rendered by the Controller, such as: booking and sale of airline, railway and bus tickets, booking of accommodation, car rental, sale of trips, organization of MICE (meetings, incentives, conferences, events), complex organization of business trips.

2. Under certain circumstances, it may turn out to be necessary to process your data due to the legitimate interests of the Controller (art. 6(1) f GDPR), in particular, for the following purposes:

a. marketing of products and services of the Controller,

b. in association with monitoring and improvement of quality of services rendered and products offered by the Controller, analysis of your satisfaction with services rendered,

c. in association of sales of receivables of the Controller payable by you and claims of the Controller,

d. engaging in disputes, as well as proceedings before public authorities and other proceedings, including making of claims and defense against claims;

3. In other cases, your personal data shall be processed solely on the basis of a previous consent, within the scope and for the purpose specified in such content.

The obligation to provide personal data

Disclosure of your personal data is voluntary, but necessary for performance of the agreement or undertaking of tasks on demand of the data subject prior to conclusion of the agreement with the Controller, is due to performance of obligations specified by legal provisions in force or is necessary for achievement of the purposes based on legitimate interests of the Controller.

Non-disclosure of all of your required personal data shall make it impossible to conclude the agreement, preventing the Controller from rendering services on your behalf.

To the extent in which data is collected on the basis of your consent, disclosure of your personal data is voluntary.

What personal data we collect and why we collect it

Contact forms

The personal data provided, in particular, your first name, surname, address, e-mail address, phone number, are processed to the extent necessary to commence, shape the content, amend, terminate and properly perform the services rendered by the Controller and to complete the orders placed.

Under special circumstances, other additional data may be required, such as birth date or age, identity card number or other data necessary for the proper performance and quality of services rendered by the Controller and for completion of orders placed.


When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.


If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.


We may collect date using technological mechanisms, such as: IP addresses, Internet browser, location, the pages you access on our website.

Social Media

In the case in which you make use of any GetaClujTour social media features, either on our website or through a social media provider, we may access information about you via that social media provider in accordance with their privacy policies. When using a social media feature, we may access information such as your name, gender, year of birth, town or district and any other information you have chosen to make public on that social media website to provide you with relevant content.

Pictures, video & testimonials

Any image or video taken by the guide, driver or other official tour leaders during your holiday that contains your image may be used by GetaClujTour for promotional and marketing purposes without charge in all media including, but not limited to, booklets, website and social media channels. The feedback you supply us may also be used in print and online for marketing and advertising purposes. This includes, but is not limited to, third party review sites and questionnaires we provide you to fill in at the end of the tour. Additionally, any pictures, video and review text you send to us after the fulfillment of the services provided and in connection with them, must be the client’s own and by sending it, the client agrees that GetaClujTour can use it for advertising and marketing purposes.

Links to other websites

Our website contains links to several third party websites, all connected to the travel business. GetaClujTour does not take any responsibility for the contents of these external websites nor for their privacy policies. Please always check the privacy statements on the new websites that you visit.

Who we share your data with

In association with processing of your personal data for the purposes indicated in clause II, personal data may be made available to the entities participating in processes necessary for performance of agreements concluded with you, including:

a. hotels or accommodation facilities, in the case of booking of accommodation,

b. railway operators in the case of booking of railway tickets,

c. insurance companies in the case of purchase of tourist insurance policies,

d. transport companies in the case of car rental or transfer booking,

e. travel guides and tour managers,

f. other partners providing tourist services on the basis of the agreement concluded, including booking systems and tourism organizers and agents, cooperating with the Controller,

g. public authorities and entities performing public tasks or working on the basis of orders of public authorities, to the extent and for the purposes based on legal provisions in force.

Visitor comments may be checked through an automated spam detection service.

How long we retain your data

The period of processing of your personal data depends on the purpose of data processing. The period of storage of your personal data is calculated on the basis of the following criteria and is no longer than 5 years:

a. the legal provisions, which obligate the Controller to process data for a specific time period,

b. the period of rendering of services,

c. the period necessary to defend the interests of the Controller,

d. in the case of your consent for processing of data for marketing purposes, or after termination or expiry of the agreement, until the time of withdrawal of such consent.

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

What rights you have over your data

The Controller informs that all persons, whose personal data are processed, are entitled to specific rights based on GDPR. Therefore, you are entitled to the following rights:

1. The right of access to personal data, including the right to obtain a copy of this data,

2. The right to demand rectification of personal data, if such data is inaccurate or incomplete,

3. The right to demand erasure of personal data (the so-called “right to be forgotten”) in the case when:

a. the data is no longer necessary for the purpose, for which it was collected or otherwise processed,

b. the data subject has objected against processing of data,

c. the data subject has withdrawn their consent, serving as a basis for processing, and no other legal basis for processing of data exists,

e. the data is being processed illegally,

f. the data must be erased in order to meet the obligation based on legal provisions;

4. The right to demand limitation of processing of personal data, if:

a. the data subject has questioned the accuracy of personal data,

b. processing of data is illegal, and the data subject has objected against erasure of data, demanding a limitation instead,

c. the Controller no longer needs the data for their purposes, but the data subject needs this data for the establishment, exercise or defense of legal claims,

d. the data subject has objected against processing of data, until it has been determined whether the legal basis, to which the Controller refers, is superior to the basis for the objection,

5. The right to object against processing of personal data, including profiling, when:

a. there are reasons associated with your special circumstances and

b. processing of data is based on necessity resulting from a legitimate interest of the Controller, referred to in clause II above.

6. The right to withdraw the consent for processing of personal data to the extent, in which such consent for processing of personal data has been granted. Withdrawal of the consent shall be of no effect upon legality of processing of data on the basis of the consent prior to its withdrawal.

7. The right to submit a complaint to the appropriate supervision authorities in the case of finding that processing of personal data by the Controller violates the provisions of GDPR.

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.