- Duck Republik

Privacy Policy – Duck Republik

1. Who we are

Duck Republik (“we”, “us”, “our”) is the controller of your, your emergency contacts’ and your guests’ personal data.

Company name: Duck Republik SIA
Registration number: 40203202421
Registered address: Lauvas iela 1, Riga, LV-1003
Contact email: support@duckrepublik.eu

2. Data Protection Officer

At this time, Duck Republik has not appointed a Data Protection Officer, as we are not legally required to do so under the GDPR.

3. What data we collect

We collect only the data we actually need. No spying. No funny business.

3.1 Personal data you give us

We collect personal data when:

  • you apply or book a room
  • you use our accommodation services
  • you contact us through the website or by email
  • you access common areas monitored by CCTV
  • we manage and operate the hotel premises

This may include information that directly identifies you, such as your name or contact details and any other data submitted by you during our cooperation.

This may also include personal data of your emergency contacts as well as guests visiting you in our premises.

Whenever we ask for personal data, we link you to this Privacy Policy so you know exactly what’s happening.

3.2 Technical and usage data

When you visit our website, we automatically receive certain technical information from your browser or device, such as:

  • IP address
  • browser type
  • device type
  • pages visited before and after our site
  • general interaction data

If you access the site via mobile, this may also include your operating system, device identifiers, and similar diagnostic data.

This information helps us understand how the website is used and improve it. On its own, it does not allow us to identify you personally.

3.3 Cookies

We use cookies and similar technologies to keep the website functional and user-friendly.
Details are explained separately in our Cookie Policy.

4. Why we process your data (and for how long)

We process personal data only for specific, lawful purposes.

4.1 Room booking and accommodation services

Data collected:

  • First and last name
  • Date of birth and/or personal identification number
  • Address
  • Gender
  • Email address
  • Phone number
  • University name and study year

Legal basis:
Processing is necessary to enter into and perform a contract with you (GDPR Art. 6(1)(b)).

Storage period:
10 years after the end of the contractual relationship.

4.2 Billing, payments,  accounting and other legal obligations applicable to us

Data collected:

  • First and last name
  • Credit card details
  • Bank account number

Legal basis:
Processing is required to comply with legal (e.g. fire safety rules) and accounting obligations (GDPR Art. 6(1)(c)).

Storage period:
5 years after completion of the contract.

4.3 Communication via the website or otherwise

Data collected:

  • Name
  • Email address

Legal basis:
Processing is necessary to respond to your request before entering into a contract (GDPR Art. 6(1)(b)). Processing is also necessary to ensure that you are properly notified about events and activities available at our premises (GDPR Art. 6(1)(f)).

Storage period:
1 year from the date of the last correspondence.

4.4 Visitors

Data collected:

  • name and surname of your guests visiting you at the hotel premises

Legal basis:

To ensure our legitimate interests in protecting the property and enforcing internal rules, enabling us to prevent unauthorized access and hold residents accountable for the conduct of their guests (GDPR Art. 6(1)(f)).

Storage period:
___ after the end of visit.

4.5 Emergency contacts

Data collected:

  • name and surname of your emergency contacts
  • e-mail address and phone number of your emergency contacts

Legal basis:

To ensure our legitimate interests in facilitating prompt communication with designated persons in the event of medical emergencies, accidents, or other critical incidents (GDPR Art. 6(1)(f)).

Storage period:
While your contract is in force.

5. How we use your data

We use your personal data only for the purposes described above, including to:

  • provide and manage accommodation services
  • respond to inquiries
  • process payments
  • improve our website and services
  • communicate with you about Duck Republik

We may also use anonymised or aggregated data to better understand how our services are used.

6. Is providing personal data mandatory?

Yes—at least some of it.
If you want to use our accommodation services, we need the personal data listed above. Without it, we simply can’t proceed.

7. Where your data comes from

All personal data is collected directly from you when you submit it through our website or contact us. The data of your guests may be collected directly from them or from you.

8. Data sharing and transfers

We do not sell your data. Ever.

Your data may be shared only in the following cases:

8.1 Service providers

We work with trusted partners (IT, accounting, customer support, etc.) who help us operate our services.
They:

  • process data only on our instructions
  • are bound by confidentiality
  • have GDPR-compliant data processing agreements in place

8.2 Related companies

We may share data within the Duck Republik group where necessary for operational purposes. These entities follow the same data protection standards.

8.3 Business transactions

If Duck Republik is involved in a merger, sale, or restructuring, personal data may be transferred as part of that process.

8.4 Legal obligations

We may disclose data if required by law, a court order, or to protect legal rights, prevent fraud, or ensure safety.

We do not transfer personal data outside the European Union unless legally required or necessary for the purposes stated above.

9. Your rights under GDPR

You have the right to:

  • know how your data is processed
  • access your personal data
  • correct inaccurate data
  • request deletion of your data
  • restrict or object to processing
  • request data portability

You may also lodge a complaint with the supervisory authority:

Latvia – Data State Inspectorate
Elijas iela 17, Riga, LV-1050
Email: pasts@dvi.gov.lv

While we strive to honour all requests, we may not always be able to grant them if legal limitations apply. Every request will be reviewed thoroughly to determine the appropriate course of action. If processing is based on consent, you may withdraw that consent at any time by emailing support@duckrepublik.eu.
This does not affect processing that already took place.

To exercise your rights, please submit a written request that allows us to identify you. Anonymous requests cannot be processed.

10. CCTV and Video Surveillance

Duck Republik operates a closed-circuit television (CCTV) system on its premises. CCTV cameras are installed in common areas of the property and operate 24 hours a day, 7 days a week. CCTV is not installed in private living areas such as rooms, bathrooms, or similar private spaces.

Purpose of processing:
CCTV is used for the purposes of:

  • ensuring the safety and security of residents, visitors, and staff
  • protecting property and preventing theft, vandalism, and other unlawful activities
  • monitoring access to the premises
  • assisting in the investigation of incidents and security-related matters

Legal basis:
Processing of personal data through CCTV is based on Duck Republik’s legitimate interests (GDPR Art. 6(1)(f)), namely:

  • maintaining a safe living environment
  • protecting people and assets
  • ensuring orderly operation of the property

These interests have been carefully balanced against the rights and freedoms of data subjects. Appropriate technical and organisational measures are implemented to minimise intrusion and ensure proportionality.

Data retention:
CCTV recordings are stored for a limited period (30 days) and are automatically deleted unless:

  • an incident has occurred, or
  • footage is required for investigation, legal claims, or compliance with legal obligations

In such cases, recordings may be retained for as long as necessary for the relevant purpose.

Access to recordings:
Access to CCTV footage is strictly limited to authorised personnel only and is granted solely on a need-to-know basis. Footage may be disclosed to competent authorities (e.g. law enforcement) where required by law.

Impact assessment:
 Duck Republik treats CCTV as high-risk processing and conducts a Data Protection Impact Assessment (DPIA) in accordance with the GDPR and applicable regulatory guidance.

10. Updates to this policy

We may update this Privacy Policy occasionally.
The latest version will always be available on our website. Continued use of the site means you accept the updated policy.

Last updated: [date]