City Entrance

Privacy Policy

Last updated: 2026-05-10

1. Data controller

Krambi UAB (company code 302726084, VAT no. LT100007260215), registered office at M. Daukšos 3-23, LT-02101 Vilnius, Lithuania. Contact: bookings@cityentrance.com.

2. What we collect

  • Identification & contact: name, email, phone, country, language preference.
  • Booking details: apartment, dates, number of adults / children, optional promo code.
  • Payment metadata: Stripe payment-intent ID, charge status, last 4 digits of card. Card numbers are never stored on our systems — Stripe processes payment in their own PCI-DSS environment.
  • Billing details (optional): if you book as a company, your VAT number, company name, and billing address.
  • Operational data: server logs, basic browser info, IP address (retained briefly for security and abuse prevention).

3. Purposes and legal bases

  • Performing the booking contract (Art. 6(1)(b) GDPR) — booking, payment, communication, check-in details.
  • Legal obligation (Art. 6(1)(c)) — issuing VAT invoices, remitting Vilnius city tax (turistorinkliava) to the municipality, retaining accounting records.
  • Legitimate interests (Art. 6(1)(f)) — fraud prevention, server security, defending legal claims.

4. Recipients

  • Stripe Payments Europe Ltd. (Ireland) — payment processing.
  • Beds24 — channel manager / property management.
  • Cloudflare R2 — invoice PDF storage.
  • Hostinger — transactional email delivery.
  • Vercel — application hosting.
  • Neon — managed PostgreSQL database.
  • Vilnius City Municipality — aggregate stay data for monthly city-tax remittance (no individual guest details where avoidable).

All processors operate within the EEA or under approved transfer mechanisms. We do not sell personal data and do not use it for third-party advertising.

5. Retention

  • Accounting records (invoices, payment ledger): 10 years per Lithuanian tax law.
  • Booking and guest contact records: 5 years after checkout, then anonymised.
  • Server / security logs: 90 days.
  • Marketing consent (if you opt in): until you withdraw it.

6. Your rights

Under the GDPR you have the right to access (Art. 15), rectify (Art. 16), erase (Art. 17, where lawful), restrict processing (Art. 18), portability (Art. 20), and object (Art. 21). To exercise any of these, email bookings@cityentrance.com. You also have the right to lodge a complaint with the Lithuanian Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija — vdai.lrv.lt).

7. Cookies

We use only essential cookies needed for the booking flow (session state, language preference). No analytics or marketing cookies are set by default.

8. Changes

We may update this policy as our practices evolve. The current version’s “Last updated” date is shown at the top of the page.