Privacy notice
1. Who we are
This notice describes how Weareplonet Retail d.o.o. ("Weareplonet", "we") processes personal data collected through the Weareplonet dashboard and the website at weareplonet.org. Weareplonet is the data controller for personal data collected in the operation of the website and the customer account, and the data processor for personal data processed on behalf of a subscribing hotel while delivering the add-on modules. Contact: Data Protection Officer, dpo@weareplonet.org.
Legal registration: PIB 03761829, CRPS 4-2513628/2. Registered office ul. Vaka Đurovića 14, 81000 Podgorica, Crna Gora. Regulator: Agencija za zaštitu ličnih podataka (AZLP), reg. no. 05-030/26-3427.
2. Categories of personal data processed
- Contact data of the person operating the Weareplonet account: name, business email, phone (optional), employer name.
- Access logs: IP address, user agent, timestamp of authentication requests, module actions performed.
- Billing data: legal entity, VAT ID, billing address, payment method identifier (no PAN — PAN is handled by our PCI DSS-certified acquirer).
- Support correspondence: content of tickets and attachments, retained for the ticket's operational life plus 12 months.
- Guest personal data processed on behalf of the hotel via specific modules (Arrivals Digest, Guest Wi-Fi Sign-On): name, room number, arrival date. Processed as data processor, retained only as long as the module requires it (documented per module).
3. Legal basis
Contact and billing data are processed on the basis of the contract between the customer and Weareplonet (Article 6(1)(b) GDPR). Access logs and security data are processed on the basis of our legitimate interest in operating the service securely (Article 6(1)(f) GDPR). Marketing emails require prior consent (Article 6(1)(a) GDPR); we do not run marketing programmes at present. Guest personal data processed via modules is processed on the customer's legal basis under the DPA (Article 28 GDPR).
4. Retention
Contact data and billing data are retained for the life of the customer contract plus 10 years for statutory bookkeeping in Montenegro. Access logs are retained for 13 months. Support correspondence is retained for 12 months after the ticket is closed. Guest personal data processed via modules is retained only as long as the module operationally requires it — retention per module is documented in the dashboard.
5. Recipients and cross-border transfers
Personal data may be transferred to: our hosting provider (EU data centres in Frankfurt and Amsterdam), our payment acquirer (PCI DSS-certified), our email delivery provider (EU), the customer's own Protel installation (destination controlled by the customer), and authorities in Montenegro or the EU where required by law. No transfer outside the EU or Montenegro takes place without appropriate GDPR safeguards (Standard Contractual Clauses, adequacy decision, or equivalent).
6. Security
TLS 1.3 in transit, AES-256 at rest, per-property scoped API tokens, IP-restricted egress, quarterly independent penetration testing, security incident response process documented and rehearsed. Access to customer data by Weareplonet staff is role-based and logged.
7. Your rights
You have the right to request access, rectification, deletion, restriction, and portability of your personal data; to object to processing based on legitimate interest; and to withdraw consent at any time. Requests to dpo@weareplonet.org. We respond within 30 days.
You also have the right to lodge a complaint with the Montenegro data protection supervisory authority: Agencija za zaštitu ličnih podataka (AZLP), Bulevar Svetog Petra Cetinjskog 147, Podgorica, or with the supervisory authority in your EU member state of habitual residence.
8. Automated decision-making
Weareplonet does not carry out automated decision-making producing legal or similarly significant effects on data subjects.
9. Changes to this notice
We update this notice when our processing changes. Material changes are notified by email to the Weareplonet account owner at least 30 days before they take effect. Non-material updates are published silently with an updated version date at the top of this page.
Postal: Weareplonet Retail d.o.o., ul. Vaka Đurovića 14, 81000 Podgorica, Crna Gora
Regulator: Agencija za zaštitu ličnih podataka (AZLP, Podgorica), reg. no. 05-030/26-3427