Privacy statement
This page sets out what we do with any personal data you give us — through the website, a booking, a message, the newsletter — and the rights you have over that data under European law (the GDPR). It's written in plain English. Where something has a precise legal meaning, we say so.
Who controls your data
The data controller, in GDPR terms, is:
Tona BVBA, trading as ArdennerHof
zum Schwarzenvenn 4, 4770 Amel, Belgium
Reg. HRE 45 358 · VAT BE 0416 923 717
Contact for privacy questions: Dirk Warnaar — vakantiewoningardennerhof@gmail.com
What we collect
The data we hold depends on how you interact with us.
When you book. Your name, the lead guest's contact details (email, phone), billing address, group size, dates, and payment information. We need this to operate the booking — without it there isn't really a booking.
When you send a message. Whatever you put in the email, WhatsApp message or contact form, plus the contact detail you sent it from. We keep messages because we sometimes need to refer back to them — confirming what was promised, for example.
When you subscribe to the newsletter. Your email address and your language preference. That's it — no name required.
When you visit the website. Standard technical data: IP address (anonymised for analytics), browser type, pages viewed, approximate location. Used to keep the site secure and to understand what's working.
Why we collect it
Six grounds, each tied to specific data:
Booking and contractual obligations. Without contact and payment details we can't run a stay.
Communication. So we can answer your questions, send the rental agreement, and stay in touch through the stay.
Legal obligations. Tax law requires us to keep invoices and related accounting records for set periods.
Newsletter. Only if you've signed up. You can unsubscribe at any time using the link in every email.
Site improvement. Aggregate, anonymised analytics. We never sell this data, and we don't use it to target individuals.
Security. Detecting abuse, fraud or unauthorised access to the systems behind the site.
Who we share it with
We share what's necessary, and nothing more. The parties:
MyTourist — handles the availability calendar and the booking widget. They process the data needed to take a reservation.
Mollie — processes card payments. They see what's needed to handle a payment; we never see card numbers ourselves.
Google Analytics — anonymised, aggregated site analytics. IP addresses are masked before they reach Google.
MailerCloud — sends the newsletter if you've signed up.
Our accountant and Belgian tax authorities — invoices and accounting records, as required by law.
We don't sell your data, ever. We don't share it with marketing platforms, ad networks, or anyone else who hasn't been listed above.
Transfers outside the EU
Most of our processors are based in the EU. Where data does cross outside (Google Analytics, in practice), it's covered by the standard contractual clauses approved by the European Commission for that purpose.
If you'd like to see the specific transfer mechanisms for any service, ask.
How long we keep it
Different data, different periods:
Booking and invoice data: 7 years, the Belgian tax law minimum.
Email and WhatsApp correspondence: 2 years after the stay (or 2 years after the last exchange if no booking followed).
Newsletter subscription: until you unsubscribe.
Analytics data: 14 months in Google Analytics, anonymised.
Security logs: 6 months.
When a retention period ends, the data is deleted or fully anonymised. We don't keep things "just in case".
Your rights
Under the GDPR you have several rights regarding personal data we hold about you:
Access — ask for a copy of what we hold.
Correction — ask us to fix anything that's wrong.
Deletion — ask us to delete what we hold, subject to legal retention requirements.
Restriction — ask us to stop processing it while a question is being resolved.
Portability — ask for your data in a structured, machine-readable format.
Objection — object to certain processing, including direct marketing.
Withdrawing consent — where processing relies on consent, you can withdraw it.
To exercise any of these, email Dirk at vakantiewoningardennerhof@gmail.com. We respond within 30 days, usually much sooner.
If you think we've handled your data badly, you have the right to complain to the Belgian Data Protection Authority (dataprotectionauthority.be).
Security
Sensible measures, kept current: HTTPS across the entire site, encrypted backups, access to systems restricted to the people who genuinely need it, regular software updates.
If a data breach does occur and there's any risk to people's rights, we notify the Data Protection Authority within 72 hours and, where the regulation requires it, the affected individuals directly.
Children and minors
The site isn't aimed at children. We don't knowingly collect data from anyone under 16. If you think your child has provided us with information, let us know and we'll delete it.
Children are of course welcome as guests at the house — the data we have for them runs through the booking made by their parents or guardians.
Updates to this policy
When something genuinely changes — a new processor, an updated retention period — we revise this page. The date at the top reflects the most recent change. We don't notify subscribers about minor wording tweaks; for material changes affecting your rights, we'll email you if we hold your address.