NOTICE OF A POTENTIAL PERSONAL DATA BREACH
Dear Madam, Dear Sir,
Boutique Residence Sp. z o.o. based in Gdańsk, at ul. Jaśkowa Dolina 4/3 (hereinafter referred to as the "Administrator"), owner of the facility Boutique Residence Gdańsk at ul. Tadeusza Kościuszki 8a in Gdańsk, fulfilling its obligations as the data controller within the meaning of Art. 4(7) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereby informs that a potential personal data breach has been detected which may concern your personal data. Therefore, we kindly ask you to carefully read the content of the following communication.
Description of the nature of the potential breach
On 16.12.2025, employees of our IT service provider informed us that a probable intrusion occurred on one of the servers containing a database of our Clients' data. This database also included your data from confirmed reservations. The current verification of the incident did not indicate that the attackers gained direct access to the database, nor is there any certainty that your data was extracted; however, at this time this possibility cannot be ruled out, so we recommend heightened vigilance and ask you to review this letter thoroughly.
The categories of personal data potentially involved in the security incident include:
· data of our facility,
· reservation dates and amounts,
· data of our hotel guests (provided directly in the reservation, e.g. first name, last name, email address, phone number or other data you entered in the reservation),
· issued accounting documents (invoices, receipts).
Currently, we do not confirm that criminals have accessed your personal data, however, in order to exercise due diligence and counteract possible effects of the identified security incident, we inform you about the actions taken and the possible negative consequences for you of the incident.
Description of possible consequences of the potential personal data breach
Out of extreme caution, we inform you about potential consequences if it were established that your personal data was extracted by criminals.
We will inform you separately if such circumstances are confirmed (at this time, to our knowledge, this has not occurred).
In the event of confirmation, the potential consequence of the breach of your personal data may be the use of your data by third parties, e.g. for obtaining financial gain at your expense. The misused data may also potentially be used to induce you to pay non-existent charges or to obtain additional personal data from you that was not originally part of the breach, which could result in incurring other obligations, e.g. online purchases or obtaining loans or credits from non-bank institutions. The potentially disclosed data could also be used to create an online account in your name (e.g. on social media platforms, email services), rent items in your name and subsequently have them stolen by third parties.
Recommended actions you may take to prevent potential consequences of the breach
If you suspect unauthorized use of your personal data, please contact the appropriate authorities, e.g. the Police. Please pay attention to all correspondence addressed to you (using your personal data) by persons claiming to be representatives of our hotel – please clarify such situations with us promptly via the contact details provided at the end of this letter. In particular, pay special attention to potential phishing attempts impersonating our identity and referencing reservation data, sent via email or instant messaging apps (e.g. WhatsApp) – where you might be asked to settle payment for your stay at our hotel or provide personal data by clicking on links included in the message. Do not respond to such messages or click on the links.
Please also be vigilant about any correspondence delivered by postal mail and read it carefully, as these could be confirmations of contracts you never entered into or fraudulent payment requests related to reservations at our facility. Any such incidents should be immediately verified directly with the parties to the agreements and reported to the Police if suspicious. We also remind you that for consumer contracts concluded at a distance, you generally have a right to withdraw from the contract within 14 days without any consequences.
In the case of receiving electronic (email) notifications of similar nature as mentioned above, pay special attention to:
- suspicious attachments in emails – attachments should not be sent as ZIP or RAR archives,
- suspicious links in the message content,
- requests for additional personal data (e.g. for identity confirmation).
Such emails may contain malicious software (e.g. viruses, trojans) and be attempts to obtain further personal data such as bank account numbers, credit card numbers or login credentials (e.g. usernames and passwords). Therefore, we recommend extreme caution when opening such messages.
We also recommend using antivirus software with an always up-to-date virus signature database. Please also review the passwords you use for Internet resources (e.g. social media accounts, emails, portals, online banking). Passwords should not contain easily guessable words or parts thereof, especially those based on your personal data (e.g. names, surnames, birthdates, PESEL number, identity document series and number, phone numbers).
If you suspect unauthorized use of your data, you may also:
a) check your credit history at the Credit Information Bureau – a body collecting and processing data on all loans taken out with banks and credit unions. The BIK shows information about loans repaid on time and payment arrears. Detailed information is available here: https://www.bik.pl/
b) check your data in the National Debt Register – KRD allows monitoring inquiries regarding loan applications. Detailed information is available here: https://krd.pl/
Given the detailed description, please do not disclose the contents of this letter to untrusted persons, as this may facilitate unauthorized persons' actions aimed at exploiting your personal data.
If you provided your PESEL number in your reservations, we recommend reserving your PESEL using the service available at https://www.gov.pl/web/gov/zastrzez-swoj-numer-pesel-lub-cofnij-zastrzezenie.
Description of security measures implemented to counteract the personal data breach or minimize its possible negative effects
Immediately after discovering the above-described incident, together with our IT service provider, we took actions aimed at promptly counteracting the incident and its potential effects, in particular: we initiated an internal procedure for responding to potential personal data breaches, disabled the IT resources affected by the attack, replaced them with new, additionally secured ones, and conducted verification of user accounts to ensure attackers no longer have access to our databases.
Internal departments responsible for personal data protection, as well as authorities – Police, CERT, President of the Personal Data Protection Office – were informed about the event.
Contact with the Data Administrator
If you have any additional questions, we are at your disposal. We continuously monitor the situation related to the identified incident and, in case of further findings, will keep you informed. Should you have additional questions, contact us via
email: concierge@stay2rest.pl
or by phone: +48 58 55 88 22 0
Sincerely,
Jakub Tański
Proxy of Boutique Residence Sp. z o.o.