Privacy Policy

Effective Date: April 21, 2025

1. Data Controller

COMPANY XXX (“we”, “us”, “our”) is the controller of personal data collected when you make a reservation via our website.

2. Personal Data We Collect

  • Contact info: name, email address, phone number
  • Reservation details: date, time, number of guests, reservation ID
  • Payment data: Stripe payment ID, Checkout Session ID (we do not store full card details)
  • Device & location data: device type and country, obtained via IPInfo when you scan QR codes or click CTA links
  • Technical data: IP address, browser user agent
  • Children’s data: we do not knowingly collect personal data from anyone under 18. If we learn we have collected data from a minor, we will delete it immediately.

3. How We Use Your Data

  • To confirm and manage your reservation (Legal basis: contract performance)
  • To process payments via Stripe (contract performance)
  • To send transactional emails (Twilio) such as confirmations, reminders, and updates (contract performance)
  • To track marketing links and QR code scans (IPInfo) (legitimate interest)
  • To analyze usage and improve our service (Vercel Analytics & Umami) (legitimate interest)
  • To send promotional offers & gift codes, as described in section 4 (consent)
  • To comply with legal obligations and handle refund or session‑expiration issues (legal obligation)

4. Promotional Offers & Gift Codes

With your consent, we may send you special promotional offers or gift codes via email or SMS/WhatsApp. We do not send newsletters. You can withdraw consent at any time by replying STOP via email or SMS/WhatsApp, and we will immediately stop sending promotions.

5. Third‑Party Processors & DPAs

We share data only with trusted service providers under their publicly available Data Processing Agreements:

6. International Transfers

Some of our processors are located outside the EU/EEA. We rely on the European Commission’s Standard Contractual Clauses or adequacy decisions where available to ensure an adequate level of protection.

7. Cookies & Tracking

We use cookies and similar technologies to operate the site, remember preferences, and gather analytics. You may consent to non‑essential cookies via our cookie‑consent banner at the bottom of your screen, or manage cookies in your browser settings.

8. Data Retention

We retain your reservation, payment, device, and analytics data only as long as necessary to fulfill the purposes above, comply with legal obligations, resolve disputes, and enforce our agreements.

9. Your Rights under GDPR

If you are in the EU or UK, you have the right to:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Request deletion of your data (“right to be forgotten”)
  • Restrict or object to processing
  • Withdraw consent at any time (where processing is based on consent)
  • Receive your data in a portable format
  • Lodge a complaint with your local supervisory authority (e.g., the Croatian Personal Data Protection Agency)

To exercise any of these rights, email us at XXXX@EMAIL.COM.

10. Security Measures

We implement industry‑standard technical and organizational measures (encryption, access controls, secure backups) to protect your data.

11. Additional GDPR Compliance Steps

  • Maintain an internal Record of Processing Activities (RoPA)
  • Deploy a cookie‑consent banner for EU/UK visitors
  • Operate a data‑subject request process (respond within 30 days)
  • Follow a breach‑notification procedure (notify within 72 hours)
  • Conduct an annual review of privacy practices

12. Changes to This Policy

We may update this policy from time to time. We’ll post changes here with a new “Effective Date.”

13. Contact Us

If you have questions about this policy, please email XXXX@EMAIL.COM.