Privacy Policy

How we collect, use, and protect your personal information.

Last updated: April 2026

1. Data Controller

The controller responsible for processing your personal data is:

2. What Data We Collect

We collect the following personal data when you interact with our website or book an experience:

  • Identity information: Full name
  • Contact information: Email address, phone number
  • Booking details: Selected experience, date, time, number of guests, and any special requests
  • Payment information: Processed securely by Stripe — we do not store your card details on our servers
  • Communication records: Messages you send us via email, contact form, or WhatsApp
  • Technical data: IP address, browser type, device information, and pages visited (collected via cookies and analytics)

3. Why We Collect Your Data

We use your personal data for the following purposes:

  • Process bookings: To confirm and manage your reservation, collect payment, and coordinate your experience
  • Send confirmations: To provide booking confirmations, reminders, and important updates about your trip
  • Respond to inquiries: To answer your questions and handle any complaints
  • Improve our service: To understand how our website is used and make it better for future visitors
  • Legal compliance: To meet our obligations under Croatian tax and business law

We will never sell your personal data to third parties or use it for purposes other than those described here.

4. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your data based on the following legal grounds:

  • Contract performance: Processing necessary to fulfil your booking and provide the service you purchased (Article 6(1)(b))
  • Legitimate interest: Processing necessary for our legitimate business interests, such as improving our website and preventing fraud (Article 6(1)(f))
  • Consent: Where you have given explicit consent, such as opting in to marketing communications or accepting non-essential cookies (Article 6(1)(a))
  • Legal obligation: Processing required to comply with Croatian tax and accounting laws (Article 6(1)(c))

5. Third-Party Services

We share your data with the following trusted third-party services, only to the extent necessary:

  • Stripe — Processes payments securely. Stripe is PCI DSS compliant. See the Stripe Privacy Policy.
  • Google Workspace — Used for email communication (Gmail) and internal operations. See the Google Privacy Policy.
  • Google Analytics — Helps us understand how visitors use our website. Data is anonymised where possible. See the Google Privacy Policy.

All third-party processors are bound by data processing agreements and comply with GDPR requirements.

6. Data Retention

  • Booking and transaction data: Retained for 5 years from the date of the transaction, as required by Croatian tax and accounting regulations.
  • Contact form inquiries: Retained for up to 2 years unless the inquiry leads to a booking (in which case the booking retention period applies).
  • Marketing consent records: Retained until you withdraw your consent.
  • Analytics data: Retained for 14 months (Google Analytics default).

After the retention period expires, your data is securely deleted or anonymised.

7. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Ask us to correct inaccurate or incomplete data.
  • Right to erasure: Request deletion of your data (subject to legal retention requirements).
  • Right to data portability: Receive your data in a structured, commonly used format.
  • Right to restrict processing: Ask us to limit how we use your data in certain circumstances.
  • Right to object: Object to processing based on legitimate interest or for direct marketing purposes.
  • Right to withdraw consent: Withdraw consent at any time where processing is based on your consent.

To exercise any of these rights, email us at info@malamara-dubrovnik.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) at azop.hr.

8. Cookies

Our website uses cookies to ensure it functions properly and to help us understand how visitors interact with it.

Essential cookies

These are necessary for the website to work (e.g., session management, security). They cannot be disabled.

Analytics cookies

We use Google Analytics to collect anonymised usage data. These cookies are only placed with your consent. You can manage your cookie preferences at any time through your browser settings.

We do not use tracking cookies for advertising purposes.

9. Data Protection Contact

For any questions or concerns about how we handle your personal data, or to exercise your rights, please contact us:

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this page periodically. Continued use of our website and services after changes are posted constitutes your acceptance of the updated policy.