Privacy Policy
Definitions
- Personal data — any information relating to an identified or identifiable natural person.
- Processing — any operation or set of operations performed on personal data.
- Data subject — a natural person whose personal data are processed.
- Child — a natural person under 18 years of age.
- User — a user of our website or services; a visitor.
- Consent — the data subject’s statement by which they agree to the processing of personal data for a specific purpose in accordance with this Privacy Policy.
- Data Controller / Company / We / Us / Our — Guest House Rustico
- Regulation — the General Data Protection Regulation (GDPR).
- Processor — a natural or legal person who processes personal data on behalf of the Data Controller under a processing agreement and in accordance with applicable data protection laws.
- Website — refers to all web pages on the domain plitviceaccommodation.com
Data Controller
Rudanovac 87, Rudanovac
53230 Korenica
Phone: +385 98 572 858
Email: info@plitviceaccommodation.com
Data Protection Officer (DPO) contact details
Email: info@plitviceaccommodation.com
Depending on the access to personal data you request, we may require verification of your identity before we can comply with your request.
Our Personal Data Protection Principles
Guest House Rustico adheres to the following data protection principles:
- Processing is lawful, fair, and transparent.
- Our processing activities are based on lawful grounds.
- Upon your personal request, we will provide you with information about the processing of your personal data.
- Processing is limited to specific purposes. Our processing activities correspond to the purposes for which the personal data were collected.
- We collect and process only the minimum amount of personal data necessary for each purpose.
- Processing is limited in time. We will not retain your personal data longer than necessary.
- We will take all reasonable steps to ensure the accuracy of the data.
- We will take all reasonable measures to ensure the integrity and confidentiality of the data.
- We do not intend to collect personal data from children. Our services and products are not directed at persons under 18 years of age without the presence and consent of a parent or legal guardian.
Legal bases and retention periods
We base the collection and processing of your personal data on various legal bases, including your consent, the performance of a contract, compliance with legal obligations, and our legitimate interests.
The retention period for personal data depends on the type of personal data and the presently applicable tax, accounting and other specific regulations. For certain categories of data, the retention period continues for as long as the purpose for which the data were collected remains.
If judicial, administrative or extrajudicial proceedings are initiated, we may retain personal data until the conclusion of such proceedings and for the period during which legal remedies may be exercised.
Categories of personal data we process
Website visitors
When you browse our website, your activity may be recorded. This includes information that is automatically stored in cookies and the visitor’s IP address. We store the original IP address only if our security system detects misuse or an attempt at unauthorized actions on the website. In all other cases the visitor’s IP address is stored in an anonymized form, after which those records no longer constitute personal data. We use cookies for technical reasons that enable the display of our website in your browser. More information about the cookies we use can be found in our Cookie Policy.
Legal basis: legitimate interest and the data subject’s consent.
Storage period: 30 days or until the purpose is fulfilled.
Contact form submissions
If you submit an inquiry using the contact form on our website, we collect the information you provide: first name, last name, email address, phone number, confirmation of your consent to personal data processing, and the message you sent.
Legal basis: the data subject’s consent.
Storage period: until the purpose is fulfilled.
Employees
For the purpose of employment and realizing employment-related rights, we process data such as name and surname, residence address, personal identification number (OIB), date and place of birth, nationality, gender, phone number, email address, marital status, bank account number, identity card data, job title, occupation, education, work experience, professional training and other personal data required by special regulations.
Legal basis: compliance with legal obligations.
Storage period: in accordance with tax, accounting and other applicable regulations.
Job applicants
For recruitment purposes we process data such as name and surname, residence address, personal identification number (OIB), date and place of birth, nationality, gender, phone number, email address, job title, occupation, education, work experience, professional training and test results.
Legal basis: the data subject’s consent.
Storage period: 12 months.
Clients of our services
In order to perform contractual obligations we process data such as name and surname, residential address (street, city, country), identification document number, issuing authority of the identification document, date of birth, email address and phone number.
Legal basis: the data subject’s consent.
Storage period: 12 months.
Children’s data
For the purpose of legally registering each guest in the national eVisitor system, we are required to collect personal data for all persons under 18 staying at the property. This includes full name, date of birth, nationality and identity document number (where applicable). The data are collected and processed solely for guest registration purposes in accordance with applicable law and our Privacy Policy.
Suppliers and business partners
To perform contractual obligations we process data such as the name and surname, email address and phone number of the responsible persons and contact persons in legal entities or natural persons who are responsible for communications and performance of contracted obligations.
Legal basis: processing is necessary for the performance of a contract and legitimate interest.
Storage period: until the purpose is fulfilled.
Web traffic analysis
Privacy‑aware analytics
Purpose of processing: to create detailed statistics on user behavior on the website in order to obtain analytical information. This requires processing of data that may be used to determine:
- the user’s country and city;
- the user’s language;
- the type of device used to access the website (device type, operating system, browser, screen resolution);
- page views and session duration;
- navigation path data (clicks within the site);
- usage frequency and intensity;
- interactions with site content and features;
- traffic sources (e.g., channels through which users arrive at the site).
Based on the data we collect, it is not possible to identify users. We collect limited data in a manner that respects visitor privacy and complies with the GDPR. The technical solution is fully GDPR‑compliant, developed and hosted within the EU.
- Subject of processing: Visitors to our website.
- Security measures: IP addresses are not stored (fully anonymized). Data are analyzed only in aggregated form (without identifying individuals). We implement technical and organizational measures to prevent unauthorized access.
- Legal basis: legitimate interest
- Retention period: Data are retained permanently in an anonymized form and cannot be linked to individual users.
Google Analytics
Purpose of processing: Google Analytics generates detailed statistics about user behavior on the website in order to obtain analytical insights. This requires processing the user’s IP address and metadata that can be used to determine the user’s country, city, and language. Cookies or cookie‑like technologies may be stored and read. They may contain personal data and technical data such as a user ID, which may provide the following additional information:
- timestamps indicating when and for how long a user visited various pages on the site;
- the device category (desktop, mobile, or tablet), the platform used (web, iOS app, or Android app), the browser and the screen resolution;
- the traffic source (e.g., referring website, search engine including the search query, social network, newsletter, organic video, paid search or campaign);
- whether the user belongs to a target audience/segment;
- the user’s on‑site actions and the events triggered by those actions (for example: page views, user engagement metrics, scroll behavior, clicks, entry of payment details, and custom events such as e‑commerce tracking);
- conversions (e.g., whether a user made a purchase and what was purchased);
- gender, age, and interests where assignment is possible.
These data may also be used by Google to collect information about visited websites and to improve Google’s services. They may be linked across multiple domains managed by the owner of this website and with other Google products used by the owner (e.g., Google AdSense, Google Ads, BigQuery, Google Play). Google may also link them with data of users logged into Google sites (e.g., google.com). Google provides personal data to its affiliated companies and to other trusted companies or persons who process the data on Google’s behalf and in accordance with Google’s privacy policy. The data may also be used for profiling by the website owner and by Google, for example to provide personalized services to the user, such as interest‑based advertising or recommendations.
- Subject of processing: Visitors to our website who have given consent for statistical purposes.
- Security measures: IP addresses are neither stored nor processed — data processing is carried out in accordance with Google’s anonymization policy on Google’s servers. We implement technical and organizational measures to prevent unauthorized access to the system.
- Legal basis: User consent and consent for storing or accessing information on the user’s device — entirely voluntary and withdrawable at any time via our consent management system.
- Retention period: User and event data are stored in Google Analytics for up to 24 months, depending on configuration, after which they are automatically deleted.
Cookies (e.g., _ga) have a maximum lifespan of 24 months but may be deleted earlier through the user’s cookie settings or browser.
How we use your personal data
On the basis of a concluded contract or the performance of contractual obligations, we process your personal data for the following purposes:
- to identify you;
- to provide the requested service or to deliver/offer a product;
- to communicate with you for sales purposes and to issue offers and invoices.
On the basis of legitimate interest, we process your personal data for the following purposes:
- to send you tailored offers;
- to manage and analyze our customer database (behavior and purchase history) in order to improve the quality, variety, and availability of the services/products we offer;
- to conduct customer satisfaction surveys.
With your consent, we process your personal data for the following purposes:
- sending newsletters about our services and products;
- other purposes for which we have obtained your consent.
Who else may access your personal data
Our IT solution and service providers, who act as data processors, may have access to your personal data. We have entered into contracts with these processors that specify in detail how personal data must be handled. Accordingly, these IT service providers are not permitted to process your personal data without our instruction or to disclose it to third parties.
We may disclose your personal data to third parties if you have given your consent to such disclosure or if there is an explicit legal basis for disclosing the data.
In all other circumstances, we do not disclose your personal data to anyone.
How we secure your data
We use secure protocols (such as HTTPS) for communication and data transmission.
All systems storing the personal data we process are protected by strong encryption at all storage levels.
We use cloud storage services hosted on servers located within the EU. All data stored on these servers are double‑encrypted. The first layer of encryption is implemented by the service provider, ensuring that all data are encrypted at rest. The second layer of encryption is performed within our IT infrastructure: the data we store in the cloud are additionally encrypted and are decrypted in real time on our systems.
Where appropriate, we employ anonymization and pseudonymization of visitors’ IP addresses.
We continuously monitor and regularly update our systems to address potential vulnerabilities and security threats.
In the event of a security breach, we will notify the relevant supervisory authorities.
We will also inform you if there is any threat to your rights or interests.
We will take all reasonable steps to prevent security breaches and to assist the authorities in the event of any incident.
Data subject rights
Right of access to personal data
You have the right to access the personal data we process about you. This includes your right to request and receive a copy of your personal data. You may also request detailed information about the purposes of processing, the categories of personal data being processed, the recipients or categories of recipients of your personal data, and the envisaged storage periods for those data. You have the right to request correction, erasure, or restriction of processing of your personal data, the right to object to processing, and the right to lodge a complaint with the supervisory authority.
Access to personal data may, in some cases, be restricted by law, for example where such a restriction is necessary to protect the fundamental rights and freedoms of others.
Right to rectification of personal data
You have the right to request correction of inaccurate or incomplete personal data concerning you. Taking into account the purposes of processing, you have the right to complete incomplete personal data, including by providing an additional statement.
Right to erasure (“right to be forgotten”)
You have the right to request deletion of your personal data from our records where one of the following grounds applies:
· your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
· you withdraw consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing;
· you object to processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object under Article 21(2);
· your personal data have been unlawfully processed;
· personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
· personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
The above rights to erasure do not apply to the extent that processing is necessary for:
· the exercise of the right to freedom of expression and information;
· compliance with a legal obligation requiring processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
· reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
· archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) insofar as the right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
· the establishment, exercise, or defense of legal claims.
Right to restriction of processing
You have the right to request restriction of processing from the controller where one of the following applies:
· you contest the accuracy of your personal data for the period enabling the controller to verify the accuracy of the personal data;
· the processing is unlawful and you oppose the erasure of the personal data and instead request restriction of their use;
· the controller no longer needs your personal data for the purposes of the processing, but you require them for the establishment, exercise, or defense of legal claims;
· you have objected to processing under Article 21(1) pending verification of whether the controller’s legitimate grounds override yours.
If you obtain restriction of processing under the above, the controller will inform you before the restriction is lifted.
Right to data portability
You have the right to receive the personal data you have provided to the controller in a structured, commonly used and machine‑readable format, and you have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where:
· the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a), or on a contract pursuant to Article 6(1)(b); and
· the processing is carried out by automated means.
When exercising your data portability rights, you also have the right to have the personal data transmitted directly from one controller to another where technically feasible.
This right to data portability shall not adversely affect the rights and freedoms of others.
Right to withdraw consent
You have the right to withdraw any consent you have given for the processing of your personal data, except where there are legal grounds for processing.
Right to lodge a complaint
If we refuse your request under the Right of access to personal data, we will provide you with the reasons for the refusal. If you are not satisfied with how your request has been handled, please contact us.
Right to assistance from the supervisory authority
You have the right to seek assistance from the competent supervisory authority and to pursue other legal remedies.
Management of cookies
To manage cookies and similar tracking technologies (tracking pixels, web beacons, etc.) and related consent, we use the consent management tool “Real Cookie Banner.” Detailed information on how the Real Cookie Banner tool operates is available at https://devowl.io/rcb/data-processing/.
The legal bases for processing personal data in this context are Article 6(1)(c) and Article 6(1)(f) of the GDPR. Our legitimate interest is the management of cookies and similar technologies and the associated consent.
Providing personal data is not a contractual obligation nor is it necessary for concluding a contract. You are not obliged to provide personal data. If you do not provide personal data, we will be unable to manage your consents.
List of cookies we use
You can view the list of cookies we use on our Cookie Policy page.
Links to other websites
Our website may link to other websites or otherwise include references to information, documents, software, materials and/or services provided by third parties.
Those other websites are not under our control, and we are not responsible for their accuracy, copyright compliance, legality, decency, or any other aspect of the content of such websites, nor are we responsible for any errors or omissions in references to other parties or their products and services. Any inclusion of such a link or reference is provided solely as a convenience and does not imply endorsement or affiliation with the linked website, nor any warranty, express or implied.
If you follow such links, we recommend that you review the privacy settings of the website to which the link leads.
Supervisory authority
In addition to lodging a complaint with us, you may also lodge a complaint with the supervisory authority:
Agency for Personal Data Protection (AZOP)
Selska cesta 136, 10000 Zagreb, Croatia
Phone: +385 1 4609-000
Email: azop@azop.hr
Web: www.azop.hr
Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy.
Last updated: July 22, 2025.
Version 1.0.