DATA PROTECTION

Privacy Policy

1. Controller

The controller responsible for data processing on this website is:

Apartments VillaMare
Owner: Morgan Takisha Rebecca
Ulica Baselovici 35
22000 Grebaštica
Croatia

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Croatian data protection law.

2. Hosting and website provision

Our website is hosted by Wix.com Ltd., 40 Namal Tel Aviv St., Tel Aviv 6350671, Israel.
Wix processes data on servers located in the EU, in Israel and, where necessary, in other third countries.

Israel is subject to an adequacy decision by the European Commission. For data transfers to other third countries, Standard Contractual Clauses and additional safeguards are used.

The legal basis for hosting and technical provision of the website is Art. 6 (1) (f) GDPR (legitimate interest in a secure and functional website).

When you visit our website, certain data are automatically stored in server log files, including:

IP address of the requesting device
date and time of access
pages/files accessed
referrer URL
browser type and version, operating system
name of your internet service provider

These data are required to technically provide the website and to protect it against attacks. Log files are usually deleted after a maximum of 30 days, unless further storage is necessary for evidence purposes.

3. Cookies and consent tool

We use cookies on our website. These are small text files stored on your device.

Technically necessary cookies are required for the operation of the website and are set automatically.
Optional cookies (e.g. for statistics or marketing) are only set with your explicit consent via a consent management tool.

Legal bases:

Technically necessary cookies: Art. 6 (1) (f) GDPR (legitimate interest in a secure and functional website)
Optional cookies: Art. 6 (1) (a) GDPR (consent)

You can change or withdraw your cookie consent at any time with effect for the future via the consent tool on our website.

4. Contact (contact form and e-mail)

When you contact us via the contact form or by e-mail, we process the personal data you provide (e.g. name, e-mail address, travel dates, number of guests, message) in order to handle your request and, where applicable, to prepare or fulfil a booking.

Legal bases:

Art. 6 (1) (b) GDPR, where the request relates to a booking or pre-contractual measures
Art. 6 (1) (f) GDPR, for other enquiries (legitimate interest in responding to contact requests)

We store these data only as long as necessary to process your request, or – in case of a booking – as long as required by statutory retention periods (e.g. tax or accounting obligations).

5. Bookings via external platforms (e.g. Booking.com)

Our website may contain links or buttons to external booking platforms (e.g. Booking.com).
When you click such a link or button, you are redirected to the respective platform; from that moment on, the privacy policy of that platform applies.

We receive from the platform only the personal data necessary to manage your booking (e.g. name, contact details, travel dates, number of guests).

The legal basis for this data processing is Art. 6 (1) (b) GDPR (performance of the booking contract).

6. Use of Google services

Where we use services provided by Google Ireland Limited on our website (e.g. Google Fonts, Google Maps, reCAPTCHA), personal data (such as your IP address) may be transmitted to Google servers, including in third countries such as the USA.

Legal bases:

Art. 6 (1) (f) GDPR (legitimate interest in attractive website presentation, functionality and security)
and, where obtained via the consent tool, Art. 6 (1) (a) GDPR (consent)

For international data transfers, Google relies on adequacy decisions (e.g. EU–US Data Privacy Framework) and/or Standard Contractual Clauses.

For further information on data processing by Google, please refer to Google’s Privacy Policy:
https://policies.google.com/privacy

7. Your rights

With regard to your personal data, you have the following rights under the GDPR:

right of access (Art. 15 GDPR)
right to rectification (Art. 16 GDPR)
right to erasure (Art. 17 GDPR)
right to restriction of processing (Art. 18 GDPR)
right to data portability (Art. 20 GDPR)
right to object to certain processing activities (Art. 21 GDPR)
right to withdraw consent at any time with effect for the future (Art. 7 (3) GDPR)

You can exercise these rights at any time by contacting us using the contact details provided in section 1.

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

8. Supervisory authority

The competent supervisory authority in Croatia is:

Agencija za zaštitu osobnih podataka (AZOP)
Ulica Metela Ožegovića 16
HR – 10 000 Zagreb
Croatia

E-mail: azop@azop.hr
Website: https://azop.hr

9. Data security and storage periods

We use SSL/TLS encryption to protect your data during transmission. You can recognise an encrypted connection by the prefix “https://” and the lock symbol in your browser’s address bar.

We also implement appropriate technical and organisational measures to protect your data against loss, misuse and unauthorised access.

We store personal data only for as long as necessary to fulfil the respective purposes or as long as required by statutory retention obligations. After that, the data are deleted or anonymised.

10. Changes to this Privacy Policy

This Privacy Policy is currently valid (status: January 2026).

We may update this Privacy Policy if our website or the legal framework changes. The latest version is always available on this website.