Legal

Privacy Policy

As of: Mai 2026

Please note: only the German version of this document is legally binding. This translation is provided for your convenience.

Introduction

This Privacy Policy explains how your personal data is collected, used, and processed in connection with your use of our website and the booking of our apartments. Please note that data transmission over the internet may carry security risks — complete protection of your data against access by third parties is not possible.

As a rule, our website may be used without providing personal data. However, certain data (e.g. pages accessed, date and time) is automatically stored for statistical purposes each time the website is accessed, without us being able to attribute this directly to you. We only collect personal data such as your name, address, or e-mail address if you voluntarily provide it to us. Such data is only passed on to third parties in the cases described in this policy, or with your express consent.

Controller

The controller within the meaning of data protection law (in particular the EU General Data Protection Regulation, GDPR) is:

Ruža Balta
Vizinada 75c
52460 Buje, Croatia
E-mail: [email protected]

As the controller, we determine the purposes and means of processing your personal data.

Data Security and Encryption

To protect your data during transmission, we use current encryption technologies (such as SSL/TLS) over HTTPS. You can recognise an encrypted connection by the address bar in your browser changing from "http://" to "https://" and by a padlock symbol appearing in the browser bar. When SSL/TLS encryption is active, data you transmit to us cannot be read by third parties.

Processing of Personal Data

The legal bases for processing your personal data are set out in the GDPR. We primarily rely on:

  • Your consent (Art. 6(1)(a) GDPR): Where you have given us consent to process your data, e.g. by agreeing to receive a newsletter or to the use of certain cookies. You may withdraw your consent at any time with effect for the future.
  • Performance of a contract (Art. 6(1)(b) GDPR): Where processing your data is necessary to perform a contract with you or to take pre-contractual steps — for example, to process your booking enquiry and carry out the rental agreement.
  • Legitimate interests (Art. 6(1)(f) GDPR): Where we have a legitimate interest in processing, e.g. to ensure the stability and functionality of our website or to improve our services.

Disclosure and Retention

Your personal data is only disclosed to third parties in the following cases: where this is necessary to fulfil our contractual obligations or legal requirements, or where you have expressly given your consent. Potential recipients of such data include in particular payment service providers for the processing of payments, or authorities and public bodies where we are legally required to do so (for example, reporting guest data to local authorities for tourism tax purposes).

We retain your personal data only for as long as necessary for the respective purpose. Booking data is retained for as long as required for the processing and completion of your booking, and thereafter in accordance with statutory retention periods.

Guest Registration (eVisitor)

Under Croatian law, we are required to register all guests in the national registration system eVisitor. For this purpose, we collect the following data upon your arrival: name, date of birth, nationality, identity document details, and length of stay. This data is transmitted to the competent Croatian authorities. The legal basis for this processing is the fulfilment of a legal obligation (Art. 6(1)(c) GDPR).

Hosting and Content Delivery Network (Cloudflare)

Our website is hosted by Cloudflare (Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA; represented within the European Union by Cloudflare Germany GmbH, Rosental 7, 80331 Munich). Cloudflare provides website delivery (Cloudflare Pages), server-side functions, a content delivery network, and security services. When you access our site, Cloudflare automatically processes technical access data — in particular your IP address — to ensure the delivery, availability, and security of the website.

To protect against spam and automated access, we use the Cloudflare Turnstile service. To limit abusive requests (rate limiting) and for security-related logging, IP addresses are stored for a limited period in Cloudflare storage services (Workers KV). Data relating to confirmed bookings is additionally stored in a Cloudflare database (D1).

The legal basis is our legitimate interest in the secure, stable, and efficient operation of the website (Art. 6(1)(f) GDPR) as well as contract performance (Art. 6(1)(b) GDPR). Cloudflare acts as a data processor on our behalf; we have entered into a data processing agreement in accordance with Art. 28 GDPR. Data transfers to the USA are safeguarded on the basis of appropriate guarantees (EU Standard Contractual Clauses and/or the EU-US Data Privacy Framework). Further information: cloudflare.com/privacypolicy.

Booking System (Smoobu)

We use the booking system Smoobu (Smoobu GmbH, Wönnichstr. 68/70, 10317 Berlin, Germany) to manage reservations and bookings. When you make a binding booking via our website, the necessary contractual and booking data (in particular name, contact details, address, and length of stay) is transmitted to and stored by Smoobu. Smoobu is not the host of our website; general enquiries submitted via our enquiry form are not transmitted to Smoobu.

The legal basis is the performance of our contract with you (Art. 6(1)(b) GDPR). Smoobu acts as a data processor on our behalf; we have entered into a data processing agreement with Smoobu in accordance with Art. 28 GDPR. Further information on data protection at Smoobu can be found at: smoobu.com/de/datenschutz.

E-mail Delivery (Resend)

For the sending of our e-mails — in particular the confirmation of your enquiry, booking confirmations, and related notifications — we use the service Resend (Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA). In this process, your e-mail address and the content of the relevant message are processed.

The legal basis is the processing of your enquiry and/or contract performance (Art. 6(1)(b) GDPR), as well as our legitimate interest in reliable communication (Art. 6(1)(f) GDPR). Resend acts as a data processor on our behalf; data transfers to the USA are safeguarded on the basis of appropriate guarantees (EU Standard Contractual Clauses and/or the EU-US Data Privacy Framework). Further information: resend.com/legal/privacy-policy.

Payment Processing

For the processing of payments for bookings, we engage external payment service providers. Your data is transmitted to these providers on the basis of Art. 6(1)(b) GDPR (processing for the performance of a contract).

PayPal

If you choose PayPal as your payment method, payment is processed by the online payment service provider PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg. Please note that we do not have full control over data processing by PayPal. Further information: paypal.com/de/webapps/mpp/ua/privacy-full.

Stripe (Credit Card)

If you choose to pay by credit card, payment is processed by the payment service provider Stripe Payments Europe Ltd., Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland. Further information: stripe.com/privacy.

Video Surveillance

The driveway and car park at the Villakasandra property are under video surveillance. The purpose of this surveillance is to protect our property, ensure the safety of our guests, and to detect and prevent criminal offences.

The legal basis for video surveillance is our legitimate interest in exercising our right of domicile and protecting our property (Art. 6(1)(f) GDPR). The monitored areas are indicated by appropriate signs on site.

Retention period: Recordings are regularly overwritten unless an incident justifies longer retention. Recordings are only shared with the competent authorities or insurers in the event of an incident.

Contact

If you contact us (e.g. by e-mail or via a contact form), your details, including the contact information you have provided, are stored for the purpose of processing your enquiry and any follow-up questions. We do not share this data without your consent.

Cookies

Our website uses cookies. Cookies are small text files stored on your device when you visit a website. They help make the online service more user-friendly and effective overall.

Essential Cookies

These cookies are essential for the basic functionality of the website (e.g. for the booking process). The legal basis is our legitimate interest (Art. 6(1)(f) GDPR) or contract performance (Art. 6(1)(b) GDPR).

Analytics and Marketing Cookies

These cookies (e.g. for Google Analytics) help us understand how visitors use the website. They are only set if you have given us your express consent (Art. 6(1)(a) GDPR) via the cookie banner.

You may withdraw your consent at any time or adjust your browser settings to restrict or delete cookies.

Google Analytics

If you have given your consent (Art. 6(1)(a) GDPR), this website uses Google Analytics, a web analytics service provided by Google Ireland Limited. We use Google Analytics with IP anonymisation enabled. As a result, your IP address is shortened by Google within the EU/EEA before transmission to the USA.

You may withdraw your consent at any time by changing your settings in our cookie banner. Further information on data protection at Google: policies.google.com/privacy.

Google Maps

We embed maps from the Google Maps service provided by Google Ireland Limited on our website to display geographical information. The legal basis is your consent (Art. 6(1)(a) GDPR) or our legitimate interest (Art. 6(1)(f) GDPR).

Server Log Files

Our website provider automatically collects and stores information in server log files that your browser transmits on access: date and time of access, page requested (URL), referrer URL, browser type and version, operating system used, and anonymised IP address. This data is not merged with other data sources.

Your Rights as a Data Subject

With regard to your data stored by us, you have comprehensive rights under the GDPR:

  • Right of access (Art. 15 GDPR): You have the right to request information about your personal data processed by us.
  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data or the completion of incomplete data held by us.
  • Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no legal retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you may request that the processing of your data be restricted.
  • Right to data portability (Art. 20 GDPR): You have the right to receive data in a common, machine-readable format.
  • Right to object (Art. 21 GDPR): You have the right to object to the processing of your data.
  • Right to withdraw consent (Art. 7(3) GDPR): You may withdraw any consent you have given at any time with effect for the future.
  • Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority.

To exercise these rights, please contact the controller named above.

Updates to this Privacy Policy

We review this Privacy Policy regularly and update it as necessary to meet current legal requirements or changes to our services. The current version is always available on our website.

Back to home