1. Who we are and what this Policy covers
This Privacy Policy explains how OTRA d.o.o., through its branch OTRA d.o.o., Podružnica Turistička agencija Cres Lošinj, Pod urom 8, 51557 Cres, e-mail: info@todocreslosinj.com (hereinafter: OTRA, we, us), collects, uses, shares and protects the personal data of users of the To Do Cres & Lošinj platform available at https://todocreslosinj.com (hereinafter: the Platform).
This Policy applies to visitors to the Platform, Customers who browse or purchase services, persons who create a user account, representatives of Suppliers, and other persons who contact us by e-mail, telephone or otherwise in connection with the Platform.
2. Data controller and contact details
The controller of personal data is OTRA d.o.o., through its branch OTRA d.o.o., Podružnica Turistička agencija Cres Lošinj, Pod urom 8, 51557 Cres.
For any questions concerning the processing of personal data or the exercise of your rights, you may contact us at: info@todocreslosinj.com.
3. What personal data we collect
Depending on how you use the Platform, we may collect the following categories of personal data:
- identification and contact data (first and last name, e-mail address, telephone number, address where required for an invoice or contractual documentation);
- data relating to the user account (username, password in encrypted form, account settings, booking history);
- data relating to the booking and performance of the Service (selected service, date and time, number of participants, special requests, booking-related communication, booking status and any complaint);
- transaction data (amount, currency, payment status, transaction identifier, payment method to the extent provided to us by the payment service provider);
- technical and usage data (IP address, browser type and version, operating system, system logs, device identifiers, access time, pages viewed, clicks and other data concerning use of the Platform);
- communication data (messages, enquiries, complaints, ratings and feedback sent to us).
As a rule, we do not request special categories of personal data (for example, health data), unless they are exceptionally necessary for the performance of a specific Service and there is an appropriate legal basis for such processing. In such cases, we will request only the data that are necessary and will process them with particular care and restricted access.
4. From which sources we collect data
We collect personal data:
- directly from you when you enter them in a registration, purchase or contact form;
- automatically, through cookies and similar technologies when you use the Platform;
- from Suppliers, where this is necessary for the performance of a booking, handling of a complaint or processing of a refund;
- from payment service providers to the extent necessary for transaction confirmation and record-keeping.
5. Purposes of processing and legal bases
We process personal data only where there is an appropriate legal basis. The most common purposes of processing and legal bases are:
- performance of a contract or taking steps at your request prior to entering into a contract – for the purpose of creating a user account, processing purchases, communicating about purchases, fulfilling obligations towards Customers and Suppliers, and processing cancellations and refunds;
- compliance with legal obligations – for accounting, tax obligations, record-keeping, responding to requests from competent authorities and exercising consumer rights;
- OTRA’s legitimate interests – for protecting the security of the Platform, preventing fraud and misuse, maintaining logs, usage analytics, improving user experience, defending legal claims and internal administration;
- consent – where it is required for sending newsletters, marketing communications, certain types of cookies or processing data that are not necessary for the performance of a contract or compliance with a legal obligation.
Where we rely on consent as the legal basis for processing, you may withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
6. To whom we disclose personal data
We share personal data only where necessary and to a proportionate extent, in particular with the following categories of recipients:
- Suppliers – to the extent necessary for the performance of a booking, communication before and during provision of the Service, and handling of complaints and refunds;
- payment service providers – for the processing of online payments, transaction confirmation, refunds and fraud prevention;
- IT, hosting and communications service providers – who maintain the Platform, security systems, data storage, e-mail and similar functionalities;
- accounting, legal and other professional advisers – where necessary for orderly business operations and for establishing, exercising or defending legal claims;
- competent public authorities, courts, regulators and law-enforcement authorities – where necessary to comply with a legal obligation or to protect the rights of OTRA, Suppliers, Customers or third parties.
- Suppliers generally act as separate controllers in relation to the personal data they receive for the purpose of performing their Service. In relation to the processing of payment data, payment service providers may act as separate controllers or as processors, depending on their role in the specific transaction.
7. International data transfers
As a rule, we seek to process personal data within the European Economic Area. Where the provision of a particular service or the use of a particular supplier requires the transfer of personal data outside the European Economic Area, we will ensure that such transfer is carried out subject to appropriate safeguards in accordance with applicable personal data protection legislation, for example on the basis of an adequacy decision, standard contractual clauses or another lawful transfer mechanism.
8. How long we retain data
We retain personal data only for as long as is necessary to fulfil the purpose for which they were collected, unless a longer retention period is required or permitted by law.
- user account data are retained for as long as the account is active and for a reasonable period after its closure for the purpose of handling possible requests, disputes and security checks;
- data concerning purchases, payments and accounting documentation are retained in accordance with the prescribed retention periods for financial and tax documentation;
- data concerning communications, complaints and claims are retained for as long as is necessary to resolve the matter and, where applicable, to defend legal claims;
- technical records and security logs are retained for a period proportionate to the purposes of security, misuse prevention and system maintenance.
9. Cookies and similar technologies
The Platform may use cookies and similar technologies for essential functionality, security, analytics and – where you have given your consent – marketing and personalisation. Cookies are small text files stored on your device when you visit a website.
You can control cookies through your browser settings and, where applicable, through the consent management tool on the Platform. Disabling certain cookies may affect the functionality of the Platform.
10. Data security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, unauthorised alteration or destruction. Such measures include access management, access logs, encryption where proportionate and applicable, backups, contractual restrictions imposed on service providers and internal procedures.
Although we take reasonable security measures, no transmission of data over the internet or electronic storage system can be absolutely secure. We therefore cannot guarantee absolute security, but we continuously work to reduce risks.
11. Your rights
In accordance with applicable personal data protection legislation, you have the right to request:
- access to your personal data;
- rectification of inaccurate personal data or completion of incomplete personal data;
- erasure of personal data where the statutory conditions are met;
- restriction of processing;
- data portability where the statutory conditions are met;
- objection to processing based on legitimate interests;
- withdrawal of consent at any time where processing is based on consent.
To exercise your rights, you may contact us at info@todocreslosinj.com. To protect privacy and security, we may ask you to provide additional confirmation of identity before acting on your request. If you consider that the processing of your data is unlawful, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) or another competent supervisory authority.
12. Relationship with Suppliers and payment providers
OTRA operates the Platform as an intermediary platform. When a Customer purchases a Service, part of the data must necessarily be forwarded to the relevant Supplier for the purpose of performing the Service. Once the Supplier receives those data and starts using them for the performance of the Service and for complying with its legal obligations, the Supplier may act as a separate controller and is responsible for its own processing of data in accordance with its privacy rules and applicable legislation.
Online payments are processed by external payment service providers. The processing of payment data by those providers is governed by their privacy rules and terms of business.
13. Children
The Platform is not intended for persons under the age of 18 for independent registration and purchase. If we become aware that we have collected a child’s personal data without the appropriate consent of a parent or guardian where such consent is required, we will take reasonable steps to erase those data.
14. Changes to this Policy
We may amend this Privacy Policy from time to time in order to comply with legislation, technological changes, changes in business operations or changes in the organisation of the Platform. The updated version will be published on the Platform together with its effective date. We recommend that you review this Policy periodically in order to stay informed of any changes.
15. Effective date
This Privacy Policy applies from the date of its publication on the Platform.