Privacy Policy
1. Introduction
This Privacy Policy is issued by programiraj.hr, obrt za računalno programiranje, vl. Marko Hruška (hereinafter: programiraj.hr). programiraj.hr protects your personal data and processes it in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Croatian act implementing the GDPR. The Policy applies to the website www.bookadria.com and the BookAdria platform, including its subdomains (administration, the public booking storefront, the embeddable widget).
2. Controller — contact
- Controller: programiraj.hr
- OIB: 83795940054
- Address: Ulica Ivana Mažuranića 23, Belica
- Email: info@bookadria.com
- Web: www.bookadria.com
3. Roles in processing
With regard to website visitors, enquirers and subscribers (organisers of tours and activities; hereinafter: Organisers), programiraj.hr is the controller. With regard to guests' personal data that Organisers enter or collect through bookings, programiraj.hr is the processor on behalf of the Organiser — the controller of that data is the Organiser with whom the booking was made, and the mutual rights and obligations are governed by the data processing agreement that forms an integral part of the Terms of Service.
4. What data we process and from where
a) Website visitors — technical server logs (IP address, access time, browser data) for security, abuse limitation (rate-limiting) and troubleshooting; cookies as per the Cookie Policy.
b) Enquiries (demo, website creation) — company name, name and surname, email, phone, website address and message content; you provide this data directly.
c) Application to use the service and the subscription relationship — company/sole-trader data (name, OIB, address, web), administrator data (name and surname, email, mobile), the chosen package and the calculation; offers, invoices and payment records.
d) Organiser and employee user accounts — name and surname, email, mobile, role and permissions, password (stored solely in a cryptographically protected form); login records (time, IP address, browser) and last activity, and a change log (who changed what) — for security and accountability.
e) Communication — support messages and a record of sent email and SMS messages (recipient, content, time, delivery status) for proof of delivery and troubleshooting.
f) Guest data (processing on behalf of the Organiser) — name and surname, email, phone, language and booking data (departure, number of participants, amount, payments) and reviews. The data is provided by the guest at booking or entered by the Organiser.
5. Purposes and legal bases
- provision of the Service and performance of the contract (account, bookings, guest notifications, support management) — Art. 6(1)(b) GDPR;
- processing of enquiries and applications (pre-contractual steps at the data subject's request) — Art. 6(1)(b);
- compliance with legal obligations (accounting and tax regulations) — Art. 6(1)(c);
- security, abuse prevention and accountability (login records, change log, sending records, technical logs) — legitimate interest, Art. 6(1)(f);
- visit statistics (Google Analytics) — solely with your consent, Art. 6(1)(a), which you may withdraw at any time.
We do not carry out automated individual decision-making or profiling that would produce legal effects.
6. Recipients of data (processors / sub-processors)
We do not sell data. Access to data is granted only to trusted service providers, to the extent necessary to provide the Service:
- hosting and email infrastructure — hosting of the application, database and sending of email;
- SMS providers — Infobip (EU) and Twilio (USA) — receive the phone number and message content for SMS delivery;
- network resources — a CDN for fonts/icons and map tiles — receive your IP address when the page loads;
- Google Analytics (Google Ireland/USA) — only with consent, with an anonymised IP address;
- accounting and legal advisers and public authorities where required by law.
7. Transfers to third countries
Data is primarily processed within the EU/EEA. Exceptionally, with certain recipients (Twilio, Google) data may be transferred to the USA; such transfers are based on an adequacy decision (EU–U.S. Data Privacy Framework) or the European Commission's standard contractual clauses.
8. Retention periods
- invoices and accounting documentation — 11 years (Accounting Act);
- contractual documentation and subscription-relationship data — for the duration of the relationship and thereafter within statutory limitation periods;
- change log (audit) — 12 months; login records and message-sending records — for the duration of the subscription relationship, for security and proof of delivery;
- enquiries (demo/web) — for as long as the communication regarding the enquiry lasts;
- guest data — the periods are set by the Organiser as controller; upon the end of the subscription relationship they are deleted or anonymised within a reasonable time (see the Terms of Service), unless the law requires longer retention;
- cookies — according to the periods in the Cookie Policy.
9. Your rights
You have the right of access, rectification, erasure, restriction of processing, data portability and objection, and, where processing is based on consent, the right to withdraw consent without affecting the lawfulness of prior processing. Send your request to info@bookadria.com; we will respond without undue delay, within one month at the latest. If you believe your rights have been infringed, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP), azop.hr.
Guests primarily exercise their rights with the Organiser with whom they booked (that Organiser is the controller); a request received at our address will be forwarded to the competent Organiser and we will assist in resolving it.
10. Data security
We apply appropriate technical and organisational measures: encrypted communication, access control, protected password storage and regular backups.
11. Children and the obligation to provide data
The Platform is not intended for persons under 16 and we do not knowingly collect their data. Providing data marked as mandatory is a condition for concluding and performing the contract — without it the service, i.e. the booking, cannot be carried out.
12. Changes to the Privacy Policy
programiraj.hr reserves the right to amend this Policy. Amendments take effect on the day of publication on the website.
Last updated: 10 July 2026.