Skip to main content
Šibenik — panorama across the old town to the channel and St. Nicholas Fortress
Your data

Privacy Policy

Privacy policy for the Šibenik Old Town House website

0. Controller

Responsible for the processing of personal data on this website (Art. 4 (7) GDPR):
Šibenik Old Town House
Biskupa Fosca 9, 22000 Šibenik, Hrvatska
Phone: +43 664 1839903
Email: info@sibenikoldtownhouse.com

1. Data Protection at a Glance

The following notices provide a simple overview of what happens to your personal data when you visit this website.

2. Data Collection on This Website

Cookies

This website uses only technically necessary cookies. No tracking or analytics cookies are used.

Contact Form

When you send us inquiries via the contact form, your data from the form, including the contact details you provide, will be stored for the purpose of processing your inquiry. Legal basis: Art. 6 (1) b GDPR (pre-contractual measures at your request).

Retention: Inquiries that do not lead to a contract are deleted 12 months after receipt. Confirmed bookings are retained for the duration of the Croatian tax-record-keeping obligation (currently 11 years for paušal tax records), then deleted.

WhatsApp

When you click the WhatsApp button on this site, you will be redirected to WhatsApp (Meta Platforms Inc., USA). Your phone number and connection metadata are processed by Meta. The chat content itself is end-to-end encrypted between you and us.

eVisitor — Mandatory guest registration (HR)

Croatian tourism law (Zakon o boravišnoj pristojbi) requires us to register every overnight guest with the Croatian National Tourist Board via the eVisitor system within 24 hours of arrival. For this purpose we collect and transmit the following data per guest:

  • Full name, date of birth, nationality
  • ID/passport type and number
  • Check-in and check-out dates

Legal basis: Art. 6 (1) c GDPR in conjunction with the Croatian Sojourn Tax Act. Recipient: Croatian National Tourist Board / Ministry of Interior (MUP). Retention: legally mandated periods (typically several years for tourism and tax records). The transmission is mandatory; without it we cannot accommodate you.

Server logs & anti-spam

When you submit the booking form, we store your IP address and browser user-agent string for up to 30 days. Purpose: protection against bots and spam (rate-limiting). Legal basis: Art. 6 (1) f GDPR (legitimate interest in operating a non-abusive service). After 30 days these audit fields are anonymised; the booking record itself is retained longer for tax and legal-defence reasons (see retention below).

eVisitor data retention

Passport / ID-card data we collect for the eVisitor registration (see section above) is automatically deleted from our internal records 30 days after your departure. The original transmission to the Croatian National Tourist Board is retained by them on the legal periods set by Croatian law.

3. Third-party processors & international transfers

We use the following processors. Data processing agreements (DPAs) are in place with each. Transfers to the USA are based on the EU-US Data Privacy Framework (DPF) and EU Standard Contractual Clauses (SCCs).

Cloudflare — Hosting, database, storage, admin access

Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. EU-US DPF certified. We use:

  • Pages — static + server-side rendering
  • D1 — booking database (EU region)
  • R2 — image storage (EU region)
  • Access — authentication for the admin area

Server logs (IP addresses, request paths) are kept by Cloudflare for up to 14 days for security and abuse-prevention purposes.

Resend — Transactional e-mail

Resend, Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA. EU-US DPF certified. Sends booking confirmation e-mails to you and notification e-mails to us. Recipient address, inquiry content and IP of the sending server are processed.

Telegram — Push notifications (owner-side only)

Telegram FZ-LLC, Dubai, UAE. Used optionally by the owner to receive a push notification when a new inquiry arrives. Your inquiry text, name and dates are forwarded to the owner's personal Telegram chat. If you object to this routing, please write to us on the contact address below — we can disable Telegram and keep e-mail-only notifications.

WhatsApp / Meta — only on click

See the WhatsApp section above. Loaded only after explicit consent in the dialog.

4. Your Rights

You have the right to access (Art. 15), rectification (Art. 16), deletion (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21) regarding your personal data. To exercise these rights, write to the controller address above. We will reply within one month.

Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). Our lead supervisory authority is:

Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10000 Zagreb, Croatia
azop.hr

Guests resident in Germany may also contact their state data protection authority (e.g. LfDI BW, BfDI).

5. Contact

For data protection inquiries, please contact:
Šibenik Old Town House
info@sibenikoldtownhouse.com

This site stores your language and cookie choice locally in your browser. We do not use tracking or analytics cookies.