Privacy Policy
How NATKA collects, uses, and protects personal information. Last updated: 2026-04-16.
Legal review required. This page is a working draft based on standard Croatian and EU GDPR-compliant privacy boilerplate. Before publishing, please have it reviewed by qualified legal counsel and complete the company-specific fields marked [OWNER TO COMPLETE].
1. Who we are
NATKA is the operating brand for accommodation services run by the Osmanović family in Rovinj, Croatia. For the purposes of this Privacy Policy, the data controller is:
- Legal entity name: [OWNER TO COMPLETE]
- OIB (Croatian tax number): [OWNER TO COMPLETE]
- Registered address: [OWNER TO COMPLETE]
- Contact for privacy matters: osmanovic.bundo@gmail.com
- Phone: +385 95 399 8089
References in this document to "we", "us", or "NATKA" refer to the legal entity above.
2. What this policy covers
This Privacy Policy explains how we collect, use, store, share, and protect personal data when you:
- visit any NATKA website (this site at [domain TBD]) or its language variants;
- make a reservation at one of our properties — Hotel Boutique Natka, Bella Natka, or Villa Natka — directly via our Rentlio booking widget, by email, or by phone;
- stay at one of our properties (in-stay data, e.g. registration form, identification);
- contact us with a general inquiry, request, or complaint;
- subscribe to any future communications we may offer.
For bookings made through third-party booking platforms (Booking.com, etc.), the platform is the initial data controller for booking data. We become a controller for the data the platform shares with us as your accommodation provider.
3. Personal data we collect
Data you give us directly
- Full name and contact details (email, phone, postal address)
- Identification (passport or ID card number, country of issue) — collected at check-in as required by Croatian law for guest registration
- Payment-card details (processed by our payment provider; we do not store full card numbers)
- Travel details (arrival/departure, number of guests, child ages where relevant, special requests)
- Communication content (the messages, emails, and call notes you exchange with us)
Data we collect automatically
- Device and browser information (IP address, browser type, OS, device type)
- Pages visited, time on page, navigation paths (where analytics are enabled)
- Cookies and similar technologies (see Section 8)
Data we receive from third parties
- Booking platforms (e.g. Booking.com) when you book through them: name, contact, dates, room type, payment status
- Payment processors: confirmation that payment has been authorised
- Channel-management software (Rentlio): aggregated booking data
4. Why we collect it (purposes and legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Process and manage your reservation and stay | Performance of contract |
| Comply with Croatian guest-registration law (eVisitor) | Legal obligation |
| Issue invoices and meet tax-record obligations | Legal obligation |
| Respond to inquiries, requests, and complaints | Legitimate interest / contract |
| Improve our website and services | Legitimate interest |
| Send transactional emails (booking confirmations, pre-arrival info) | Performance of contract |
| Send marketing communications (if and only if offered, with your consent) | Consent |
| Defend or pursue legal claims | Legitimate interest / legal obligation |
5. Croatian guest registration (eVisitor)
Under Croatian law, accommodation providers must register every guest staying overnight in the eVisitor system, operated by the Croatian National Tourist Board. We submit the legally required guest information — name, date of birth, nationality, ID document type and number, dates of stay — to eVisitor. This is a legal obligation under the Croatian Hospitality Industry Act and the law on tourist tax. You cannot opt out of this registration if you stay in accommodation in Croatia.
6. Sharing your data
We share personal data only where necessary, and only with:
- eVisitor (Croatian National Tourist Board) — guest registration as required by law.
- Tax authorities — invoice and stay records as required by law.
- Booking platforms (Booking.com, etc.) — communication and modifications related to bookings made through that platform.
- Rentlio — our booking-engine and channel-management provider.
- Payment processors — to process payments at the time of booking and on site.
- Email and IT service providers — hosting, email delivery, and analytics, where we use them.
- Legal and professional advisors — accountants, lawyers, where reasonably required.
- Public authorities — police or courts where required by law.
We do not sell personal data to anyone, ever.
7. International transfers
Most of our processors are located within the European Economic Area (EEA). Where a processor is outside the EEA (for example, a US-based analytics or email provider), we rely on standard contractual clauses or other approved transfer mechanisms under GDPR.
8. Cookies and analytics
This website uses cookies and similar technologies. Categories used:
- Strictly necessary cookies — required for the site to function (booking widget, language preference). These do not require consent.
- Analytics cookies — anonymised or pseudonymised, to measure visitor patterns and improve the site. Used only where you have consented via the cookie banner.
- Marketing cookies — only set with your explicit consent via the cookie banner.
You can manage cookie preferences via the banner on first visit, change them at any time via [link TBD], and disable cookies in your browser settings.
9. Data retention
We keep personal data only as long as needed for the purposes for which it was collected, and for any longer period required by law:
| Data | Retention |
|---|---|
| Booking and stay records | At least 11 years (Croatian tax-record obligation) |
| Invoices | 11 years (Croatian tax law) |
| eVisitor records | As required by Croatian law |
| Inquiries via the contact form (no booking made) | Up to 24 months from last contact |
| Marketing consent (if collected) | Until you withdraw consent |
| Website analytics (anonymised/pseudonymised) | Up to 26 months |
10. Security
We protect personal data with reasonable technical and organisational measures: access controls, secure hosting, TLS encryption for data in transit, and limited access on a need-to-know basis. No system is perfectly secure; we work to minimise risk and respond promptly if anything goes wrong.
11. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — ask us to delete data, subject to legal-retention obligations.
- Restriction — ask us to limit processing in certain circumstances.
- Portability — receive your data in a portable format.
- Object — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — at any time where processing is based on consent.
- Lodge a complaint — with the Croatian Personal Data Protection Agency (AZOP), www.azop.hr.
To exercise any right, write to osmanovic.bundo@gmail.com. We respond within 30 days.
12. Children
Our properties welcome children, but our website is not directed at children under 16. We do not knowingly collect personal data from children under 16 without parental consent.
13. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be flagged on the homepage banner.
14. Contact
Questions about this Privacy Policy or your personal data:
- Email: osmanovic.bundo@gmail.com
- Phone: +385 95 399 8089