Legal

Privacy Policy

How we collect, use, and protect your personal data

Last updated: 18 March 2026  |  Effective date: 18 March 2026

1. Data Controller

The data controller responsible for your personal data is:

Motovun Villas Management d.o.o.
Company's seat: Trscanska 22, 52100 Pula, Croatia
OIB: 28570916017
Email: dlazukic@motovunvillas.com
Phone: +385 97 769 1977

2. What Data We Collect

We collect the following categories of personal data:

2.1 Data You Provide Directly

  • Contact information: name, email address, phone number — when you submit our contact form or make a booking inquiry
  • Booking information: check-in/check-out dates, number of guests, villa preferences — when you make a reservation
  • Communication data: the content of messages you send to us via our contact form or email

2.2 Data Collected Automatically

  • Technical data: IP address, browser type, operating system, device information
  • Usage data: pages visited, time spent on pages, referral source
  • Cookie data: as described in Section 7 below

2.3 Payment Data

All payment processing is handled exclusively by Stripe, Inc. (a PCI DSS Level 1 certified payment processor). We do not collect, store, or have access to your credit card numbers, debit card numbers, or any other payment card details. Stripe processes your payment data in accordance with their own Privacy Policy. We only receive a confirmation of successful payment, the transaction amount, and a unique transaction ID.

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): to process your booking, manage your reservation, and provide our accommodation services
  • Legitimate interests (Art. 6(1)(f) GDPR): to improve our website, respond to inquiries, prevent fraud, and for internal administrative purposes
  • Legal obligation (Art. 6(1)(c) GDPR): to comply with Croatian tax law, tourism regulations, and guest registration requirements (Croatian Tourism Act)
  • Consent (Art. 6(1)(a) GDPR): for optional marketing communications and non-essential cookies — you may withdraw consent at any time

4. How We Use Your Data

We use your personal data for the following purposes:

  • Processing and managing villa bookings and reservations
  • Communicating with you regarding your booking or inquiries
  • Mandatory guest registration with Croatian tourist authorities (as required by the Croatian Tourism Act)
  • Processing payments through our payment processor (Stripe)
  • Sending booking confirmations and pre-arrival information
  • Improving our website and services
  • Complying with legal and tax obligations
  • Sending marketing communications (only with your explicit consent)

5. Data Sharing and Third Parties

We share your personal data only with the following categories of recipients:

  • Stripe, Inc. — payment processing (based in the US; data transfers are covered by Standard Contractual Clauses and Stripe's Data Processing Agreement)
  • Supabase, Inc. — secure database hosting for booking management
  • Croatian tourist authorities — mandatory guest registration (eVisitor system) as required by law
  • Tax authorities — as required by Croatian and EU tax regulations

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

6. International Data Transfers

Some of our service providers (Stripe, Supabase) are based in the United States. Any transfer of personal data outside the European Economic Area (EEA) is protected by:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Appropriate supplementary measures as required by GDPR

7. Cookies

Our website uses the following types of cookies:

  • Strictly necessary cookies: required for the website to function (e.g., session management). These do not require consent.
  • Functionality cookies: to remember your preferences (e.g., language selection)
  • Analytics cookies: to understand how visitors use our website and improve our services

You can control cookie preferences through your browser settings. Disabling certain cookies may affect website functionality.

8. Data Retention

We retain your personal data only for as long as necessary:

  • Booking data: for the duration of your stay plus 11 years (as required by Croatian tax and accounting regulations)
  • Contact form inquiries: up to 2 years, unless a booking is made
  • Guest registration data: as required by the Croatian Tourism Act
  • Marketing consent records: for the duration of consent plus 1 year
  • Website analytics: aggregated and anonymised after 26 months

9. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15) — obtain a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
  • Right to restriction (Art. 18) — limit how we process your data
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at dlazukic@motovunvillas.com. We will respond within 30 days of receiving your request.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • SSL/TLS encryption for all data transmitted through our website
  • Secure hosting infrastructure with access controls
  • PCI DSS-compliant payment processing through Stripe (we never handle or store card data)
  • Regular security reviews and updates

11. Children's Privacy

Our website is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority:

Agencija za zastitu osobnih podataka (AZOP)
Croatian Personal Data Protection Agency
Selska cesta 136, 10000 Zagreb, Croatia
Website: azop.hr
Email: azop@azop.hr

13. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.

14. Contact Us

For any questions or concerns about this Privacy Policy or your personal data, please contact:

Motovun Villas Management d.o.o.
Email: dlazukic@motovunvillas.com
Phone: +385 97 769 1977
Address: Company's seat: Trscanska 22, 52100 Pula, Croatia