Privacy Policy
This Privacy Policy explains how Apartments Pula collects, uses and protects your personal data in accordance with GDPR and applicable Croatian law.
Last updated: 2026-02-16
1. Data controller
The data controller responsible for processing your personal data is:
Dejan Mihelac (OIB: 93409697905)
Flanatička 37, 52100 Pula, Croatia
Phone: +385 97 7989 422
E-mail: info@apartments-pula.eu
If you have any questions about this Privacy Policy or how we process your personal data, you can contact us using the details above.
2. What data we collect
We collect and process only the data that is necessary to provide our services and comply with our legal obligations. Depending on the situation, this may include:
- Identification and contact details – first and last name, address, e-mail address, telephone number, nationality, date of birth.
- Booking details – dates of stay, number of guests, apartment type, special requests or preferences you share with us.
- Legal registration data – data required for registration of guests in the Croatian eVisitor system (for example citizenship, type and number of ID or passport, place and date of birth), as prescribed by Croatian tourism and residence laws.
- Payment information – information about payment method and status (we do not store full card numbers when payment is processed via external providers).
- Communication data – the content of your messages and enquiries sent via our contact form, e-mail, phone or through booking platforms.
- Website usage data – IP address, date and time of access, pages visited, information about your browser and device, and cookies (see section 8).
3. How we collect your data
We obtain personal data in the following ways:
- directly from you when you make an enquiry or booking via our website, e-mail or phone;
- via online booking platforms (such as Booking.com or similar), when you choose to book Apartments Pula through those services;
- during check-in at the property, when we are legally obliged to collect your data for guest registration (eVisitor and other mandatory records);
- automatically, when you visit our website, through server logs and cookies.
4. Purposes and legal bases for processing
We process your personal data for the following purposes and based on the following legal grounds under Article 6 GDPR:
- Booking and performance of the accommodation contract
To process your enquiry or booking, confirm the reservation, communicate with you about your stay and provide accommodation and related services.
Legal basis: performance of a contract or steps taken at your request prior to entering into a contract (Art. 6(1)(b) GDPR).
- Compliance with legal obligations
To register guests in the eVisitor system and keep records required by Croatian tourism, foreigner registration and tax regulations.
Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
- Communication and support
To respond to your questions, handle requests or complaints and provide customer support.
Legal basis: performance of a contract / legitimate interest (Art. 6(1)(b) and 6(1)(f) GDPR).
- Security and prevention of misuse
To protect our website, our property and other guests, and to prevent fraud or misuse of our services.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
- Direct communication with existing guests
We may occasionally contact you with important information related to your previous stay or to remind you of seasonal offers that may be relevant to you.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR), with the option to opt out at any time.
- Marketing communications and optional cookies
If you subscribe to a newsletter or accept non-essential cookies (for example analytics), we process data based on your explicit consent.
Legal basis: consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time.
5. Who we share your data with
We do not sell your data. We share it only when necessary, with:
- Booking platforms – when you use services such as Booking.com (or similar), some of your data is processed by the platform according to their own privacy policy.
- Payment service providers and banks – for processing payments and refunds.
- Public authorities – tourist boards, police, tax authorities and other public bodies, when required by law (eVisitor registration, residence reporting, invoicing, tax records and similar).
- IT and hosting providers – companies that maintain our website, server or e-mail, strictly for the purpose of providing these services.
- Professional advisers – such as accountants or legal advisers, when necessary to comply with our legal obligations.
All such recipients are required to protect your data in accordance with applicable data protection laws and to process it only for the agreed purposes.
6. International data transfers
Our servers are located in the European Union. However, some of our service providers or booking platforms may process data outside the EU/EEA (for example global booking websites or cloud services).
In such cases we ensure that appropriate safeguards are in place, such as an adequacy decision by the European Commission, or standard contractual clauses approved by the European Commission, together with additional measures where necessary.
7. How long we keep your data
We keep personal data only for as long as necessary for the purposes described in this Policy or as required by law. The main retention periods are:
- Booking and billing records – generally kept for 5–11 years in accordance with Croatian accounting and tax regulations.
- Guest registration records (eVisitor) – kept for the period prescribed by Croatian tourism legislation.
- Communication data (e-mails, enquiries) – usually up to 2 years after the end of the calendar year in which the communication took place, unless a longer period is justified (for example an ongoing dispute).
- Website logs – typically kept for up to 6 months for security and maintenance.
- Marketing / newsletter data – until you withdraw your consent or unsubscribe.
After the retention period expires, personal data is securely deleted or anonymised.
8. Cookies and website analytics
Our website uses cookies and similar technologies to function correctly and, where enabled, to help us understand how visitors use the site.
- Necessary cookies – required for the website to work (for example language settings, security and basic functionality). These cookies are always active and do not require consent.
- Optional cookies (for example analytics or marketing cookies) – used only if you give your consent via the cookie banner. You can withdraw your consent at any time by changing your cookie settings in the browser or through our cookie banner (where available).
The exact list of cookies and analytics tools used on this website may change over time. Where we use third-party tools (for example Google Analytics), those providers may act as independent controllers of your data in accordance with their own privacy policies.
For more details about cookies, please see our Cookies Policy.
9. Your rights under GDPR
As a data subject, you have the following rights regarding your personal data:
- Right of access – to know whether we process your data and to receive a copy.
- Right to rectification – to have inaccurate or incomplete data corrected.
- Right to erasure ('right to be forgotten') – to request deletion of your data where there is no longer a legal basis for its processing.
- Right to restriction of processing – to request that we temporarily limit the processing of your data in certain situations.
- Right to data portability – to receive your data in a structured, commonly used and machine-readable format and transmit it to another controller, where technically feasible.
- Right to object – to object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent – where processing is based on your consent, you can withdraw it at any time (this does not affect the lawfulness of processing before withdrawal).
To exercise any of these rights, please contact us at info@apartments-pula.eu. We may need to verify your identity before fulfilling your request.
You also have the right to lodge a complaint with the competent supervisory authority:
Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10000 Zagreb, Croatia
Website: azop.hr
10. Data security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse or disclosure. These measures include restricting access to data only to persons who need it to perform their duties, using secure connections, keeping software up to date and regularly reviewing our security practices.
11. Children
Our services are intended for adults. We do not knowingly collect personal data directly from children under 16 years of age without the consent of a parent or legal guardian. Data about minors may be processed only as part of a booking made by adults and solely for the purposes of legal guest registration.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example if our processing activities change or if required by law. The updated version will be published on this page and the 'last updated' date will be changed accordingly.
We encourage you to review this Policy occasionally to stay informed about how we protect your data.