PRIVACY POLICY
Effective date: October 1st, 2025
Who we are (data controller)
This notice explains how we process personal data when you visit www.noir43.hr, contact us, make enquiries, or use our services.
Legal name: MARASOVIĆ UGOSTITELJSTVO d.o.o.
Registered address: Stomorica 4, Zadar, Croatia
OIB (tax ID): 23251268752
MB (company ID): 05213827
Email for privacy requests: hello@noir43.hr
We act as a controller under the EU General Data Protection Regulation (GDPR) and Croatian law.
Personal data we process
A) Data you provide: name, contact details (email, phone, address), account credentials (passwords stored hashed), order/reservation details, messages, support requests, feedback or reviews, and business details (for B2B contacts).
B) Data collected automatically: IP address, device and browser type, operating system, timestamps, pages visited, referral URLs, error logs, and approximate location derived from IP. We also use cookies or similar technologies—some are necessary for security and basic functions; others (analytics, personalisation, advertising) operate only with your consent (see Section 6).
C) Data from third parties: service providers (hosting, payments, analytics, CRM, email), logistics/reservation partners, and marketing platforms may provide limited data about interactions with our services (e.g., delivery status, aggregate metrics).
Purposes and legal bases (GDPR Art. 6)
• Provide and improve the website and services; manage accounts, bookings, and customer support – Contract necessity; Legitimate interests (secure, reliable operation).
• Payments, invoicing, and tax compliance – Contract necessity; Legal obligation (accounting/tax).
• Security, fraud prevention, and incident response – Legitimate interests; Legal obligation where applicable.
• Analytics and diagnostics – Consent for cookie‑based analytics; Legitimate interests for strictly necessary, low‑privacy‑impact measurements.
• Marketing communications and on‑site personalisation – Consent (you can withdraw at any time).
• Legal claims and compliance – Legal obligation; Legitimate interests.
Sharing and recipients
We share data only as needed with: processors (hosting/cloud/CDN, security, analytics, email/SMS, payment, CRM/helpdesk), logistics/reservation partners, professional advisors, authorities when legally required, and parties to corporate transactions under appropriate safeguards. We do not sell personal data.
International data transfers
If personal data is transferred outside the EEA, we use one or more of: European Commission adequacy decisions; Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with supplementary measures where required; your explicit consent for specific transfers; or applicable GDPR derogations for occasional, necessary transfers.
Cookies and similar technologies
We use:
• Strictly necessary cookies (always on): security, session continuity, load balancing.
• Analytics cookies (with consent): to understand site usage and improve features.
• Functional cookies (with consent): to remember preferences beyond a session.
• Advertising cookies (with consent): to measure campaigns or personalise ads, if used.
You can set or withdraw choices via our cookie banner on first visit and via the “Cookie settings” link in the footer at any time. Under EU guidance, valid consent must be a clear affirmative act; pre‑ticked boxes or inactivity do not constitute consent.
Data retention
We keep data only as long as necessary for the purposes described:
• Accounts and transactions: for the life of the account/contract plus the period needed for queries and statutory accounting/tax retention.
• Communications and support: typically 12–24 months after resolution.
• Marketing: until you unsubscribe or withdraw consent (we keep a minimal suppression record to honour your opt‑out).
• Security logs: short, purpose‑bound periods unless an incident requires longer retention.
Security
We apply technical and organisational measures proportionate to risk, including TLS encryption in transit, access controls and least‑privilege, pseudonymisation where appropriate, vulnerability management, and staff confidentiality obligations. No internet system is 100% secure; we maintain incident response procedures and will notify authorities and users where required by law.
Your rights
You may request access, rectification, erasure, restriction, or portability of your personal data, and object to processing based on legitimate interests or to direct marketing. We respond without undue delay and within one month (extendable by two months for complex cases, with notice). To exercise rights, email us at the address above; we may request identity verification before acting.
Children’s data
Our services are not directed to children. Where consent is the basis for processing in relation to information‑society services offered directly to a child, the default GDPR age is 16, and Member States may set a lower age. If you believe a child has provided personal data, contact us and we will take appropriate steps.
Third‑party services and links
Our site may link to or embed third‑party services (e.g., maps, video, social media widgets). Those third parties process data under their own privacy policies and may set cookies subject to your consent. Review their notices before use.
Changes to this policy
We may update this policy to reflect legal, technical, or business developments. We will post changes here and, if material, provide additional notice (e.g., banner or email). The effective date at the top shows when this policy last changed.
How to contact us about privacy
Controller: MARASOVIĆ UGOSTITELJSTVO d.o.o., Stomorica 4, Zadar, Croatia
Email: hello@noir43.hr