Last updated: 2026-05-27
This Privacy Policy explains how My Luxoria d.o.o. ("we", "us", "My Luxoria") collects, uses, and protects your personal data when you use our website, contact us, or make a booking. It is issued in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the Croatian Act on the Implementation of the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka, NN 42/2018).
1. Who is the data controller?
Domus properties d.o.o.
Ul. Vladimira Nazora 1, 22000, Šibenik
OIB: 97941229837
Registered with: Trgovački sud u Zadru - stalna služba u Šibeniku - Reg. br. 110068105
Share capital: 2654.46 EUR
E-mail: [email protected]
Data Protection contact
For any question relating to your personal data or to exercise your rights under GDPR, contact: [email protected].
2. What personal data we collect
We collect only the data we need to deliver our services and run our business.
- Identity & contact: first and last name, e-mail, phone, country, address (when required for invoicing).
- Booking data: dates of stay, number of guests, special requests, the rental selected, dietary or health information you choose to share.
- Payment data: card payments are processed exclusively by Stripe; we do not store full card numbers. We retain the payment reference, amount and status.
- Guest registration: where required by Croatian law (eVisitor), passport / ID information of guests.
- Technical & usage data: IP address (stored only as a salted hash), browser type, pages visited, referrer, device type.
- Marketing attribution: if you click an ad and accept marketing cookies, we store the campaign identifier (gclid, fbclid, msclkid, utm parameters).
- Consent record: anonymous consent identifier, categories you accepted, policy version, locale, hashed IP and user agent.
3. How we collect it
- Directly from you — when you fill in a contact form, make an inquiry, request a callback, subscribe to our newsletter, leave a review, or book a property.
- Automatically — via cookies and similar technologies (see our Cookie Policy).
- From third parties — advertising platforms (Google, Meta, Microsoft) may pass us a click identifier so we can attribute your booking back to the right ad.
4. Purposes & legal bases
We process your data on the following Article 6 GDPR legal bases:
| Purpose | Legal basis |
|---|---|
| Replying to inquiries & callbacks | Art. 6(1)(b) — pre-contractual steps at your request |
| Creating and managing a reservation | Art. 6(1)(b) — performance of contract |
| Processing payments & issuing invoices | Art. 6(1)(b) + Art. 6(1)(c) — contract and legal obligation (tax & fiscalisation law) |
| Croatian guest registration (eVisitor) | Art. 6(1)(c) — legal obligation |
| Newsletter sign-up | Art. 6(1)(a) — your consent (you can withdraw at any time) |
| Analytics, advertising & remarketing | Art. 6(1)(a) — your consent recorded via the cookie banner |
| Spam / fraud prevention on forms and payments | Art. 6(1)(f) — legitimate interest in protecting the service |
| Defending or pursuing legal claims | Art. 6(1)(f) — legitimate interest |
5. Who we share data with
We share data only with processors and partners that we have a written agreement with, and only to the extent necessary for the purposes above.
- Property owners: guest contact details for arrival coordination.
- Stripe Payments Europe Ltd. (payment processing) — stripe.com/privacy
- Google Ireland Ltd. (Analytics, Tag Manager, Maps, Ads) — policies.google.com/privacy
- Meta Platforms Ireland Ltd. (advertising attribution, when you accept marketing cookies) — facebook.com/policies
- Twilio Ireland Ltd. (SMS notifications)
- Hosting & IT providers (EU-located)
- Croatian tax authority (Porezna uprava) (fiscalisation of invoices, where required by law)
- Croatian Ministry of Tourism (eVisitor) (guest check-in, where required by law)
- Our accountants and legal advisors (bound by professional confidentiality)
6. International data transfers
Most of our processors are located in the EU/EEA. Where a transfer outside the EEA is necessary (typically Google services that may process data in the United States), the transfer is protected by the Standard Contractual Clauses adopted by the European Commission and, where applicable, the EU–U.S. Data Privacy Framework.
7. How long we keep data
- Inquiries and contact-form submissions: up to 24 months from last contact, then deleted or anonymised.
- Reservations & invoices: 11 years (Croatian Accounting Act / VAT Act retention).
- Newsletter subscriptions: until you unsubscribe.
- Consent log: for the duration of your active consent + 5 years (to demonstrate compliance).
- Technical / access logs: up to 12 months.
- Cookies: as listed in the Cookie Policy.
8. Your rights
Under GDPR you have the right to:
- access the personal data we hold about you (Art. 15);
- have inaccurate data corrected (Art. 16);
- have data erased where the legal basis no longer applies (Art. 17 — note that records we are legally obliged to keep, such as invoices, cannot be deleted on request);
- restrict processing (Art. 18);
- receive your data in a portable format (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw consent at any time — without affecting the lawfulness of processing before withdrawal (Art. 7(3)).
To exercise any of these rights, contact [email protected]. We will respond within one month. We may need to verify your identity before acting on the request.
9. Right to lodge a complaint
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency:
Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10 000 Zagreb, Croatia
E-mail: [email protected] · Tel: +385 1 4609 000
azop.hr
You also have the right to lodge a complaint with the supervisory authority in your country of residence.
10. Cookies & tracking
Detailed information about the cookies we use, why we use them, and how to control them is set out in our Cookie Policy.
11. Children
Our service is intended for adults. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, please contact us and we will delete it.
12. Security
We use industry-standard technical and organisational measures (TLS encryption in transit, hashed IPs, access controls, regular backups, vetted EU-based processors) to protect your personal data.
13. Changes to this Privacy Policy
We may update this policy from time to time. The version date above shows the current revision. If the change is material, we will notify you via the website and request renewed consent where required.