Hotel Nostromo respects your privacy and is committed to protecting the personal data you entrust to us. This Privacy Policy explains what data we collect, why we collect it, how we use it, whom we share it with, and what rights you have regarding your data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) and the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018).
1. Data Controller
The controller of your personal data is:
[Full legal name of the business/company]
Obala maršala Tita 7, 52221 Rabac, Croatia
OIB (PIN): [OIB]
Telephone: +385 91 175 5770
E-mail: [Official e-mail]
Web: www.nostromo.hr
For any questions regarding the processing of your personal data, you may contact us using the details provided above.
2. What Personal Data We Collect
Depending on the purpose, we may collect the following categories of personal data:
- Reservation and stay data: first and last name, date of birth, nationality, type and number of identification document, residential address, arrival and departure dates, number of persons, and special requests related to the reservation.
- Contact details: e-mail address and telephone number.
- Payment data: data necessary for billing services; sensitive card data is processed exclusively through the systems of authorized payment service providers, and Hotel Nostromo does not store the full card number or CVV.
- Communication data: content of inquiries sent via e-mail, contact forms, or telephone.
- Technical data: IP address, device and browser type, operating system, language, pages visited on our site, and time of visit – collected through cookies and similar technologies (more details in the Cookie Policy).
Providing personal data necessary for the conclusion and execution of the accommodation agreement (e.g., during reservation and check-in) is a requirement for using our services; without this data, the reservation cannot be completed, nor can legal obligations be fulfilled.
3. Purposes and Legal Bases for Processing
We process your personal data for the following purposes and under the following legal bases:
- Reservation, conclusion, and execution of the accommodation contract (Art. 6, para. 1, point b of the GDPR) – processing guest data, contact details, and reservation information.
- Compliance with legal obligations (Art. 6, para. 1, point c of the GDPR) – registering guests in the eVisitor system in accordance with the Sojourn Tax Act, issuing invoices and maintaining business records in accordance with tax regulations, and fulfilling obligations under fire safety regulations and the guest registry.
- Responding to inquiries received via e-mail, telephone, or contact forms (Art. 6, para. 1, point b or f of the GDPR).
- Protection of legitimate interests (Art. 6, para. 1, point f of the GDPR) – ensuring the security of the facility and guests, fraud prevention, exercising and defending legal claims, and basic website usage analytics.
- Sending promotional messages and newsletters, where applicable (Art. 6, para. 1, point a of the GDPR) – exclusively with your prior consent, which you may withdraw at any time.
4. Data Retention Period
We store personal data only as long as necessary to fulfill the purpose for which it was collected or as prescribed by applicable laws:
- Accommodation contract data and guest data: for the periods prescribed by law (generally up to 11 years for accounting documentation).
- Data registered in the eVisitor system: in accordance with the periods prescribed by competent authorities.
- Data from inquiries that do not result in a reservation: up to 12 months from the last communication.
- Data processed based on consent: until the withdrawal of consent.
- Technical data and cookies: as specified in the Cookie Policy.
Upon expiration of the retention period, the data is deleted or anonymized.
5. Recipients of Personal Data
We may share your personal data with carefully selected recipients acting as data processors or independent controllers, exclusively to the extent necessary to achieve the stated purposes:
- Competent public authorities (e.g., Ministry of Tourism via the eVisitor system, Ministry of the Interior, Tax Administration) when it is a legal obligation;
- Payment service providers and credit card companies for payment processing;
- Online booking platforms (e.g., Booking.com, Expedia, etc.) when the reservation is initiated through them;
- IT service providers, website maintenance, and hosting providers;
- Accounting services and bookkeepers;
- Attorneys and other professional services, when necessary to protect our rights.
Appropriate data processing agreements have been concluded with all data processors.
6. Data Transfer Outside the European Economic Area (EEA)
As a rule, we process personal data within the European Economic Area (EEA). If certain service providers (e.g., analytical or marketing tools) process data outside the EEA, such transfer is carried out exclusively with appropriate safeguards prescribed by the GDPR, including the European Commission’s Standard Contractual Clauses.
7. Your Rights
Regarding the processing of your personal data, you have the following rights:
- Right of access: to access your data and receive information about its processing;
- Right to rectification: to correct inaccurate or incomplete data;
- Right to erasure (“right to be forgotten”): when legal conditions are met;
- Right to restriction of processing;
- Right to data portability: when processing is automated and based on consent or a contract;
- Right to object: to processing based on legitimate interest or for direct marketing purposes;
- Right to withdraw consent: at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- Right to lodge a complaint with a supervisory authority: the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, www.azop.hr.
You may exercise your rights by sending a request to the e-mail: [Official e-mail] or in writing to our registered office address. We will respond to your request without delay, and at the latest within one month of receipt.
8. Data Security
We apply appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, or destruction, including access control, system protection, encryption where applicable, and regular employee training.
9. Changes to the Privacy Policy
We reserve the right to periodically amend and supplement this Privacy Policy to align with regulatory changes or changes in our business operations. Any changes will be published on this page with the date of the last update indicated.
Date of last update: [17.04.2026.]