Privacy Policy

Unique Adriatic Villas, operated by Adriatic Concierge d.o.o. ("we", "our", "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website uniqueadriaticvillas.poratdev.hr and use our services.

We comply with the General Data Protection Regulation (GDPR) and applicable Croatian data protection laws.

The data controller responsible for your personal data is:

Given the nature and scale of our data processing activities, we are not required to designate a Data Protection Officer under GDPR Article 37. For all privacy-related inquiries, please contact us at info@uniqueadriaticvillas.poratdev.hr.

3.1 Information You Provide

We collect information you voluntarily provide when:

• Submitting a booking inquiry (name, email, phone, travel dates, guest count)
• Submitting a concierge service inquiry
• Contacting us via forms or email

3.2 Automatically Collected Information

When you visit our website, we automatically collect:

• Device information (browser type, operating system)
• IP address and approximate location
• Pages visited and time spent on site
• Referring website
• Cookies and similar tracking technologies

We process your personal data for the following purposes, based on the indicated legal grounds under GDPR:

Our website uses cookies to enhance your browsing experience. Types of cookies we use:

• Essential Cookies: Required for website functionality
• Analytics Cookies: Help us understand how visitors use our site
• Marketing Cookies: Used to deliver relevant advertisements

You can manage your cookie preferences through your browser settings or our cookie consent banner. Note that disabling certain cookies may affect website functionality.

We may share your information with the following categories of recipients:

• Property Owners/Managers: To process your booking inquiry and facilitate accommodation
• Amazon Web Services (AWS): Image and media storage (EU region, eu-central-1 — Frankfurt). AWS acts as our data processor under their Data Processing Addendum, which incorporates Standard Contractual Clauses (SCCs). Only property images and marketing content are stored — no personal data is transmitted to AWS.
• DigitalOcean LLC: Managed PostgreSQL database hosting (Frankfurt, Germany). DigitalOcean stores the system of record for every booking inquiry, concierge inquiry, contact-form submission, audit-log entry and admin account. DigitalOcean is a US-incorporated company operating EU data centres; data physically rests in the EU under their Data Processing Addendum, which incorporates Standard Contractual Clauses as a fallback for any out-of-region support access.
• Hetzner Online GmbH: VPS hosting (Falkenstein, Germany). Runs the application server and stores 7-day local encrypted database backups. Hetzner is an EU-based processor under their Data Processing Addendum.
• Brevo (Sendinblue SAS): Transactional email delivery (SMTP). Sends booking confirmations and admin notifications, which include the guest name, email, phone number (when provided), travel dates and free-text message. Brevo is EU-headquartered (Paris, France) with EU data centres and acts as our data processor under their Data Processing Addendum.
• DeepL SE: Translation service used server-side only. No personal data is shared with DeepL; only website content is processed for translation purposes.
• Legal Authorities: When required by law or to protect our rights

We do not sell your personal data to third parties.

All processors we use to handle personal data operate within the European Union or the European Economic Area (EEA): Amazon Web Services S3 in eu-central-1 (Frankfurt), DigitalOcean Managed PostgreSQL in Frankfurt, Hetzner Cloud in Falkenstein (Germany), Brevo/Sendinblue in France, and DeepL in Germany. We do not routinely transfer your personal data to third countries.

Where a processor is incorporated outside the EU (for example DigitalOcean LLC, headquartered in the United States) and personal data may be accessed by support staff outside the EEA in the course of operating the service, we rely on Standard Contractual Clauses approved by the European Commission as a transfer safeguard. Should we add a processor that materially changes this posture, we will update this policy before that processor receives any personal data.

We retain your personal data for the following periods:

• Booking and service inquiries: 3 years from submission
• Contact-form inquiries: 3 years from submission
• Security and audit logs: Anonymized after 12 months, deleted after 3 years
• Cookie consent preferences: Duration of browser storage
• Admin accounts: Until deletion requested, plus a 30-day grace period
• Backups: Encrypted database backups are retained as a 7-day local copy on the application server (Hetzner), a 7-day automated copy by our managed-database provider (DigitalOcean) and a 30-day archival copy in Amazon S3 (eu-central-1). Erasure requests are honoured against the live database immediately; backup copies are overwritten on the next scheduled retention sweep.

After the applicable retention period, personal data is securely deleted or anonymized.

Under GDPR, you have the following rights:

• Access (Art. 15): Request a copy of your personal data
• Rectification (Art. 16): Request correction of inaccurate data
• Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Restriction (Art. 18): Request limited processing of your data
• Portability (Art. 20): Receive your data in a portable format
• Objection (Art. 21): Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at info@uniqueadriaticvillas.poratdev.hr. We will respond within 30 days.

You also have the right to lodge a complaint with the supervisory authority:

Providing your name and email address is necessary to process your booking or service inquiry. Without this information, we cannot respond to your request.

Providing your phone number is optional. We do not use automated decision-making or profiling in relation to your personal data.

We implement appropriate technical and organizational measures to protect your data, including:

• SSL/TLS encryption for data transmission
• Secure server infrastructure
• Access controls and authentication
• Regular security assessments

However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a minor, please contact us immediately.

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Significant changes will be communicated via email or website notice.

For questions, concerns, or requests regarding this Privacy Policy or your personal data: