Privacy Policy
This policy explains which data is collected, how it is used and what your rights are under the Serbian Personal Data Protection Act.
Last updated: {{last_updated}}
Introduction
This Privacy Policy governs how {{legal_name}} ("Controller", "we", "us") collects, uses, stores and protects the personal data of visitors and users of the website {{website}} ("Site").
The Policy is aligned with the Serbian Personal Data Protection Act ("Official Gazette of RS", No. 87/2018, "ZZPL") and fulfils the information obligation under Article 23 ZZPL.
By accessing and using the Site, you confirm that you have read, understood and accepted this Privacy Policy in full.
Data Controller
The personal data controller pursuant to Article 4(1)(8) ZZPL is:
| Name: | {{legal_name}} |
| Legal form: | {{legal_form}} |
| Tax ID (PIB): | {{pib}} |
| Registration No: | {{maticni}} |
| Registered office: | {{legal_address}} |
| Responsible person: | {{responsible_person}} |
| Privacy email: | {{privacy_email}} |
| Phone: | {{phone}} |
All questions, requests and complaints regarding the processing of your personal data may be sent to {{privacy_email}}.
What Data We Collect
We collect only the personal data necessary for the purposes set out in this Policy. Specifically, we may process the following data categories:
Data you directly provide to us
- Contact details: first name, last name, email, phone — when you message us through the contact form or directly.
- Reservation data: name, phone, email, party size, date and time — when you make a booking via the Site.
- Message content: the message text you voluntarily send us.
Data we collect automatically
- Technical data: IP address, browser type and version, operating system, time zone, browser language.
- Site usage data: pages you visited, time of visit, referrer.
- Cookie data: see Section 8.
We do not collect sensitive personal data within the meaning of Article 17 ZZPL (health, racial origin, political opinions, religion, sexual orientation, biometric data).
Purposes of Processing
We process your personal data exclusively for the following purposes:
- Responding to your enquiries — when you contact us, we use your data to respond and provide the requested information.
- Reservations and orders — for confirmation, reminders and changes of reservations or orders.
- Improving the Site — anonymised visit analytics to improve content and user experience.
- Legal obligations — to fulfil statutory obligations (tax, accounting, etc.).
- Protection from abuse — preventing unauthorised access, fraud and other abuse.
We do not use your personal data for marketing purposes without your prior explicit consent.
Legal Basis
We process personal data exclusively on one of the following legal bases under Article 12 ZZPL:
- Consent (Article 12(1)(1) ZZPL) — when you have given us clear, explicit consent for a specific purpose (e.g. newsletter signup).
- Contract performance (Article 12(1)(2) ZZPL) — when processing is necessary to perform a reservation, order or other service you requested.
- Legal obligation (Article 12(1)(3) ZZPL) — when we are required to retain certain data by law (e.g. accounting records).
- Legitimate interest (Article 12(1)(6) ZZPL) — for core Site functionality, security and fraud protection.
Retention Periods
We retain your personal data only as long as necessary for the purpose for which it was collected, or as required by law. Specific periods:
| Data type | Retention period |
|---|---|
| Contact form (enquiries) | 12 months from last interaction |
| Reservations (fulfilled) | 3 years (accounting period) |
| Payment data | 10 years (legal obligation) |
| Analytics data | 14 months (Google Analytics default) |
| Technical logs | 30 days |
| Newsletter consent | Until consent withdrawn |
After these periods, data is permanently deleted or anonymised.
Data Recipients
We do not sell or rent your personal data to third parties.
We may share your data only with the following categories of recipients, and only to the extent necessary for the above purposes:
Data processors
We have entrusted the processing of certain data to the following trusted partners acting as processors under Article 4(1)(9) ZZPL, under a written data processing agreement:
- ZeroToSite (Site build and maintenance provider)
- Cloudflare Inc. (hosting and DDoS protection)
- Google LLC (Google Analytics, Google Business Profile)
- Meta Platforms Ireland Ltd. (Facebook/Instagram integrations, only if present)
- Supabase Inc. (reservation database, only if present)
Government authorities
We may disclose data to competent government authorities only on the basis of a lawfully issued request (court order, police order, tax authority request, etc.).
Transfers outside Serbia
Some of our processors (Google, Meta, Cloudflare) are located outside the Republic of Serbia. Such transfers are made with appropriate safeguards under Articles 64 and 65 ZZPL (standard contractual clauses, adequacy decisions, etc.).
Your Rights
Under Articles 21–37 ZZPL, you have the following rights regarding your personal data:
- Right of access (Article 26 ZZPL) — you may obtain confirmation that we process your data and a copy of that data.
- Right to rectification (Article 29 ZZPL) — you may request correction of inaccurate or completion of incomplete data.
- Right to erasure ("right to be forgotten", Article 30 ZZPL) — you may request deletion of your data when it is no longer necessary or if you have withdrawn consent.
- Right to restriction (Article 31 ZZPL) — you may request that we temporarily restrict processing of your data.
- Right to portability (Article 36 ZZPL) — you may receive your data in a structured, machine-readable format or have it transferred to another controller.
- Right to object (Article 37 ZZPL) — you may object to processing based on legitimate interest.
- Right to withdraw consent — at any time you may withdraw consent you have given us, without any consequences.
To exercise any of these rights, contact us at {{privacy_email}}. We will respond within 30 days of receiving the request.
Right to lodge a complaint with the Commissioner
If you believe we have violated your rights or processed your personal data contrary to ZZPL, you have the right to lodge a complaint with the Commissioner:
Bulevar kralja Aleksandra 15
11000 Belgrade, Republic of Serbia
Phone: +381 11 3408 900
Email: office@poverenik.rs
Site: www.poverenik.rs
Data Security
We apply appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, destruction or misuse. These measures include:
- Encrypted communication (HTTPS/TLS)
- Access control and authentication
- Regular data backup
- Restricted data access (authorised personnel only)
- Procedures for responding to data breaches
Breach notification: In the event of a personal data breach that may pose a risk to your rights and freedoms, we will notify the Commissioner within 72 hours, and you without undue delay where required by law.
Children
The Site is not intended for children under 15. We do not knowingly collect personal data from children under 15 without parental or guardian consent. If we learn that we have collected such data by mistake, we will delete it immediately.
Changes to the Privacy Policy
We reserve the right to update this Privacy Policy periodically. Any material change will be posted on this page, and the date of the last update will be refreshed at the top of the document. We recommend checking this page periodically to stay informed of the latest version.
Contact
For all questions, requests or complaints regarding this Privacy Policy or the processing of your personal data, contact us:
- Email: {{privacy_email}}
- Phone: {{phone}}
- Address: {{legal_address}}
- Responsible person: {{responsible_person}}