Privacy Policy
Last updated: 2026-03-29 22:27:47
Luks Kayaking (hereinafter: "we", "us", "our") respects your privacy and processes personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable regulations of the Republic of Croatia.
1. Data Controller
Name: Luks Kayaking
E-mail: info@lukskayaking.com
Phone: +385 95 533 0061
If you have any questions about this policy or wish to exercise your rights, please contact us using the contact details above.
2. What data we collect
We collect only the data necessary for communication, booking, and service execution.
a) Contact form (contact.php)
- first and last name
- e-mail address
- phone number (optional)
- subject and message content
- confirmation of consent to the Privacy Policy
b) Reservation / booking (reservation.php, api/booking_*)
- first and last name
- phone number
- note (if provided)
- booking data: tour/product, date, time slot, number of persons/kayaks, amount, currency, booking code, status
c) Payment (Stripe)
For online payments, data necessary to initiate and confirm the transaction is processed (e.g. amount, currency, session ID, payment status, booking reference code). Card details are entered directly into the Stripe payment form.
d) Technical data
Like most websites, hosting and technical infrastructure may automatically log technical data (e.g. IP address, access time, user-agent, request URL) for security, diagnostics, and abuse prevention.
3. Purposes and legal basis for processing
We process data on the following bases:
- performance of a contract / taking steps prior to entering into a contract (booking, confirmations, changes)
- legal obligation (e.g. accounting and tax records)
- legitimate interest (system security, abuse prevention, booking status records)
- consent (e.g. sending inquiries through the contact form with confirmed consent)
4. Recipients and data processors
We share your data only when necessary to provide the service:
- Stripe, Inc. – processing card payments and transaction confirmations
- SMTP/e-mail provider (configured for sending system e-mails) – sending confirmations and notifications
- hosting / IT providers – technical maintenance and security
Additionally, the website uses external CDN and widget services that may receive technical access data (e.g. IP address and user-agent), including:
- code.jquery.com (jQuery)
- cdn.tailwindcss.com (Tailwind CDN)
- cdn.jsdelivr.net (Flatpickr)
- fonts.googleapis.com / fonts.gstatic.com (Google Fonts)
- elfsightcdn.com (review widget on certain pages)
5. Cookies and similar technologies
The website currently uses at least the following functional cookie:
site_lang – remembers the selected interface language (duration up to 12 months).
Without this cookie, the language preference cannot be reliably remembered between visits.
If you use the administrative part of the system (/podium), session cookies necessary for authentication and security may also be used.
6. Payments
Card payments are processed by Stripe. We do not store full card numbers, CVC codes, or other sensitive card data. We store technical and business transaction data (e.g. session ID, status, amount, currency) for booking confirmation, records, and handling complaints/refunds.
7. E-mail communication
Messages from the contact form and booking system are sent by e-mail (to the user and administrator) via an SMTP system. The message content and contact data are used exclusively for processing your inquiry/booking and customer support.
8. Data retention
We retain data only for as long as necessary for the purpose of processing:
- contact inquiries: as long as needed to respond and possibly continue communication
- bookings and related payment data: during service provision and afterwards according to legitimate interests and legal obligations
- accounting/tax documents: in accordance with legal retention periods
- technical logs: according to system security and operational requirements
When data is no longer required, it is deleted or anonymized.
9. Transfer of data to third countries
Some service providers (e.g. Stripe or CDN services) may process data outside the EU/EEA. In such cases we ensure appropriate safeguards in accordance with GDPR (e.g. standard contractual clauses and/or other lawful mechanisms).
10. Your rights
You have the right:
- to access your personal data
- to correct inaccurate data
- to delete data ("right to be forgotten")
- to restrict processing
- to data portability
- to object to processing based on legitimate interest
- to withdraw consent (if processing is based on consent)
- to file a complaint with the supervisory authority (AZOP)
To exercise your rights, contact: info@lukskayaking.com.
11. Data security
We implement reasonable technical and organizational measures to protect data from unauthorized access, modification, loss, and misuse.
12. Policy changes
We may update this Privacy Policy from time to time. The new version applies from the date of publication on this page.
13. Push notifications (if enabled)
In parts of the system that support web/push notifications, OneSignal may be used. In that case technical device/subscription identifiers (e.g. subscription ID, notification permission status) may be processed solely for sending notifications you have enabled.