Privacy Notice

This Privacy Notice explains who we are, what personal data we collect, why we collect it, and how we use and protect it, in compliance with the General Data Protection Regulation (GDPR) (EU Regulation 2016/679).

“Personal data” means any information that can directly or indirectly identify you. The data controller is responsible for managing and protecting this information.

Please read this Notice carefully. If you do not agree with its terms, please do not provide us with your personal data.

1. WHO ARE WE?

Data controller: Orvas d.o.o. (hereinafter: “Orvas”, “we” or “the Controller”)

Address: Leopolda Mandića 10, 21204 Dugopolje, Croatia

PIN Nr.: 38192148118

VAT Nr: HR38192148118

IBAN: HR3924070001100586377 (OTP banka); IBAN: HR61248400811015885668 (Raiffeisenbank Austria d.d.)

Members of the management board and general directors: Ivo Lelas and Tonći Roglić

Share capital: 635.078,64 EUR, paid in full amount

Registered at the Commercial Court in Split

Registration: Tt-16/2645-3

MBS: 060052347

Agency code: HR-AB-21-060052347


2. WHAT DOES THIS PRIVACY NOTICE COVER?

This Notice covers how we process your data whenever you interact with us, including when you:

  • visit any of our websites;
  • use our social media channels;
  • purchase and use our products and services, systems and applications;
  • subscribe to our newsletters;
  • provide us with your goods or services, systems or applications;
  • contact our customer support;
  • join our business events;
  • participate in our contests;
  • participate in our promotions;
  • or otherwise interact with us

as a consumer, business customer, partner, (sub)supplier, contractor or other person with a business relationship with us.

“Processing” means any operation performed on personal data, which includes collection, recording, storage, modification or update, retrieval, consultation, use, disclosure by manual and/or automated means.


3. WHAT IS THE DATA THAT WE COLLECT ABOUT YOU?

Depending on who you are (e.g. customer, consumer, supplier, business partner, etc.) and how you interact with us (e.g. online, offline, phone, etc.) we may process different types of personal data. In this notice we cover all possible personal data that we collect from you.

DATA YOU PROVIDE DIRECTLY TO US (EXAMPLES BELOW)

| Category | Examples |
| --- | --- |
| Personal identification | Name, last name, title, date of birth |
| Contact information | Email, phone number, address, country |
| Images/Videos | Picture/video uploaded/provided to us |
| Financial data | Credit card details, bank account information |
| Other information | Household information, interests, profession, preferences |


INFORMATION FROM THIRD-PARTY SOURCES (EXAMPLES BELOW)

We may receive information about you from publicly available sources (as permitted by law) such as public databases, our marketing partners, or social media platforms when you choose to connect to such services. We may combine this information with other information we receive from you.

| Category | Examples |
| --- | --- |
| Public databases | Business registers, company ownership details, sanction lists, government directories |
| Marketing partners | Information about preferences, responses to online ads, participation in loyalty or referral programs |
| Social media platforms | Profile information, username, comments/posts when interacting with our official pages, connected account details |
| Event organizers or partners | Registration details if you sign up for an event we co-host or sponsor |
| Online payment or booking service providers | Transaction confirmations, booking IDs, limited billing details (no full card data) |


*ONLINE PAYMENTS – Payment Processing by WSPay

For the purpose of processing online payments, we use the secure payment gateway WSPay. When you make a payment on one of our websites, certain personal data necessary to complete the transaction (such as your name, surname, email address, billing information, and partial card details) are transferred to WSPay.


WSPay acts as an independent data controller or data processor (depending on the transaction flow) and processes personal data in accordance with applicable laws and the GDPR. We do not store or have access to your full payment card details. These are processed exclusively by WSPay on secure servers, certified according to the highest payment security standards (PCI DSS compliance).

For more information on how WSPay processes your personal data, please refer to their Privacy Policy: https://www.wspay.info/.


4. HOW DO WE USE YOUR DATA?

We process your data only for specific purposes and only where there is a legal basis under GDPR. Examples include:

For each process or service below, the purposes of processing are listed together with their legal basis.

USE OF THE SERVICE

Personal data of all natural persons using the Website (including IP address or other identifiers and information collected through cookies or other similar technologies), and who are not registered Users (i.e. persons who do not have a profile on the Website).

  • Purpose: in order to provide services ordered on the Website.
    Legal basis: necessity of processing for the performance of the contract - Article 6(1)(b) GDPR
  • Purpose: analytical and statistical purposes, consisting of conducting analyses of Users' activities, as well as their preferences in order to improve the functionalities used and services provided
    Legal basis: Controller's legitimate interest - Article 6(1)(f) GDPR
  • Purpose: possible establishment and investigation of claims or defense against claims
    Legal basis: Controller's legitimate interest - Article 6(1)(f) GDPR
  • The User's activity on the Website, including his/her Personal Data, is recorded in system logs. The information collected in the logs is processed primarily for purposes related to the provision of services. The Controller also processes them for technical and administrative purposes, for the purposes of ensuring the security of the IT system and the management of this system, as well as for analytical and statistical purposes.
    Legal basis: Controller's legitimate interest - Article 6(1)(f) GDPR

REGISTRATION ON THE SITE

Those who register on the Website are asked to provide the data necessary to create and operate an account. In order to facilitate the service, the User may provide additional data, thereby consenting to its processing. Such data can be deleted at any time. The provision of data marked as mandatory is required in order to create and operate an account, and failure to provide such data will result in the inability to create an account. The provision of other data is voluntary.

  • Purpose: in order to provide services related to the maintenance and operation of the account on the Website
    Legal basis: necessity of processing for the performance of the contract - Article 6(1)(b) GDPR, and with regard to data provided optionally - the legal basis for processing is consent - Article 6(1)(a) GDPR
  • Purpose: analytical and statistical purposes, consisting of conducting analyses of Users' activity on the Website and the way they use their account, as well as Users' preferences in order to improve the applied functionalities
    Legal basis: Controller's legitimate interest - Article 6(1)(f) GDPR
  • Purpose: possible establishment and investigation of claims or defense against claims
    Legal basis: Controller's legitimate interest - Article 6(1)(f) GDPR

PLACING ORDERS (USE OF PAID SERVICES ON THE SITE)

The placement of an order (purchase of goods or services) by the User of the Website involves the processing of his/her Personal Data. The provision of data marked as mandatory is required in order to accept and process the order, and failure to provide such data will result in the order not being processed. Provision of the remaining data is optional.

  • Purpose: fulfilling a submitted order
    Legal basis: necessity of processing for the performance of the contract - Article 6(1)(b) GDPR; for data provided on an optional basis, the legal basis for processing is consent - Article 6(1)(a) GDPR
  • Purpose: to comply with statutory obligations incumbent on the Controller, arising in particular from tax and accounting legislation
    Legal basis: legal obligation - Article 6(1)(c) GDPR
  • Purpose: analytical and statistical purposes, consisting of conducting analyses of Users' activity on the Website, as well as Users' purchasing preferences in order to improve the applied functionalities
    Legal basis: Controller's legitimate interest - Article 6(1)(f) GDPR
  • Purpose: possible establishment and investigation of claims or defense against claims
    Legal basis: Controller's legitimate interest - Article 6(1)(f) GDPR

CONTACT FORMS

The Controller provides the possibility to contact it using electronic contact forms. The use of the form requires the User to provide Personal Data necessary to contact the User and respond to the enquiry. The User may also provide other data in order to facilitate the contact or handling of the enquiry. The provision of data marked as mandatory is required in order to receive and handle the enquiry, and failure to provide such data will result in the impossibility of service. The provision of other data is voluntary.

  • Purpose: identification of the sender and the handling of his/her enquiry sent via the form provided
    Legal basis: performance of the contract for the provision of the service - Article 6(1)(b) GDPR; with regard to the data provided optionally, the legal basis of the processing is consent - Article 6(1)(a) GDPR
  • Purpose: analytical and statistical purposes consisting of keeping statistics on queries submitted by Users via the Website in order to improve its functionality
    Legal basis: Controller's legitimate interest - Article 6(1)(f) GDPR

MARKETING

The Controller may use your personal data to inform you about products, special offers, services or events.

  • Purpose: displaying marketing content to the User that is not tailored to his/her preferences (contextual advertising)
    Legal basis: Controller's legitimate interest - Article 6(1)(f) GDPR


Orvas d.o.o. may send you communications about our products, services, events, and promotions. These communications may be delivered through different channels: email, phone, SMS, post, or social networks. To provide you with the best experience, they may be tailored to your preferences (for example, if you indicate email as your preferred channel of communication with us, or if we determine it based on the links you click in our emails). Where required by law, we will ask for your consent before carrying out the above activities.


5. WHEN DO WE SHARE YOUR DATA WITH THIRD PARTIES?

Your data will be processed by us and other entities within the Orbico Group. In exceptional cases and only to fulfil the above-described purposes, your data might be shared with the following parties:

  • Service providers: we may outsource certain data processing activities to trusted third party service providers to perform functions and provide services to us, such as ICT service providers, consulting providers, shipping providers…
  • Business partners: our services are integrated with various online booking platforms and channel managers so we may share your data with our booking and distribution partners, such as Nausys, MMK-a Systems, MyRent, Phobs, Booking.com, Airbnb, and similar service providers, in order to process and manage your reservations.
  • Public and governmental authorities: when required by law, or as necessary to protect our rights, we may share your data with entities that regulate or have jurisdiction over Orbico Group;
  • Professional advisors: such as auditors, lawyers, accountants, other professional advisors;
  • Other parties with corporate transactions: such as during a sale of a business or a part of a business to another company, or any reorganization, merger, joint venture, or other disposition of our business, assets, or stock (including in connection with any bankruptcy or similar proceeding).

Transfer of your data outside of EEA

The level of protection of Personal Data outside the European Economic Area (EEA) differs from that provided by European law. For this reason, Orvas transfers Personal Data outside the EEA only when necessary and with an adequate level of protection, primarily by:

  • cooperation with processors of Personal Data in countries for which a relevant decision of the European Commission has been issued as to whether an adequate level of protection of Personal Data is ensured (for more information, please go through the list provided here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en);
  • the use of standard contractual clauses (SCCs) approved by the European Commission.


6. HOW LONG DO WE KEEP/RETAIN YOUR DATA?

We keep your data only for the period necessary to fulfill the purposes for which it was collected (see section 4 above, “How do we use your data?”). Sometimes we might keep your data longer if required or permitted by law. We determine the period based on the following criteria:

  • How long is the data needed to provide you with our products or services or to operate our business?
  • Do you have an account with us? Then we will keep your data while your account is active.
  • Are we required by law, contract, or other similar obligations to retain your data?
    In some cases, we may be legally or contractually obligated to retain your personal data. Examples include mandatory data retention laws, government orders related to investigations, or requirements to preserve data for legal proceedings or litigation purposes.


7. HOW DO WE SECURE YOUR DATA?

To protect your data, we implement appropriate technical and organizational measures that secure it against unauthorized access, loss, misuse, alteration, or disclosure. We also require our service providers, business partners and professional advisors to apply equivalent safeguards.


8. WHO IS RESPONSIBLE FOR YOUR DATA?

Orvas d.o.o., with its head office at Leopolda Mandića 10, Dugopolje, is the data controller responsible for your personal data. For some services, we use specialized partners who process data strictly under our instructions and in line with our data protection policy.

We are therefore the party you should contact with any questions regarding how our company processes your personal data.

9. WHICH LEGISLATION APPLIES?

The protection of your personal data is governed by Regulation (EU) 2016/679 (the “GDPR”) and the applicable national laws of Croatia. We undertake to comply with our obligations and respect your rights whenever we process your data.


10. YOUR RIGHTS

You have the right to access your data and to request its rectification, erasure or restriction of processing, the right to data portability, the right to object to the processing of the data, and the right to complain to the supervisory authority in charge of the protection of Personal Data (AZOP – azop@azop.hr).

Where processing is based on your consent, you may withdraw your consent at any time via the unsubscribe link, by contacting us, or by using the functionalities made available on the Website (the cookie banner's “options” button). If we ask you to provide us with your data, but you choose not to, in some cases, we may not be able to offer you the full functionality of our products, services, systems, or applications. Additionally, we may not be able to respond to any requests you may have.

You have the right to object to the processing of data for marketing purposes if the processing is carried out in connection with the legitimate interest of the Controller, and - for reasons related to the User's particular situation - in other cases where the legal basis of the data processing is the Controller's legitimate interest (e.g. in connection with the realization of analytical and statistical purposes).

You can exercise your rights by contacting us at the following e-mail: privacy@orvas.hr. We will respond promptly, and no later than within one month, unless extraordinary complexity requires an extension of the response time.

You exercise your rights without cost. However, if you request access to or transfer of your personal information frequently or excessively (for example, requesting all your personal information in writing), we have the right to ask you to bear our costs before carrying out such an action.


11. CHANGES TO THIS PRIVACY NOTICE

We reserve the right to change this Privacy Notice at any time to reflect changes in law, technology, or our practices. Updates will be posted on this page with a revised “Last Updated” date.

Last updated: 15.09.2025.