PRIVACY NOTICE

IKADOR LUXURY BOUTIQUE HOTEL & Spa, owned by AUTO ZUBAK – ZAGREB Ltd., Sesvete, Ljudevita Posavskog 7/a, PIN: 34970126847 (hereinafter referred to as: “AZZ” or “we”), pays particular attention to the protection of personal data of its users (hereinafter referred to as: “data subjects”), which it collects and processes in performing its operations. Accordingly, we take special measures to ensure that the processing of personal data that we perform is lawful, fair and transparent. We collect, process and use such data in accordance with the relevant data protection regulations, and the terms used in this Notice have the meanings as defined under Regulation (EU) 2016/679.

More precisely, pursuant to Regulation (EU) 679/16 AZZ may have different roles with regard to your personal data, i.e. it may be the controller and/or the processor. This Notice serves to inform you, our users, of:

• the identity and contact details of the controller and/or processor (Section 1),
• the legal bases for processing personal data of data subjects, the purposes for such processing and the way personal data of data subjects is processed (Section 2),
• the recipients of personal data (Section 3),
• the period for which your personal data are stored (Section 4),
• the personal data safeguards in place (Section 5),
• your rights regarding the processing of your personal data and the way you can exercise those rights (Section 6),
• your obligation to provide personal data (Section 7),
• whether automated decision-making and profiling are used or not (Section 8), and
• the application of cookies on our web pages (Section 9).

1. Basic information about AUTO ZUBAK – ZAGREB Ltd. as the controller and/or processor

1.1. Identity and contact details: IKADOR LUXURY BOUTIQUE HOTEL & Spa, owned by AUTO ZUBAK – ZAGREB Ltd., Sesvete, Ljudevita Posavskog 7/a, PIN: 34970126847, Republic of Croatia; info@ikador.com; www.ikador.com

1.2. Contact details of the data protection officer: e-mail: info@ikador.com

2. How do we collect your data, on what basis do we process them and for which purposes do we use them?

We process your data in the following manner and for the following purposes:

2.1. Accommodation inquiries and reservations (via phone, e-mail, our website)

When you make an accommodation inquiry or a reservation request (via phone, e-mail or our website), you will be asked to provide such personal data which we need to give you the requested information, or confirm your reservation, for the purpose of signing an accommodation agreement.

The personal data that we collect when an accommodation inquiry is made are:

• first and last name of the guest,
• phone number,
• e-mail address,
• other data that we may need to assure relevant information.

The personal data that we collect when a reservation request is made are:

• first and last name of the guest (main guest or all guests arriving under the reservation),
• phone number,
• e-mail address,
• credit card details (booking guarantee) – type of credit card, credit card number, cardholder, date of expiry, CVC (optional).

To users of reservation system, we assure highest standards in personal data protection. For safe data processing between our user’s computers and our servers we use SSL certificate of a recognized issuer and communication encryption. All personal information that you provide in this way is transmitted entirely through a connection secured by encryption.

2.2. Registration at the accommodation facility (check-in)

Upon registration of guests at the accommodation facility (check-in), we collect and keep such personal data which we need to provide accommodation services, comply with our statutory obligation to collect, and enter the personal data associated with the hospitality services which we provide into a designated system (i.e., eVisitor – a guest check-in/check-out information system), as well as to ensure you the best possible service. If for some reason you are unable or unwilling to provide the requested data, you will not be able to use our accommodation services.

The personal data that we collect upon check-in are:

• first and last name,
• city, country, and date of birth,
• citizenship,
• identification document type, number, and place of issue,
• permanent address (current address),
• sex,
• date and time of arrival to and departure from the accommodation facility,
• e-mail address,
• phone number.

We keep the above-mentioned data in our databases and enter them into the eVisitor system. Pursuant to the relevant legal regulations, such data are stored and retained for a period of 10 years.
Upon registration at the accommodation facility (i.e., upon check-in), you may also be asked to provide certain additional data (e.g., your nutritional preferences, and similar), which will allow us to personalize the service provided to you. Additional data are marked as optional and are not required for the provision of accommodation services. However, without such additional data, we will not be able to provide you a personalized service.

2.3. Information about our services and products

Your personal data (e-mail address) that we have collected upon reservation or during registration at the hotel (check in), we will process a certain time in purpose of sending notices and information about special events, offers, benefits, services and news in our offer, and sending greeting cards for special occasions. As you are our user, we consider you showed an interest in our services and therefore we consider processing of your data as our legitimate interest. At any time, you can complain about this process by selecting the appropriate option to log out, as will be described in each notification received. This data is not necessary to assure accommodation service, but we need it if you want to receive the above-mentioned information and notices.

2.4. Video surveillance

Based on a legitimate interest and for the purpose of protecting people and property, we have put in place appropriate security and technical measures, i.e., we have installed a video surveillance system. The recordings obtained through video surveillance are kept for up to 6 months.

2.5 Inquiries via website

When making an inquiry through our website, we will ask you for information:

• first and last name,
• e-mail address.

The above data will be used for the purpose of sending you answers to your inquiry.

2.6. Satisfaction surveys/questionnaires

In principle, customer satisfaction surveys and questionnaires are anonymous, and you are therefore not required to provide your personal data when completing the same. The data collected in this manner will be used exclusively for the purpose of increasing the quality of service.

2.7 Complaints

Upon submitting a complaint, you will be required to provide the following data:

• first and last name,
• period of stay,
• number of guests who stayed at the facility,
• names of guests who stayed at the facility,
• reservation number,
• phone number,
• e-mail address.

We will use the above data for the purpose of sending an answer to your complaint, and we will store and retain such data for a period of 1 year from the date of receipt of the same in writing, in accordance with the relevant legal regulations.

2.8. Information from other sources

We can also obtain your personal data from other sources. Such other sources include our online partner agencies or travel agencies whose services you have used to book accommodation with us, which have later forwarded your personal data to us. We need the data obtained and processed in this manner for the purpose of confirming your reservation and signing an accommodation agreement with you.

Through our online partner agencies and travel agencies we collect the following data:

• first and last name of the guest (main guest or all guests arriving under a reservation),
• phone number (optional),
• e-mail address,
• country (optional),
• credit card details (booking guarantee) – type of credit card, credit card number, cardholder, date of expiry, CVC (optional).

3. Do we share your data with third parties – recipients of personal data?

3.1. The data collected from you and other data that concern you remain stored in AZZ’s databases. Your data may be shared with third parties:

a) in cases where we are required by law to disclose such data (e.g., obligation to submit data to the Tourist Board via the eVisitor system), or where disclosure of such data is necessary to respond to a legal action or to a request made by competent law enforcement institutions in connection with minor offense, criminal offense or court procedures (on the basis of a written order);
b) for the purpose of protecting our rights, privacy, safety or property, and that of the public;
c) for the purposes of administrative or technical support (e.g., to our partners performing accounting, information system maintenance, and similar operations), or for other business purposes with a view of facilitating transactions with you;
d) for the purpose of analyzing our data, conducting mobile analytical services, or for the purpose of maintaining or improving our services (subject to non-disclosure agreements, where appropriate);
e) for the purpose of finding appropriate legal remedies and limiting possible damage;
f) for the purpose of complying with the terms and conditions of any contract or our business relationship with you, or with the terms and conditions applicable to our online service (e.g., for the purpose of providing accommodation reservations services, for the purpose of providing accommodation services, and similar);
g) for the purpose of processing transactions with our branches, business partners, agents or agencies whose services you have used to arrange or request our services;
h) in other cases, subject to your consent.

3.2. Your personal data may be transferred to another legal entity in the event of a transfer, change of ownership, reorganization or merger of AUTO ZUBAK – ZAGREB Ltd. or a certain part of that company with another legal entity, or in the event of a transfer of the company’s property to another legal entity.

3.3. In cases where it shares your data with third parties, AZZ will require that such third parties refrain from using your data for purposes other than the agreed one and will also obligate its business partners to protect the confidentiality of personal data.

4. Period for which your personal data will be stored

4.1. The period for which your data will be stored/retained depends on the type/category of data, the purpose for which they were provided or collected, and the laws or legal obligations that AZZ is required to comply with. The personal data will be kept for a period prescribed by the law, or for a period deemed necessary to provide the requested service or perform the service or purpose for which you have given your consent, unless otherwise required by the law (e.g., in connection with an ongoing court procedure).

4.2. The data that refer to statutory and legal obligations of AZZ are stored for the period prescribed by the respective laws (e.g., the obligation to store and the period for which invoices and bookkeeping records (which, among other, contain your data) are to be retained is prescribed under the Accounting Act. Accordingly, such invoices and records are kept for 11 years.

4.3. The data in respect of which a specific storage (retention) period is not prescribed under any laws or regulations will be stored and retained for a period deemed reasonable depending on the category of the relevant data and the purpose for which they were collected in the first place. The data collected for a specific purpose will be used for that purpose only. After the expiry of the reasonable period of storage (retention) and after the relevant purpose is fulfilled, such data will no longer be actively used. However, anonymized data may continue to be used for statistical and marketing purposes, as well as for archiving and other analytical purposes. When providing such data, you will be informed of the applicable storage (retention) period, and the criteria in accordance with which such period is determined.

5. Personal data safeguards

5.1. When we process your personal data, we implement appropriate technical, organizational, and legal personal data protection safeguards to prevent unauthorized access and any further unauthorized processing. We collect only the data that are necessary for the purpose of processing and do not keep them longer than necessary or determined by applicable legal regulations.

6. Your rights regarding data processing

6.1. Regarding all your personal data stored in our databases and depending on the purpose and legal basis for storing and retaining such data, you have the following rights:

a) the right to access your personal data – you have the right to request and receive information from us regarding whether your personal data are being processed. If they are being processed, in addition to the right to access such data, you have the right to receive additional information regarding the purpose of processing, the categories of personal data that are being processed, the recipients or categories of recipients of personal data, the period for which personal data are stored (retained), the rights you have as data subjects, the right to lodge a complaint with a supervisory authority, the source of your personal data if not collected directly from you, the use (or non-use) of automated decision-making and profiling, as well as the transfer of personal data to third countries or international organizations;
b) the right to rectify or supplement your personal data – without undue delay, you will have the right to rectify inaccurate or supplement incomplete personal data which concern you;
c) the right to erase your personal data (“the right to be forgotten”) – you have the right to request that your personal data be erased at any time, and we will honor your request and act upon it if the relevant personal data are no longer needed for the purposes for which they were collected, if you withdraw the consent on the basis of which such data are processed, if you object to the processing performed on the basis of a legitimate interest, if the data are unlawfully processed, or if they are contrary to the provisions of the Regulation on any other basis. The right to erasure is not an unrestricted right. More precisely, we will not be able to honor your request and act upon it if there is a legal or some other obligation on the basis of which we are required to store and retain your personal data (e.g., storing and retaining invoices and book-keeping records), of which you will be informed timely;
d) the right to restrict the processing of your personal data – you will have the right to request that the processing of your personal data be restricted if you believe that the data are inaccurate (for a period allowing us to check the accuracy of the relevant data); if the processing is unlawful, without requesting erasure, however; if we no longer need the relevant data but you need them for the purpose of establishing, exercising or defending a legal claim; or if you have objected to the processing on the basis of a legitimate interest (e.g., restricting the use of an e-mail address for sending certain notifications/information).
e) the right to data portability – if you have provided your personal data in a structured, commonly used, and machine-readable format, you have the right to obtain such data and transmit them to another controller, provided the processing is based on consent or on a contract, and provided the processing is carried out by automated means. If technically feasible, you may request that your data be directly transmitted to another controller;
f) the right to object to the processing – you have the right to object to the processing performed on the basis of a legitimate interest at any time (e.g., direct marketing);
g) the right to lodge a complaint with the relevant supervisory authority – if you consider that any of your rights, which arise in connection with the processing of your personal data, is breached, you may lodge a complaint with the Personal Data Protection Agency (AZOP), Martićeva 14, 10 000 Zagreb, azop@azop.hr), in accordance with the applicable personal data regulations;
h) if the processing of your personal data is based on consent, you have the right to withdraw your consent at any time, where such withdrawal will take effect on the date it is made.

6.2. Requests to exercise the rights from the preceding section (except for requests under point g)) may be submitted in writing and sent to the address specified in Section 1 or via e-mail to info@ikador.com. If you cannot be identified as the owner of the relevant personal data, your request may be denied.

7. Are you required to provide your personal data to us?

7.1. When you request AZZ’s services, submit a particular request, ask for an offer to be made to you, file a complaint in connection with a particular agreement or execution thereof, you must provide to us such personal data that allow us to identify you as a user of our services, and to enter into and execute a contract with you, handle your request, or resolve your complaint. In such situations, provision of your personal data represents your legal and contractual obligation, and a precondition for entering into and executing a contract, for handling a request, or resolving a complaint.

8. Does AZZ use automated decision-making and profiling?

8.1. AZZ does not use automated decision-making.

9. Online security of personal data

9.1. On our website, your personal data are protected from unauthorized access, use or disclosure. The data stored on computer servers are kept in a controlled and safe environment, with safeguards against unauthorized access, use or disclosure in place.

10. Application of cookies

10.1. On our web pages we use cookies, i.e. textual files stored on the user’s computer by the internet server that they use. Such files are created when the browser on the user’s device uploads the visited web destination, which sends the data to the browser and creates a textual file (a cookie). The browser then retrieves such file and sends it to the web destination server (location, page) when the user returns to the same.

10.2. The cookies are used to allow the functioning of all website features as well as to ensure a better customer experience, and they may be either temporary (stored only during the visit to a web page) or permanent (they remain stored on the user’s computer even after the visit is ended).
Third-party cookies are used to obtain statistical data about how frequently our web pages are visited and in what manner they are used. The data which are collected include: the user’s IP address, browser data, language data, operating system data, and other standard data which are collected and analyzed on a massive scale and in an anonymized form, unless user data are concerned. AZZ’s web pages do not contain cookies that allow running of programs or installation of viruses onto your computer.

10.3. Where our web pages are concerned, we use the Google Analytics statistical services. The rules regarding third-party cookies are available on the Google Analytics site. From time to time, we may also collect information about the manner in which the users use our web pages using other tools similar to Google Analytics.

10.4. Disabling cookies: If you do not want to accept cookies, you can easily delete (or disable) them on your computer or mobile device by adjusting your browser settings. You can find out more about the way cookies are managed on your browser pages or on www.allaboutcookies.org.

10.5. Since the purpose of cookies is to improve the functioning and allow the use of our web pages and the related processes, please bear in mind that by disabling or deleting cookies you might affect the proper functioning of our website features or cause them to function or appear differently in your browser.

11. Amendments to the Privacy Notice

Privacy Notice is regularly updated if we consider it necessary. You will be informed about all changes in a timely manner via our website in accordance with the principle of transparency.

The Privacy Notice was updated on March 19, 2021., and it is applied since.