Privacy Policy
How we collect, use, and protect your personal data.
Last updated: 2026-06-09
Apartments Veronika (https://aptveronika.com) is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have under GDPR and applicable Croatian law.
1. Data controller
Apartments Veronika
Makarska, Croatia
Email: info@aptveronika.com
Website: https://aptveronika.com
We are the data controller for all personal data collected through this website. Contact us at the email above for any data-related requests.
2. Data we collect
Booking requests
First name, last name, email, phone (optional), country, check-in/out dates, number of guests, promo code, special requests.
Guest account
First name, last name, email, hashed password. We never store passwords in plain text.
Contact form
Name, email, phone (optional), subject, message.
Reviews
Name, country, review text, scores — submitted voluntarily. Approved reviews may be published publicly.
Technical data
IP address, browser type, visited pages via server logs; anonymised usage data via Google Analytics 4 with your consent.
3. Legal basis (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Processing booking requests, managing stays | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails | Contract performance (Art. 6(1)(b)) |
| Managing guest accounts | Contract performance (Art. 6(1)(b)) |
| Responding to contact form enquiries | Legitimate interest (Art. 6(1)(f)) |
| Publishing approved reviews | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention, server logs | Legitimate interest (Art. 6(1)(f)) |
| Google Analytics 4 | Consent (Art. 6(1)(a)) |
4. How we use your data
- To evaluate, approve, or decline your booking request
- To send transactional emails: booking received, confirmed or declined, pre-arrival info, review request
- To manage your guest account and booking history
- To publish approved reviews on the website
- To respond to your contact form enquiries
- To maintain the security and stability of the website
- To understand and improve how visitors use the website (analytics — with consent only)
We do not use your data for automated decision-making or profiling.
5. External API
This website operates a write-only External API that allows authorised external systems (channel managers, property management systems) to push availability and pricing data. This API does not expose, transmit, or share any guest personal data, booking data, or financial data.
6. Email communications
We send transactional emails via PHPMailer using an admin-configured SMTP provider. We do not send marketing emails without your explicit consent.
7. Data retention
| Data type | Retention period |
|---|---|
| Booking data | 5 years (legal obligation), then permanently deleted |
| Guest account data | Until you request deletion |
| Contact form messages | 12 months, then deleted |
| Published reviews | While published; deleted on request |
| Server logs | 30 days, then automatically deleted |
| Google Analytics data | 14 months (Google default) |
8. Third-party processors
| Processor | Purpose | Location |
|---|---|---|
| Spaceship (web hosting) | Website hosting, file storage, database | EU |
| SMTP provider (admin-configured) | Transactional email delivery | EU/EEA |
| Google LLC (Analytics 4) | Anonymised website analytics | USA (SCCs) |
We do not sell your data to third parties.
9. Cookies
We use cookies as described in our Cookie Policy. Manage your preferences at any time via Manage Cookies.
10. Your rights under GDPR
- Right of access — request a copy of your personal data.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure — ask us to delete your data, subject to legal retention obligations.
- Right to restrict processing — ask us to pause processing in certain circumstances.
- Right to data portability — receive your data in a machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — withdraw analytics consent at any time via cookie settings.
To exercise any of these rights, email us at info@aptveronika.com. We will respond within 30 days.
11. Supervisory authority
If you believe your data has not been handled correctly, you may lodge a complaint with the Croatian Data Protection Agency (AZOP):
Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10 000 Zagreb, Croatia
Web: azop.hr
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect any changes. Continued use of the website after changes constitutes acceptance.