Privacy policy
Data Controller
SmartIT Integrated Software Solutions Ltd.
Bitoljska ulica 8
10000 Zagreb
OIB: 70983205378
Tel: +385 98 299 068
Mail: luka.betevic@smartit.hr
Data protection contact:
+385 99 8793 471
Data Protection
Regarding data protection, the company adheres to the highest standards of protection. It operates under the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) and the Law on the Implementation of the General Data Protection Regulation (NN 42/18).
The company monitors changes related to personal data protection and periodically updates its Privacy Policy accordingly.
Information Collection
The company collects only information necessary for providing services and business needs.
Information is collected from Users and Guests. Some data is collected directly from Users or Guests, while some are collected automatically.
From Users, the company collects data such as:
The company only collects information necessary for providing services and business needs.
Information is collected from Users and Guests. Some data is collected directly from Users or Guests, while some are collected automatically.
From Users, the company collects data such as:
- name and surname or company name, residential address or headquarters of the legal entity,
- personal identification number,
accommodation data such as the address of the accommodation facility and its characteristics, - data necessary for transactions for payment of company services,
- contact information such as email, and similar.
From Guests, the company collects data necessary to reserve accommodation with the User, and such data includes:
- name and surname,
- address,
- email and other contact information,
- data necessary for the realization of the transaction for payment of accommodation, and similar.
Legal bases for the processing of personal data:
- Data is necessary for fulfilling contractual obligations – data is required for processing reservations, informing Guests or Users, and fulfilling other contractual obligations.
- Data is necessary to fulfill the legal requirements of the controller
- data required for accounting purposes, tax obligations, and similar.
- Consent – collection through cookies, for marketing purposes, and similar.
- Legitimate interest – informing about changes, providing timely information, informing about offers and programs, enabling business with third parties.
Data Sharing
The company does not sell User and Guest data under any circumstances.
The company shares data only to the extent necessary for optimal provision of services and proper business operation.
Employees of the company who are involved in the operation of the Application have access to the data. The company also shares data with external partners such as accounting services or transaction processing services with whom we have agreements or contractual clauses on personal data protection. The company expects all partners to apply data protection rules.
The company also shares data with competent authorities when requested to prevent or detect malpractices and other criminal offenses, fulfilling tax obligations, legal disputes to prove, and similar.
Data Retention
The company retains data for the duration of the contractual relationship, data that may be needed for evidentiary purposes in case of any judicial proceedings, and data necessary for keeping accounting records, which the company keeps following legal regulations.
The company keeps all email correspondence permanently to prove contractual relationships and other business needs.
Data Subjects' Rights (Users and Guests)
At the time of collecting personal data, the Company provides the data subject with all of the following information:
- The identity and contact details of the Company and (if applicable), the Company's representative
- Contact details of the data protection officer,
- The purposes of processing for which personal data are used as well as the legal basis for processing;
- If the processing is based on the legitimate interests of the Company, the legitimate interests pursued by the Company or a third party;
- Recipients or categories of recipients of personal data, if any;
- The fact that the Company intends to transfer personal data to a third country or international organization;
- The period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
- The right to request access to personal data and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to such processing as well as the right to data portability;
- The data subject has the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to complete incomplete personal data, including using providing a supplementary statement.
Anyone who believes that any right guaranteed by the Law on the Implementation of the General Data Protection Regulation and the General Data Protection Regulation has been violated can file a request with the Agency to determine the violation of rights.
For any questions regarding the exercise of rights from this chapter, data subjects can contact the Data Controller using the contacts provided in this document.
Security Measures
The Company implements appropriate technical and organizational measures such as:
- Pseudonymization and encryption of personal data;
- Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, including regular system updates;
- Timely restoration of availability of personal data and access to them in the event of a physical or technical incident, for which purpose we maintain secure backups;
- Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
- The Company enters into appropriate contracts with its partners to whom it transfers personal data, which may be standalone contracts, Company policies, or part of a business relationship contract, ensuring the protection of personal data by the Company and its partners.
- The Company maintains records of data processing.
Data Transfer to Third Countries
Any transfer of personal data processed or intended for processing after transfer to a third country or international organization shall only occur if the data controller and processor act by the conditions of the General Regulation.
All transfers to third countries are carried out in accordance with legal regulations and only to the extent necessary for optimal provision of services (name and surname, contact information), or for making reservations and complying with contractual and legal obligations.
For any additional questions, data subjects can contact the Data Controller using the contacts provided in this document.
Responsibility for Data Accuracy
The User and Guest are fully responsible for the accuracy of the data they provide to use the service and the Application, and if the data subject reports inaccuracies or changes in the data, the company will act in accordance with the Regulation and this document.
The company bears no responsibility for incomplete, untrue, or generally inaccurate data.
Newsletter
Personal data obtained by the company for the purpose of the functioning of the Application, optimal provision of services, or accommodation reservations may be used for sending advertising content, but in that case, the company will request consent from the User or Guest through a separate consent.
Consent
Although the company primarily collects data based on contracts, there may be situations, such as sending newsletters, when the company will request consent. When processing is based on consent, the company must be able to prove that the data subject has given consent for the processing of his or her personal data. Consent must be given by a clear affirmative action expressing the data subject's voluntary, specific, informed, and unambiguous consent to the processing of personal data concerning him or her. Predefined statements such as pre-ticked boxes, silence, and the like, are not considered consent.
The data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent must be as easy as giving it.
Communication
In case of any questions regarding the processing and protection of personal data, each data subject can contact the company via email: info@nokumo.net or info@smartit.hr.