Privacy Policy

NOKUMO SERVICES d.o.o. Bosiljevska ulica 2, 10000 Zagreb, Croatia Tax ID (OIB): 57497980030 Email: support@nokumo.net Phone: +385 1 4641 264

We follow the highest standards of data protection under GDPR (EU Regulation 2016/679) and applicable Croatian implementation law.

From Users (accommodation operators): - Company name, address, and tax identification number - Contact person name, email, and phone number - Payment and banking information for subscription billing - Accommodation property details (name, address, room inventory)

From Guests (travellers): - Full name and residential address - Email address and phone number - Passport or ID document details (for regulatory guest registration) - Payment card information (tokenised via Stripe — never stored on Nokumo servers) - Booking history and preferences

Technical data: - Browser type, IP address, device information - Platform usage analytics (anonymised, via Pulserio AG)

We process personal data on the following legal bases:

Contract fulfillment (Art. 6(1)(b)): Processing necessary to provide the Nokumo platform — reservation management, invoicing, channel synchronisation, fiscal compliance.

Legal compliance (Art. 6(1)(c)): Processing required by law — guest registration with eVisitor (Croatia), AJPES/eTurizem (Slovenia), fiscal receipt generation for tax authorities.

Legitimate interests (Art. 6(1)(f)): Platform analytics and security monitoring.

Consent (Art. 6(1)(a)): Marketing emails, non-essential cookies. Consent can be withdrawn at any time with equal ease.

• Providing and maintaining the Nokumo platform
• Processing reservations and generating fiscal receipts
• Guest registration with Croatian eVisitor and Slovenian AJPES/eTurizem systems
• Sending automated operational emails (booking confirmations, pre-arrival communications)
• Customer support and onboarding
• Billing and invoice generation
• Platform security monitoring and fraud prevention

We do not sell User or Guest data under any circumstances.

We share data only where necessary:

Sub-processors: Stripe (payment processing), Microsoft Azure (infrastructure), Pulserio AG (anonymised analytics). All sub-processors are bound by data processing agreements compliant with GDPR.

Regulatory authorities: eVisitor (Croatian Ministry of Interior), FURS (Slovenian Tax Authority), Croatian Tax Administration — data shared only as required by law for fiscal and tourist registration compliance.

Professional advisors: Accountants and legal counsel bound by professional confidentiality.

A complete sub-processor list is available on request at security@nokumo.net.

All data is stored within EU data centres operated by Microsoft Azure (Frankfurt, Germany and Amsterdam, Netherlands). Data never leaves EU jurisdiction.

Retention periods: - Reservation records: 10 years (legal requirement for fiscal documentation) - Guest registration records: 5 years (regulatory requirement) - Email correspondence: Retained for the duration of the business relationship - Anonymised analytics data: Up to 3 years - Account data: Retained for the duration of the subscription + 30 days for export

On account termination, all data is permanently deleted within 30 days of the export window closing.

• AES-256 encryption for all data at rest
• TLS 1.3 for all data in transit
• Payment card data tokenised via Stripe — never stored on Nokumo servers
• ISO 27001-aligned information security management system
• Annual penetration testing by independent security researchers
• Incident response commitment: 4-hour notification for material breaches
• Role-based access controls with per-property staff permissions
• All sub-processors bound by contractual security requirements

Under GDPR, you have the right to:

• **Access:** Request a copy of all personal data we hold about you
• **Rectification:** Request correction of inaccurate data
• **Erasure:** Request deletion of your data (subject to legal retention requirements)
• **Restriction:** Request that we limit processing in certain circumstances
• **Portability:** Receive your data in a machine-readable format
• **Object:** Object to processing based on legitimate interests
• **Withdraw consent:** At any time, without affecting prior processing

To exercise any right, contact support@nokumo.net. We respond within 30 days.

We use essential cookies for platform operation and authentication. Analytics cookies (Pulserio AG) are used to understand platform usage — data is anonymised and you may object at any time.

A full cookie policy is available at nokumo.net/cookies.

For privacy questions or to exercise your rights:

Email: support@nokumo.net Phone: +385 1 4641 264 Address: Bosiljevska ulica 2, 10000 Zagreb, Croatia

If you believe your rights have not been respected, you may lodge a complaint with the Croatian Personal Data Protection Agency (AZOP): azop.hr