Lux Nautic

Privacy Policy

Last updated: 16 May 2026
Effective date: 16 May 2026

This Privacy Policy explains how Lux Nautic (“we”, “us”, “our”) collects, uses, shares and protects personal information when you visit our website at luxnautic.com, request a quote, book a boat tour, contact us, or otherwise interact with us. We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the ePrivacy Directive, and the Croatian Personal Data Protection Implementation Act.

1. Who we are (Data Controller)

The data controller responsible for your personal data is:

Luxnautic d.o.o.
Croatia (registered address available on request)
OIB / VAT: available on request
Email: info@luxnautic.com
Phone: +385 99 5419 649

We have not appointed a Data Protection Officer because our processing is not of a scale or nature that requires one under Article 37 GDPR. You can contact us at the email above for any data-protection question.

2. Scope of this policy

This policy applies to personal data we collect:

  • through our website luxnautic.com and its language versions (/de/, /hr/),
  • through booking and contact forms on the website,
  • when you communicate with us by email, phone, or messaging apps (such as WhatsApp),
  • in person at ACI Marina Rovinj or aboard our vessels.

It does not apply to third-party websites we link to. Those sites have their own privacy policies.

3. What information we collect

3.1 Information you provide directly

| When | What we collect | Purpose |
|---|---|---|
| Booking a tour (booking form) | Full name, email address, phone number, number of guests, requested date and trip, special requests, language preference | To process and confirm your booking, communicate with you, and prepare for the tour |
| Paying with card (Stripe) | Card details — handled directly by Stripe; we receive only the transaction reference, amount, and last 4 digits of the card | To process payment securely |
| Paying with PayPal | PayPal transaction details — handled directly by PayPal; we receive only the transaction reference and amount | To process payment securely |
| Contact form / email | Your name, email, message contents | To answer your enquiry |
| Direct messaging (WhatsApp, phone, email) | Whatever you choose to share with us | To answer you and arrange your trip |

We do not ask for, and do not want to receive, special-category personal data (such as health information, beliefs, etc.). If you choose to share such information with us — for example a medical condition relevant to the trip — we will use it only for the purpose you shared it and we will not retain it longer than necessary.

3.2 Information collected automatically

When you visit our website, certain information is collected automatically:

  • Server log data, recorded by our hosting provider Infomaniak (Switzerland): your IP address, timestamp, requested URL, referring URL, user agent, response status. Retained for security and troubleshooting.
  • Cookies and similar technologies, only after you give consent through our cookie banner. See §6 below for details.
  • Analytics data (if you consent): which pages you view, how long you spend on them, your approximate location (city-level), and the device and browser you use.
  • Advertising data (if you consent): how you arrived at the site (search ad, organic, referral), conversion events such as a completed booking enquiry, and identifiers used to measure ad performance.

3.3 Information from third parties

If you reach us through a third-party platform (e.g. an Online Travel Agency, a tourism portal, or a referral partner), we may receive your contact details and booking request directly from that platform under their terms.

4. How we use your information and on what legal basis

We process your personal data only when we have a valid lawful basis under Article 6 GDPR.

| Purpose | Categories of data | Legal basis (GDPR Art. 6) |
|---|---|---|
| Processing your booking and providing the boat-tour service | Contact, booking, payment data | Art. 6(1)(b) — performance of a contract |
| Sending booking confirmations, reminders, and trip-related notifications by email and SMS | Contact data | Art. 6(1)(b) — performance of a contract |
| Responding to enquiries you send us | Contact data | Art. 6(1)(b) — pre-contractual measures, or Art. 6(1)(f) — legitimate interest |
| Issuing invoices and meeting accounting and tax obligations | Booking, payment, identity data | Art. 6(1)(c) — legal obligation (Croatian fiscal law) |
| Keeping our website secure (firewall, malware scanning, spam detection) | IP address, user agent, behavioural signals | Art. 6(1)(f) — legitimate interest in protecting our website and customers |
| Measuring website usage and improving content (analytics) | Cookies, page-view data, device data | Art. 6(1)(a) — your consent |
| Advertising and remarketing | Cookies, conversion data, hashed contact data (enhanced conversions) | Art. 6(1)(a) — your consent |
| Replying to you on WhatsApp or by phone | The information you share in those channels | Art. 6(1)(f) — legitimate interest in customer service |
| Asking for a public review after your trip (optional) | Email address | Art. 6(1)(f) — legitimate interest; you can object at any time |

We do not make automated decisions or carry out profiling that has legal or similarly significant effects on you.

5. Who we share your information with

We share personal data only with the recipients listed below, only for the purposes described, and only under written agreements (data-processing agreements) where the law requires.

| Recipient | Role | What it sees | Privacy info |
|---|---|---|---|
| Stripe Payments Europe Ltd. (Ireland) | Card payment processor | Your name, email, billing address, full card details (entered directly on Stripe’s hosted form) | stripe.com/privacy |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) | Alternative payment processor (when you choose PayPal) | Your PayPal account details | paypal.com/privacy |
| Infomaniak Network SA (Switzerland) | Web hosting and email | Everything on our site and our outgoing email | infomaniak.com/en/legal/privacy-policy |
| Twilio Inc. (USA, EU data region) | SMS booking notifications (only if you opted in) | Your phone number and the SMS content | twilio.com/legal/privacy |
| Google Ireland Ltd. (Ireland) — only after consent | Web analytics (Google Analytics 4), advertising and conversion measurement (Google Ads), tag management (Google Tag Manager) | Cookies, page views, device data, hashed contact data for enhanced conversions | policies.google.com/privacy |
| Defiant Inc. (Wordfence) and BlogVault Inc. (MalCare) (USA) | Website security and malware scanning | IP addresses, attack signatures, traffic patterns | wordfence.com/privacy-policy · blogvault.net/privacy |
| Croatian Tax Administration (Porezna uprava) | Fiscalisation of invoices | Booking and invoice data as required by law | |
| Banks, accountants, lawyers | Financial and legal services | Only as needed for a specific purpose | |
| Skippers, hostesses and crew | Operational | Your name, contact, trip details | Bound by confidentiality |

We do not sell personal data to anyone and we do not disclose it to third parties for their own marketing.

6. Cookies and similar technologies

When you first visit our website you see a cookie banner managed by our consent-management platform (Complianz). The banner asks you to allow or deny:

  • Functional cookies — strictly necessary for the website to work (e.g. remembering your cookie choice, holding a booking session, language preference). These are always active and cannot be refused.
  • Statistical cookies — Google Analytics 4. Only set if you give consent.
  • Marketing cookies — Google Ads, conversion tracking. Only set if you give consent.

We implement Google Consent Mode v2. If you deny consent, Google services do not set identifiers and we receive only aggregated, anonymised modelling.

You can change your choice at any time from the cookie preferences link in the website footer.

For a current list of every cookie set on our site, see the Cookie Settings link in the footer (provided by Complianz).

7. International data transfers

Some of our processors are based outside the European Economic Area (EEA), in particular in the United States and Switzerland. We rely on the following safeguards under Chapter V GDPR:

  • Switzerland (Infomaniak): the European Commission has adopted an adequacy decision for Switzerland, so transfers do not require additional safeguards.
  • United States (Google, Stripe US affiliates, Wordfence, BlogVault, payment-card networks, etc.): transfers are covered by the EU–US Data Privacy Framework for participating providers, and otherwise by the European Commission’s Standard Contractual Clauses (2021/914/EU) signed with the processor.
  • PayPal Luxembourg keeps EU data within the EEA in principle.

Copies of the relevant transfer safeguards can be obtained from us on request.

8. How long we keep your information

We keep personal data only for as long as we need it for the purpose we collected it, and then we delete or anonymise it.

| Data | Retention |
|---|---|
| Booking enquiries that did not become a booking | 12 months from your last contact, then deleted |
| Confirmed bookings (name, contact, trip details) | 24 months after the trip, for customer-service and dispute purposes |
| Invoicing and accounting records | 11 years (Croatian Accounting Act / General Tax Act minimum) |
| Email correspondence | 24 months from the last message |
| Web server logs | 30 days |
| Security and firewall logs (Wordfence) | 90 days |
| Analytics data (Google Analytics 4) | 14 months (default GA4 retention setting) |
| Advertising / conversion data (Google Ads) | 13 months |
| Cookies | Varies; see Cookie Settings for each cookie’s lifetime |

When retention ends we either delete the data or anonymise it so that you can no longer be identified.

9. Your rights

Under the GDPR you have the following rights in respect of your personal data:

  • Right of access (Art. 15) — to know what we hold about you and obtain a copy.
  • Right of rectification (Art. 16) — to correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”, Art. 17) — to ask us to delete your data, subject to retention obligations.
  • Right to restriction (Art. 18) — to ask us to limit our processing of your data while a dispute is resolved.
  • Right to data portability (Art. 20) — to receive the data you provided in a structured machine-readable format.
  • Right to object (Art. 21) — to object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent (Art. 7) — for anything we process on the basis of your consent, at any time, without affecting prior processing.

To exercise any of these rights, contact us at info@luxnautic.com. We respond within one month of your request, as required by Article 12 GDPR. We may ask you for proof of identity if we cannot identify you from the data we already hold.

You also have the right to lodge a complaint with the supervisory authority:

Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10 000 Zagreb, Croatia
Phone: +385 1 4609-000 · Email: azop@azop.hr
Website: azop.hr

10. Security

We protect personal data with technical and organisational measures appropriate to the risk, including:

  • TLS / HTTPS for all data in transit between you and our website.
  • Encryption at rest for backups (provided by our host).
  • Access controls: only authorised staff can access the booking system, and each user has a unique account with strong passwords and two-factor authentication where supported.
  • Web Application Firewall, malware scanning and brute-force protection (Wordfence, MalCare).
  • Tokenised payments: full card details are entered on Stripe’s hosted page and never reach our servers.
  • Regular software updates and offsite backups.
  • Staff confidentiality obligations.

No method of internet transmission or electronic storage is 100% secure. In the unlikely event of a personal-data breach we will notify the supervisory authority within 72 hours, and you directly if the breach is likely to result in a high risk to your rights and freedoms, as required by Articles 33–34 GDPR.

11. Children

Our services are intended for adults aged 18 and over. We do not knowingly collect personal data from children. If you are a parent or guardian and you believe your child has provided personal data to us, please contact us and we will delete it.

12. Links to other websites

Our website may contain links to third-party websites (for example tourism portals or social-media profiles). We are not responsible for their content or privacy practices. Please read their policies before sharing personal data with them.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top. If the changes are material we will give you a more prominent notice (for example a banner on the website or, for active customers, an email).

14. How to contact us

If you have any question about this Privacy Policy or about how we process your personal data, please contact us:

Luxnautic d.o.o.
Croatia (registered address available on request)
Email: info@luxnautic.com
Phone: +385 99 5419 649

This policy is provided in English, German and Croatian. In case of a discrepancy between language versions, the English version prevails.