1. Who we are
NATKA is the operating brand for accommodation services run by the Osmanović family in Rovinj, Croatia. For any question about your personal data or this policy, contact us at:
- Email: [email protected]
- Phone: +385 95 399 8089
References in this document to "we", "us", or "NATKA" refer to the accommodation business operated by the Osmanović family from Rovinj, Croatia.
2. What this policy covers
This Privacy Policy explains how we collect, use, store, share, and protect personal data when you:
- visit the NATKA website or its language variants;
- make a reservation at one of our properties — Hotel Boutique Natka, Bella Natka, or Villa Natka — directly via our Rentlio booking widget, by email, or by phone;
- stay at one of our properties (in-stay data, e.g. registration form, identification);
- contact us with a general inquiry, request, or complaint;
- subscribe to any future communications we may offer.
For bookings made through third-party booking platforms (Booking.com, etc.), the platform is the initial data controller for booking data. We become a controller for the data the platform shares with us as your accommodation provider.
3. Personal data we collect
Data you give us directly
- Full name and contact details (email, phone, postal address)
- Identification (passport or ID card number, country of issue) — collected at check-in as required by Croatian law for guest registration
- Payment-card details (processed by our payment provider; we do not store full card numbers)
- Travel details (arrival/departure, number of guests, child ages where relevant, special requests)
- Communication content (the messages, emails, and call notes you exchange with us)
Data we collect automatically
- Device and browser information (IP address, browser type, OS, device type)
- Pages visited, time on page, navigation paths (where analytics are enabled)
- Cookies and similar technologies (see Section 8)
Data we receive from third parties
- Booking platforms (e.g. Booking.com) when you book through them: name, contact, dates, room type, payment status
- Payment processors: confirmation that payment has been authorised
- Channel-management software (Rentlio): aggregated booking data
4. Why we collect it (purposes and legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Process and manage your reservation and stay | Performance of contract |
| Comply with Croatian guest-registration law (eVisitor) | Legal obligation |
| Issue invoices and meet tax-record obligations | Legal obligation |
| Respond to inquiries, requests, and complaints | Legitimate interest / contract |
| Improve our website and services | Legitimate interest |
| Send transactional emails (booking confirmations, pre-arrival info) | Performance of contract |
| Send marketing communications (if and only if offered, with your consent) | Consent |
| Defend or pursue legal claims | Legitimate interest / legal obligation |
5. Croatian guest registration (eVisitor)
Under Croatian law, accommodation providers must register every guest staying overnight in the eVisitor system, operated by the Croatian National Tourist Board. We submit the legally required guest information — name, date of birth, nationality, ID document type and number, dates of stay — to eVisitor. This is a legal obligation under the Croatian Hospitality Industry Act and the law on tourist tax. You cannot opt out of this registration if you stay at a Croatian accommodation.
6. Sharing your data
We share personal data only where necessary, and only with:
- eVisitor (Croatian National Tourist Board) — guest registration as required by law.
- Tax authorities — invoice and stay records as required by law.
- Booking platforms (Booking.com, etc.) — communication and modifications related to bookings made through that platform.
- Rentlio — our booking-engine and channel-management provider.
- Payment processors — to process payments at the time of booking and on site.
- Email and IT service providers — hosting, email delivery, and analytics, where we use them.
- Legal and professional advisors — accountants, lawyers, where reasonably required.
- Public authorities — police or courts where required by law.
We do not sell personal data to anyone, ever.
7. International transfers
Most of our processors are located within the European Economic Area (EEA). Where a processor is outside the EEA (for example, a US-based analytics or email provider), we rely on standard contractual clauses or other approved transfer mechanisms under GDPR.
8. Cookies and embedded third-party content
We do not use analytics, advertising, or tracking cookies. We do not run Google Analytics, Meta Pixel, or any similar tool.
What the site uses:
- Local storage (first-party) — a small flag to remember that you dismissed the cookie notice, and any language preference. This is not a cookie and is not shared with anyone.
- Embedded Google Maps — the contact page shows a map for each property. These embeds are not loaded by default. You click "Show map" to load them, at which point Google sets its own cookies (
NID,CONSENT, and similar) under its own privacy policy. If you never click "Show map", no Google cookies are set. - Rentlio booking engine — when you submit the booking form, we open Rentlio's booking page in a new tab. Any cookies set there are governed by Rentlio's own privacy policy; they are not set on our domain.
You can clear local storage and cookies at any time via your browser settings. Clearing them will make the cookie notice appear again and reset the maps-consent click.
9. Data retention
We keep personal data only as long as needed for the purposes for which it was collected, and for any longer period required by law:
| Data | Retention |
|---|---|
| Booking and stay records | At least 11 years (Croatian tax-record obligation) |
| Invoices | 11 years (Croatian tax law) |
| eVisitor records | As required by Croatian law |
| Inquiries via the contact form (no booking made) | Up to 24 months from last contact |
| Marketing consent (if collected) | Until you withdraw consent |
| Website analytics (anonymised/pseudonymised) | Up to 26 months |
10. Security
We protect personal data with reasonable technical and organisational measures: access controls, secure hosting, TLS encryption for data in transit, and limited access on a need-to-know basis. No system is perfectly secure; we work to minimise risk and respond promptly if anything goes wrong.
11. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — ask us to delete data, subject to legal-retention obligations.
- Restriction — ask us to limit processing in certain circumstances.
- Portability — receive your data in a portable format.
- Object — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — at any time where processing is based on consent.
- Lodge a complaint — with the Croatian Personal Data Protection Agency (AZOP), www.azop.hr.
To exercise any right, write to [email protected]. We respond within 30 days.
12. Children
Our properties welcome children, but our website is not directed at children under 16. We do not knowingly collect personal data from children under 16 without parental consent.
13. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be flagged on the homepage banner.
14. Contact
Questions about this Privacy Policy or your personal data:
- Email: [email protected]
- Phone: +385 95 399 8089
Footer rendered globally.