1. Introduction
KAPETAN LUKA KRILO d.o.o. (OIB: 00186984900), with its registered office at Poljička cesta Suhi Potok 28, 21314 Krilo Jesenice (hereinafter: "Data Controller" or "we"), is committed to protecting the privacy and personal data of all users of our services and visitors to our website www.krilo.hr.
This Privacy Notice explains how we collect, use, process, store, and protect your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR) and the Act on the Implementation of the General Data Protection Regulation of the Republic of Croatia.
Our cookie usage policy is also available on our website, detailing which cookies we use and for what purposes.
2. Personal Data We Collect
In the course of providing our services, we collect the following categories of personal data:
- Identification data: first and last name, date of birth (for children to determine discount eligibility).
- Contact data: email address, telephone number, postal address.
- Transaction data: details of purchased travel tickets, route, date and time of travel, payment method (we do not store credit card data – payment is processed through a certified payment service provider).
- Communication data: content of your inquiries, complaints, and other correspondence with us.
- Technical data: IP address, browser type, operating system, cookie data, and data about your use of our website (collected through analytical tools).
3. Purpose and Legal Basis for Processing
We process your personal data for the following purposes:
- Performance of the transport contract (Art. 6(1)(b) GDPR): processing reservations, issuing travel tickets, notifying of schedule changes, processing refund requests.
- Compliance with legal obligations (Art. 6(1)(c) GDPR): maintaining business books and records in accordance with tax and accounting regulations, fulfilling obligations to maritime authorities.
- Legitimate interests (Art. 6(1)(f) GDPR): improving the quality of our services, analyzing website usage, preventing fraud, ensuring safety on vessels.
- Consent (Art. 6(1)(a) GDPR): sending marketing communications and promotional offers (only with your explicit consent, which you may withdraw at any time).
4. Data Protection Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- SSL/TLS encryption of all data transmitted through our website,
- restricted access to personal data only to authorized employees who need it to perform their duties,
- regular updating of security systems and software,
- pseudonymization and anonymization of data where possible,
- regular testing and assessment of the effectiveness of technical and organizational measures to ensure the security of processing,
- use of certified payment service providers (PCI DSS Level 1) for processing payment transactions.
5. Sharing Data with Third Parties
We may share your personal data with the following categories of recipients:
- payment service providers (Monri Payment Gateway) for processing payment transactions,
- IT service and hosting providers for technical support and system maintenance,
- analytics service providers (Google Analytics) for website usage analysis,
- competent authorities and courts where legally required or to protect our legitimate rights.
All our data processors are committed to protecting personal data in accordance with the GDPR and apply appropriate technical and organizational protection measures.
6. Data Retention Period
We retain your personal data only for as long as necessary to fulfill the purpose for which it was collected:
- transaction and booking data: 11 years in accordance with tax regulations,
- communication data (inquiries, complaints): 3 years from the last communication,
- marketing data: until consent is withdrawn,
- technical data and cookie data: in accordance with the periods specified in the cookie policy.
After the retention period expires, personal data is deleted or anonymized.
7. Your Rights Under the GDPR
As a data subject, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): you have the right to obtain confirmation as to whether your personal data is being processed and access to that data and information about the processing.
- Right to rectification (Art. 16 GDPR): you have the right to request the rectification of inaccurate personal data or the completion of incomplete data.
- Right to erasure (Art. 17 GDPR): you have the right to request the erasure of your personal data where there is no longer a legal basis for processing.
- Right to restriction of processing (Art. 18 GDPR): you have the right to request restriction of processing of your personal data in certain circumstances.
- Right to data portability (Art. 20 GDPR): you have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 GDPR): you have the right to object to the processing of your personal data based on legitimate interests.
- Right to withdraw consent: where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.
8. Data Protection Contact
For any questions regarding the protection of your personal data, to exercise your rights, or to submit a request, you may contact us at:
- Email: support@krilo.hr
- Address: KAPETAN LUKA – KRILO, Poljička cesta Suhi Potok 28, 21314 Krilo Jesenice, Republic of Croatia
We will respond to your request without undue delay and no later than 30 days from receipt of the request.
If you believe that the processing of your personal data is in violation of the GDPR, you have the right to lodge a complaint with the supervisory authority – the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, www.azop.hr.
Last updated: 6 March 2024
