Privacy Policy

1. Introduction

Tendo d.o.o. ("tendo.hr", "we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website tendo.hr or use our services.

We comply with the General Data Protection Regulation (GDPR) and applicable Croatian data protection legislation. By using our website, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

3. Information We Collect

3.1 Information You Provide Directly

• Account registration: Name, email address, phone number, password
• Booking inquiries: Name, contact details, travel preferences, group size
• Contact forms: Name, email, message content
• Reviews: Name, travel dates, review content

3.2 Information Collected Automatically

• Usage data: Pages visited, time spent, clicks, search queries
• Device information: Browser type, operating system, screen resolution
• IP address: Used for security, fraud prevention, and approximate location
• Cookies and tracking: Session cookies, analytics cookies (with your consent)

3.3 Information from Third Parties

We may receive information from third-party service providers such as payment processors, when you interact with our booking and payment systems.

4. How We Use Your Information

We use the information we collect to:

• Process and manage your bookings and inquiries
• Communicate with you about your reservations
• Provide customer support and respond to your requests
• Send you relevant updates and promotional materials (with your consent)
• Improve our website, services, and user experience
• Comply with legal obligations and resolve disputes
• Detect and prevent fraudulent activity
• Analyse website traffic and usage patterns (analytics)

5. Legal Basis for Processing

We process your personal data on the following legal grounds:

• Contract performance: Processing necessary to fulfil a booking or service agreement with you
• Legal obligation: Processing required to comply with applicable laws
• Legitimate interests: Analytics, fraud prevention, and improving our services
• Consent: Marketing communications and non-essential cookies (you may withdraw consent at any time)

6. Cookies

We use cookies to enhance your browsing experience. Cookies are small text files stored on your device that help us provide a personalised experience and analyse how you use our website.

6.1 Types of Cookies We Use

• Strictly necessary cookies: Required for the website to function. These cannot be disabled.
• Analytics cookies: Help us understand how visitors interact with our website (Umami Analytics — only with your consent).
• Session cookies: Maintain your login session and preferences during your visit.

You can manage your cookie preferences through the cookie consent banner displayed on your first visit, or by adjusting your browser settings.

7. Data Sharing and Disclosure

We do not sell, trade, or rent your personal data to third parties. We may share your information with:

• Service providers: Charter companies, villa owners, and activity operators as necessary to fulfil your booking
• Technology partners: Cloud hosting, email delivery, and analytics services that help us operate our platform
• Legal authorities: When required by law or to protect our rights

All third-party service providers are bound by data processing agreements and are required to maintain the confidentiality and security of your data.

8. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

• Booking records: 7 years (Croatian accounting and tax requirements)
• Account data: Until account deletion + 1 year
• Marketing preferences: Until you withdraw consent
• Analytics data: Up to 2 years in anonymised form

9. Your Rights

Under the GDPR, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to restriction: Request that we limit how we use your data
• Right to portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw consent at any time without affecting prior processing

To exercise any of these rights, please contact us at privacy@tendo.hr. We will respond within 30 days.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction, including:

• SSL/TLS encryption for all data transmitted over the internet
• Secure, access-controlled server infrastructure
• Regular security assessments and updates
• Staff training on data protection practices

11. International Transfers

Your data may be processed by service providers located outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

12. Children's Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of our services after any changes constitutes acceptance of the updated policy.

14. Complaints

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the Croatian Data Protection Agency (AZOP):

15. Contact Us

For any privacy-related questions or to exercise your rights, please contact our Data Protection team: