Privacy Policy for 300 Adventures
Effective date: 21 July 2025
1 Introduction
Thank you for visiting 300 Adventures (“we”, “our”, “us”). We respect your privacy and are committed to protecting your personal data. This Policy explains how we collect, use, disclose, and safeguard information in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Croatian Act on the Implementation of the GDPR.
2 Controller & contact details
| Role | Details |
|---|---|
| Legal entity / controller | 300 GYM, obrt za sportsku pripremu i zdravstveno usmjereno tjelesno vježbanje |
| Address | BLATO, 1. Ulica br. 28 20271 |
| OIB (VAT ID) | 55955061998 |
| nikola.boroe@gmail.com | |
| Telephone | +385 95 572 3723 |
| Data-protection officer (DPO) | We are not required to appoint a formal DPO; please use the contact details above for all privacy matters. |
Supervisory authority: You have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP), Martićeva 14, 10000 Zagreb, tel. +385 1 4609 000, e-mail azop@azop.hr.
3 What data we collect
| Category | Typical items | Source |
|---|---|---|
| Inquiry data | Name, e-mail, phone (optional), message text, service dates, party size | Contact / booking forms, WhatsApp link |
| Technical data | IP address (anonymised), device/OS, browser, city/country, pages visited, session duration | Google Analytics cookies (blocked until consent) |
| Usage data | Interaction with embedded Google Maps, YouTube/Vimeo videos, Google Reviews widget | Third-party embeds (blocked until consent) |
| Security data | IP addresses and request headers logged by our firewall | Wordfence plugin / Hostinger server logs |
4 Purposes & lawful bases
| Purpose | Legal basis (Art 6 GDPR) | Details |
|---|---|---|
| Responding to inquiries & preparing bookings | Art 6 (1)(b) – pre-contract steps | We cannot answer you without this data. |
| Providing WhatsApp click-to-chat support | Art 6 (1)(f) – legitimate interest (efficient customer service) | You start the chat voluntarily; Meta may process data in the US—see §6. |
| Running website analytics (GA4) | Art 6 (1)(a) – consent | Cookies are dropped only after affirmative consent via our banner. |
| Showing maps, videos & reviews | Art 6 (1)(a) – consent | Third-party content is blocked until you opt in. |
| Maintaining site security | Art 6 (1)(f) – legitimate interest | Essential logs help detect fraud and abuse. |
5 Cookies & similar technologies
We use a GDPR-compliant consent banner that:
- blocks all non-essential cookies and third-party scripts until you click Accept;
- offers Reject all and Preferences buttons; and
- stores your choice for 6 months.
A complete cookie table (name, provider, purpose, lifespan) is always available at /cookie-policy.
6 International data transfers
Some providers (Google LLC, YouTube LLC, WhatsApp LLC) are based in the United States. Transfers occur only if you consent to the relevant service. We rely on:
- EU-US Data Privacy Framework certification of each recipient (e.g. Google LLC, Meta Platforms Inc.); and
- the European Commission Standard Contractual Clauses (EU 2021/914) plus our own transfer-impact assessments.
7 Recipients / processors
We share data only with the following service partners under GDPR-compliant Data-Processing Agreements (DPAs):
| Processor | Role | Safeguards |
|---|---|---|
| Hostinger International Ltd. | Web hosting | Servers in the EU; DPA 2024-04-15 |
| Google Ireland Ltd. / Google LLC | Analytics, Maps, YouTube | DPF certification & SCCs |
| Defiant Inc. (Wordfence) | Security/firewall | SCCs & EU data-centre logging |
| WPForms LLC | Form plugin | No data stored on their servers; data stays in WP database |
8 Retention periods
| Data set | Retention rule |
|---|---|
| Inquiry e-mails & form submissions | 3 years after the end of the season in which the inquiry was made (unless legal claims require longer) |
| GA4 analytics events | 14 months (Google’s maximum default) |
| Server security logs | 180 days |
| Cookie-consent logs | 6 months |
9 Your GDPR rights
You have the rights of access, rectification, erasure, restriction, objection, and data portability. To exercise any right or withdraw consent at any time, e-mail nikola.boroe@gmail.com. We may need to verify your identity before acting on a request.
10 Children
Our services are not directed to children under 16. We do not knowingly process such data. Parents or guardians who believe a child has provided us with personal information should contact us so we can delete it promptly.
11 Automated decision-making
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
12 Data security
- HTTPS/SSL encrypts all traffic.
- Wordfence Web Application Firewall blocks malicious traffic.
- Least-privilege access controls and regular software patching apply on all servers.
13 Changes to this Policy
Any future changes will appear on this page and, where appropriate, we will notify you by e-mail. Please check back periodically.