Privacy Policy and Personal Data Processing Statement
Pistacio d.o.o. respects the privacy of all clients and users of our website. We have implemented the General Data Protection Regulation (GDPR – EC 2016/679) to ensure the highest level of security for your data.
1. DATA CONTROLLER
Pistacio d.o.o., Svetog Mikule 7, 52220 Labin, Croatia
OIB: 78918951347
E-mail: [email protected]
For all questions related to personal data processing, please contact us at the above e-mail address.
2. CATEGORIES OF DATA SUBJECTS AND DATA
We collect only the data necessary for the specific purpose of the business relationship:
- Real estate clients (sellers/buyers): Name, surname, Company name, OIB, address, phone, e-mail, property data (cadastral data, floor plans, documentation), bank account details, proof of ownership.
- Web design and digital services clients: Name, surname, Company name, OIB, registered address, contact details, CMS and hosting access credentials (if required).
- Website visitors: IP address, browser data (user agent), cookies, visit parameters.
3. PURPOSES, LEGAL BASES AND RETENTION PERIODS
| Legal basis | Purpose | Retention |
|---|---|---|
| Art. 6(1)(b) (Contract) | Conclusion and execution of real estate brokerage or digital services contracts (web design and development). | Until contract purpose fulfilled. |
| Art. 6(1)(c) (Law/AML) | Customer due diligence (AML/KYC). | 10 years from end of business relationship. |
| Art. 6(1)(c) (Accounting) | Legal obligations (invoicing, tax reporting). | 11 years (Accounting Act). |
| Art. 6(1)(f) (Legitimate Interest) | Responding to inquiries, asset protection and web analytics. | 2 years or until objection. |
| Art. 6(1)(a) (Consent) | Newsletter, remarketing, analytics cookies. | Until consent withdrawn. |
4. ONLINE FORMS AND CONTACT INQUIRIES
We use Tally (tally.so) on our website to manage online contact forms. Data entered by the user is used exclusively to respond to the inquiry and for further communication. Tally acts as a data processor under Article 28 of the GDPR.
5. DATA RECIPIENTS
We share your data with third parties only when necessary:
- Legal and notary offices: For preparation of sales documentation.
- Accounting services: Financial data and invoice processing.
- Government bodies: Tax authority, Land Registry, Anti-Money Laundering Office.
- Technology partners: Google LLC (Analytics) under EU-US Data Privacy Framework, Cloudflare, Tally.
- Banks: For transaction execution and payment of agreed fees.
6. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
- Encryption: Website protected with SSL/TLS protocol.
- CMS systems: Cloud storage within the EU, mandatory 2FA authentication.
- Backup: Regular encrypted backups with 30-day retention period.
- Training: Regular GDPR training for employees.
7. SERVER LOGS
The hosting server automatically records technical data (IP address, date and time of access, browser, operating system). Data is used solely for website security and stability and is automatically deleted after the required period. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
8. COOKIES
Our website uses necessary cookies for basic functionality. Analytics cookies (Google Analytics) are used only with your consent via the cookie banner. You can change your settings in your browser or by clicking 'Cookie Settings' in the banner.
9. YOUR RIGHTS
| Right | Description | Timeframe |
|---|---|---|
| Access and rectification | Access to data and corrections. | 30 days |
| Erasure / Right to be forgotten | Deletion of data where no legal retention obligation exists. | 30 days |
| Restriction of processing | Suspension of processing in specific circumstances. | 30 days |
| Objection (Marketing) | Immediate cessation of marketing processing. | Immediately |
| Portability | Delivery of data in machine-readable format. | 30 days |
Send your request to: [email protected]. We will respond within 30 days.
Note: You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
10. RIGHT TO LODGE A COMPLAINT
You may lodge a complaint with the supervisory authority:
Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, Croatia, www.azop.hr
Last updated: 13 March 2026.