+385 99 518 3477 info@zicotours.com

Privacy Statement

Introduction

This Privacy Statement explains how Zico turizam d.o.o. (hereinafter: “Zico Tours”, “we”, “us”, “our”) collects, uses, stores, and protects your personal data when you visit our website zicotours.com, contact us, or book our services.

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the Croatian Personal Data Protection Implementation Act, and other applicable data protection laws.

Data Controller:

Zico turizam d.o.o.
Matije Mrazovića 7
10000 Zagreb, Croatia
OIB: 18947907582
ID Code: HR-AB-01-050015899
Email: info@zicotours.com
Phone: +385 99 518 3477

What is personal data?

Personal data is any information relating to an identified or identifiable individual. This includes information such as your name, address, email address, phone number, date of birth, identification documents, payment information, IP address, and browsing behavior on our website.

Information that cannot be linked to an identified person (such as aggregated website statistics) is not considered personal data.

What personal data do we collect?

Depending on your interaction with us, we may collect the following categories of personal data:

1. Booking and travel data

  • Full name, date of birth, gender, nationality
  • Postal address, email address, phone number
  • Travel document data (passport or ID number, expiration date, country of issue) when required for the trip
  • Information about your travel companions (when you book on their behalf)
  • Information on whether the booking is for an individual, couple, family, or group
  • Special dietary requirements, accessibility needs, or health-related information you choose to share
  • Booking history and preferences

2. Payment data

  • Payment method (bank transfer, credit card via Stripe through Bokun)
  • Billing address
  • Transaction reference numbers

We do not store full credit card numbers on our servers. Payment processing is handled by Bokun and Stripe, which are PCI-DSS compliant.

3. Communication data

  • Messages you send us via the contact form, email, phone, or social media
  • Records of communication about your bookings or inquiries

4. Website usage data

  • IP address (anonymized where possible)
  • Browser type, device type, operating system
  • Pages visited, time spent on pages, referral source
  • Cookie and tracking data (see our Cookie Policy for details)

Why do we collect your personal data?

We collect and process your personal data for the following purposes, each based on a specific legal ground under GDPR:

Purpose | Legal basis (GDPR)
Booking and providing travel services contracted with you | Performance of a contract (Art. 6(1)(b))
Processing payments and issuing invoices | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))
Communicating about your booking, changes, or assistance during travel | Performance of a contract (Art. 6(1)(b))
Responding to inquiries submitted via the contact form or email | Legitimate interest (Art. 6(1)(f)) and pre-contractual measures (Art. 6(1)(b))
Sending marketing emails (newsletters, special offers) | Your consent (Art. 6(1)(a))
Website analytics and improvement | Your consent (Art. 6(1)(a)) for cookie-based analytics; legitimate interest (Art. 6(1)(f)) for server-side analytics
Online advertising and remarketing | Your consent (Art. 6(1)(a))
Complying with legal obligations (accounting, tax law, tourism regulations) | Legal obligation (Art. 6(1)(c))
Handling complaints and resolving disputes | Legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c))
Fraud prevention and security | Legitimate interest (Art. 6(1)(f))

How long do we keep your personal data?

We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, taking into account legal retention obligations:

Data category | Retention period
Booking and travel data | Up to 11 years from completion of the trip (in line with Croatian accounting and tax law)
Invoices and payment records | 11 years (Croatian VAT Act and Accounting Act)
Travel document data | Only for the duration necessary for the trip; deleted promptly after
Contact form inquiries (without booking) | Up to 2 years
Email correspondence | Up to 5 years
Marketing subscriber data | Until you unsubscribe
Website analytics (Google Analytics) | Up to 2 years from last interaction
Website analytics (Independent Analytics, server-side) | Up to 12 months
Cookie consent records | Up to 1 year

When the retention period expires, we securely delete or anonymize your personal data.

With whom do we share your personal data?

We share your personal data only when necessary to provide our services or comply with legal obligations. We do not sell personal data to third parties under any circumstances.

Service providers and partners

  • Tourism service providers – hotels, transport operators, local guides, restaurants, attraction ticket providers, and similar partners involved in delivering your trip. Data shared is limited to what is necessary (typically name and number of guests).
  • Bokun (TripAdvisor-owned booking platform) – processes booking reservations, calendar availability, and payment flows. Bokun acts as our data processor. Privacy policy: https://www.bokun.io/privacy-policy
  • Stripe – processes credit card payments via Bokun. Stripe acts as an independent data controller for payment data. Privacy policy: https://stripe.com/privacy
  • Insurance companies (e.g. Allianz) – when you purchase trip cancellation insurance, accident insurance, or health insurance through us, the relevant data is shared with the insurer. They act as independent data controllers.
  • Google LLC – analytics (Google Analytics 4) and advertising (Google Ads) services, used with your consent via our cookie banner. Google may process data on servers in the U.S. under the EU-U.S. Data Privacy Framework. Privacy policy: https://policies.google.com/privacy
  • TripAdvisor – review widget displayed on our website. TripAdvisor sets a tracking cookie when the widget loads (after your consent). Privacy policy: https://www.tripadvisor.com/PrivacyPolicy
  • IT and hosting providers – our website hosting provider, email service, and backup services. These providers act as data processors and are bound by data protection agreements.
  • AcroA – our IT and website management partner (Croatian company). Acts as a data processor with restricted access only as required for technical maintenance.
  • Authorities – when required by law, we may share data with tax authorities, immigration authorities, law enforcement, or courts.

Data transfers outside the EU/EEA

Some of our service providers (notably Google and Stripe) may process data on servers outside the European Economic Area (EEA), primarily in the United States. For such transfers, we rely on:

  • The EU-U.S. Data Privacy Framework (for Google and Stripe), which provides adequate protection equivalent to GDPR standards.
  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.

For trips outside the EEA, your booking data may be shared with local tourism partners (e.g. hotels in non-EEA countries). In such cases, we limit the data to what is strictly necessary and require partners to apply appropriate safeguards.

Cookies and website tracking

Our website uses cookies and similar technologies for site functionality, analytics, advertising, and third-party widgets. We use the CookieAdmin plugin to manage your consent preferences.

For a complete list of cookies, their purposes, and how to manage them, please read our Cookie Policy.

Key analytics tools we use:

  • Google Analytics 4 – activated only with your consent, with Google Consent Mode v2 implemented where applicable. IP addresses are anonymized.
  • Independent Analytics Pro – a server-side analytics tool that does not set cookies and does not transfer data to third parties. All data is stored on our own servers.
  • Google Ads – activated only with your consent, used for conversion tracking and remarketing.

How do we protect your personal data?

We implement appropriate technical and organizational measures to protect your personal data, including:

  • HTTPS encryption – all data transmitted between your browser and our website is encrypted using TLS (SSL).
  • Secure hosting – our website is hosted on a server with hardened security configuration, including a Web Application Firewall, security headers, and regular security audits.
  • Access control – access to personal data is restricted to authorized personnel only.
  • Encrypted backups – regular encrypted backups protect against data loss.
  • Payment security – payment data is processed exclusively through PCI-DSS compliant providers (Stripe via Bokun). We do not store full credit card numbers.
  • Staff training – team members handling personal data are trained on GDPR compliance and data protection best practices.

While we apply industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security but commit to promptly investigating and responding to any security incident.

Your rights under GDPR

You have the following rights regarding your personal data:

  • Right of access – obtain confirmation of whether we process your data and receive a copy.
  • Right to rectification – request correction of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) – request deletion of your data when no longer necessary, subject to legal retention exceptions.
  • Right to restriction of processing – request that we temporarily suspend processing of your data.
  • Right to data portability – receive your data in a structured, machine-readable format and transfer it to another controller.
  • Right to object – object to processing based on legitimate interest, especially for direct marketing purposes.
  • Right to withdraw consent – withdraw your consent at any time without affecting the lawfulness of previous processing.
  • Right not to be subject to automated decision-making – we do not make decisions about you based solely on automated processing.

To exercise any of these rights, contact us at:

  • Email: info@zicotours.com
  • Post: Zico turizam d.o.o., Matije Mrazovića 7, 10000 Zagreb, Croatia
  • Contact form on our website

We will respond to your request as soon as possible, and at the latest within 30 days. We may extend this period by an additional 60 days for complex requests, in which case we will inform you of the extension within 30 days.

Access to your data is free of charge. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

Right to lodge a complaint with the supervisory authority

If you believe that the processing of your personal data is not in accordance with GDPR or other applicable laws, you have the right to lodge a complaint with the competent supervisory authority:

Croatian Personal Data Protection Agency (AZOP)
Ulica Metela Ožegovića 16
HR – 10 000 Zagreb, Croatia
Email: azop@azop.hr
Tel: +385 (0)1 4609-000
Fax: +385 (0)1 4609-099
Web: https://azop.hr/

If you are resident in another EU member state, you may also lodge a complaint with the data protection authority of your country of residence.

Links to other websites

Our website may contain links to third-party websites (e.g. social media platforms, partner sites, review platforms). This Privacy Statement does not apply to those websites. We encourage you to read the privacy policies of any third-party websites you visit, as their practices may differ from ours.

Marketing communications

If you have subscribed to our newsletter or otherwise consented to receive marketing communications, we may send you information about our tours, special offers, and travel inspiration.

You can unsubscribe at any time by:

  • Clicking the “Unsubscribe” link in any marketing email
  • Sending a request to info@zicotours.com

Unsubscribing is free of charge and immediate. We will stop sending marketing communications but may continue to send transactional messages related to your bookings (e.g. booking confirmations, important travel updates).

Children's privacy

Our services and website are not intended for children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent. When a booking includes minors as travelers, we collect their data only as necessary for the trip, and only from a parent or legal guardian.

If you believe we have collected data from a child without proper consent, please contact us immediately at info@zicotours.com and we will delete the data.

Changes to this Privacy Statement

We may update this Privacy Statement from time to time to reflect changes in our practices, services, or applicable law. We will publish updates on this page with a new “Last updated” date. For significant changes, we will notify you via email (if we have your email address) or through a prominent notice on our website.

We recommend reviewing this page periodically to stay informed about how we protect your personal data.

Last updated: May 2026.