0

No products in the cart.

Privacy Policy

NINI TOURS d.o.o. · Vrlička 27, 21000 Split, Croatia · OIB 16246966048 · Effective 26 May 2026

1. Introduction and data controller

This Privacy Policy describes how NINI TOURS d.o.o. (“we”, “us”, “the Company”) collects and processes personal data when you use ninitours.com, communicate with us, request a quote, or book travel services.

We act as the data controller within the meaning of Regulation (EU) 2016/679 (GDPR) and the Croatian Act on the Implementation of the General Data Protection Regulation.

Controller
NINI TOURS d.o.o., Vrlička 27, 21000 Split, Croatia
OIB / MB
16246966048 / 02170906
Privacy enquiries
info@ninitours.com · +385 98 742 325

2. Scope

This policy applies to:

  • visitors to our website and users of online enquiry or booking tools we operate;
  • customers and prospective customers who contact us by email, phone, or in person;
  • passengers and other individuals whose data you provide when making a booking on their behalf;
  • business contacts (e.g. suppliers or partners) where we process personal data in a B2B context.

Separate privacy notices may apply where we link to third-party websites (payment pages, social networks, partner booking engines). Those providers are responsible for their own privacy practices.

3. Legal bases for processing

We process personal data only where a legal basis applies under Article 6 GDPR:

  • Performance of a contract (Art. 6(1)(b)): handling enquiries, preparing offers, concluding and performing travel contracts, customer support related to your booking.
  • Consent (Art. 6(1)(a)): where required, e.g. non-essential cookies, certain marketing communications, or processing that goes beyond what is necessary for the contract. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legal obligation (Art. 6(1)(c)): accounting, tax, invoicing, anti-money laundering checks where applicable, responses to lawful requests from authorities.
  • Legitimate interests (Art. 6(1)(f)): securing our IT systems, preventing fraud, defending legal claims, proportionate direct follow-up on an enquiry you initiated, and improving our services, provided your interests do not override ours.

Where we process special categories of data (e.g. health or dietary information relevant to a trip), we rely on Article 9 GDPR grounds such as your explicit consent or the necessity of processing for the establishment or defence of legal claims, and only to the minimum extent required.

4. Categories of personal data

Depending on your interaction with us, we may process:

Identity and contact

  • Name, email address, telephone number, postal address, nationality or ID details where required for travel documentation.

Booking and travel

  • Trip dates, destinations, passenger names and ages, rooming preferences, special requests (mobility, diet, medical needs you choose to disclose), booking references, correspondence about the arrangement.

Payment

  • Payment status, transaction identifiers, billing details, limited card data handled by payment providers (we do not store full card numbers on our servers where card processing is outsourced).

Technical and usage

  • IP address, browser type, device information, pages visited, referral source, date and time of access, server and security logs.

Marketing and communications

  • Your marketing preferences, records of newsletters or promotional messages sent, and proof of consent where applicable.

Cookies

  • Information collected via cookies and similar technologies as described in Section 12.

Providing certain data is contractually necessary. Without it we may be unable to complete a booking or comply with carrier, border, or safety requirements.

5. Purposes of processing

We use personal data for the following purposes:

  1. Reservations and contract performance: processing bookings, issuing confirmations, vouchers, and invoices, coordinating with transport and activity providers.
  2. Customer support: answering questions before, during, and after travel.
  3. Quotes on request: preparing and sending tailored offers where you ask for them.
  4. Security and fraud prevention: protecting our website, staff, customers, and business against misuse.
  5. Accounting and compliance: bookkeeping, tax reporting, and retention of records required by Croatian and EU law.
  6. Service improvement: understanding how our website is used (where analytics are lawfully enabled).
  7. Marketing: sending promotional information only where permitted by law and, where required, your consent.
  8. Legal claims: establishing, exercising, or defending legal rights.

6. Travel and booking-specific processing

As a travel agency, we routinely share passenger and booking data with service providers necessary to deliver your trip, such as coach or boat operators, guides, insurers (if you purchase insurance through us), and accommodation or activity partners. Those parties process data under their own responsibilities and may require data well in advance of departure (e.g. passenger manifests, safety briefings, or port authority requirements).

Where your booking constitutes a package within the meaning of Directive (EU) 2015/2302, pre-contractual and contractual information is provided separately; this Privacy Policy explains how related personal data are handled.

If you book on behalf of others, you confirm that you are authorised to provide their personal data and, where appropriate, to share this Policy with them.

7. Recipients and data processors

Personal data may be disclosed to:

  • Payment service providers and banks processing your payment;
  • Booking, reservation, or channel management systems we use to operate sales and availability;
  • Transport, maritime, and excursion operators performing the services you booked;
  • Hosting, email, cloud storage, and IT support providers maintaining our infrastructure;
  • Analytics and advertising partners, only where configured and lawful (see cookies);
  • Professional advisers (lawyers, accountants, auditors) bound by confidentiality;
  • Public authorities when disclosure is required by law.

Processors act on documented instructions under Article 28 GDPR. We do not sell personal data.

8. International transfers

Your data are primarily processed within the European Economic Area (EEA). Where a provider or destination requires transfer outside the EEA (e.g. international carriers or cloud services in third countries), we ensure appropriate safeguards under Chapter V GDPR, such as:

  • an adequacy decision by the European Commission; or
  • Standard Contractual Clauses approved by the Commission, supplemented by additional measures where required; or
  • another valid mechanism under applicable law.

You may request further information on safeguards by contacting us at info@ninitours.com.

9. Retention periods

We retain personal data only as long as necessary for the purposes above, including:

  • Contract and booking records: for the duration of the business relationship and thereafter for statutory limitation and accounting periods under Croatian law (typically several years for financial documentation).
  • Marketing based on consent: until you withdraw consent or object, plus a short period to record the withdrawal.
  • Security logs: for a limited period aligned with security needs and log rotation.
  • Claims and disputes: until resolved and for any additional period required to defend legal rights.

When retention ends, data are deleted or irreversibly anonymised unless further storage is legally required.

10. Security measures

We implement appropriate technical and organisational measures, including access controls, confidentiality obligations for staff and contractors, secure transmission where feasible (HTTPS), and procedures to respond to suspected personal data breaches. No method of transmission over the internet is completely secure; we encourage you to use strong passwords where you maintain accounts with third parties linked to our services.

11. Your rights

Under GDPR, you may have the following rights, subject to conditions and exceptions in law:

  • Right of access to your personal data and related information;
  • Right to rectification of inaccurate or incomplete data;
  • Right to erasure (“right to be forgotten”) in applicable cases;
  • Right to restriction of processing in defined circumstances;
  • Right to data portability for data you provided, processed by automated means on the basis of contract or consent;
  • Right to object to processing based on legitimate interests or to direct marketing at any time;
  • Right to withdraw consent where processing is consent-based;
  • Right not to be subject to a decision based solely on automated processing with legal or similarly significant effects, except where permitted by law with appropriate safeguards.

To exercise your rights, email info@ninitours.com with sufficient detail to identify you and your request. We respond within one month, extendable by two further months where complex, as permitted by Article 12 GDPR. We may request proof of identity to prevent unauthorised access.

12. Cookies and similar technologies

Our website may use cookies and similar technologies as follows:

Strictly necessary

Required for core operation (e.g. security, load balancing, session continuity, essential form functions). These do not require consent under the ePrivacy rules where exempt.

Analytics

Help us understand traffic and improve the site (e.g. aggregated visit statistics). Where required by law, analytics cookies are placed only after you accept them via our cookie notice or settings.

Marketing

May be used to measure campaigns or deliver relevant ads on other platforms, only if enabled and, where required, after consent.

You can control cookies through your browser settings and any consent tool on our site. Blocking strictly necessary cookies may affect site functionality.

13. Children

Our services are not directed at children under 16 to enter contracts independently. We process minors’ data only when necessary for a family or group booking and provided by a parent or legal guardian, or as otherwise permitted by law.

14. Automated decision-making and profiling

We do not use automated decision-making that produces legal or similarly significant effects concerning you based solely on automated processing, unless we inform you separately and have a valid legal basis with suitable safeguards.

15. Complaints and supervisory authority

If you believe our processing infringes GDPR, you may lodge a complaint with:

Agencija za zaštitu osobnih podataka (AZOP)
Martićeva 14, 10000 Zagreb, Croatia
Website: azop.hr

You may also seek a judicial remedy before the competent courts in Croatia.

16. Changes to this policy

We may update this Policy to reflect legal, technical, or business changes. The effective date at the top will be revised accordingly. Material changes affecting your rights will be highlighted on the website or communicated by appropriate means where required.

17. Contact and final provisions

For privacy questions, data subject requests, or information about international transfers:

NINI TOURS d.o.o.
Vrlička 27, 21000 Split, Croatia
Email: info@ninitours.com
Phone: +385 98 742 325

Where GDPR does not apply to a specific processing activity, applicable national law of the Republic of Croatia and other mandatory rules still apply. This Policy is provided in English for convenience; in case of conflict with a Croatian authoritative version, the Croatian text prevails if published.

  • Vrlička ulica 28, 21000 Split
  • +385 98 742 325
  • info@ninitours.com

Highlighted Tours

Top Destination

Information

Facebook

Payment channels

Copyright © 2026 Nini Travel Tours. All Rights Reserved.