Privacy Policy

Adriatic Pass ("we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have in relation to it.

This policy applies to all personal data we process through adriaticpass.com and any associated services. It is written in accordance with the EU General Data Protection Regulation (GDPR) and Croatian data protection law.

The data controller responsible for your personal data is:

If you have any questions about how we handle your data, please use the contact details above.

We collect the following categories of personal data:

• Account data — your name and email address, collected when you create an account or purchase a pass.
• Payment data — processed securely via Stripe. We never store your card details; Stripe acts as the payment processor under its own privacy policy.
• Pass usage data — which experiences you redeem, timestamps of redemptions, and pass activation/expiry times. This is necessary to validate your pass at partner venues.
• Technical data — IP address, browser type, and device information collected automatically via server logs and analytics. This helps us diagnose issues and improve the platform.

We do not collect sensitive personal data (such as health, race, religion, or biometric data).

We use your personal data for the following purposes:

• Contract performance — to create your account, issue your pass, send the activation confirmation email, and validate redemptions.
• Customer support — to respond to your queries and resolve any issues with your pass or purchase.
• Legal compliance — to comply with applicable Croatian and EU laws, including tax and accounting requirements.
• Platform improvement — anonymised and aggregated analytics to understand how the platform is used and improve our service.

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

We share your personal data with a limited number of trusted service providers who help us operate the platform. Each provider is contractually bound to process data only as instructed and in compliance with GDPR:

• Supabase — database and authentication provider. Your account data and pass usage records are stored on Supabase infrastructure within the EU.
• Resend — email delivery service used to send your pass confirmation and any transactional emails.
• Stripe — payment processing. Your payment is handled entirely by Stripe; we receive only a payment confirmation, not your card details.
• Vercel — website hosting. Technical data such as IP addresses may be processed by Vercel as part of serving the website.

We do not sell, rent, or share your personal data with any other third parties for their own marketing or commercial purposes.

We retain your personal data for as long as necessary to fulfil the purposes described in this policy:

• Account and pass data — retained for the duration of your pass validity plus a 90-day support window. After this period, your data may be anonymised or deleted upon request.
• Financial records — retained for 5 years as required by Croatian tax and accounting law.
• Technical logs — retained for up to 30 days for security and debugging purposes.

You may request deletion of your account and associated data at any time (see Section 8).

We use two categories of cookies:

• Essential cookies — required to maintain your login session and keep you authenticated across pages. These cannot be disabled without breaking core platform functionality. No consent is required for these.
• Analytics cookies (Google Analytics 4) — used to collect anonymous usage data such as pages visited, session duration, and general device type. This helps us understand how Adriatic Pass is used and where we can improve. These cookies are only placed if you give explicit consent via our cookie banner. You may withdraw your consent at any time by clearing your browser cookies or local storage for adriaticpass.com.

We do not use advertising cookies, retargeting pixels, or cookies for profiling purposes. When you first visit the site, you will be presented with a cookie preference panel where you can choose whether to enable analytics cookies. Your preference is stored locally in your browser and can be changed at any time.

Google Analytics 4 data is processed by Google LLC in accordance with its own Privacy Policy. For more information on how Google processes analytics data, visit policies.google.com/privacy.

If you are located in the European Union or European Economic Area, you have the following rights under GDPR:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — ask us to correct inaccurate or incomplete data.
• Right to erasure — request deletion of your personal data ("right to be forgotten").
• Right to restriction — ask us to limit how we process your data in certain circumstances.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests.

To exercise any of these rights, email us at adriaticpass@gmail.com with the subject line "Data Request". We will respond within 30 days.

You also have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) at azop.hr.

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encrypted connections (HTTPS), access controls, and using reputable infrastructure providers (Supabase, Vercel) with their own robust security practices.

No online platform is completely immune to security risks. In the unlikely event of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority as required by GDPR.

Your data is primarily stored and processed within the European Union (Supabase EU infrastructure). Some of our service providers (such as Resend and Vercel) may process data outside the EU, but only under appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.

We will not transfer your personal data to countries without adequate data protection without ensuring appropriate safeguards are in place.

Adriatic Pass is not intended for children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we do, we will update the "Last updated" date at the top of this page.

For material changes, we will endeavour to notify you via email. We encourage you to review this policy periodically to stay informed about how we protect your data.

For any questions, concerns, or requests relating to this Privacy Policy or your personal data: