HR EN DE PL FR ES
GDPR / Personal Data Protection

Privacy Policy

Your privacy is extremely important to us. This policy describes what personal data we collect, why we process it, how long we keep it and what rights you have regarding that data, in line with the General Data Protection Regulation (EU) 2016/679 (GDPR).

1. Data Controller

The data controller for personal data collected through the portal is:

Data controller
CroDodo, vl. Domagoj Skledar
Tax ID (OIB)
67680955120
Registered address
Vilima Korajca 5, Zagreb, Croatia
E-mail
karlobag@karlobag.eu

2. What Data We Collect

Data you provide yourself: name and e-mail address when subscribing to the newsletter; name, e-mail, subject and message when submitting the contact form; content of correspondence if you contact us directly.

Data collected automatically: IP address, device type, browser type and language, operating system, referrer URL, date and time of visit, visited pages. This data is collected through cookies and server logs and is used for the security of the portal, statistics and error troubleshooting.

We do not collect special categories of personal data (racial or ethnic origin, political, religious or philosophical beliefs, health data, sexual orientation or biometric data).

3. Purposes and Legal Bases for Processing

We process personal data only when an appropriate legal basis exists under Article 6 of the GDPR.

  • Consent — Art. 6(1)(a) GDPR: used for newsletter subscription and for analytics and marketing cookies, when user consent is required. You can withdraw your consent at any time through the consent management panel or by contacting the data controller. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
  • Steps taken at the user's request — Art. 6(1)(b) GDPR: used to process data you send us via the contact form or by direct e-mail, in order to respond to your inquiry.
  • Legitimate interests — Art. 6(1)(f) GDPR: used for portal security, prevention of spam and abuse, protection against unauthorised access, server logs, troubleshooting and maintaining portal functionality.
  • Legal obligation — Art. 6(1)(c) GDPR: used when processing is necessary to fulfil the controller's legal obligations or to act on a lawful request from a competent authority.

4. Cookies and Analytics

The portal uses necessary, functional, analytical and marketing cookies. Necessary cookies are used for the basic operation of the portal, while analytical and marketing cookies are used only with the user's consent, where required. A detailed list of cookies, their purposes, durations and consent management settings is available in the document Cookie Policy.

5. Data Retention Period

We retain data only for as long as necessary for the purposes for which they were collected, unless longer retention is prescribed by law or required to protect legal interests.

Newsletter data is kept until consent is withdrawn or unsubscription. Contact inquiry data is kept up to 24 months from the last correspondence, unless longer retention is required to handle the request, protect rights or fulfil a legal obligation. Server logs are kept up to 12 months, except in the case of a security incident when they may be kept longer, proportionate to the need for investigation and protection of the portal. Analytics data is kept in line with the analytical tool's settings and the user's given consent. After the expiry of these periods, data are deleted or anonymised.

6. Data Recipients and Transfer to Third Countries

Your personal data are not sold to third parties and are not forwarded to third parties for their own marketing purposes.

Certain data may be processed by technical service providers we use to operate the portal, such as hosting, e-mail communication, spam protection, analytics and consent management. These providers act as data processors or independent data controllers, depending on the specific service and their terms.

If personal data are transferred outside the European Economic Area, the transfer is carried out only when an appropriate legal basis exists, such as a European Commission adequacy decision, standard contractual clauses or another mechanism permitted by the GDPR.

7. Your Rights

In line with the GDPR you have the following rights regarding the processing of your personal data:

  • Right of access — you can obtain confirmation of whether your data are being processed, what data we hold about you and a copy of that data.
  • Right to rectification — you may request correction of inaccurate or completion of incomplete data.
  • Right to erasure (right to be forgotten) — you may request the erasure of your data when they are no longer needed for the original purpose, when you withdraw consent, or when data are processed unlawfully.
  • Right to restriction of processing — you may request temporary restriction of processing while the accuracy of data or an objection is being resolved.
  • Right to data portability — you may receive your data in a structured, commonly used and machine-readable format and transmit them to another data controller.
  • Right to object — you may at any time object to processing based on legitimate interests or to direct marketing.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at karlobag@karlobag.eu. We will respond within 30 days of receiving the request, in line with the GDPR.

8. Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your personal data violates the GDPR or national regulations, you may lodge a complaint with the supervisory authority — the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, Zagreb, e-mail azop@azop.hr — or with the supervisory authority in your country of habitual residence.

9. Data Security

We apply appropriate technical and organisational data protection measures, including HTTPS transmission encryption, restriction of access to administrative and database systems, regular security updates, security logging of changes, parameterised SQL queries to reduce the risk of SQL injection, honeypot protection against bot spam in the contact form, and rate limiting of requests per IP address where applicable. We recommend that you also protect your devices, login credentials and passwords.

10. Changes to the Privacy Policy

The data controller reserves the right to amend this Privacy Policy in line with legislative changes or changes to business practice. Amendments take effect upon publication on the portal. The date of the last amendment is stated at the bottom of this page. We recommend periodically reviewing this page for up-to-date information.

Last updated: 2026-05-01

Newsletter — top events of the week

One email per week: top matches, top concerts, price drop alerts. Nothing more.

No spam. One-click unsubscribe. GDPR compliant.