Privacy policy

Read ours

Privacy policy


Data Controller:
Epic Croatia d.o.o.
Sv. Križa 3, 20000 Dubrovnik
OIB: 98011161628

1. We consider personal data protection a key part of our work

With this privacy policy, Epic Croatia d.o.o. (hereinafter: Epic Croatia) sets a standard of data collection, processing, retention and deletion within its business.

Below you can find the types of data we collect and process, the purposes data is intended for, the lawful bases for the processing, the periods during which we store them, the measures we use to protect them, the third parties we transmit them to, and the rights you have regarding the protection of your data - in accordance with the General Data Protection Regulation (GDPR).

2. Purposes we collect data for, types of data and legal basis for processing

Booking form
  • Types of data: Name, surname, date of birth, gender, citizenship, passport number, e-mail address, phone number, height, health condition (food alergies, medications), travel insurance details
  • Legal basis: Necessary for the performance of a contract and legitimate interest
Online card payment
  • Types of data: Name, surname, address, telephone, postal code, IP address, Email, City, date and time of payment
  • Legal basis: Necessary for the performance of a contract
  • Types of data: First name, last name, address, city, postal code, country, OIB (for Croats)
  • Legal basis: Legal obligation
Data necessary for holding multi-day tours
  • Types of data: First name, last name, flight number and arrival time, cell phone number, emergency contact, height (for bike tours)
  • Legal basis: Legitimate interest
Health data necessary for holding multi-day tours
  • Types of data: allergy information, medications, other relevant medical information, dietary restrictions
  • Legal basis: Explicit consent
Client photos for marketing
  • Types of data: Photo
  • Legal basis: Consent
Mail communication about the job competition
  • Types of data: Name, e-mail address, resume, sports experience, knowledge of English
  • Legal basis: Legitimate interest

2.1. Cookies

Our website uses cookies - small text files that are stored on your device when you visit a particular website. We use two types of cookies: those necessary for the operation of the website, and statistics to understand visitors' behavior better and improve our services.

3. Lawfulness and fairness of data collection and processing

Epic Croatia collects and processes data in accordance with contractual obligations, legal obligations, our legitimate interest, or with provided consent.

We respect the fundamental principles laid down in the GDPR: we adhere to legal data processing mechanisms, the data is collected for specified, explicit and legitimate purposes and it's processed in accordance with them. We collect the minimum amount of data, strive to ensure that it is accurate, and we keep it only for as long as necessary for the purposes they're processed for. We conduct pseudonymization as well as anonymization of personal data wherever possible.

4. Data subjects rights and their exercise

  • Right of access to personal data
  • Right to rectification of inaccurate personal data
  • Right to erasure of personal data
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to not be subject to automated decision-making

You can request the exercise of the aforementioned rights by making an inquiry to our physical address (Sv. Križa 3, 20000 Dubrovnik), or the e-mail address

You can also contact us for any interpretation of your rights, as well as request a summary of our data protection impact assessment. We respond to all requests within one month of receiving the request.

You can also submit a complaint to the Croatian Data Protection Supervisor: Personal Data Protection Agency (AZOP), Martićeva 14, Zagreb,

5. Relationship with third parties

Each relationship with our trusted partners is contractually specified for data protection. Our partners must not process your information outside of our instructions, they must take adequate measures to protect it securely and can only keep it for an agreed period.

These are the only purposes our partners can process your data for:
  • Accommodation, transfers, catering and multi-sport activities providing
  • Online card payment processor
  • Cloud service for internal use
  • Accounting Services
  • Website maintenance
  • Digital marketing

6. Security of data protection

We use organizational, technical, and physical risk-based measures to protect personal data from destruction, loss, alteration, and unauthorized disclosure or access. Within the company, there is an ongoing dimension of privacy culture: the Director and all employees whose job description involves processing personal data are educated about the obligations and rights prescribed by the Regulation. Regular privacy awareness training is conducted.

The data collected through the website is protected by an SSL certificate, a technology that encrypts the connection between our server and your internet browser, ensuring that no one else has access to the data you give us. We work with trusted and professional partners who are committed to using high standards of protection.

Last update: 01.04.2020