This Privacy Policy explains how Punta Diving (operated by Punta Diving d.o.o., OIB 51597636896, Branimirova 19, 22244 Betina, Croatia, hereinafter “we”, “us”) processes personal data of visitors and customers of punta-diving.com. We comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and Croatian data-protection law.
1. Controller and contact
Data controller: Punta Diving d.o.o. (OIB 51597636896), Branimirova 19, 22244 Betina, Croatia. For any question about this policy, your personal data, or to exercise your rights, contact us at info@punta-diving.com. We have not appointed a Data Protection Officer because we are not required to under Art. 37 GDPR.
2. What personal data we collect
- Inquiries and contact form: name, email, phone (optional), message content.
- Bookings: name, email, phone, nationality, certification level, date of birth (for courses and insurance), emergency contact, dive experience, and any medical information you voluntarily disclose on the PADI/SSI medical statement.
- Website analytics: only with your consent, we receive a pseudonymous identifier, IP address (truncated — “IP anonymisation”), approximate location, device/browser metadata, pages viewed, and referrer. See our Cookie Policy.
- Newsletter (optional): email address, opt-in timestamp.
3. Purposes and legal basis
- Answering inquiries — Art. 6(1)(b) GDPR (pre-contractual steps) or Art. 6(1)(f) (legitimate interest to respond).
- Processing bookings and running courses — Art. 6(1)(b) (performance of contract). Medical statements are processed under Art. 9(2)(a) (explicit consent).
- Issuing invoices and keeping tax records — Art. 6(1)(c) (legal obligation under Croatian accounting and tax law).
- Service emails (changes to your booking, safety info) — Art. 6(1)(b).
- Website analytics and marketing cookies — Art. 6(1)(a) (consent), withdrawable at any time via the “Cookie preferences” link in the footer.
- Newsletter — Art. 6(1)(a) (consent), withdrawable via the unsubscribe link.
- Security and abuse prevention — Art. 6(1)(f).
4. Recipients and processors
We share data only with service providers acting as processors under Art. 28 GDPR:
- Website hosting: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (EU). Access is limited to the data stored on the server (inquiries, bookings, admin users) and to server / backup logs needed to keep the site running. A Data Processing Agreement under Art. 28 GDPR is in place.
- Email delivery: [EMAIL PROVIDER, COUNTRY].
- Website analytics: Google Ireland Limited (Google Analytics 4), with onward transfer to Google LLC in the United States.
- Training-agency systems: SSI / PADI for certification issuance, strictly limited to what the agency requires.
- Accountant: [ACCOUNTANT NAME, COUNTRY], for invoicing and tax reporting.
We do not sell your personal data to anyone.
5. International transfers
Analytics data processed by Google may be transferred to the United States. Such transfers are covered by the EU–US Data Privacy Framework and by the Standard Contractual Clauses approved by the European Commission, supplemented by Google’s additional safeguards (IP truncation, data-region controls). A copy of the safeguards is available on request.
6. Retention
- Contact-form messages: up to 24 months after the last reply.
- Booking and course records: for the duration of the contract and then for 11 years to comply with Croatian tax / accounting law.
- Medical statements: stored separately and deleted 12 months after the activity, unless a longer period is legally required in case of an incident.
- Newsletter subscribers: until you unsubscribe, plus a short suppression record to honour your opt-out.
- Analytics: per the retention period configured in Google Analytics 4 (currently 14 months).
- Server and security logs: up to 90 days.
7. Your rights
Under the GDPR you have the right to:
- access your data and receive a copy (Art. 15);
- request rectification of inaccurate data (Art. 16);
- request erasure (“right to be forgotten”, Art. 17);
- request restriction of processing (Art. 18);
- data portability for data you provided (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw consent at any time, without affecting processing performed before withdrawal (Art. 7(3));
- lodge a complaint with the Croatian supervisory authority, the Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, azop.hr.
To exercise any right, write to info@punta-diving.com. We reply within one month (Art. 12(3) GDPR).
8. Automated decision-making
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on you.
9. Children
Our diving services are sold to adults. Minors may be registered for courses only by a parent or legal guardian, who provides consent on their behalf. We do not knowingly collect data of children under 16 through the website.
10. Security
We use TLS (HTTPS) for all site traffic, role-based access to the admin area, and regular backups, and we keep processor agreements in place with every vendor listed in section 4.
11. Changes to this policy
We may update this policy from time to time. Material changes will be highlighted on this page with a new “last updated” date at least 30 days before they take effect.
12. Contact
Questions about this policy, or about how we handle your data: info@punta-diving.com.