4 Wheels Adventures – Privacy Policy

Last updated: 1 July 2025

1. Introduction

Your privacy matters to 4 Wheels Adventures d.o.o. ("4WA", "we", "us", "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit www.4wheeladventures.com.hr (the "Website") or use our off‑road tours, rentals, gift vouchers, or related services (collectively, the "Services").

We process personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and Croatian data‑protection legislation. 

By accessing the Website or booking our Services you acknowledge that you have read and understood this Policy.


2. What Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

Category

Examples

Identification data

First and last name, date of birth

Contact details

E‑mail address, postal address, phone number

Booking details

Tour date, group size, payment reference, voucher codes

Demographic data

Nationality, language preference

Marketing preferences

Newsletter opt‑in/opt‑out status

Technical data

IP address, browser type, device identifiers, cookies

Other information you provide

Feedback, photo uploads, social‑media tags


We do not knowingly collect data from minors under 18 without parental consent.


3. How We Collect Your Data

  • Online forms & checkout pages (reservations, contact forms, gift‑voucher purchases)
  • Newsletter sign‑ups and promotional campaigns
  • Direct communication (e‑mails, phone calls, social‑media messages)
  • Cookies and analytics tools when you browse the Website

All data are provided voluntarily; however, certain information is necessary to complete a booking. 
If you decline to supply mandatory fields, we may be unable to deliver the requested Service.


4. Why We Use Your Data (Purposes & Legal Bases)

Purpose

Legal basis (Art. 6 GDPR)

Processing reservations, payments, and issuing invoices

Contract – Art. 6 (1)(b)

Communicating pre‑tour instructions, safety notices, and itinerary changes

Contract – Art. 6 (1)(b)

Sending newsletters, promotions, or surveys

Consent – Art. 6 (1)(a)

Internal analytics and service improvement

Legitimate interest – Art. 6 (1)(f)

Responding to enquiries or complaints

Legitimate interest – Art. 6 (1)(f)

Fulfilling legal obligations (e.g. tax, accounting)

Legal obligation – Art. 6 (1)(c)


You can withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.


5. How We Share Your Data

We never sell or rent your personal data. We may share it only with: 
1. Service providers – payment processors, IT‑hosting companies, marketing‑e‑mail platforms, all bound by confidentiality agreements. 
2. Professional advisers – accountants, lawyers, auditors, to the extent required. 
3. Public authorities – where mandated by law or to protect our rights, property, or safety.

All third parties are vetted and required to process data only on our instructions.


6. International Transfers

Your data are stored on servers located in the European Economic Area (EEA)
If we transfer data outside the EEA, we will ensure adequate safeguards (e.g. EU Standard Contractual Clauses) are in place.


7. Data Retention

  • Booking records and invoices: 11 years (mandatory under Croatian accounting rules).
  • Marketing‑e‑mail lists: until you unsubscribe or your e‑mail address bounces.
  • Basic contact records: 3 years after your last interaction, unless needed for legal claims.

We delete or anonymise data once the retention period expires.


8. Security Measures

  • Secure Socket Layer (SSL) encryption on all Website forms
  • Role‑based access control – staff access limited on a need‑to‑know basis
  • Regular software updates, firewalls, and malware scanning
  • Encrypted off‑site backups

If a personal‑data breach occurs, we will notify the Croatian Data Protection Agency (AZOP) and affected individuals within 72 hours, as required by GDPR Art. 33–34.


9. Your Rights

Under the GDPR you have the right to: 
1. Request access to your personal data (Art. 15)
2. Request rectification of inaccurate or incomplete data (Art. 16) 
3. Request erasure (“right to be forgotten”) in certain circumstances (Art. 17) 
4. Request restriction of processing (Art. 18) 
5. Object to processing based on legitimate interests or direct marketing (Art. 21) 
6. Request data portability in a structured, machine‑readable format (Art. 20) 
7. Withdraw consent at any time where processing is based on consent (Art. 7)

To exercise any of these rights, contact us using the details below. 
We will respond within one month (extendable by two months for complex requests).

You also have the right to lodge a complaint with AZOP (www.azop.hr) if you believe your data are being processed in breach of GDPR.


10. Cookies & Tracking Technologies

We use:

  • Essential cookies – necessary for the booking engine and user‑session security (cannot be disabled).
  • Analytics cookies (Google Analytics 4) – collect aggregated, anonymous statistics; loaded only after you click “Accept”.
  • Marketing cookies – used for remarketing via Meta Ads; loaded only with explicit consent.

You can manage or delete cookies in your browser settings at any time.


11. Children’s Privacy

Our Services are not directed to children under 12, and we do not knowingly process their data without parental consent. 
If you believe a minor has provided us data without permission, please contact us so we can delete it.


12. Changes to This Policy

We may update this Policy from time to time. Any changes will be posted on this page with a revised “Last updated” date. Significant changes will be announced via e‑mail where feasible.


Thank you for trusting 4 Wheels Adventures. We take your privacy seriously—see you off‑road, safely and securely!