← Back to Home

Privacy Policy

Last updated: June 2026

1. Data Controller

Zagreb Reviews (“we”, “us”, “our”) operates the platform at zagrebreviews.com. We are the data controller for personal data collected through this platform, in compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Croatian Act on the Implementation of the General Data Protection Regulation (NN 42/18), enforced by the Croatian Personal Data Protection Agency (AZOP).

Contact: privacy@zagrebreviews.com

2. What Data We Collect

We collect the following categories of personal data, depending on the settings chosen by the business using our platform:

  • Review data: Name, email address, phone number (when enabled by the business), star rating, and written feedback.
  • Technical data: IP address, device type, browser, operating system, and approximate geographic location derived from IP.
  • Account data: For registered users — name, email, phone number, and billing information (processed securely by Stripe).

Data minimization: Businesses can configure which fields (name, email, phone) are collected. If a business disables a field, that data is not collected or stored.

3. Legal Basis for Processing

We process personal data based on the following legal grounds under Article 6 GDPR:

  • Consent (Art. 6(1)(a)): When you voluntarily submit your data through a review form and tick the consent checkbox.
  • Contract (Art. 6(1)(b)): For registered business customers, to provide the subscribed service.
  • Legitimate interest (Art. 6(1)(f)): For analytics and platform improvement, where our interest does not override your rights.

4. How We Use Your Data

  • To facilitate the review process for local businesses
  • To provide feedback to the business that owns the review page
  • To generate anonymized analytics (device types, locations, conversion rates)
  • To process subscription billing (via Stripe)
  • To send transactional emails related to your account or subscription

We do NOT sell your personal data to third parties.

5. Data Sharing

Your review data (name, email, phone, rating, feedback) is shared with the specific business whose review page you used. It is not shared with any other businesses or third parties.

We use the following processors:

  • Stripe Inc. — Payment processing (PCI-DSS compliant)
  • Hetzner Online GmbH — Server hosting (EU-based, Germany)

6. Data Retention

Review data is retained for as long as the business maintains an active account with us, or until you request deletion. Account data is retained for the duration of the subscription plus 30 days after cancellation. Technical/analytics data is anonymized after 12 months.

7. Your Rights (GDPR Articles 15-22)

Under GDPR and Croatian law, you have the right to:

  • Access — Request a copy of your personal data
  • Rectification — Correct inaccurate data
  • Erasure — Request deletion of your data (“right to be forgotten”)
  • Restriction — Limit how we process your data
  • Portability — Receive your data in a structured, machine-readable format
  • Object — Object to processing based on legitimate interest
  • Withdraw consent — At any time, without affecting prior processing

To exercise any of these rights, contact us at privacy@zagrebreviews.com. We will respond within 30 days as required by GDPR.

8. Cookies & Tracking

Our platform uses essential cookies for authentication and session management. When a business enables tracking pixels (Google Analytics, Meta Pixel), these are disclosed on the respective review page. You can manage cookies through your browser settings.

9. International Transfers

All data is stored on servers located within the European Union (Hetzner, Germany). We do not transfer personal data outside the EU/EEA unless required by a processor with adequate safeguards (Standard Contractual Clauses per Article 46 GDPR).

10. Data Security

We implement appropriate technical and organizational measures including: SSL/TLS encryption, password hashing (bcrypt), access controls, and regular security reviews.

11. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP):

Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10000 Zagreb, Croatia
azop.hr · azop@azop.hr

12. Changes

We may update this policy from time to time. Changes will be posted on this page with an updated date. Continued use of the platform after changes constitutes acceptance.

© 2026 Zagreb Reviews. All rights reserved.