Privacy & Cookie Use Policy
Effective Date: 16 September 2023
In the course of its activities, the operator of this site, Hvar Away Limited, trading as Hvar Away, located at Sunset Lodge, 71 Hillrise Avenue, Sompting, Lancing, West Sussex, United Kingdom, BN15 0LT (hereinafter “HA”) may process “Personal Data” as part of your use of the site.
The definition of “Personal Data” and other important terms can be found in the Glossary that appears at the end of this document. Personal Data we collect and use includes information relating to users of our website (hereinafter "Users") at https://hvaraway.com (hereinafter the "Website"). In this respect, HA acts as the Data Controller.
Your complete satisfaction and confidence in Hvar Away are absolutely essential to us. In this respect, we deeply care in protecting your privacy, and that's why, as part of our commitment to meeting your expectations, we have created this Privacy Policy. This Privacy Policy formalises our commitments to you and describes how we collect and use your Personal Data. In order to provide you with information in a clear and transparent manner, the Privacy Policy has been drafted to inform you in a general way about the practices of HA, and also to provide you with precise and tailored information, depending on your location.
We recommend that you read this Privacy Policy carefully in order to understand the nature of the Personal Data that HA collects about you and the way we use the information.
HA is based in the UK and is therefore subject to UK legislation including the Data Protection Act of 2018. However, as our business also targets data subjects located in the European Union, we must also comply with the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of April 27th, 2016 (GDPR).
In addition to the GDPR, HA may also be subject to local laws and regulations depending on where you live. To learn more about these specific rules, we invite you to go directly to section 15 "If You Live Outside the European Union" of this Privacy Policy.
General Principles Applicable to All Our Personal Data Processing
1. To whom does the Privacy Policy apply?
This Privacy Policy applies to Users.
2. What are our commitments?
HA processes all your Personal Data according to the terms of this Privacy Policy and in compliance with the applicable laws.
More specifically, HA has established the following 10 principles for the processing of your Personal Data:
1. Lawfulness: we use Personal Data only if their processing is based on one of the legal basis presented in the GDPR.
2. Fairness: we explain to you why we need the Personal Data we collect.
3. Identified Purposes and Data Minimisation: we only use Personal Data that we really need. If the result can be achieved with less Personal Data, then we make sure we use the minimum Data required.
4. Transparency: We inform data subjects about the way we use their Personal Data.
5. We facilitate the exercise of the data subject’s rights.
6. Storage limitation: we retain Personal Data for a limited period.
7. We use industry-standard measures designed to the security of Personal Data, i.e. its integrity and confidentiality.
8. If a third party uses Personal Data, we make sure it has the capacity to protect that Personal Data.
9. If Personal Data is transferred outside Europe, we ensure this transfer is covered by specific legal protection and tools.
10. If Personal Data is compromised (lost, stolen, damaged, unavailable, etc.), we notify such breaches to the respective country’s responsible authority and to the data subject concerned, if the breach is likely to cause a high-risk in respect of the rights and freedoms of this person.
For any questions concerning these ten data protection principles of HA, please contact us directly at hello@hvaraway.com.
3. What Personal Data is collected?
Contact information, such as full name, phone, email address, postal address;
Browsing information (e.g. IP address);
Other Personal Data that may be disclosed during correspondence.
4. What special categories of data are collected?
By way of principle, HA does not collect, use, store or process so-called "sensitive" Personal Data, i.e. data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data used to uniquely identify a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.
Nonetheless, HA may collect and process so-called sensitive Data concerning Users when the information is voluntarily communicated to us unsolicited. In this case, the sensitive Data that you choose to communicate to us will be collected and processed only if we have obtained your explicit consent. HA does not discriminate or permit discrimination based on national origin, race, colour, religion, disability, gender, sexual orientation, political affiliation, parental status, marital status, or any other unlawful basis of discrimination.
5. Cookies and other trackers
HA uses cookies and other tracking devices on its Website. Cookies are packets of information sent by our servers to your web browser and then sent back by the browser each time it accesses our servers. The cookies may contain a variety of information, such as the web pages you have accessed, session durations and IP addresses. Cookies are used for various purposes, such as to collect statistical information about your use of the Website.
This information is used to make the Website work more efficiently, as well as to provide business and marketing information, and to gather such personal data as browser type and operating system, referring page, path through site, domain of ISP, etc. for the purposes of understanding how visitors use a website. Cookies and similar technologies help us tailor the Website to your personal needs, as well as to detect and prevent security threats and abuse.
When you first visit the Website, you are provided the option to accept use of marketing and tracking cookies for a three-month period.
If you wish to block cookies, you may do so through your browser’s settings or using the option on the Website for blocking marketing cookies. You can delete cookies that are already on your computer and you can set your browser to prevent them from being placed going forward. Please refer to the browser's help menu for further information. However, please bear in mind that disabling cookies may adversely affect your user experience on the Website. To learn more about how to reject cookies, visit www.allaboutcookies.org.
6. What measures are taken to ensure personal data security?
HA takes appropriate technical and organisational measures, in accordance with applicable legal provisions (in particular: Art. 32 GDPR), to protect your Personal Data against illicit or accidental destruction, alteration or loss and unauthorised access, modification or disclosure.
7. Is your data transferred outside of the European Union?
HA may transfer your Personal Data to internal or external recipients, such as our contracting service providers, who may be located in countries offering different levels of Personal Data protection.
In any case, in addition to implementation of this Privacy Policy, HA employs appropriate measures to ensure secure transfer of your Personal Data to any external recipient located in a country or region offering a different level of privacy from that in the country or region where the Personal Data was collected.
You can request more information on the guarantees in place by sending us an email at hello@hvaraway.com.
8. How to exercise your data rights?
You have the following rights regarding your Personal Data in our possession. You have the right to:
• Request access to your Personal Data collected by HA at any time subject to legal requirements. This allows you to obtain a copy of the Personal Data we hold about you and to verify that we are processing it lawfully.
• To request the rectification of any Personal Data held by us which is incorrect, incomplete or inaccurate.
• Request the deletion of your Personal Data from our files and systems where we have no valid reason to continue to hold it.
• Object to our use of your Personal Data to meet our (or a third party's) legitimate interests or where we use it for direct marketing purposes.
• Request that we limit the processing of your Personal Data, for example, if you want us to establish its accuracy or the purposes for which we use it.
• Ask us to transfer your Personal Data to another person or organisation (right to portability). In addition, you also have the option, if French law applies to you, to define instructions for the Processing of your Personal Data after your death (so-called "post-mortem" directives).
These rights can only be exercised insofar as they do not prevent the proper execution of the agreement that binds you to HA. You may exercise any of your rights by sending us an email to the following address: hello@hvaraway.com
For the purposes of confidentiality and Personal Data protection, we will need to confirm your identity in order to respond to your request. In case of reasonable doubts concerning your identity, you may be asked to include a copy of an official piece of identification, such as an ID card or passport, driver’s licence along with your request. A black and white copy of the relevant page of your identity document is sufficient. All requests will receive a response promptly. Finally, you also have the right to lodge a complaint with a data protection authority.
10. If you are a User
Users are the physical persons navigating on the Website. HA may collect Personal Data from Users. We process your Personal Data according to the following characteristics.
11. If you live outside the European Union
Depending on your country of residence, specific rules of your local law may apply. You will find these below:
If you live in the United States
• We do not sell your Personal Data. Your Data is only shared for the purposes described in this Privacy Policy under agreements that prohibit their use for any other purpose.
• Principle 1 “Lawfulness” described in section 2 of this Privacy Policy has the following meaning: “we use Personal Data only as reasonably necessary and proportionate to achieve the lawful purposes for which it was collected as described in this Privacy Policy”.
• Principle 10 described in section 2 of this Privacy Policy is replaced by the following: “if Personal Data is the subject of a data breach resulting in unauthorised use or disclosure, we take immediate action to remedy it and we report the incident as required by law”.
• In addition to the rights listed in section 8, you can also object to any attempt by us to sell your information to a third party (which we do not do), except that we may transfer your data to a successor-in-interest in the event of a merger, acquisition, or sale of all or part of our business. In any case, you will not be discriminated against in doing business with us simply because you exercised any of these rights.
• The U.S. Children’s Online Privacy Protection Act (“COPPA”) and similar laws require that online service providers obtain parental consent before they knowingly collect Personal Data online from children. If you are a child under 18 years old, please do not use the Website or send any personal information about yourself to us. If we learn we have collected personal information from a child under 18, we will delete that information promptly. If you believe that a child under 18 may have provided us personal information, please contact us immediately as described in section 8 above.
• The Website may not recognise or take action in response to Do Not Track (“DNT”) signals from web browser settings. At this time, there is no generally accepted standard for what a company should do when a DNT signal is detected. In the event a final standard is established, we will assess how to appropriately respond to these signals.
If you live in England
This Privacy Policy is likely to evolve or be modified. When we update this Privacy Policy, we will post it on our Website with the date it was updated. Consequently, we invite you to regularly take note of it as published on the Website.
For any questions concerning the present Privacy Policy, please contact us.
• Applicable regulation: UK General Data Protection Regulation (UK GDPR) applies to HA.
• Personal Data transfers outside of the EEA: the abovementioned framing of the personal data outside of the EEA is accompanied, where necessary, with the UK international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers.
• The retention period of your Data for accounting and tax management is 7 years.
• The data protection authority with whom you can lodge a complaint is the Information Commissioner’s Office.
9. Updates and questions
Glossary
“Legal basis” means what legally authorises the implementation of a Processing, which gives the right to an organisation to process Personal Data. There are several legal bases,
including consent, contract, legal obligation, legitimate interest of the Data Controller, etc.
“Recipient” means any person who is entitled to receive Personal Data by virtue of his or her position.
“Personal Data” or “Data” means information that identifies you, either directly or indirectly by reference to an identifier. This may include your last name, your first name, your contact information, your image or voice, an IP address, identifiers from your computer but also your health care number, or health plan number, and every other information that can be used to identify you.
“Purpose” means the primary purpose for which we use Personal Data. In other words, it is the reason why we process your data.
“Data Controller” means the person or entity who determines the purposes and means of the Processing of your Data, i.e. all the operations carried out on your Data (such as their collection, consultation, storage, etc.). In other words, it is the person who decides why and how to process your Personal Data.
“Data Processor” means the natural or legal person (company or public body) who processes data on behalf of the Controller, in the context of a service or performance. Relations with our Data Processors are governed by data processing agreements, in accordance with the applicable legal requirements.
“Processing” means an operation, or a set of operations, concerning Personal Data, whatever the process used (collection, recording, organisation, conservation, adaptation, modification, extraction, consultation, use, communication by transmission or diffusion or any other form of provision, reconciliation, etc.).
“UK General Data Protection Regulation / UK GDPR” means the retained EU law version of the GDPR as modified by English laws.