Zori Timeless
Privacy Policy
Last updated: June 2026 · Version 1.0
This Privacy Policy explains how your personal data is collected, used, shared, stored and protected when you visit zori.hr, contact us, subscribe to our letters, or stay with us. It is provided under Articles 13 and 14 of the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Croatian Act on the Implementation of the GDPR (NN 42/2018). Please read it together with our Cookie Policy.
1. Who is responsible for your data (controller)
The data controller is:
GALLO RESTAURANT d.o.o. (trading as Zori Timeless)
Registered seat: Ulica Andrije Hebranga 34, 10000 Zagreb, Croatia
Venue: Vinogradišće bay, Palmižana (Sveti Klement), 21450 Hvar, Croatia
OIB (company ID / VAT): 81412172571 · MBS: 080429079 (Commercial Court in Zagreb)
Email: info@zori.hr · Phone: +385 91 322 2227
For any question about this policy or your data, contact us at info@zori.hr. We have not appointed a Data Protection Officer, as we are not legally required to; privacy requests are handled directly by the company.
2. What data we collect, why, and our legal basis
We collect only what we need. The list below sets out each purpose, the data involved, and our lawful basis under Article 6 GDPR.
- Enquiries & the concierge form — your name, email, optional phone, and the message and stay details you provide. Purpose: to answer you and prepare a possible reservation. Lawful basis: Art. 6(1)(b) (steps at your request prior to a contract) and Art. 6(1)(f) (our legitimate interest in responding to enquiries).
- Reservations — guest name, contact details, stay dates, party details and, where applicable, payment data. Bookings are taken through our reservation provider (Phobs) on its platform; card payment, where taken, is processed by the provider, not stored by us. Lawful basis: Art. 6(1)(b) (performance of the accommodation contract) and Art. 6(1)(c) (legal obligations, e.g. guest registration and tax/accounting law).
- Newsletter (“Letters from the bay”) — your email address. Purpose: to send occasional editorial letters and news. Lawful basis: Art. 6(1)(a) (consent). You may withdraw consent and unsubscribe from any letter at any time, without affecting letters already sent.
- Anonymous website measurement — page views, clicks and referring page, recorded without cookies, without storing your name and without storing your IP address in raw form (we keep only a daily-rotating, salted, irreversible hash used to count unique visits). Lawful basis: Art. 6(1)(f) (legitimate interest in understanding and improving the site). This data cannot be used to identify you.
- Optional third-party analytics — Google Analytics 4, Google Tag Manager and Microsoft Clarity, which set cookies and process usage data. These run only if you accept them in our cookie banner. Lawful basis: Art. 6(1)(a) (consent) and Art. 5(3) of the ePrivacy Directive. See the Cookie Policy.
- Marketing & advertising — when you accept marketing cookies, we use Google Ads and Meta (Facebook/Instagram) to measure our advertising and to show relevant ads, including remarketing. This runs only if you accept marketing cookies. Lawful basis: Art. 6(1)(a) (consent) and Art. 5(3) ePrivacy. See the Cookie Policy.
- Email correspondence & server logs — content of the emails you send us, and standard technical logs kept by our hosting and email providers for security and to keep the service running. Lawful basis: Art. 6(1)(f) (legitimate interest in security, fraud prevention and service integrity).
Providing data is voluntary, but if you do not provide the data needed to answer an enquiry or complete a booking, we may be unable to do so. We do not carry out automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR).
3. Who we share data with (recipients & processors)
We do not sell your data. We share it only with service providers who process it on our behalf, under written data-processing agreements (Art. 28 GDPR), and where required by law.
- Vercel Inc. — website hosting and delivery.
- Supabase — database storing enquiries and subscribers.
- Resend — sending and receiving transactional email.
- Cloudflare — media (image/video) delivery and CDN.
- Phobs (Nivco d.o.o.) — the reservation/booking engine.
- Google Ireland Ltd — analytics, tag management and Google Ads (only with your consent).
- Meta Platforms Ireland Ltd — Facebook/Instagram advertising measurement and remarketing (only with your consent).
- Microsoft Ireland Operations Ltd — Clarity analytics (only with your consent).
- Public authorities — where we are legally obliged (e.g. guest registration, tax authorities, courts).
4. International transfers
Some providers are established outside the European Economic Area (for example in the United States). Where data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V GDPR, in particular the European Commission’s Standard Contractual Clauses, and, where relevant, the EU-US Data Privacy Framework. You may request a copy of the relevant safeguards by writing to info@zori.hr.
5. How long we keep your data (retention)
- Enquiries & concierge messages — up to 24 months after our last contact, then deleted, unless they lead to a booking.
- Reservation & accounting records — for the period required by Croatian accounting and tax law (generally up to 11 years).
- Newsletter — until you unsubscribe or withdraw consent.
- Consent records — for as long as needed to evidence consent and a reasonable period afterwards.
- Anonymous measurement — retained in aggregate only and not linked to you; third-party analytics follow each provider’s retention (typically up to 14 months) where consented.
6. Your rights
Under the GDPR you have the right, at any time, to:
- be informed and to access a copy of your data (Art. 15);
- have inaccurate data rectified or completed (Art. 16);
- have your data erased (Art. 17);
- restrict processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interests (Art. 21);
- withdraw consent at any time, for the newsletter or analytics, without affecting processing already carried out (Art. 7(3)).
To exercise any right, email info@zori.hr. We respond within one month (extendable by two further months for complex requests, of which we will inform you). We may need to verify your identity. Exercising your rights is free unless a request is manifestly unfounded or excessive.
You also have the right to lodge a complaint with the supervisory authority: the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, azop.hr, or with the authority in your country of residence.
7. Security
We apply appropriate technical and organisational measures (Art. 32 GDPR): encryption in transit (HTTPS), access controls and least-privilege access to our database, signed and time-limited sessions for the private admin area, and providers who maintain recognised security standards. No method of transmission is completely secure, but we work to protect your data and will notify you and the authority of a breach where the law requires.
8. Children
The site and our services are intended for adults. We do not knowingly collect data from children under 16. If you believe a child has provided us data, contact info@zori.hr and we will delete it.
9. Cookies
We use cookies and similar technologies as described in our Cookie Policy. Non-essential cookies load only with your consent.
10. Changes to this policy
We may update this policy to reflect changes in our practices or the law. The version and date above show the latest revision; material changes will be made prominent on the site.
11. Contact
GALLO RESTAURANT d.o.o. · Ulica Andrije Hebranga 34, 10000 Zagreb, Croatia · info@zori.hr · +385 91 322 2227.








