Bokrez

Privacy Policy

Last updated: April 1, 2026.

This Privacy Policy describes how 360 tour obrt (“360 tour”, “we”, “us”), the operator of the Bokrez platform available at bokrez.com, collects, uses, stores and shares your personal data when you use our service. Please read this document carefully before using the platform.

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR, EU Regulation 2016/679) is:

360 tour obrt

Zagreb, Croatia

Web: www.360tour.hr

Privacy contact: privacy@bokrez.com

For all questions regarding the processing of your personal data, please contact us at the above address. We will respond within 30 days of receiving your request.

2. Data We Collect and From Whom

Bokrez operates on two levels:

  • Business users (business owners) — register to manage bookings and their business.
  • End users (clients) — use the platform to book appointments.

2.1 Data collected from users

| Category | Examples | Who |
|---|---|---|
| Identity data | First name, last name, email, password (stored as hash) | All users |
| Contact data | Mobile number | All users (optional) |
| Business data | Business name, address, description, photos, working hours | Business users |
| Booking data | Appointment date and time, selected service, notes | All users |
| Subscription & billing data | Subscription status, amount, invoice date (no card data stored) | Business users |
| Communication data | Messages between users and businesses within the platform, notifications | All users |
| Technical data | IP address, browser type, OS, session cookies | All users |
| Preference data | Preferred language, favourites, CRM notes about clients | All users |

2.2 Data collected automatically

When you use Bokrez, we automatically collect certain technical data such as IP address, browser information, pages visited and session duration. This data is used solely for platform security and diagnosing technical issues.

3. Purposes and Legal Basis for Processing

| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the service (account management, bookings, notifications) | Performance of a contract — Art. 6(1)(b) |
| Subscription billing and invoice issuance | Performance of contract / Legal obligation — Art. 6(1)(b)(c) |
| Sending transactional emails (booking confirmations, reminders) | Performance of a contract — Art. 6(1)(b) |
| Platform security and fraud prevention | Legitimate interests — Art. 6(1)(f) |
| Analytics and service improvement | Legitimate interests — Art. 6(1)(f) |
| Processing tax records and accounting documents | Legal obligation — Art. 6(1)(c) |
| Sending marketing communications (where consent given) | Consent — Art. 6(1)(a) |

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You have the right to object to such processing (see section 7).

4. Data Retention Periods

| Type of data | Retention period |
|---|---|
| Account data | Until account deletion + 30 days for backups |
| Booking records | 5 years from booking date (statutory obligation) |
| Invoices and financial records | 5 years (Croatian Income Tax Act) |
| In-platform messages | 1 year from last activity |
| Technical logs | 90 days |
| Data on deleted accounts | Immediately upon deletion, except where statutory retention applies |

5. Sharing Data with Third Parties

We do not sell your personal data. We share data only with carefully selected service providers who assist us in operating the platform:

| Provider | Purpose | Location |
|---|---|---|
| Resend Inc. | Sending transactional emails (confirmations, reminders) | USA (EU-US DPF) |
| Hosting provider (EU server) | Data storage and hosting on EU server | EU |

Each of these providers is bound by a data processing agreement ensuring they process your data only on our instructions and in compliance with GDPR.

We may also disclose data to competent authorities where required by law or court order.

6. International Data Transfers

Some of our service providers (e.g. Resend) are based in the United States. Transfers to the USA are based on the EU-US Data Privacy Framework (DPF), which the European Commission recognised as providing adequate protection by Decision of 10 July 2023.

For any provider not covered by the DPF, we use the European Commission's Standard Contractual Clauses (SCCs) as a safeguard for adequate data protection.

7. Your Rights as a Data Subject

Under GDPR, you have the following rights:

Right of access: You may request a copy of the personal data we process about you.
Right to rectification: You may request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): You may request deletion of your personal data, except where we have a statutory obligation to retain it.
Right to restriction of processing: You may request restriction of processing in certain circumstances.
Right to data portability: You may receive your data in a machine-readable format and transfer it to another controller.
Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without consequence.
Right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority.

To exercise your rights, contact us at privacy@bokrez.com. We will respond within 30 days. If we have not satisfied your request, you may contact:

Agencija za zaštitu osobnih podataka (AZOP)

Selska cesta 136, 10000 Zagreb, Croatia

azop.hr | azop@azop.hr

8. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Passwords are never stored in readable form — we use bcrypt hashing with cost factor 12
  • Role-based access control (RBAC)
  • Regular database backups
  • Access to personal data restricted to authorised personnel only

In the event of a personal data breach that could jeopardise your rights and freedoms, we will notify the competent supervisory authority (AZOP) within 72 hours, and notify you personally where required by law.

8b. Administrative Data Access

Authorised Bokrez administrative staff (platform administrators) have access to your data for the purposes of technical support, security monitoring, quality assurance and service improvement. Access is limited to personnel with a legitimate need and is logged for auditing purposes.

  • Reviewing and managing user accounts and business data when resolving issues
  • Security monitoring and preventing misuse
  • Ensuring service quality and improving functionality
  • Fulfilling legal obligations (e.g. processing tax records)

8c. Automated Decision-Making

The platform uses automated rules for managing bookings (e.g. auto-confirmation, auto-rejection based on criteria) and a system for assessing client no-show risk. These features are configured by Business Users within their settings. They do not affect your legal rights beyond the purposes of processing.

9. Children's Privacy

Bokrez is not intended for persons under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without parental consent, we will delete it without delay. If you are a parent and believe your child has registered an account, please contact us at privacy@bokrez.com.

10. Cookies

Bokrez uses cookies. Detailed information about the types of cookies we use and how to manage them can be found in our separate Cookie Policy.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. In the event of a material change, we will notify you by email or by a prominent notice within the platform at least 14 days before the change takes effect, unless the change is not within our discretion (e.g. a change in law). Continued use of Bokrez after a change takes effect constitutes acceptance of the updated policy.

12. Contact

For any questions, requests or complaints regarding the processing of your personal data, contact us:

360 Tour — Obrt za virtualne zapise

Zagrebačka cesta 81, 10000 Zagreb, Croatia

OIB: 59456273095

Email: privacy@bokrez.com

Web: bokrez.com