Visit Serbia platform

I. INTRODUCTION

1.1. We are Visit Online LLC Belgrade, a company established for the development of sustainable tourism based on innovative technologies, registered in the Business Registers Agency of the Republic of Serbia, with registered seat at Bilecka 67, under registration number 21863289 (hereinafter: Visit Online or We), and we, among other things, created and designed a website and online store called visit-serbia and visit-serbia.online (hereinafter together: the Platform). The Platform is aimed to introduce the visitors of the Platform with the beauties and attractions of the Republic of Serbia in the way that meets the needs of modern society.

1.2. When you use our Platform, Visit Online processes your personal data and we want you to feel secure with regard to the protection of your personal data when you visit our website. Heaving in mind that Visit Online is strongly committed to the protection of human rights, including the protection of privacy and personal data, the protection of your personal data for us represents more than compliance with the legal obligations and we approach its processing very seriously.

1.3. Our main goal in the field of personal data protection is primarily to become a service provider of trust, which we are trying to achieve through (i) legal, fair and transparent processing, with respect for other processing principles, (ii) exercising of data subject rights, while providing assistance to the data subject in exercising his rights, (iii) achieving the highest level of personal data protection in accordance with the best practices and standards in that area, (iv) confidentiality, integrity and availability of personal data, (v) ensuring compliance of our external service providers with the requirements of regulations and rules of Visit Online in the field of personal data protection, as well as (vi) ongoing education in the field of protection personal data of persons who have access to the personal data.

1.4. This Privacy Notice aims to provide you with information on personal data that we process during your visit to our website, i.e. how and way we collect, use, disclose, transfer and store your personal data when you use our Platform.

1.5. This Privacy Notice applies to all personal data that we process when you are using the Platform.

1.6. For information about the terms and conditions on how you can use the Platform, please see our General Terms and Conditions.

II. OUR CONTACT INFORMATION

2.1. Our contact details are: Visit Online d.o.o. Belgrade, Bilecka 67, Belgrade, Phone number: +381 62 773 138 (Monday-Friday, 9:00 a.m. - 5:00 p.m.), e-mail: office@visitonline.rs.

2.2. We do not have a designated data protection officer, considering that we do not carry out regular and systematic monitoring of the data subjects on a large scale, nor our core activities consist of processing special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) or data relating to criminal convictions and offences, but we will revise the aforementioned as necessary.

III. VOCABULARY

3.1. For the purpose of this Privacy Notice, terms used in this text, have the following meaning:

"personal data" means any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly;
"anonymized data" means data that cannot identify or determine natural person in any other way;
"technical data" means personal data such as Internet Protocol (IP) address, browser type and version, website browsing actions and patterns, language setting, device model, device location, country location, time zone, browser plug-in types and versions, operating system information and other device technologies that you use to access the Platform;
"usage data" is information about how you use the Platform;
"processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"user" is a natural person who is registered as a user on the Platform;
"guest" is a natural person who is using the services of Visit Online, but is not registered as a user on the Platform;
"previous purchases data" is data on the number of tickets purchased by the user or guest, the date and location of the attraction or activity, as well as data on refunds in case the user or guest cancels the purchase after purchasing the ticket/s;
"controller" means Visit Online or other the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
"processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
"recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not or other controller or processor;
"GDPR" means General Data Protection Regulation of the European Parliament and of the Council No. 2016/679;
"personal data protection legislation" means GDPR and the Personal Data Protection Law of the Republic of Serbia ("Off. Gazette of RS", No. 87/2018) with by-laws;
"supervisory authority" means an independent public authority which is established by a European Union Member State for monitoring the application of the GDPR;
"Commissioner" is the Commissioner for Information of Public Importance and Protection of Personal Data, as a competent body for monitoring the implementation of regulations in the field of personal data protection in the Republic of Serbia.

IV. PERSONAL DATA THAT WE ARE PROCESSING, PURPOSE OF PROCESSING (WHY ARE WE PROCESSING DATA) AND THE LAWFULNESS OF PROCESSING

4.1. When you use our Platform, we process your personal data, for different purposes, all as explained in detail below.

Purpose of processing	Personal data being processed	Legal basis for processing
Providing benefits to registered users	Name, username or e-mail address and password	Consent (article 6, paragraph 1 a) of the GDPR and article 12. paragraph 1 point 1) of the Law)
Providing of services	Contact information, email address and information on previous purchases	Processing is necessary for the performance of a contract (article 6, paragraph 1 b) of GDPR and article 12. paragraph 1 point 2) of the Law)
Newsletters	e-mail address	Consent (article 6, paragraph 1 a) of the GDPR and article 12. paragraph 1 point 1) of the Law)
Better functionality and personalization of the Platform	technical and usage data	Consent (article 6, paragraph 1 a) of the GDPR and article 12. paragraph 1 point 1) of the Law)
Analytics for further development of the Platform	technical and usage data	Consent (article 6, paragraph 1 a) of the GDPR and article 12. paragraph 1 point 1) of the Law)
Prevention of misuse and fraudulent behavior on Platform	technical and usage data	Legitimate interest (article 6, paragraph 1 f) of the GDPR and article 12. paragraph 1 point 6) of the Law)

Personal data we collect directly from you

4.2. If you give us your consent, we process personal data you provide us with - your name, username, e-mail address and password for registration purposes so we can provide you with additional benefits through our Platform, such as discounts for the certain number of purchased tickets and etc.

4.3. When you want to use the services of the Platform, i.e. buy tickets for the desired attraction, either as a registered user or as a guest, for performance of contract, i.e. purchase tickets and on the other hand for providing an adequate services by us through the Platform, we need your contact information for financial institutions, e-mail address for sending confirmation of purchased tickets and data on previous purchases, so that you can manage your purchases, more precisely to see, change or cancel purchased tickets.

4.4. If you are interested and give us your consent, we use your e-mail address to send you notifications about news on our Platform, about our partners or their news, which can be especially useful if you want to be up to date with destinations, attractions and activities in the Republic of Serbia.

4.5. For preventing misuse and fraudulent behavior on our Platform, we use technical and usage data, as well as data on previous purchases. We process personal data based on our legitimate interest, i.e. for safe trade and safe functioning of the Platform, protection of our business, but also the protection of our partners and visitors to the Platform, which is essential to us, but also to you as visitors who visit and/or use our Platform. Legitimate interest, including the necessity and proportionality of processing is explained in detail in the document "Legitimate interest - protection against abuse and fraudulent behavior on our websites".

Personal data we collect automatically

4.6. When you use the Platform, our website uses "cookies", and if you give us your consent, we receive certain personal data automatically, such as Internet Protocol (IP) address, browser type and version and other technical data, as well as the actions and browsing patterns of our internet pages.

4.7. We use the above data for the purpose of functionality and personalization, as well as for the analytics purposes, in order to further develop the Platform. For analytics purposes, we use aggregate data, such as statistical or demographic data that does not directly or indirectly reveal your identity. For example, we may aggregate your data in order to calculate the percentage of users who access a certain destination and/or attraction, or what was the total number of visits to the Platform on a daily, weekly or monthly basis, the number of visitors by territory. Analytical data is anonymized data.

4.8. You can see more about cookies, i.e. what are cookies, how do we use them and why, how you can accept or reject them, in our Cookie Notice.

Personal data we collect from third parties

4.9. If you choose to log to the Platform through your Google, Facebook or Twitter account, we obtain information about your user’s name, email address and password from the companies that own those applications, more precisely from Google LLC, for your Google account, Meta Platforms Inc. for your Facebook account and Twitter Inc. for your Twitter account.

4.10. In that case, the data from the specified accounts is only a source of data, so that you do not have to fill in the data yourself.

4.11. We need the above data for your registration, if you want to become a user of the Platform and receive benefits that are only provided for the users of the Platform, all as stated under point 4.2. this Privacy Notice.

V. MANDATORY PROVISION OF PERSONAL DATA

5.1. The provision of personal data is a contractual requirement, or a requirement necessary to enter into a contract, if you want to use our services through the Platform. If you do not provide us with the necessary data, Visit Online will not be able to provide you the requested services and you will not be able to obtain the requested tickets.

VI. CONSENT AND WITHDRAWAL OF CONSENT

6.1. Giving consent when that is the legal bases for the processing of personal data is completely voluntary and is not a statutory or contractual requirement, or a requirement necessary to enter into a contract with us and you shall not have any consequences in case of failure to provide your personal data, only additional benefits from using the Platform.

6.2. You can withdraw your consent at any time and you can do the same by canceling your user account, or by simply clicking on "Unsubscribe" when the consent was given for receiving the newsletters.

6.3. You can withdraw your consent for the purpose of functionality and personalization, as well as for analytical purposes, in your cookie settings. For other ways, please see our Cookie Notice.

6.4. In any case, you can withdraw your consent by submitting a request via the e-mail address: office@visitonline.rs, in person at our premises and by mail to the registered seat of our company.

6.5. Withdrawal of consent does not affect the lawfulness of processing carried out based on your consent prior to withdrawal.

VII. SHARING PERSONAL DATA (WHO ARE RECEPIENTS OF THE DATA)

7.1. You should know that we do not sell, or otherwise disclose personal data collected as explained above, except as described in this Privacy Notice.

7.2. Having in mind that our Platform is created and designed based on the software provided by the company KUPUJ ONLINE LLC with the registered seat in the territory of the Republic of Croatia, Fiorella La Guardie 13, Rijeka (City of Rijeka), registration number: 040236017, as our majority owner, which hosts and stores the data from the Platform on our behalf, the same is considered as processor of the data and therefore a recipient of personal data, in accordance with the personal data protection legislation. This service provider, i.e. the data recipient, is not authorized to review, use or disclose your personal data.

7.3. When you use our services, payment is made through the Web Secure Payment Gateway system, i.e. the company CSTI GROUP d.o.o. Belgrade, Dalmatinska 72, ID number: 21067172, and we share your contact information with them necessary for financial institutions in order to make the payment. Please note that Visit Online does not have access to your financial data, such as the account number through which you make the payment, nor the data you provide for the purposes of payment authorization. For the conditions of use and the Privacy Notice of the provider of the Web Secure Payment Gateway system, please see their website - www.wspay.rs

7.4. If you agree to the processing of your data for analytical purposes, we also share data with Google Inc. since we use Google Analytics tools for those purposes. Please note that data for analytic purposes are anonymized data and you cannot be identified, directly or indirectly.

7.5. In case your behavior during the usage of our Platforms becomes illegal or has elements of a criminal act, we could share your personal data with the competent authorities for the purpose of sanctioning such behavior and/or criminal prosecution.

7.6. Finally, please note that we will ensure that our recipients always act according to our instructions, with the application of the highest standards of personal data protection. Also, we shall keep this Privacy Notice up to date so that you can always be aware with whom we have shared your data and why.

VIII. DATA TRANSFERS

8.1. Please have in mind that all servers on which personal data are stored are located in the territory of the European Union and that all countries of the European Union are considered to have an adequate level of personal data protection in accordance with the personal data protection legislation of the Republic of Serbia.

8.2. Also, if you give us your consent for analytic purposes, we use Google Analytic tools from the company Google LLC, whose servers are located in Ireland, the United Kingdom and the United States of America. Please note that data for analytic purposes are anonymized data and you cannot be identified, directly or indirectly. In the configuration of Google Analytics, we have ensured that Google receives this data as a data processor and is not allowed to use this data for its own purposes. Any sharing of personal data with Google for advertising purposes as well as for any other purpose by Google as a data controller is disabled.

8.3. In case of any other transfers of your personal data, we will take all necessary actions to ensure at least the same level of protection of personal data as in the Republic of Serbia and the European Union and we will keep this Privacy Notice up to date so that you can always be informed where we transfer your personal data.

IX. HOW LONG DO WE KEEP DATA (DATA STORAGE)

9.1. Personal data that we process based on your consent, we delete immediately after the withdrawal of consent. You can see more about consent and withdrawal in Part VI of this Privacy Notice relating to consent and withdrawal of consent.

9.2. When we process your personal data in order to provide the services through the Platform, i.e. to execute the contract, we store the data on the made purchases for one year, considering that the validity of individual tickets can lasts for that period of time, after which the data is being anonymized.

9.3. In case you use our Platform and/or services for illegal actions or activities as defined in the General Terms and Conditions, we store your data for 5 years, which is the absolute statute of limitations for damages, and if your actions have elements of a criminal offense, then we store the data in the time specified for the statute of limitations for criminal prosecution.

X. HOW DO WE PROTECT YOUR PERSONAL DATA

10.1. Visit Online protects your personal data by collecting only the data that is absolutely necessary for us to provide services, while respecting the appropriate technical, organizational and HR measures for the protection of personal data.

10.2. All your personal data shall be only available to the persons who need the data to perform their work and who are familiar with the requirements and principles of personal data protection, who have responsibility for their compliance and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

10.3. All personal data shall be transmitted using the SSL (Secure Socket Layer) protocol, a 128-bit encryption method (RSA with 1024 bits), which currently represents the latest security standard on the Internet, as well as the use of the PKI system, which is currently the most modern cryptographic technology.

XI. YOUR RIGHTS REGARDING THE PROCESSING OF PERSONAL DATA

11.1. Under GDPR and Personal Data Protection Law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

right of access - You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
right to data portability - This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.
Right to object – when processing is based on our legitimate interest.

11.2. If you object, we are obliged to stop processing your personal data, unless the we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

11.3. You can submit a request for exercising the data protection rights to the email address office@visitonline.rs, in person at our premises and by mail to our registered seat.

11.4. You are not required to pay any charge for exercising your rights. We have 30 days or one month to respond to you, depending on which period is shorter, even though that period may be extended by another 60 days or two further months where necessary, taking into account the complexity and number of the requests.

11.5. Also, if you believe that the processing of your personal data is not in accordance with GDPR or personal data protection legislation of the Republic of Serbia, you may file a complaint to the competent supervisory authority, including the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia. Contact details of Commissioner for Information of Public Importance and Personal Data Protection are Bulevar kralja Aleksandra no. 15, Belgrade, telephone: 011 3408900, e-mail: office@poverenik.rs

11.6. Lodging a complaint to the competent supervisory authority, including the Commissioner, does not affect your possibility to protect your rights by initiating appropriate judicial or administrative proceedings.

XII. QUESTIONS AND ADDITIONAL INFORMATION

12.1. For all questions and concerns or for the purposes of exercising your rights, you can contact us by mail, at the address of our registered seat or by e-mail office@visitonline.rs.

XIII. CHANGES TO THIS NOTICE

13.1. We can change this Privacy Notice from time to time. We will not reduce your rights under this Privacy Notice without your explicit consent

13.2. If we change this Privacy Notice, you will be notified in a timely manner through a notification that we will send you before such changes take effect.

XIV. FINAL PROVISIONS

14.1. This Privacy Notice is written in English and shall be interpreted in accordance with the GDPR as well as positive regulations of the Republic of Serbia

14.2. This Privacy Notice, as well as updated versions shall be published on our website.

14.3. Last version: 22nd February 2023.

BY CHECKING THE BOX NEXT TO THE PRIVACY NOTICE, THE USER ACKNOWLEDGES THAT HE HAS READ AND UNDERSTAND ALL OF THE ABOVE MENTIONED