Legal
Privacy policy
Updated · July 4, 2026
Effective date
This Privacy Policy took effect on [insert date]. The date of the last update is shown in the page header.
Data controller
The controller of your personal data under the General Data Protection Regulation (EU 2016/679 — GDPR) is:
- 01Mundo Transfer d.o.o.
- 02Registered office: Kobilićka ulica 12, 10000 Zagreb, Croatia
- 03OIB (tax number): 98982032366
- 04Company ID (MB): 081512650
- 05E-mail address: info@mundotransfer.hr
- 06Phone: +385 99 168 8866
If you have any questions about how we handle your personal data, please contact us at the e-mail address above.
Data protection officer
Mundo Transfer is not required to appoint a data protection officer, as processing personal data is not our core activity, we do not carry out large-scale monitoring of data subjects, and we do not process special categories of data on a large scale. For any questions about the processing of personal data, you can contact us directly at info@mundotransfer.hr.
If you believe your rights have been infringed, you may at any time also contact the supervisory authority — the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, azop@azop.hr, www.azop.hr.
What data we collect
Depending on how you use our service, we collect the following categories of personal data:
- 01Identification data: first and last name
- 02Contact data: phone number and e-mail address
- 03Trip data: pickup, drop-off, date and time, number of passengers, optional note
In addition, to improve the site we keep purely anonymous visit statistics (page viewed, country of visit, device type). This data cannot be used to identify individuals, so it is not personal data under the GDPR; we mention it for full transparency. We do not store IP addresses, do not use third-party cookies and do not run advertising trackers.
Is providing data mandatory
Providing the personal data required for a reservation (name, contact, trip details) is a contractual requirement — without it we cannot accept and carry out your transport booking. Providing the data is not a statutory obligation and you are not required to provide it, but in that case we cannot process your reservation or provide the service.
Purposes and legal bases
We process your personal data exclusively for the following purposes:
- 01To perform the transport contract — legal basis: Art. 6(1)(b) GDPR (necessary for the performance of a contract or to take steps at your request prior to entering into a contract)
- 02To communicate with you about your reservation (confirmations, reminders, changes) — legal basis: Art. 6(1)(b) GDPR
- 03To fulfil legal obligations (invoicing, tax and accounting records) — legal basis: Art. 6(1)(c) GDPR
The anonymous visit statistics described above do not constitute processing of personal data, so no Art. 6 GDPR legal basis is required for them.
Recipients
We may share your personal data with the following categories of recipients, only to the extent necessary for the service:
- 01The driver performing your transfer (name, phone, trip details)
- 02The e-mail service provider (Zoho) through which we send confirmations and notifications
- 03The server infrastructure provider (Hetzner, Germany) on which our application runs
- 04Competent authorities, where required by law
We carefully select all business partners and have data processing agreements in place with them in accordance with Art. 28 GDPR.
Transfers outside the EU
Our application and reservation data are hosted on a server in Germany, that is, within the European Union. The e-mail service provider (Zoho) processes data on infrastructure within the European Economic Area. We do not transfer your personal data outside the European Economic Area without appropriate safeguards; where necessary, standard contractual clauses are in place with service providers to ensure the level of protection required by the GDPR.
Retention periods
We retain your data only for as long as necessary for the purpose for which it was collected, or as required by applicable law:
- 01Reservation and communication data: up to 12 months after service completion
- 02Invoices and tax-relevant documentation: 11 years (the Accounting Act, the VAT Act and the General Tax Act, Croatia). Personal data contained in invoices is retained only for as long as necessary to meet tax and accounting obligations.
Your rights
Under the GDPR, at any time you have the right to:
- 01Request access to your personal data
- 02Request correction of inaccurate or incomplete data
- 03Request erasure when there is no longer a legal basis to retain the data
- 04Request restriction of processing
- 05Object to processing based on legitimate interest
- 06Object to processing for direct marketing purposes at any time
- 07Request data portability in a machine-readable form
- 08Withdraw consent, where processing is based on consent, without affecting prior lawful processing
To exercise these rights, contact us at info@mundotransfer.hr. We will respond without undue delay and within 30 days at the latest.
Automated decision-making and profiling
We do not carry out automated decision-making, including profiling, that would produce legal effects concerning you or similarly significantly affect you. Every reservation is reviewed and confirmed by our staff.
Data security
We apply reasonable technical and organisational measures to protect your data: HTTPS traffic encryption, controlled access to the admin interface, regular security updates and access to data restricted to authorised personnel only.
Cookies
Our site uses a minimal set of cookies needed for it to function:
- 01Admin session cookie (`next-auth.session-token`) — keeps the administrator logged in, deleted on logout
- 02Language preference cookie (`NEXT_LOCALE`) — remembers the Croatian or English language choice
- 03Access cookie (`mundo_gate`) — used only during the preview phase, while the site is not yet public
These are strictly necessary cookies for the site to work, for which no prior consent is required under electronic communications regulations. We do not use third-party cookies or tools such as Google Analytics or Facebook Pixel. Visit statistics are kept anonymously on our own server, with no user identification.
Right to lodge a complaint with a supervisory authority
If you believe your rights have not been respected, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency:
- 01Personal Data Protection Agency (AZOP)
- 02Selska cesta 136, 10000 Zagreb, Croatia
- 03E-mail address: azop@azop.hr
- 04Web: www.azop.hr
Changes to this policy
We may update this policy from time to time to reflect changes in our services or in the law. Any update will be published on this page; the date of the last update is shown in the header.