Privacy Policy

Last updated: 01.04.2026

This Privacy Policy explains how Lenox Villas [Lenox d.o.o. OIB: 53827849896] (“Lenox Villas”, “we”, “us” or “our”) collects, uses, stores and protects personal data when you visit lenox.hr, contact us, make a booking enquiry, book a villa, request additional services, or communicate with us.

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), applicable Croatian data protection laws and other applicable EU privacy rules.

1. Data Controller

The data controller responsible for the processing of your personal data is:

Lenox Villas [Lenox d.o.o.]

Address: ulica Valovine 34A, 52100 Pula, Croatia

Email: info@lenox.hr

Phone: +385 99 357 9930

For any privacy-related request, please contact us at info@lenox.hr.

2. Personal Data We Collect

We may collect and process the following categories of personal data:

a) Contact and enquiry data:

Name, surname, email address, phone number, message content, preferred communication method and any other information you provide through contact forms, email, WhatsApp, phone or social media.

b) Booking and guest data:

Booking dates, villa selected, number of guests, guest preferences, special requests, arrival and departure information, billing details, reservation history and information necessary to manage your stay.

c) Payment and billing data:

Payment amount, transaction status, invoice details, billing address, deposit information and payment references. If card or online payments are available, payment card details are processed by external payment service providers. We do not store full card numbers or CVV codes on our website.

d) Website and technical data:

IP address, browser type, device information, operating system, pages visited, time spent on the website, referral source, cookie identifiers and similar technical information.

e) Owner and property management data:

If you contact us as a villa owner or investor, we may process your name, contact details, property details, ownership or management information, financial information, contract data and other details necessary to assess or manage a business relationship.

f) Optional information:

You may voluntarily provide additional information, such as travel preferences, accessibility needs, dietary requirements or other special requests. We process such information only where necessary to provide the requested service or where you have given us permission to do so.

3. Purposes and Legal Bases for Processing

We process personal data for the following purposes:

a) Responding to enquiries

To respond to your questions, requests and messages.

Legal basis: pre-contractual steps and/or legitimate interest.

b) Managing bookings and villa stays

To create, confirm and manage reservations, prepare rental arrangements, communicate with guests and provide accommodation services.

Legal basis: performance of a contract or steps prior to entering into a contract.

c) Payments, deposits and invoices

To process payments, issue invoices, manage deposits, refunds and accounting records.

Legal basis: performance of a contract and compliance with legal obligations.

d) Legal and regulatory compliance

To comply with applicable tourism, tax, accounting, consumer protection, security, immigration or other legal obligations.

Legal basis: legal obligation.

e) Customer support and service communication

To provide support before, during and after your stay, including check-in information, service updates and responses to complaints.

Legal basis: performance of a contract and legitimate interest.

f) Additional services

To arrange services such as car rental, catering, food hampers, babysitting, cleaning or event support where requested.

Legal basis: performance of a contract, pre-contractual steps or consent, depending on the service.

g) Marketing communication

To send promotional emails, offers or updates where you have consented or where permitted by law. You can unsubscribe at any time.

Legal basis: consent or legitimate interest, where applicable.

h) Website analytics and improvement

To understand how visitors use our website, improve user experience, measure performance and improve our services.

Legal basis: consent for non-essential cookies and similar technologies; legitimate interest for basic aggregated analytics where permitted.

i) Website security and fraud prevention

To protect our website, systems, users and business from misuse, fraud, spam, cyberattacks or unlawful activity.

Legal basis: legitimate interest and/or legal obligation.

j) Legal claims and dispute resolution

To establish, exercise or defend legal claims.

Legal basis: legitimate interest and/or legal obligation.

4. Cookies and Similar Technologies

Our website uses cookies and similar technologies.

Necessary cookies are required for the website to function properly and cannot usually be disabled through our cookie banner. These may include security, session and consent-management cookies.

With your consent, we may also use functional, analytics, performance or marketing cookies. These cookies help us remember preferences, analyse website usage, improve our services and, where applicable, provide relevant advertising.

You can accept, reject or manage non-essential cookies through the cookie settings available on our website. You can also delete or block cookies through your browser settings. Some website features may not work properly if cookies are disabled.

5. Who We Share Personal Data With

We do not sell your personal data.

We may share personal data only where necessary with the following categories of recipients:

- IT, hosting, website maintenance and security providers;

- booking, reservation and property management systems;

- payment service providers, banks and financial institutions;

- accountants, tax advisors, legal advisors and auditors;

- villa owners, property managers, cleaning teams, maintenance providers and service partners where needed for your stay;

- providers of requested additional services, such as car rental, catering, babysitting or event support;

- analytics, advertising or marketing service providers, only where legally permitted and subject to cookie consent where required;

- public authorities, courts, police, tax authorities, tourism authorities or regulators where required by law.

All service providers that process personal data on our behalf must process it only under our instructions and apply appropriate confidentiality and security measures.

6. International Data Transfers

Some service providers may process personal data outside the European Economic Area. Where this occurs, we will ensure that appropriate safeguards are in place, such as an adequacy decision by the European Commission, Standard Contractual Clauses or another valid transfer mechanism under the GDPR.

7. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Typical retention periods include:

- enquiry data: up to 12 months after the last communication, unless a booking or business relationship follows;

- booking and contract data: for the duration of the booking relationship and afterwards as required for accounting, tax, legal and dispute-resolution purposes;

- payment and invoice data: for the period required by applicable tax and accounting laws;

- marketing data: until you withdraw consent or unsubscribe;

- cookie data: according to the duration stated in the cookie settings or cookie banner;

- website security logs: for a limited period necessary for security and fraud-prevention purposes, unless longer retention is required to investigate incidents;

- owner and property management data: for the duration of the business relationship and afterwards as required by contract, law or legitimate business needs.

8. Your GDPR Rights

Subject to the conditions and limitations under the GDPR, you have the right to:

- request access to your personal data;

- request correction of inaccurate or incomplete data;

- request deletion of your personal data;

- request restriction of processing;

- object to processing based on legitimate interests;

- request data portability;

- withdraw consent at any time where processing is based on consent;

- object to direct marketing at any time;

- lodge a complaint with a supervisory authority.

If you withdraw consent, this does not affect the lawfulness of processing carried out before the withdrawal.

To exercise your rights, contact us at info@lenox.hr. We may need to verify your identity before responding to your request.

9. Supervisory Authority

You have the right to lodge a complaint with the supervisory authority in the EU Member State where you live, work or where you believe a GDPR infringement occurred.

In Croatia, the supervisory authority is:

Croatian Personal Data Protection Agency (AZOP)

Ulica Metela Ožegovića 16

HR-10000 Zagreb

Email: azop@azop.hr

Phone: +385 (0)1 4609 000

10. Security of Personal Data

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. These measures may include access controls, secure communication, website security tools, internal confidentiality rules and limiting access to personal data to persons who need it for their work.

No method of transmission or electronic storage is completely secure. However, we take reasonable steps to protect your data and continuously improve our security practices.

11. Payment Security

If online or card payments are available, payment data is processed through secure external payment service providers. We do not store full payment card numbers, CVV codes or other sensitive card authentication data on our website.

We may receive limited payment-related information, such as payment status, amount, transaction reference, date, billing details and partial card information where provided by the payment service provider for accounting, verification or customer support purposes.

12. Children’s Data

Our website and services are intended for adults making accommodation bookings. We do not knowingly collect personal data directly from children. If children are included in a booking, their data may be provided by a parent, guardian or other responsible adult only where necessary for the accommodation service or legal requirements.

13. Third-Party Links and Services

Our website may contain links to third-party websites, social media platforms, maps, booking platforms or communication tools. These third parties process personal data under their own privacy policies. We are not responsible for the privacy practices of third-party websites or services.

14. Automated Decision-Making

We do not use your personal data for automated decision-making that produces legal effects or similarly significant effects concerning you.

15. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, website, legal requirements or data processing practices. The updated version will be published on this page with a new “Last updated” date.

16. Contact

For any questions about this Privacy Policy or the processing of your personal data, please contact:

Lenox Villas

Email: info@lenox.hr

Address: ulica Valovine 34A, 52100 Pula, Croatia

Phone: +385 99 357 9930