Stari grad Hotel Dubrovnik


SOLES d.o.o., personal identification number (OIB): 45821000734, Od Sigurate 4, 20000 Dubrovnik, entered into the court registry of the Commercial Court Dubrovnik entry number Tt-12/1616-2, under identification number (MBS): 060280520. Bank account at the Raiffeisen Bank, Vukovarska 17, Dubrovnik, account number: IBAN: HR5324840081106109698 with share capital in the amount of 202.000,00 kuna paid in full, members of board Ganna Slabovska and Sedat Fetahi.


Privacy Policy

Last edited: 28.04.2020.

The company SOLES d.o.o., Dubrovnik, Od Sigurate 4, OIB: 45821000734 (hereinafter referred to as: “Controller”, “The company” or “we”) highly respects your privacy and undertakes to protect your privacy during and after your visit to our website (hereinafter referred to as: “The website” or “our website”), as well as during your stay with us, your visit at our locations and while using any of our services.

We have set up appropriate physical, electronic and management procedures to protect the processing of personal data. However, due to the inherent nature of the Internet, we cannot guarantee that communication between you and us or information stored on this Webpage or on our servers will be completely secure from unauthorized access by third parties. Therefore, we have policies in place to determine how your personal data shall be processed and protected.

By using any of our products or services and/or by agreeing to this Policy, e.g. in the context of registering for any services, you understand and acknowledge that we collect and use your personal data as specified in this Policy.

As Controller we, hereby, state that we process your personal data in accordance with the applicable rules on data processing, especially in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as: “GDPR”) and the General Data Protection Regulation Implementation Act (Official Gazette number 42/2018).

This Policy is subject to change, and the date of the last change is specified in the title of the Policy.


1. The personal data we collect and process

1.1. Which personal data do we collect and for what purpose?

As data controller we process your personal data, that is, information that can directly or indirectly identify you, in particular through identifiers such as your first name, last name, email address, phone number, date of birth, gender, identity card number, country of birth, citizenship, photo and recording, credit card number, visa number if you are subject to visa regime, place of entry in the Republic of Croatia, date of arrival to the hotel and date of departure, personal expenses, information about the airline and the vehicle you use to come to our hotel, opinions about our services, IP address and other personal information provided when communicating with us, contracting, attending events, or accessing our business locations (“personal data”), especially when:

  • you contact us via email or connect with us via social networks,
  • you make comments or ask questions,
  • you fill out questionnaires on the Website,
  • we process your job application,
  • you contact us with a complaint about our services,
  • you participate in prize competitions and sweepstakes that we organize,
  • you access our Website,
  • we photograph events and activities we organize,
  • you come to our premises,
  • an "R1" invoice is issued for products / services,
  • you provide us with your information so that the purchased products can be delivered to you,
  • you contact us with a product complaint or a request for a return on purchased goods,
  • we work with you as our suppliers and business partners,
  • an event is organized in our premises,
  • you buy our gift voucher,
  • your reservation is authorized.

We do not collect or process data and information on your health, religious and political beliefs and other sensitive information unless it is volunteered by you. The purpose of data collection is to provide better service or to meet your special needs and requirements.

We process personal information on the basis of your consent, legitimate interest, for the performance of a contractual obligation, and on the basis of a legal obligation. The processing of personal data is restricted to the purpose for which it was collected in accordance with the terms of this Privacy Policy.

When we process data based on your preferences, we only process personal data that you voluntarily provided us with (when communicating with us, when answering questionnaires, in your job application, when participating in prize competitions and awards games we organize as well as when you make a reservation and we ask for your authorization).

Based on a legitimate interest, we process personal data when you access our Website (IP address), when we photograph events and activities we organize, as well as surveillance camera data. If we organize events and other activities during which we photograph, we will do so either on the basis of legitimate interest, of which you will be informed beforehand, or on the basis of your consent, which you will be asked for before entering the area where the photographs will be taken.

The purpose of this processing also includes the process of investigating suspected fraud, harassment, physical threats, or other violations of our policies or any suspicious behaviour that we consider to be problematic. Participants' recordings / images of our events are processed for the purpose of promoting the event.

In order to fulfil our contractual obligations, we are obliged to process your personal information when you purchase our products or use our services, based on legal and regulatory requirements. Data of business partners and suppliers is processed separately (e.g., agreements on the provision of services), and we also process contact information of business partners who are natural persons and of their employees (e.g. name and surname, business telephone / mobile number, e-mail address), as well as of customers who request an "R1" invoice.

We also use your personal data to confirm your reservation (booking). When you make a reservation, you will be provided with a letter of authorization asking for your personal data and credit card number. This personal data is processed and retained until your reservation date occurs.

1.2. Sources

We may collect your personal data

  1. directly from you (via email, telephone, mobile phone, web form, in person communication)
  2. from other persons, e.g., tourist agencies, online websites for reservation, event planners, credit card providers.

We undertake to inform all other persons of the rules and regulations of data protection as well as provisions of this Privacy Policy.

1.3. Third parties

We provide third party recipients with your personal data only for the abovementioned purposes and only to the extent necessary.

We make sure that our partners maintain confidentiality of personal data as required by the contractual obligations, the Law and this Privacy Policy.

We have a legal obligation to register you with the relevant authorities while you stay with us.

In order to provide certain services, we cooperate with external partners e.g. transport organization, excursion organization, wellness and SPA, car hire, yacht hire and hire of other equipment, event organization on our premises etc. When you want us to provide such a service, we may disclose your personal data to our partners we cooperate with to the extent necessary for them to provide a service for you (e.g. getting in touch with you, assessing the compliance with travel regulations or being charged special rates).

In our business operations we use various software solutions and hire specialized companies for their maintenance, such as software solutions for booking and hotel business management, web page maintenance and provision of secure exchange of credit card numbers and payments. We use these solutions and companies when you make reservations for our rooms, our restaurant or massage treatments. As our partners may have access to your personal data when providing those services, they assume contractual obligations to conform to the highest standards of personal data protection.

Besides the abovementioned cases, your data may be disclosed when required by law, to fulfil the requirements of state authorities that we are legally obliged to fulfil, in order to protect our rights or the rights of our visitors, employees and the public, and to react in emergencies.

1.4. Duration

We retain your personal data no longer than is necessary for the purposes for which the personal data is processed.

Credit card data shall be deleted 10 days after your check-out or, in case you do not come, 10 days after your arranged date of departure. Certain data shall be deleted after a one-year period, while some data shall be deleted five years after your stay is completed. Invoices (that include the extent of data required by law) shall be retained for eleven years, the minimum period we are obliged to retain them.

Personal data are retained longer than the periods stated above when necessary to fulfil mutual legal requirements.

When the retention time expires the personal information printed on paper will be destroyed in a secure manner, such as by cross-shredding or incinerating and, if saved in electronic form, will be permanently erased to ensure the information may not be restored at a later time.


2. Video surveillance

We use video surveillance on our premises for the following purposes:

  • To protect our guests and other individuals who, for whatever reason, find themselves in the area supervised by the Company and to protect our property,
  • To supervise the entrance and exit from the premises and to make employees less exposed to the risk of robberies, break-ins, violence, thefts and similar events at work or related to work,
  • To protect the Company’s property,
  • To prevent unauthorised entry into the Company’s premises.

We base the application of video surveillance on our legitimate interest in protecting people and property.

We have introduced strict rules to make sure that the recordings are automatically erased after 7 days by recording new content over the old, that video surveillance can be accessed only by those who need it to do their jobs, and that the recordings are viewed only when we find there is a good reason for it, i.e. fulfilling one of the above stated purposes (and then only with the consent of the authorised person). Only those recordings are kept longer, for as long as there is a need for them.

Recordings obtained through video surveillance are not to be delivered to third parties, except in case there is a request or order of the competent state authority (e.g. the police, state attorney, courts, labour inspectorate). They may be used as evidence in court, administrative, arbitral or other equivalent proceedings, in accordance with current procedural rules applicable in such proceedings. The recordings are not to be transferred abroad.

The video surveillance we use is not an intelligent video surveillance system and is not connected with other systems, nor shall we use video surveillance for profiling or automated decision making.


3. Marketing and social media

3.1 Marketing and social networks

If you decide to participate in events or offers that we sponsor through social media, we will be able to collect certain data from your account in the social media which are compatible with your settings within the social media service. We can enable you to participate in photography contests, for example photographs of your stay in our hotel, which you can share with your contacts on social networks for voting, sharing offers or other promotions.

If you participate in some of the prize-winning games or competitions your information can be exchanged with our sponsor or third-party sponsors.

With your consent, we can also use user-generated content (such as photographs) from social media for the purpose of advertising on websites or on our website and applications.

3.3. Facebook, Instagram, Pinterest, LinkedIn

On our website we have only links to Facebook, Instagram, Pinterest and LinkedIn.

Facebook and Instagram are social media outlets operated by the company Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. For persons not living in the United States or Canada, the controller is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal, Dublin 2, Ireland.

Data protection rules that provide information on collection, processing and use of personal data can be found at

a) and


Pinterest is an online service dedicated to helping you find your preferences, operated by the company Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.

The privacy policy of Pinterest can be found at


LinkedIn is a business and employment-oriented service operated by the company LinkedIn Corporation 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA. For persons not living in the United States or Canada, the controller is LinkedIn Ireland Unlimited Company Wilton Plaza, Wilton Place, Dublin 2, Ireland.

The privacy policy of LinkedIn can be found at

3.4. Third countries

The information we collect is stored within the European Union (EU) and European Economic Area (EEA) except Switzerland but may also be transmitted and processed in a country outside the EU and EEA, in particular the USA.

Any such transfer of personal data will be carried out in accordance with applicable legal regulations. For transfers outside the EEA, we use Standard Contract Clauses, Eligibility Decisions, and appropriate safeguards, while any transfer to the US is covered by the EU-US Privacy Shield Agreement, which guarantees adequate protection of personal data.


4. Cookies

Our website uses cookies to provide better service.

We may, with your consent, use cookies to analyse the number of visits to our websites, parts of our web page you browse and the length of time you spent on them.

Cookies are text files that are stored on a computer, smart phone or any other device for accessing the Internet each time you visit these web pages.

The Electronic Communications Act states that we may store cookies on your device if they are strictly necessary for the operating of the site. For all other types of cookies, we need your consent. This site uses different types of cookies. Some cookies are set by third parties that use our site.

On our web page we use the following types of cookies:

4.1. Necessary & Performance cookies

We use a page-request-specific cookie, which is an anonymous timestamp of the page requested that allows the website to identify whether the person accessing the website is an administrator or a public user. This cookie updates with the current encrypted timestamp and expires in 3 hours (which is the server's default PHP session time).

The same cookie allows the system to enhance the performance of the website, as it contains a reference pointer to the cached view queries, in order to speed up load times instead of investing server resources to process scripts and queries on each request.

4.2. Analytics, marketing and third-party cookies

In order to gain better understanding of our users, we can also use information that we collected and combined or information received from third parties (for example, using Google Analytics in order to establish the percentage of our visitors who belong to a specific age group or are located in a specific area).

We use Google Analytics, which creates numerous first-party cookies. They enable us to make sure that later visits to our web page are assigned to the same (unique) visitor, and they tell us how you have found us. Google Analytics is a tool that helps website owners measure the users’ behaviour when interacting with the web content.

To provide website visitors the ability to prevent their data from being used by Google Analytics, Google has developed the Google Analytics opt-out browser add-on for websites using the supported version of Google Analytics JavaScript (analytics.js, gtag.js).

If you want to opt-out, download and install the add-on for your web browser. The Google Analytics opt-out add-on is designed to be compatible with Chrome, Internet Explorer 11, Safari, Firefox and Opera. In order to function, the opt-out add-on must be able to load and execute properly on your browser. For Internet Explorer, 3rd-party cookies must be enabled.

Session Cookies: We use these cookies to assign a randomly generated unique identification number to your computer each time you visit one of our web pages. The validity of a session cookie automatically expires when you close the browser. Session cookies are used to support the functionality of our web pages and to find out more about your usage of our web page or pages you have visited, which links you use and how long you spend on each page, on which part of the page you decided to leave it etc.

Persistent Cookies: They allow web pages to recognise the user on their next visits and serve to speed up or optimise your online experience, the services or functions offered by the web page. Persistent cookies do not expire right after you close your browser, but rather remain on the hard drive until they expire after a certain period of time or are deleted by the user.


5. Job applicants, high school students, college students, scholarship recipients

5.1 Job applicants

You can send us your open job application to our email address or by mail to our abovementioned address. Providing data is voluntary. Personal data received in this way is processed only for recruitment purposes and is not exported to other countries nor to individuals outside of the Company. The received CVs will be retained no longer than one year and will be erased earlier upon your request.

In case you have applied for an advertised job and have not been selected, your data will be erased upon the completion of the selection procedure, unless you specifically agree that we retain them longer for possible future employment.

5.2 High school students and college students

In accordance with law, we can hire high school students and full-time college students, in which case it is our obligation to collect the personal data of high school students and college students that is required by law as well as the data required for the execution of the contract. The personal data may be shared with the high school and the Student Job Centre through which the students are employed. Personal data of high school students and college students are not exported to other countries. We have a legal obligation to retain their data for 6 years after the termination of the Contract of employment, after which the data shall be erased. Personal data of high school students and college students who have not been hired are erased upon the completion of the selection procedure.

The above is also applied to personal data of high school students who do their apprenticeship in accordance with the curriculum for the organisation and provision of apprenticeship training.


6. Your rights

If you have any questions regarding this Privacy Policy or you wish to exercise your rights stated in this Privacy Policy you can contact our data protection officer via e-mail or by post to the following address: Stari grad hotel Dubrovnik (Soles d.o.o.), Od Sigurate 4, 20000 Dubrovnik.

Your rights are as follows:

  1. the right to access your personal data i.e. the right to obtain information about which of your personal data are processed and the details about their processing
  2. the right to rectification of personal data,
  3. the right to erasure of personal data,
  4. the right to restriction of personal data,
  5. the right to object to processing of personal data,
  6. the right not to be subject to the decision based solely on automated processing, including profiling. (In this respect we emphasize that we do not apply such processing)
  7. The right to lodge a complaint with the supervisory authority in Croatia. (The Croatian Personal Data Protection Agency, Martićeva 14, 10 000 Zagreb, e-mail:

Exercising the abovementioned rights depends on the reasons and grounds of data processing (e.g. if we are required by law to keep data for a period of time, we cannot erase it).

Upon your request we shall act without delay and inform you about the undertaken activities. You can also contact us if you have any further questions related to your personal data processing.


7. Measures to protect your personal data

Data protection is very important to us and we undertake all measures needed for the protection of your personal data.

In order to prevent unauthorised access, disclosure, exchange, erasure or any other abuse of your personal data we provide certain technical, organizational and staff-related protection measures. The aim of these measures is to ensure that only those persons who need the information to perform their job tasks have access to that data in electronic or physical form, and only to the extent necessary for that purpose. We recognize the importance an individual person has in personal data protection, so we provide internal and external trainings to make sure that our employees and other persons we hire are well informed about the legal obligations and internal procedures related to personal data protection. Specific protection measures are detailed in rules and procedures we have set out for that purpose. Depending on technology advances, a regular review of technical protection measures will be carried out in order to adapt to market standards.

Our partners and service providers with whom we share personal data are required to assume contractual obligations and to provide the same level of personal data protection that you expect from us. Before choosing partners who will perform data processing for us (data processors), we take reasonable measures to ensure they do so in compliance with legal obligations related to personal data protection.

For online transactions, we use reasonable technological measures to protect the personal information that you transmit to us via our website (e.g. when you enter a credit card number, SSL encryption is used to provide a secure transaction). Unfortunately, however, no security system or system of transmitting data over the Internet can be guaranteed to be entirely secure to prevent interception or other illegal use of personal data.

In order to protect your own privacy, do not send credit card numbers or excessive amounts of personal data by e-mail.

We shall not contact you by mobile phone, text message or email in order to request confidential personal data or credit card details. If you receive such a request, do not reply to it. We shall request credit card details by telephone only when you book your accommodation or promotional package. We kindly ask you to inform our data protection officer about such messages.


8. Terms of payment

Soles d.o.o. uses WSPay for online payments, payment by link.

WSPay is a secure system for online payments, real time credit and debit card payments, and other payment methods. WSPay provides the buyer and the merchant with secure card data entry and transfer, which is also confirmed by its PCI DSS certificate. WSPay uses 256-bit SSL encryption and TLS 1.2 cryptographic protocol as the highest protection standards for data entry and transfer.

Payment terms and conditions

  • Credit card will be charged for the total amount according to the terms in the accepted proposal.
  • We accept the following credit cards: MasterCard, Maestro and Visa.
  • Credit card will be charged in the currency shown on the Proposal/Proforma Invoice and issued Invoice.
  • Refund can be made under certain conditions:
      • If the cancellation is made 72 hours before the time of the service, the refund can be made in the same way the transaction was made.
  • Your personal information, as well as your credit card details, are fully protected. Data transfer takes place on a secured server.
  • If you have any questions, feel free to contact us at:


MERCHANT – Soles d.o.o.

Head office: Od Sigurate 4, 20000 Dubrovnik
VAT: 45821000734
T: +38520322244
F: +38520321256

More details about Soles d.o.o. are available at


Statement on Protection and Collection of Personal Data and their Use

Soles d.o.o. provides personal data protection by collecting only basic customer information necessary to meet business obligations. Collected customer personal data are safely stored and used only for the purposes for which they were collected.

Access to the collected personal data is restricted to the authorised employees only.

All Soles d.o.o. employees and business partners are responsible for respecting the principles of privacy protection.


Statement of WSPay usage

Soles d.o.o. uses WSPay for online payments.

WSpay - Web Secure Payment Gateway


WSPay is a secure online payment system for real-time payments, credit and debit cards, and other payment methods. WSPay provides the customer and the merchant with secure entry and transfer of the card data entered, which is also confirmed by the PCI DSS certificate that WSPay holds. WSPay uses a 256-bit encryption SSL certificate and the TLS 1.2 cryptographic protocol as the highest degree of data protection and data security.


Statement on the Protection of Personal Data Transfer

Protection of personal data in accordance with the General Data Protection Regulation of the European Parliament and Council No. 2016/679 - Regulation and implementation of the General Data Protection Regulation.

WSPay, as the processor of credit card authorization and payment, processes personal data as a data processor in accordance with the General Data Protection Regulation of the European Parliament and Council No. 2016/679 and the strict rules of the PCI DSS Level 1 regulations on the protection of data entry and data transfer.

WSPay uses 256-bit encryption SSL certificate and TLS 1.2 cryptographic protocol as the highest degree of data protection and data security.

Personal data used for authorization and collection purposes, or for performance of the contract or contract obligations, are considered confidential.

WSPay does not process personal data except for the purpose of executing authorization and billing.

WSPay warrants compliance with all the terms and conditions laid down in the applicable personal data protection regulations for processors of personal data, and in particular the taking of all necessary technical, organizational and security measures, as confirmed by its PCI DSS Level 1 certificate.


Online Dispute Resolution:


All payments will be effected in Croatian currency. The amount your credit card account will be charged is obtained through the conversion of the price in Euro into Croatian kuna according to the current exchange rate of the Croatian National Bank. When charging your credit card, the same amount is converted into your local currency according to the exchange rate of credit card associations. As a result of this conversion there is a possibility of a slight difference from the original price stated on our website.

Data protection pursuant to the General Data Protection Regulation of the European Parliament and the Council no. 2016/679 - Regulation and implementation of the GDPR

WSPay, being the processor of authorization and payment made by credit cards, uses personal data as the processor pursuant to the General Data Protection Regulation of the European Parliament and the Council no. 2016/679, and compliant with PCI DSS Level 1 Regulations for data transfers.

WSPay uses 256-bit SSL encryption and TLS 1.2 cryptographic protocol as the highest protection standards for data entry and transfer.

Personal data used for the purposes of authorization and payment are deemed to be confidential data.

The following customer's personal data are necessary to fulfil the Agreement (authorization and payment):

  • Name and Surname
  • E-mail
  • Telephone number
  • Address
  • City
  • Post Code
  • Country
  • Type of credit card
  • Credit card number
  • Expiry date (credit card)
  • CVV number for credit card

WSPay does not process or use these personal data except for the purpose of fulfilling the Agreement, the authorization and the payment.

WSPay ensures to meet the requirements determined by applicable personal data protection regulations, for the processors of personal data, especially taking all necessary technical, organizational or security measures confirmed by PCI DSS Level 1 certificate.