Privacy Policy

carrentalsplit.com is operated by Flarent d.o.o. ("Flarent", "we", "us", "our"), a licensed vehicle rental company and travel agency based in Split, Croatia. Through this website we provide car hire in Split, with additional services covering motorcycles, scooters, e-scooters, bikes, transfers, and tours for visitors travelling in Dalmatia.

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Croatian Act on the Implementation of the General Data Protection Regulation (Zakon o provedbi Opće uredbe o zaštiti podataka, OG 42/2018), Flarent d.o.o. is the data controller of personal data processed through this website.

Our details:

• Company name: Flarent d.o.o.
• Registered address: Križine 14, 21000 Split, Croatia
• Branch manager: Đani Ponoš
• Email: info@flarent.hr
• Phone (Tours & Transfers): +385 95 336 2332
• Phone (Rent a Car & two-wheel rentals): +385 95 321 0498

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at info@flarent.hr.

This Privacy Policy explains what personal data we collect about you when you use https://split-cityexcursions.com, why we collect it, how we use and share it, how long we keep it, and what rights you have under the GDPR.

It applies to:

• visitors who browse the website;
• customers who submit an inquiry, request a quotation, or book a vehicle rental (or other Flarent service) online;
• people who contact us by email, phone, WhatsApp, or social media using details published on this website;
• subscribers to any email communications we send.

It does not cover third-party websites we link to (for example, TripAdvisor, Facebook, Instagram, Google Maps). Those services have their own privacy policies, and we encourage you to read them.

We only collect data that we genuinely need to provide our services, run our website safely, and meet our legal obligations.

3.1 Data you give us directly

When you fill in an inquiry or booking form, contact us by email, or speak with us by phone or WhatsApp, we may collect:

• Identity & contact data — first and last name, email address, phone number, country of residence, nationality (where required by Croatian law for accommodation/transfer records).
• Booking details — service requested (tour, transfer, rental), date and time, pickup/drop-off locations, number of passengers, flight or cruise details, dietary or accessibility requirements you choose to share, message content.
• Driver data (for vehicle rentals only) — driving licence number, licence issue/expiry date, date of birth, passport or ID number. These are required under Croatian law and our insurance policy for vehicle lease contracts.
• Payment data — for online payments, your card data is entered directly into our payment processor's secure form. We do not see, store, or process your full card number, CVV, or expiry date on our servers. We retain only a transaction reference, amount, currency, and the masked last four digits of the card.

3.2 Data collected automatically

When you visit the website, our servers and analytics tools may automatically collect:

• IP address, approximate location (city/country) derived from it, and ISP;
• browser type and version, operating system, device type, screen resolution, and language settings;
• referring URL, pages viewed, time spent on each page, clicks, scrolls, and outbound links;
• date and time of your visit;
• cookie identifiers and similar device identifiers (see our Cookie Policy).

This data is collected through server logs and through the analytics and advertising cookies described in Section 6 and in our Cookie Policy. Analytics and advertising cookies are only set after you give consent in our cookie banner.

3.3 Data from third parties

We may receive data about you from:

• Booking partners and online travel agencies (for example, when a tour is booked through a partner platform) — your name, contact details, and booking details;
• Payment processors — confirmation that a payment has succeeded or failed, transaction reference, masked card details;
• Social media platforms — if you contact us through our Facebook or Instagram page, we receive the information your profile shares with us through that channel.

Under the GDPR, every processing activity must have a lawful basis. We rely on the following:

You are not required to give us your personal data, but if you choose not to provide the data marked as required in our forms, we will not be able to send you a quotation or fulfil a booking.

We do not sell your personal data. We only share it with third parties where we have a clear reason to do so, and we have a written data-processing agreement in place with each processor that handles data on our behalf, as required by Art. 28 GDPR.

The categories of recipients are:

• Service partners required to deliver the booking — for example, the boat operator, driver, licensed tour guide, or rental yard supplying the vehicle for your booking. They receive only the data they need (typically your name, contact number, pickup time, and pickup location).
• Payment processors — PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg) and the card payment processor used for the relevant transaction (e.g., WSPay operated by W2P d.o.o., Croatia, and/or Stripe Payments Europe Ltd, Ireland). They process your payment data on a strictly need-to-know basis and under their own privacy notices.
• Booking and software platforms we use to run the agency — for example, our reservation/CRM system, email service, and cloud hosting provider. These act as our processors.
• IT providers — our website hosting and email providers, who may have technical access to data on our systems.
• Professional advisers — our accountants, auditors, lawyers, and insurers where they need the data to advise us or defend a claim.
• Public authorities — tax authorities, police, courts, the State Inspectorate (Tourist Inspection, Šubićeva 29, 10000 Zagreb), or any other body where Croatian or EU law requires us to disclose data.
• Analytics and advertising providers (only with your consent) — Google Ireland Ltd (Google Analytics 4, Google Ads, Google Tag Manager) and Meta Platforms Ireland Ltd (Facebook/Instagram Pixel). These providers may process data in their own right; see Section 6.

Most of our processing happens inside the European Economic Area (EEA). However, some of our service providers — in particular Google and Meta — may transfer personal data to the United States or other countries outside the EEA.

Where this happens, the transfer is protected by one of the safeguards permitted under Chapter V GDPR, typically:

• the EU–U.S. Data Privacy Framework, where the recipient is certified under that scheme; or
• the European Commission's Standard Contractual Clauses (SCCs), supplemented by additional technical and organisational measures where required.

You can request a copy of the safeguards we rely on by emailing info@flarent.hr.

Our website uses cookies and similar technologies. Strictly necessary cookies (which keep the site working, remember your language, and store your cookie-consent choice) are set without consent because the website would not function without them.

Analytics cookies (Google Analytics 4), advertising and remarketing cookies (Google Ads, Meta/Facebook Pixel), and any other non-essential cookies are only set after you give consent through our cookie banner. You can withdraw or change your consent at any time by clicking the "Cookie settings" link in the website footer.

For a full list of the cookies we set, their purpose, provider, and lifetime, please read our separate Cookie Policy.

We keep personal data only for as long as is necessary for the purpose for which it was collected, plus any period required by law.

After the retention period ends, we securely delete or irreversibly anonymise the data.

We apply technical and organisational measures appropriate to the risk, including:

• HTTPS/TLS encryption for all data sent between your browser and our website;
• access controls so that only authorised Flarent staff can view personal data, and only the data they need for their job;
• secure password policies and (where available) two-factor authentication on staff accounts;
• regular software updates and security patches on our hosting infrastructure;
• backups stored in EU-based data centres;
• written confidentiality undertakings from staff and contractors;
• a procedure to detect, investigate, and where required notify personal data breaches within 72 hours, in line with Art. 33 GDPR.

No method of transmission over the internet is 100% secure, so while we do our best, we cannot guarantee absolute security. If you suspect a problem, please contact us immediately at info@flarent.hr.

As a data subject, you have the following rights in respect of your personal data:

• Right of access (Art. 15) — to ask us whether we hold personal data about you and to receive a copy of it.
• Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected.
• Right to erasure / "right to be forgotten" (Art. 17) — to have your data deleted, in the circumstances set out in the GDPR.
• Right to restriction of processing (Art. 18) — to ask us to limit how we use your data while we look into a request you have made.
• Right to data portability (Art. 20) — to receive the data you provided to us in a structured, commonly used, machine-readable format, or to have it sent directly to another controller, where technically feasible.
• Right to object (Art. 21) — to object to processing based on legitimate interests, including any profiling, and to object to direct marketing at any time.
• Right to withdraw consent (Art. 7(3)) — where we rely on your consent (e.g., for analytics, advertising cookies, or marketing emails), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right not to be subject to a solely automated decision (Art. 22) — we do not currently make decisions about you based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, email info@flarent.hr with enough information for us to identify you and understand your request. We will reply within one month, in line with Art. 12(3) GDPR. We may extend this period by up to two further months for complex requests and will let you know if we do.

We may need to verify your identity before acting on a request, to make sure we do not disclose data to the wrong person.

Right to lodge a complaint

If you believe that our processing of your personal data does not comply with the GDPR, you have the right to lodge a complaint with a supervisory authority. In Croatia, this is:

Agencija za zaštitu osobnih podataka (AZOP) Selska cesta 136, 10000 Zagreb, Croatia Phone: +385 1 4609 000 Email: azop@azop.hr Website: https://azop.hr

You may also complain to the supervisory authority in your country of residence within the EEA.

This website and our services are not directed at children under 16. We do not knowingly collect personal data from a child under 16 without the consent of the holder of parental responsibility. Where a child is travelling as part of a booking made by a parent or guardian, the parent or guardian is responsible for providing any data we need (such as the child's name and date of birth).

If you believe a child has given us personal data without proper consent, please contact us at info@flarent.hr and we will delete the data.

We may update this Privacy Policy from time to time — for example, when we change our services, add a new processor, or to reflect changes in the law. The "Last updated" date at the top of this page always shows the date of the most recent version. For material changes, we will make a clear notice on the website and, where appropriate, contact you directly.