Legal
Privacy policy & cookies
This policy describes how your personal data and similar technologies are used when you visit this website presenting Caffe bar Paris and Apartments Paris. The legally responsible controller operating this online presence is Finida-bar (details below). Regulation (EU) 2016/679 (GDPR) and Croatian data protection rules apply.
Trade names shown on the pages (e.g. “Caffe bar Paris”, “Apartments Paris”) refer to your offers; data protection rights and requests are handled by Finida-bar as stated in section 1. You may still have your adviser confirm wording (legal form, subcontracting) where needed.
1. Who is responsible (controller)?
The controller responsible for processing personal data relating to this website is:
Finida-bar
OIB (identification number): 87494002866
Address: Trg Slobode 5, 52470 Umag, Croatia
Privacy & contact (incl. GDPR): apartments@apartment-lovelyparis.com
2. Scope
This policy applies solely to processing carried out via this informational website — not necessarily to contractual relations for accommodation or gastronomy concluded offline or via third-party platforms, unless those processes are expressly linked.
3. Which data categories do we process?
- Server / connection data: e.g. IP address, approximate location, timestamps, referrer, browser type — typically via hosting infrastructure logs.
- Consent records: your choices concerning cookies and preferences (stored in localStorage on your device, not on our cookies by default).
- Form data: if you use the contact form, the fields you enter (name, email, message) are built into a mailto link so your own email client can send the message; this site does not store that content on our servers.
- Communications data: content of enquiries if you email us separately.
We avoid collecting special categories of data (Art. 9 GDPR) via this site. Please do not send health information or other sensitive data through the contact form unless you have a clear legal justification.
4. Purposes and legal bases (Art. 6 GDPR)
- Website provision & security — legitimate interests (Art. 6(1)(f)) in operating a stable, secure HTTPS site.
- Mandatory consent storage — remembers your granular choices; legal basis consent for non-essential processing you activate (Art. 6(1)(a)); necessary storage for preference UI may constitute legitimate interest or contractual necessity depending on setup.
- Fonts from Google Fonts (optional) — only loaded after explicit opt-in under “Preferences”; legal basis consent (Art. 6(1)(a)); Google operates as processor / independent controller for its own logs per their disclosures.
- Analytics (optional, not wired by default) — solely if integrated later upon your explicit opt-in; typically Art. 6(1)(a) consent.
- Marketing / remarketing (optional, not wired by default) — solely if integrated later upon explicit consent (Art. 6(1)(a)).
- Handling contact enquiries — pre-contractual / contractual steps at your request (Art. 6(1)(b)) or legitimate interest in answering business requests (Art. 6(1)(f)); align with whichever applies when you attach a functioning mailbox.
5. Recipients and processors
Depending on your consent and integrations, recipients may include:
- Hosting provider: where the site files and logs reside (typically EU/EEA or adequacy/third-country safeguards).
- Google Ireland Limited / Alphabet group when you approve “Preferences”: Google Fonts may receive your IP address and technical metadata when retrieving font files.
- Future analytics or marketing vendors listed in an updated Annex before activation.
6. Third-country transfers
Transfers outside the EU/EEA (e.g., US-based providers) require an adequacy decision, appropriate safeguards (Standard Contractual Clauses — SCCs — or the EU-U.S. Data Privacy Framework where applicable), and — where mandated — supplementary measures plus a Transfer Impact Assessment. You should document the exact mechanism chosen with your processors.
7. Storage duration
- Consent record — configurable; default implementation stores your last selection with revision tag cafeparisConsent · CONSENT_VERSION 3 until overwritten or erased by you clearing site data.
- Server logs — follow your hosting provider’s rotation policy (typically days to weeks unless security incident).
- Contact messages — only as long as needed to fulfil the request and statutory retention obligations (invoices etc. not covered here).
8. Your rights
You may invoke the following GDPR rights toward the controller, subject to conditions:
- Access (Art. 15), rectification (Art. 16), erasure (“right to be forgotten”, Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21).
- Withdraw consent at any time for processing based on consent, without affecting lawfulness prior to withdrawal.
- Lodge a complaint with a supervisory authority — in Croatia: AZOP — Croatian Personal Data Protection Agency (azop.hr).
10. Automated decision-making
This website performs no profiling or solely automated decisions with legal consequences under Art. 22 GDPR.
11. Children
This content is oriented towards adult guests planning visits. We do not knowingly collect children's data for marketing purposes; guardians should supervise minors’ online disclosures.
12. Changes
We may revise this policy when offerings, technology stack, or supervisory practice evolve. Material changes merit increasing the consent script version (CONSENT_VERSION) to prompt reconsideration.