+382 67 479 026 WhatsApp
Book a tour
Legal document

Privacy Policy

Posljednje ažuriranje: 20.05.2026

Greben Boat Tours (hereinafter "we" or "us") values your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Personal Data Protection Law of Montenegro.

1. Who we are

Greben Boat Tours — a family business with 35+ years of experience in boat tours from Budva. Contact:

  • Email: info@grebenboattours.com
  • Phone: +382 67 479 026
  • Headquarters: Budva, Montenegro

2. Data we collect

  • Identification — first name, last name, date of birth (only for bookings with children)
  • Contact — email address, phone number
  • Booking data — selected tour, date, number of passengers, dietary needs (optional), passport number (optional, only if tour requires)
  • Payment data — payment method; we do NOT store card details (handled by payment provider)
  • Technical data — IP address, browser, language, cookies (see Cookie Policy)
  • Communication — content of messages via contact form and email

3. Legal basis for processing (GDPR Art. 6)

  • Contract performance — booking processing and tour delivery
  • Legal obligations — accounting, fiscal rules, passenger records
  • Consent — analytics (Google Analytics) and marketing communication (opt-in only)
  • Legitimate interest — site security, abuse prevention (rate limiting, security logs)

4. Purposes of processing

  • Booking processing and confirmation
  • Communication via email, phone, or contact form
  • Service improvement and anonymous site analytics
  • Compliance with legal obligations (accounting, fiscal)
  • Fraud prevention and security (security logging)

5. Third parties we share data with

  • Email provider — sending booking confirmations and contact messages
  • Payment provider — processing online payments (when active)
  • hCaptcha — bot verification (form submitter)
  • Google Maps — embedded map with departure location
  • Google Analytics — anonymous analytics (only with your consent via cookie banner)

All third parties have data processing agreements compliant with GDPR Art. 28.

6. Data retention period

  • Bookings — 5 years after tour completion (legal/fiscal requirement)
  • Contact messages — 12 months or until request resolved
  • Newsletter — until consent withdrawal (unsubscribe link in every email)
  • Security logs — 90 days (auto-rotated)
  • Analytics — 14 months (Google Analytics default)

7. Your rights (GDPR Art. 15-22)

  • Access — copy of all personal data we hold about you
  • Rectification — correction of inaccurate data
  • Erasure — "right to be forgotten" if no legal retention obligation
  • Restriction — temporary halt of data processing
  • Portability — structured export of your data (JSON/CSV)
  • Objection — against processing based on legitimate interest
  • Withdrawal of consent — at any time, without justification

For any request, contact us at info@grebenboattours.com. We respond within 30 days.

8. Data security

  • HTTPS encryption for all traffic (TLS 1.2+)
  • Hashed passwords (bcrypt)
  • Security headers (HSTS, CSP, X-Frame-Options)
  • Rate limiting and CSRF protection
  • Regular security updates of server and software
  • Access to personal data limited to authorized employees

9. Right to lodge a complaint

You have the right to lodge a complaint with the Montenegrin Personal Data Protection Agency:

Agencija za zaštitu ličnih podataka
Bul. Sv. Petra Cetinjskog 147, Podgorica
Phone: +382 20 234 095
Email: azlp@azlp.me
Web: www.azlp.me

10. Changes to this Policy

We may update this Privacy Policy periodically. Material changes will be posted on this page with a new effective date.

Effective date: May 17, 2026.