Privacy & data
Privacy and cookie notice
Last updated: May 2026. This notice is a practical summary for visitors. It follows common EU / GDPR transparency practice (see guidance from supervisory authorities such as Croatia’s AZOP at azop.hr). It is not legal advice—have it reviewed for your situation.
Who is responsible (controller)
Tiny Guests Places operates this website and, together with any entity legally responsible for it (“we”, “us”), decides how your personal data is used for the services described here. Contact us at tinyguestshospitality@gmail.com or via the contact form.
What data we process
Contact form: email address and message content.
Account (if you sign up): data handled by our authentication provider (e.g. email, identifiers) for login and account security.
Listings, reviews, and photos you submit: content you choose to send, including any personal details included in text.
Technical data: standard server and security logs from our hosting provider; language preference stored in your browser (tgp-locale).
Moderation: separate technical access for staff (admin session cookie on /admin only).
Purposes and legal bases (GDPR)
We process data to respond to messages, run the website, authenticate users, publish submissions you approve for listing, moderate content, and secure the service. Legal bases may include: performance of a contract or steps prior to it (e.g. handling your listing or account request); legitimate interests (operating and improving the platform, security, fraud prevention), balanced against your rights; consent where we ask it (e.g. optional analytics in the cookie banner).
Recipients and processors
Depending on configuration, data may be processed by: Supabase (authentication and database), Vercel (hosting and, if you consent, analytics / speed metrics), email delivery providers (e.g. Resend and/or Web3Forms), and other subprocessors they use under contract. We do not sell your personal data.
Cookies and similar storage
Essential: language preference (tgp-locale); session cookies if you log in; your cookie choice stored locally; admin session cookie for moderation staff.
Optional analytics (Vercel Analytics, Speed Insights, and Plausible if configured) load only after you choose “Allow analytics too”.
We do not use advertising or social media pixels on this site for tracking.
Transfers outside the EEA
Some providers may process data in the United States or other countries. Where required, we rely on appropriate safeguards (e.g. standard contractual clauses) through our agreements with vendors. You may request more detail about safeguards via the contact details above.
Retention
We keep information only as long as needed for the purposes described (e.g. account lifetime, resolving contacts, legal obligations). When no longer needed, we delete or anonymise data where reasonable.
Your rights
Subject to applicable law, you may have the right to access, rectify, or erase your data, restrict or object to certain processing, data portability where processing is based on contract or consent and automated means, and to withdraw consent where processing is based on consent. To exercise these rights, contact us. You may also lodge a complaint with a supervisory authority.
Supervisory authority
If you are in Croatia, the supervisory authority is the Croatian Personal Data Protection Agency (AZOP). Other EU/EEA residents may contact their local authority. Links and official materials: https://www.azop.hr/
Automated decisions and profiling
We do not use automated decision-making or profiling that produces legal or similarly significant effects concerning you.
Children’s data
The site is aimed at parents and adults. If you believe we have processed a child’s personal data inappropriately, please contact us so we can address it.
Templates and official guidance in Croatian are available from the Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka, AZOP) at azop.hr, including resources on privacy policies and GDPR steps.