Upad d.o.o.

Personal Data Protection and Privacy Policy

In the course of our business operations, we devote significant attention to the processing of personal data. We thank you for your trust, and in the event that you provide us with your personal data, we are fully aware of the responsibilities arising therefrom. For the purpose of defining the manner of personal data processing and ensuring the protection thereof, we have adopted this Privacy Policy of the Company, in which you may find detailed information regarding the processing of personal data, the methods of its protection, as well as all other relevant information.

We will be pleased to respond to any questions you may have regarding the protection and processing of your personal data.

The owner of the website www.upad.hr that you have visited is UPAD d.o.o.



Definitions

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”), personal data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.



Information to the Data Subject

Pursuant to Article 13 of the General Data Protection Regulation (GDPR), the following information is provided to you as the Data Subject:

  • Identity and contact details of the Data Controller: UPAD d.o.o., Petrinjska ulica 87, 10000 Zagreb, Croatia, [email protected], Tel: +385 97 6729 882
  • Contact details of the Data Protection Officer: [email protected]
  • Purposes of processing and legal basis for processing personal data: performance of a contract, delivery of purchased products and fulfillment of contractual obligations, protection of the vital interests of the Data Subject, delivery of newsletters, provision of customer support, and marketing purposes.
  • Recipients or categories of recipients of personal data: intermediaries and/or partners contractually engaged with UPAD d.o.o.
  • Transfers to third countries or international organizations: UPAD d.o.o. will not transfer personal data to third countries or international organizations without your explicit consent.
  • Data retention period or criteria used to determine such period: personal data shall be retained for a period of five (5) years.
  • Rights of the Data Subject: the Data Subject has the right to request access to and rectification or erasure of personal data, restriction of processing concerning the Data Subject, the right to object to processing, and the right to data portability.
  • Right to withdraw consent and lodge a complaint: where processing is based on the Data Subject’s consent, the Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. The Data Subject also has the right to lodge a complaint with the competent supervisory authority.
  • Provision of personal data: the provision of personal data is not a statutory or contractual requirement, and the Data Subject is not obliged to provide personal data. However, failure to provide certain personal data may affect the ability to perform the contract and/or the quality of its performance.
  • Automated decision-making: no automated decision-making, including profiling, is carried out.


Data Relating to Children

In accordance with the General Data Protection Regulation (GDPR), children deserve special protection in all respects, including the protection of their personal data. Pursuant to Article 19, paragraph 1 of the Act on the Implementation of the General Data Protection Regulation, children are defined as all persons under the age of 16. UPAD d.o.o. does not request or collect personal data from or about children without the consent of the holder of parental responsibility.

Accordingly, UPAD d.o.o. shall make all reasonable efforts to ensure that personal data obtained from children is processed only with the consent of the holder of parental responsibility.

If UPAD d.o.o. becomes aware that personal data relating to children has been submitted without valid consent from the holder of parental responsibility, UPAD d.o.o. shall take reasonable steps to:

  • delete such personal data from its records as soon as possible; and
  • ensure that, if deletion is not possible, such personal data is not further processed for any purpose;
  • and, in any event, such personal data shall not be disclosed to any third party.


Methods of Data Collection

Personal data is collected directly from the individual, including data provided for the purpose of concluding or performing a contract, by creating a user account on the Website, or through direct communication such as telephone conversations with the individual. UPAD d.o.o. collects Customers’ personal data only to the extent necessary to fulfill its obligations in accordance with the Customer’s request, where a legitimate interest exists, or where the Customer has provided consent for purposes such as information delivery, customer support, and marketing, to the extent necessary for the business operations of UPAD d.o.o.

UPAD d.o.o. undertakes to protect Customers’ personal data in accordance with the General Data Protection Regulation (GDPR) and undertakes not to disclose personal data to third parties without the Customer’s consent (except where disclosure of necessary data is required based on legitimate interest for the purpose of delivering purchased products), nor to use such data for unspecified purposes. Processing of personal data based on legitimate interest or contractual necessity is carried out in accordance with the highest standards of security and business practice. The Customer has the right, at any time, to object to the processing of their personal data based on their specific situation. The Customer also has the right to request the completion, rectification, or correction of inaccurate personal data.

This does not apply in cases where UPAD d.o.o. is required, pursuant to a valid order of competent public authorities and in accordance with applicable law, to provide or allow access to Customers’ personal data.



Categories of Personal Data Collected

The personal data collected by UPAD d.o.o. includes first name, last name, delivery address, telephone number, and email address.


  • We collect personal data during purchases made through the online store for the following purposes:
    • creating and maintaining your profile in our user account database;
    • contacting and identifying you for the purpose of purchasing tickets and delivering them to the specified address;
    • recording purchase information, including invoice amount and payment method;
    • providing support in relation to your inquiries, comments, and suggestions;
    • providing support in the complaint handling process and withdrawal from purchase, where applicable.

    During purchases made through the online store, we request certain personal data necessary for the provision of services and completion of the purchase. The provision of personal data for the purpose of sale is necessary for the performance of the contract, and failure to provide such data may affect the proper performance of the contract or render it impossible.

    • For the purpose of delivering products ordered through the online store, you are required to provide certain personal data (first name, last name, delivery address, telephone number, and email address). For the purchase of tickets for sporting events (such as football, basketball, tennis, skiing, and others), pursuant to the Act on the Prevention of Disorder at Sports Competitions, we are required to collect your identification data and share such data with the event Organizer. For sporting events governed by the aforementioned law, your consent for the processing of personal data will not be requested, as such processing is based on a legal obligation.

  • UPAD d.o.o. does not record your credit card number nor store transaction data.

    UPAD d.o.o. uses the services of a third party, an authorized banking institution, namely Stripe, Inc., for credit card processing. Stripe, Inc. protects your data through encryption and in accordance with applicable security standards.

  • Data Collected and Processed When You Contact Us Directly

    We collect and process personal data when you contact us directly:


    • via forms available on the Website;
    • by email; or
    • by telephone.

    Personal data collected in this manner is used solely for the purpose of responding to your inquiries and requests and ensuring a high-quality user experience. Such data is accessible only to employees who require it for the performance of contractual obligations. Customers and Website users may be asked to provide their consent to the processing of personal data in accordance with the General Data Protection Regulation (GDPR), where such processing is based on consent and necessary to respond to their inquiry.

  • Newsletters
    UPAD d.o.o. collects users’ email addresses for the purpose of sending newsletters, including electronic communications containing promotional messages, offers, and news related to our services and business activities.

  • Processing for Customer Support and Marketing Purposes
    With the Customer’s consent, UPAD d.o.o. may use personal data to provide information about new products, special offers, promotional materials, newsletters, and to improve customer relations.

  • Data Controller:
    UPAD d.o.o. is the Data Controller of personal data in accordance with applicable data protection laws and regulations. As the Data Controller, UPAD d.o.o. determines the purposes and means of processing personal data and is responsible for the storage and use of personal data in both paper and/or electronic form.

  • Data Protection Officer:
    Pursuant to Article 37 of the General Data Protection Regulation (GDPR), UPAD d.o.o., as the Data Controller, has appointed a Data Protection Officer, who may be contacted at: [email protected].

  • Personal Data Breach:
    In the event of a personal data breach, UPAD d.o.o. shall, without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, notify the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Where notification is not made within 72 hours, it shall be accompanied by reasons for the delay.


Recipients of Personal Data and Third Parties with Whom UPAD d.o.o. May Share Personal Data

  • Social Media Service Providers
    When creating an account on the online store, you are required to provide certain personal data (such as email address, first name, and last name). Such data may be processed in connection with services provided by social media platforms where applicable.

  • Email Communication and Marketing Service Providers
    UPAD d.o.o. cooperates with third-party service providers in order to carry out email communications, advertising activities, analysis of the use of our Website and applications, and monitoring the effectiveness of marketing campaigns.

    Personal data is shared only to the extent necessary for the provision of services on our behalf and in accordance with applicable data protection laws.

    Our third-party service providers include:

    • Google – Google Analytics

      We use Google Analytics, a web analytics service provided by Google Ireland Ltd., to collect information about Website usage, including statistical and demographic data, and user behavior. This information is used to monitor and improve the effectiveness of our marketing campaigns and Website performance.

      Service provider details:
      Google Ireland Ltd.
      Gordon House, Barrow Street
      Dublin 4, Ireland
      Fax: +353 (1) 436 1001

      You may review the applicable terms and policies at the following links:



      These websites use Google Analytics to analyze visitor traffic across devices, based on a unique user identification number (User ID). You may disable cross-device tracking in your Google account settings under “My Information” and “Personal Information.”

  • Service Providers Necessary for the Conclusion or Performance of a Contract
    In addition to UPAD d.o.o., access to the Customer database containing Customers’ personal data may be granted to third parties where necessary for the conclusion or performance of a contract, including purchases made through the online store and delivery of products. Such third parties include:
    • Event Organizers and access control service providers:

      Basic identification data required to ensure entry to a specific event will be shared with the event Organizer and the provider of entry control services.
    • Payment service providers:

      When making payment for purchased tickets, your personal data will be transmitted to our authorized payment partners to enable the successful processing of your payment.
    • Event Organizers:

      When you purchase a ticket for a specific event, your personal data will be shared with the event Organizer to ensure your authorized access to the event.
    • Delivery service providers:

      Where ticket delivery is requested, your personal data will be shared with delivery service providers for the purpose of delivering the purchased ticket.


Cookie Policy

„A “cookie” is a small piece of information stored on a user’s computer, mobile phone, or tablet (hereinafter referred to as the “Device”), which may be placed directly by the website you visit (first-party cookies) or by third parties in cooperation with and for the purposes of the website (third-party cookies). Cookies generally store user preferences, website settings, and similar information. When the user revisits the website, the user’s web browser sends back the cookies that belong to that website.

This enables the website to display information tailored to the user’s needs. Cookies may store a wide range of information, including certain personal data. Such data may be stored only if the user has given their consent. The website itself cannot access information that the user has not authorized, nor can it access any other files stored on the user’s Device.

In order for websites to function properly, they must store a small amount of cookies on the user’s Device. In accordance with the General Data Protection Regulation (GDPR), the Act on the Implementation of the General Data Protection Regulation, and the Electronic Communications Act, UPAD d.o.o. is required to obtain the user’s consent prior to storing cookies on the user’s Device, except for strictly necessary cookies.

Strictly necessary cookies are essential for the proper functioning of the Website and enable core functionalities, such as maintaining your shopping cart during the online purchase process. This type of cookie cannot be disabled by the user through the Website.

If the user does not consent to the use of cookies, other than strictly necessary cookies, certain functionalities of the online store may be limited or unavailable.

  • Purpose of Cookies

    The purpose of cookies stored on your Device, subject to your consent, is to save your preferences, website settings, preferred language, and other relevant configuration data. When you revisit the same website at a later time, your web browser sends information stored in cookies, enabling the website to provide content tailored to your preferences.

    Depending on their purpose, cookies may store a wide range of information, including certain personal data. However, you retain full control over which information cookies may store, as this is determined by your consent and browser settings.

    You may configure your web browser settings to accept or reject cookie requests, as well as to delete stored cookies at any time.

  • Types of Cookies

    Persistent cookies remain stored on your Device after you close your web browser. These cookies may remain on your computer or mobile device for days, months, or even years. Their purpose is to store persistent information, such as your username and password, so that you do not need to log in again each time you visit the Website.

    Session cookies are temporary cookies that are deleted from your Device when you close your web browser. They are used to store temporary information, such as data provided during the online purchase process.

    First-party cookies may be either persistent or session cookies and are set directly by the Website you are visiting. These cookies store information that will be used when you revisit the Website.

    Third-party cookies, also known as advertising cookies, are stored on your Device when you interact with advertisements or promotional content on the Website that redirects you to third-party websites. These cookies are used to monitor internet usage for marketing and advertising purposes.

    UPAD d.o.o. uses cookies to improve the user experience, ensure the proper functioning and security of the Website, and enable functionalities expressly requested by the user (such as submitting web forms or requesting services). Session cookies are deleted when you close your web browser. Their sole purpose is to enhance the user experience during your visit to the Website. Persistent cookies remain stored in your browser until they are manually deleted. Data collected through cookies is used exclusively for statistical purposes.

    Examples of third-party service providers that perform analytics and marketing data processing include:

    • Google Analytics is used to collect website statistics, demographic data, and information about user behavior. This information helps us monitor and improve the effectiveness of our marketing campaigns. If you wish to prevent Google Analytics from storing cookies on your Device, you may do so by installing the opt-out browser add-on available at:
      tools.google.com/dlpage/gaoptout

    • The Facebook social media platform collects data for the purpose of tracking and measuring the effectiveness of marketing campaigns, analyzing user behavior, and delivering personalized advertising.


    For more information regarding the purpose and scope of data collection and the processing of such data by third-party providers, please refer to the respective privacy policies of the following providers:

Rights of the Data Subject

UPAD d.o.o. – online store collects and processes personal data in accordance with the General Data Protection Regulation (GDPR) and the Act on the Implementation of the General Data Protection Regulation.
Each user, as a Data Subject, has the right, at any time, to:

  • request access to their personal data and request the update or correction of inaccurate or incomplete personal data;
  • request additional information regarding the manner in which their personal data is processed;
  • receive the personal data concerning them, which they have provided to us, in a structured, commonly used, and machine-readable format, and, where technically feasible, request the transfer of such data to another Data Controller without hindrance, where processing is based on consent and carried out by automated means (right to data portability);
  • request the erasure of personal data where there is no longer a legal basis for processing such data. For the protection of users, we may request verification of identity prior to fulfilling such requests;
  • withdraw their consent at any time, where processing is based on consent, including for direct marketing purposes, with effect for future processing;
  • object to any processing of personal data (including profiling) based on legitimate interest, on grounds relating to their particular situation, unless compelling legitimate grounds for processing override the interests, rights, and freedoms of the Data Subject;
  • request the restriction of processing of personal data, for example, while an objection or request is being reviewed.


UPAD d.o.o. reserves the right to refuse to act upon a request where doing so would adversely affect the privacy of the Data Subject or other individuals, where compliance with the request would be contrary to applicable law, or where such refusal is necessary for reasons of public interest (such as the prevention or detection of criminal offenses), legal obligations, or the protection of the rights and freedoms of others.

Requests for access, rectification, erasure, restriction, objection, or data portability may be submitted to:
Email: [email protected]
Address: UPAD d.o.o., Petrinjska ulica 87, 10000 Zagreb, Croatia

The processing of such requests may require a technically and administratively complex procedure. In complex cases or where multiple requests are submitted, additional time may be required to process the request, and you will be notified accordingly in a lawful and secure manner.



How We Protect the Security of Your Personal Data?

In order to ensure the security, integrity, and availability of Customers’ personal data, we implement a range of technical and organizational security measures, including encryption, authentication, and strictly controlled access to personal data. The security measures we apply include, but are not limited to, the following:


  • data minimization and limiting the processing of personal data to what is necessary for the intended purpose;
  • strictly restricted access to personal data based on the “need-to-know” principle;
  • processing personal data exclusively in accordance with a legitimate interest, contractual obligation, or the Customer’s consent;
  • secure data transmission using appropriate technical safeguards;
  • implementation of antivirus software and firewalls within IT systems to detect, prevent, and mitigate unauthorized access and misuse of personal data;
  • continuous improvement of information security systems and practices;
  • physical security measures to protect facilities and systems where personal data is stored;
  • employee training and awareness programs regarding data protection and information security;
  • organizational and personnel security measures designed to prevent unauthorized access, disclosure, or misuse of personal data.

Objectives of Security Measures


The security measures implemented by UPAD d.o.o. are designed to:

  • prevent unauthorized persons from gaining access to data processing systems in which personal data is processed;
  • prevent authorized users of data processing systems from accessing personal data beyond the scope of their authorization and operational requirements;
  • ensure that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or transfer;
  • ensure the availability of system logs to enable verification of when, by whom, and which personal data has been entered, modified, or deleted within data processing systems;
  • ensure that, where processing is carried out by a Data Processor, personal data is processed strictly in accordance with the instructions of UPAD d.o.o.;
  • protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access;
  • ensure that personal data collected for different purposes is processed separately in accordance with applicable legal requirements;
  • ensure that personal data is retained only for as long as necessary for the purposes for which it was collected and processed.


Data Retention Period

We store and retain personal data for a period of five (5) years from the date of the event for which the ticket was purchased, unless a longer retention period is required or permitted by applicable law for a specific purpose.

Where personal data is processed based on consent for marketing purposes, such data shall be retained for a period of five (5) years from the date the personal data was provided to UPAD d.o.o. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. Withdrawal of consent must be submitted in writing.

Personal data that is no longer required for the purposes for which it was collected shall be either irreversibly anonymized or securely destroyed.



Contact Information

For all information requests, feedback, complaints, claims, or other communications, Customers may contact UPAD d.o.o. at the following address: :
UPAD d.o.o.
Petrinjska ulica 87
10000 Zagreb, Croatia.

Telephone: +385 97 6729 882
Email: [email protected]