Privacy policy
Last updated: February 12, 2026
WebDesignbyTomi ("we", "us" or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, process and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and the Croatian Act on the Implementation of the General Data Protection Regulation.
1. Data controller
2. What data we collect
2.1 Data you provide directly
- Contact details: name, email address, phone number (when you contact us via our form or chat)
- Project data: information you provide about your website requirements
- Communications: content of messages you send us
2.2 Order and billing data
When you place an order for our services through our online ordering system, we collect the following data:
- Full name: for identification and invoicing
- Company name: (optional) if you are ordering as a legal entity
- Address: for billing and document delivery purposes
- Tax ID (OIB): (optional) for issuing business invoices to legal entities
- Email address: for sending order confirmation, invoices and access credentials for order status tracking
This data is processed on the basis of contractual obligation (order fulfillment) and legal obligation (maintaining business records and issuing invoices).
2.3 Automatically collected data
We do not use analytics tools and do not actively collect technical data about visitors. The only data we store:
- Cookies: exclusively technically necessary cookies for basic website functionality (e.g., language preference). We do not use tracking or advertising cookies.
- Server logs: our hosting provider may record standard server logs for security purposes, but we do not have access to this data and do not use it.
3. Legal basis and purpose of processing
We process your data on the following legal bases:
Performance of a contract (Art. 6(1)(b) GDPR)
Processing of data necessary for providing our services, communicating about the project and fulfilling contractual obligations.
Legitimate interest (Art. 6(1)(f) GDPR)
Improving our services, website security and preventing misuse.
Consent (Art. 6(1)(a) GDPR)
When you give us explicit consent, e.g., for receiving promotional materials.
4. How long we retain data
- Order and invoice data: 11 years (legal obligation to retain accounting records under the Croatian Accounting Act)
- Client data: 5 years after the end of the business relationship
- Order tracking portal: 14 months from order creation, with possible extension depending on continued use of our services
- Contact form inquiries: 1 year from the last communication
- Chat messages: 6 months
- Technical logs: 30 days
5. Sharing data with third parties
We do not sell, rent or share your data with third parties for marketing purposes. We may share data only with:
- Hosting service providers: who process data exclusively according to our instructions and with appropriate safeguards
- Accounting services: for billing purposes (only data required for invoices)
- Government authorities: only when required by law
6. Data transfers outside the EU/EEA
As a general rule, we do not transfer your data outside the European Economic Area. If this were necessary, we would ensure appropriate safeguards in accordance with the GDPR (standard contractual clauses, adequacy decisions).
7. Your rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): request information about your data that we process
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your data ("right to be forgotten")
- Right to restriction of processing (Art. 18): restrict the processing of your data
- Right to data portability (Art. 20): receive your data in a structured format
- Right to object (Art. 21): object to data processing based on legitimate interest
- Right to withdraw consent: if processing is based on consent, you may withdraw it at any time
To exercise any of the above rights, contact us at info@webdesignbytomi.com. We will respond within 30 days.
8. Right to lodge a complaint
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority:
Croatian Personal Data Protection Agency (AZOP)
Selska cesta 136, 10000 Zagreb
Tel: +385 1 4609 000
Web: azop.hr
9. Data security
We implement appropriate technical and organizational measures to protect your data:
- SSL/TLS encryption for all data transfers
- Secure servers with regular security updates
- Restricted access to data, limited to authorized personnel only
- Regular backups
- Two-factor authentication (2FA) for administrative access
10. Personal data breach notification
In the event of a personal data breach that may pose a risk to your rights and freedoms, we will take the following steps in accordance with Arts. 33 and 34 of the General Data Protection Regulation (GDPR):
- We will notify the competent supervisory authority (Croatian Personal Data Protection Agency - AZOP) without undue delay and no later than 72 hours after becoming aware of the breach
- If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay
- The notification will include a description of the breach, possible consequences, measures taken and contact details for further information
11. Cookies
Our website uses exclusively technically necessary cookies required for the basic functionality of the site. We do not use:
- Tracking cookies
- Third-party analytics cookies
- Marketing or advertising cookies
Technically necessary cookies do not require your consent under Art. 5(3) of the ePrivacy Directive.
12. Changes to the privacy policy
We may update this Privacy Policy from time to time. All changes will be published on this page with the date of the last update. For significant changes that affect your rights, we will notify you by email (if we have your address) or by a prominent notice on the website.
13. Contact
For all questions related to this Privacy Policy or the processing of your personal data:
Email: info@webdesignbytomi.com
Subject: Personal data protection request