Skip to main content

Croatia by descent

Last updated: April 30,2026

1. INTRODUCTION……………………………………………………… 1

2. OUR CONTACT DETAILS………………………………………………. 2

3. DEFINITIONS………………………………………………………… 2

4. SOURCES AND METHODS OF DATA COLLECTION………………………… 2

5. OBLIGATION TO PROVIDE DATA……………………………………….. 3

6. WHAT PERSONAL DATA WE PROCESS, WHY AND ON WHAT LEGAL BASIS…… 3

6.1. Website Visitors…………………………………………………… 3

6.2. Customers……………………………………………………….. 3

6.3. Contract Performance……………………………………………… 4

6.4.  Other Communication……………………………………………… 5

6.5. Visitors to Our Social Media Profiles………………………………….. 5

6.6. Marketing and Advertising………………………………………….. 6

6.7. Reviews…………………………………………………………. 6

6.8. Statistics and Aggregated Data………………………………………. 6

7. MINORS AND CHILDREN………………………………………………. 7

8. SHARING OF PERSONAL DATA………………………………………… 7

9. DATA STORAGE AND SECURITY MEASURES…………………………….. 7

10. INTERNATIONAL DATA TRANSFERS…………………………………… 7

11. YOUR RIGHTS………………………………………………………. 8

1. INTRODUCTION

This Privacy Notice (hereinafter: Notice) explains how we process your personal data when you:

  • visit our website croatiabydescent.com (hereinafter: Website) — (see 6.1. Website Visitors);
  • engage our services — (see 6.2. Customers);
  • we perform services for our clients — (see 6.3. Contract Performance);
  • you contact us in matters unrelated to contract performance — (see 6.4. Other Communication)
  • you visit our social media profiles — (see 6.5. Social Media Profile Visitors);
  • we carry out marketing and advertising activities, you leave us reviews, or we conduct analyses to improve our business (see 6.6.–6.8.)

We note that, depending on the circumstances, you may hold multiple roles simultaneously — for example, being both a Customer and a Website Visitor.

This Notice is compliant with Regulation (EU) 2016/679 (GDPR) and applicable Croatian legislation. We will update it periodically to reflect changes in our practices or legal obligations. The current version is always available on our Website or through our usual communication channels.

In relation to the processing described in this Notice, our company acts as the controller, unless expressly stated otherwise for a specific type of processing.

2. OUR CONTACT DETAILS

Data Controller:

Company name: LDV Consulting d.o.o.

Address: Kosi 75/14, 51216, Viškovo, Croatia

E-mail: ask@croatiabydescent.com

For all questions related to data protection and the exercise of your rights, please contact us using the details above.

3. DEFINITIONS

In this Notice, we use the following terms:

  • “Additional Applicants” means living natural persons on whose behalf the Customer also requests our services, acting as their authorised representative or legal guardian, all as defined in our General Terms and Conditions
  • “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679).
  • “Data Subject” means any living natural person whose data we process.
  • “Processor” means a natural or legal person that processes personal data on behalf of the controller.
  • “Processing” means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, storage, access, use, disclosure, erasure, etc.
  • “Personal data” means any information by which you can be directly or indirectly identified (name, email address, postal address, etc.).
  • “Special category data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation.
  • “Questionnaire” means a list of questions with fields and entry instructions, provided to the Customer when engaging the Research or Minimum Assistance service, depending on which service is requested first (for more on the service ordering process, see our General Terms and Conditions).
  • “Controller” means a natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.
  • “Joint controllers” means two or more controllers who jointly determine the purposes and means of processing.

4. SOURCES AND METHODS OF DATA COLLECTION

We generally collect your personal data directly from you, specifically when you:

  • send us e-mails, completed questionnaires, and other documents;
  • communicate with us via video call or telephone;
  • visit our profiles or interact with our posts on social media;
  • enter into a contract with us for the provision of our services;
  • provide us with data and documents in the course of contract performance;
  • make payments for our services;
  • submit complaints, requests, or terminate your contractual relationship with us;
  • leave us reviews.

In certain cases, we will also collect your data from third parties. Given the nature of our services, this will occur when:

  • another person (e.g. member of your family – your father, mother, or child) has contracted our services on your bahalf and they provide us with your data as your authorized representative or legal guardian (when you are in the role of an Additional Applicant),
  • when we collect your data for the purpose of providing our services (assistance in collecting documentation for citizenship applications and/or genealogical research) to our clients— when you are a third party;
  • we obtain your data ourselves, or through selected partners, from public archives and genealogical databases, for the purpose of providing the service.

When providing data on behalf of Additional Applicants or third parties (e.g. your parents), please ensure you do not share more than is strictly necessary. If the performance of our service requires the disclosure of special category data of other living persons (e.g. health data, data concerning religious beliefs), please only provide such data if you have the explicit consent of those individuals.

5. OBLIGATION TO PROVIDE DATA

Providing personal data is voluntary; however, if you choose not to share certain information, the purposes of processing may not be achievable. For example, we will not be able to enter into a contract with you if you do not provide all data required for that purpose, nor will we be able to perform the contract as effectively if you do not provide further documentation.

6. WHAT PERSONAL DATA WE PROCESS, WHY AND ON WHAT LEGAL BASIS

6.1. Website Visitors

We use cookies on our Website. Necessary cookies are set without your consent as they are essential for the Website to function. In addition to necessary cookies, with your consent we may use analytical and marketing cookies for the purposes of measuring Website traffic, advertising, and measuring advertising effectiveness. Consent is given via the cookie banner displayed on your first visit to the Website — you may withdraw it at any time by changing your cookie settings.

For more information on all types of cookies, please refer to our Cookie Notice.

6.2. Customers

You may order our services by sending an enquiry via e-mail, the contact form on our Website, or directly through our web shop on the Website (for certain services). For more information on our services and the ordering process, please refer to our General Terms and Conditions.

Depending on how you order our services and the type of service involved, we will process certain data about you. Details of the processing can be found in the table below.

Categories of dataPurpose of processingLegal basisRetention period
Basic identification data (name and surname) and contact data (e-mail address)   selected service  Processing of the order/enquiry, sending order confirmation and acceptance (if the order is placed via the web shop), or sending our response to your enquiry with an individualised offer, and entering into the contract.Art. 6(1)(b) GDPR – pre-contractual steps / performance of contract. 


5 years from completion of service.
Payment data: amount, type of service, time of payment.  Issuing invoices and collecting payment for our services, recording and monitoring payments.Art. 6(1)(b) GDPR – performance of contract, and Art. 6(1)(c) GDPR – legal obligation (Accounting Act).11 years (accounting documentation).
Invoice data: basic identification and contact details, type of service, fee and due date.Issuing and delivering invoices, in accordance with obligations under the Accounting Act.
Art. 6(1)(c) GDPR – legal obligation (Accounting Act).
11 years (accounting documentation)
Basic identification and contact dataorder / invoice numberdescription of the defectthe request and our response, bank account number for refund (if applicable)Handling complaints/claims, your requests, and requests for unilateral termination of contract.Art. 6(1)(b) GDPR – performance of contract. 

Art. 6(1)(c) GDPR – legal obligation (Consumer Protection Act, Obligations Act).
5 years from resolution of the complaint, 11 years for accounting documentation (e.g. credit notes, refunds, etc.)

6.3. Contract Performance

In order to perform our services, we will necessarily process certain personal data. This may include your data as our customer, as well as data of other individuals — for example, your parents, children, or grandparents — given the nature of our services.

Furthermore, given the nature of our services, performance may require processing of data constituting special category personal data (e.g. data revealing ethnic origin, religious affiliation, health status, or political opinion). For such processing, we will seek the explicit consent of the individual concerned, provided they are living.

Categories of dataPurpose of processingLegal basisRetention period
name and surname, date and place of birth, address of residence, telephone, e-mail of the Customer;name and surname, date and place of birth, address of residence of Additional Applicants;data on the Customer’s marriage and spouse, data on the Customer’s parents and other direct ancestors, data on the Customer’s children, data on divorces, all as per the Questionnaire;personal data from documentation provided by the Customer for the purpose of performing our services (e.g. birth certificates, death certificates, divorce judgments, etc.)personal data from documentation we obtain from archives and genealogical databases in the course of performing our servicespersonal data contained in exchanged e-mails and other communication through which we collected information from you for the purpose of performing our services. We store e-mails and all written correspondence; we do not record video communications or produce transcripts.Provision of the contracted service.Art. 6(1)(b) GDPR – performance of contract (for data of the Customer and Additional Applicants).

 Art. 6(1)(f) GDPR – legitimate interests (for data of persons who are not our Customers or Additional Applicants)   Where special category data are processed, the additional legal basis is Art. 9(2)(a) GDPR – explicit consent of the data subject (in relation to all categories of data subjects).
2 years from the end of the year in which the service was completed.

Retention periods are extended for the duration of any pending judicial or administrative proceedings.

6.4.  Other Communication

When you contact us and the communication is not related to the performance of our contractual obligations, we process your data as follows:

Categories of dataPurpose of processingLegal basisRetention period
e-mail address / social media profile data (depending on the communication channel used)content of the enquiry and all related communicationResponding to the enquiryArt. 6(1)(f) GDPR – legitimate interest in responding to the enquiry and communication.E-mail: 12 months from the end of the year in which the communication concluded. 

Social media: 3 months from the conclusion of the communication. 

If a business relationship or contract is established as a result of the enquiry, the retention periods applicable to clients apply.

6.5. Visitors to Our Social Media Profiles

We maintain profiles on Facebook, Instagram, TikTok, and LinkedIn. The personal data we process depends largely on what you choose to share with us and how you interact via social media.

Certain processing activities are automatically enabled by the social media platform and cannot be disabled (performance analytics).

Categories of dataPurpose of processingLegal basisRetention period
Direct messages (DMs) you send us via social mediaThe same as for “Other communication”, as explained under point 6.4. of this Privacy Notice
Comments, reactions, shares, follows, clicks, and other similar interactions.  Profile data you choose to share (username, name, profile picture, location, etc.)Managing interactions and maintaining effective two-way communication with followers. Art. 6(1)(f) GDPR – legitimate interests: timely communication, gathering feedback, and improving content relevance.While the content is visible (e.g. until you delete it or the profile exists).
Performance analytics and interactions with our content — aggregated, anonymous data on interactions on our profile (automatically generated by the social media platform for profile owners and cannot be disabled)Improving our posts and better understanding your interests Art. 6(1)(f) GDPR – legitimate interests: performance analysis, understanding audience interests, and strategic business development. Note: in relation to this data, we act as joint controllers with the social media platform operator.Subject to the social media platform’s rules and while data is available in the interface.    

We note that social media platforms may process your data in accordance with their own privacy policies, over which we have no control. Their privacy policies and data processing information can be found at the links below.

Facebook: https://www.facebook.com/privacy/policy/

Instagram: https://privacycenter.instagram.com/policy

Tik-tok: https://www.tiktok.com/legal/page/eea/privacy-policy/en

LinkedIn: https://www.linkedin.com/legal/privacy-policy

6.6. Marketing and Advertising

Using marketing cookies, which we only use if you have given your consent, we may track your behaviour on the Website in order to display relevant advertisements. We track standard e-commerce events (view_item, add_to_cart, begin_checkout, purchase) for the purpose of measuring advertising effectiveness, and only with your consent as set via the cookie banner. Processing of data for advertising purposes does not affect your rights or the services available to you.

We carry out targeted advertising (retargeting) through the Google Ads platform. Conversion tracking includes Purchase, Begin checkout, and Add to cart events, and where applicable, contact form interactions.

We may also periodically carry out advertising on Meta, within the platform itself (Facebook, Instagram).

Processing via marketing cookies involves profiling within the meaning of Art. 4(4) GDPR; however, this is not profiling that produces legal or similarly significant effects for you. Furthermore, the fact that you see one of our advertisements does not necessarily mean we have built a profile of you — you may see the advertisement if Google or Meta, based on your use of other websites to which we have no access, have determined that you match the target audience.

6.7. Reviews

If you leave us reviews or testimonials (by e-mail, Google form, or on our social media profiles), we may use such reviews/testimonials on the basis of our legitimate interest (Art. 6(1)(f) GDPR — legitimate interest to promote our business), but we will publish them primarily in anonymised form, so that the review/testimonial cannot be linked to you. In full, with all (or some of your data), only with your explicit consent.

6.8. Statistics and Aggregated Data

We may produce statistical data regarding your use of our services. We do this by aggregating data collected in the course of your orders, enquiries, or service performance into aggregate statistics, on the basis of legitimate interest (Art. 6(1)(f) GDPR) in business development and strategic planning. These statistical data no longer allow us to identify you.

7. MINORS AND CHILDREN

Our services are directed at adults; however, in the course of providing services, we may also process data of children or minors — particularly where, as a parent, you intend to use our services for your children as well (in which case the children are Additional Applicants). In such cases, you provide data on behalf of the children as their legal guardian. Should the children reach adulthood in the interim, the services contracted on their behalf remain valid; however, as adults they are entitled to terminate the contract with us and request the return and erasure of all their data, to the extent permitted by law.

8. SHARING OF PERSONAL DATA

We primarily process your personal data within our company. In certain cases, other persons or public authorities are also involved in processing. When we involve other persons, we enter into appropriate agreements with them and ensure the confidentiality and protection of your data.

We share your data with:

  • public authorities (in accordance with tax and accounting regulations and regulations governing the obtaining of documents from state registries and bodies);
  • an external associate in Croatia for research services in Croatian state archives and registries;
  • Translators / translation agencies;
  • Marketing agency (Croatia);
  • Google Ireland LLC and Meta Platforms Ireland Limited in the context of Google Ads and Meta Ads (where we act as joint controllers);
  • processors (see below);
  • third parties in the event of a merger, acquisition, insolvency, or similar business transaction.

Our processors (entities that process data exclusively on our instructions) are:

  • Accountant;
  • Google Ireland LLC (Google Workspace services: e-mail, Drive, Calendar, Meet; Google Analytics);
  • Hostinger International Ltd., 61 Lordou Vironos str., 6023 Larnaca, Cyprus (hosting Web stranice)
  • IT support.

9. DATA STORAGE AND SECURITY MEASURES

To ensure the privacy and security of your data, we implement various technical and organisational measures, including: storing equipment in access-restricted premises, regular backup of computer data systems, use of strong passwords, vetted service providers, and granting data access only to those who need it to fulfil the purpose of processing.

Your personal data is stored at our physical locations within the EU, digitally in Google Workspace (Drive, e-mail) and on local drives, and exceptionally on servers in the USA (see sections 8 and 10). We continuously update and enhance our technical and organisational measures in line with technological developments and the growth of our business.

10. INTERNATIONAL DATA TRANSFERS

Although our company is incorporated in the Republic of Croatia (EU) and we use EU-based processors wherever reasonably possible, in certain cases international data transfers will occur.

As we also use the services of global companies such as Google Ireland LLC and Meta Platforms Ireland Limited, those companies — while registered within the EU — will in certain cases share data with their affiliated companies in the USA, primarily their parent companies (Google LLC, USA and Meta Platforms Inc., USA respectively), and subsequently with other engaged processors and independent controllers engaged by those companies, some of which are located outside the EU. For the aforementioned transfers, Google and Meta rely on an adequacy decision, namely the EU–US Data Privacy Framework (DPF) (for entities certified under the DPF), or the Standard Contractual Clauses (SCCs) adopted by the European Commission for other entities..

Our hosting provider, Hostinger International Ltd., also uses sub-processors registered outside the EU, and for such transfers they rely on either an adequacy decision or the Standard Contractual Clauses (SCCs).

11. YOUR RIGHTS

As a data subject, you have the following rights:

Right of access — you may request confirmation of whether we are processing your data, access to that data, and information on the purpose of processing, the categories of data processed, recipients, data sources, retention periods, and the existence of automated decision-making.

Right to rectification — you may request the correction of inaccurate or incomplete personal data.

Right to erasure (right to be forgotten) — you may request erasure of data where it is no longer necessary for the original purpose, where processing was unlawful, where you have withdrawn consent, or where you have successfully objected. Legal obligations (tax regulations, etc.), the need to establish, exercise, or defend legal claims, or similar reasons may prevent full erasure.

Right to restriction of processing — you may request restriction of processing in the cases provided for under the GDPR (unlawful processing, the data being needed for legal claims, where you have contested the accuracy of data or objected to processing, pending resolution of such contestation or objection).

Right to object — where processing is based on legitimate interests (Art. 6(1)(f) GDPR), you may object. We will continue processing only if we demonstrate compelling legitimate grounds that override your interests. Where we process your data for direct marketing purposes, you may object at any time. If you object to processing for direct marketing purposes, we will no longer process your personal data for those purposes.

Right to data portability — for data you have provided on the basis of consent or contract, and which is processed by automated means, you may request delivery in a structured, machine-readable format or direct transfer to another controller, where technically feasible.

Right to withdraw consent — where processing is based on your consent, you have the right to withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Right to lodge a complaint with a supervisory authority — if you consider that your rights have been infringed, you may lodge a complaint with the Croatian Personal Data Protection Agency (AZOP), Ulica Metela Ožegovića 16, 10000 Zagreb, https://azop.hr. You also have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.

Note: in certain cases, your rights may be limited by obligations arising from other legislation (e.g. accounting or tax regulations).

To exercise the above rights or for further questions, please contact us at: ask@croatiabydescent.com

Last updated: April 30, 2026 | LDV Consulting d.o.o.