Privacy Policy

Introduction

Welcome to eddyletspaddle.com (the "Website"). This Privacy Policy explains how we, EDDY, operated by AQUA SPORT BUDVA d.o.o., collect, use, disclose, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable data privacy laws. It also explains how your personal data is shared with our authorised payment and financial protection provider, Trust My Travel Limited (trading as “Trust My Travel” and “Repayd”).

1. Who We Are

This Website and associated services are operated by:

AQUA SPORT BUDVA d.o.o.
ul: Popa Jola Zeca br:7, 85310 Budva, Montenegro
Company Registration No: 03132005
Email: privacy@eddyletspaddle.com
Phone: +382 (69) 71-99-04

EDDY is a brand fully owned and represented by AQUA SPORT BUDVA d.o.o.

2. Definitions

2.1. Personal Data: Any information relating to an identified or identifiable natural person.
2.2. Data Processing: Any operation performed on personal data, such as collection, recording, storage, use, disclosure, and erasure.
2.3. Data Subject: Any identified or identifiable individual whose personal data is processed by us.

3. What Personal Data We Collect

We collect and process the following categories of personal data:

• Identification and contact details: name and surname, email address, phone number;
• Booking and activity details: date and time of booking, type of Activity, number of participants, special requests, language preferences;
• Payment and transaction information: booking amount, currency, payment status, transaction identifiers, partial card information such as the last four digits or tokenised card details processed via our payment provider (we do not store full card numbers or CVV codes);
• Communication data: content of messages sent via our contact forms or by email, and our replies;
• Technical data: IP address, browser type and version, device information, and website usage data collected via cookies and analytics tools;
• Health information: any medical conditions or relevant health details that you voluntarily provide to us in order to assess whether it is safe for you to participate in a specific Activity.

We currently collect personal data primarily through:

• the “Corporate Adventures” form on the Home page
• booking widgets integrated on our Website (including Bokun and Trust My Travel-powered checkout)
• direct email communication and general enquiry forms
• your use of the Website (via cookies and analytics)

4. How We Collect Your Data

Your data is collected when you:

• Fill out the "Corporate Adventures" form on the Home page
• Book services via our integrated booking widgets (e.g. Bokun and Trust My Travel checkout forms)
• Contact us by email, phone, or other communication channels
• Browse our Website, where certain technical data is collected via cookies and analytics tools

In some cases, online travel agencies (such as GetYourGuide or Viator) may collect your data on their own platforms and then share relevant booking details with us so we can fulfil your Activity. In such cases, their privacy policies also apply.

5. Purpose of Data Collection

We process your data to:

• Respond to your inquiries submitted via the "Corporate Adventures" form or other contact channels
• Deliver booked services and manage reservations through our booking systems
• Process payments and provide financial protection for eligible bookings through our payment provider Trust My Travel (Repayd), including sharing necessary booking and payment details with them as our authorised payment and financial protection provider
• Handle cancellations, changes, refunds, and dispute resolution where necessary
• Provide essential service updates and communications related to your booking
• Prevent fraud and enhance the security and integrity of our services
• Enhance website functionality and user experience
• Comply with legal, tax, accounting, and regulatory obligations

6. Legal Basis for Processing

We rely on the following legal bases:

• Contractual necessity (Art. 6(1)(b) GDPR): to process your booking, arrange your Activity, handle payments and related customer support
• Consent (Art. 6(1)(a) GDPR): for inquiries submitted through our "Corporate Adventures" form where no booking is made, and for optional communications such as newsletters or certain cookies. You may withdraw your consent at any time
• Legal obligations (Art. 6(1)(c) GDPR): to comply with tax, accounting, financial, and regulatory requirements, including anti-money-laundering or sanctions checks where applicable
• Legitimate interests (Art. 6(1)(f) GDPR): improving user experience, ensuring network and information security, preventing fraud, and promoting our services to existing customers (direct marketing of similar activities)
• Where we process any health-related information that you voluntarily provide (for example, to assess fitness to participate in an Activity), we rely on your explicit consent (Art. 9(2)(a) GDPR). You may withdraw this consent at any time, but we may then be unable to allow you to participate in certain Activities for safety reasons

7. Data Sharing

We never sell your personal data. We only share your data with trusted third parties where necessary for the purposes described above or where required by law. These may include:

• Booking and operations platforms: Bokun and similar providers that manage our booking engine, inventory, and operational workflows
• Payment and financial protection provider: Trust My Travel Limited (trading as “Trust My Travel” and “Repayd”), who act as our authorised payment agent and financial protection provider. They process your booking and payment information, hold your funds in a segregated client account, and may contact you with a confirmation and a protection certificate or booking ID
• Acquiring banks and payment service partners of Trust My Travel, for processing card and alternative payments
• Online travel agencies and distribution partners (such as GetYourGuide or Viator), where you book through their platforms and they share booking details with us to fulfil your Activity
• Email, CRM, and IT service providers who host our email accounts, databases, and website infrastructure
• Regulatory, tax, or law enforcement authorities when required by applicable law

8. International Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including:

• The United Kingdom, where Trust My Travel Limited is established and where some of its partners operate
• Member States of the European Union/EEA, where some of our technology and booking providers are located

For any transfers of personal data outside the EEA and the UK, we rely on adequate safeguards such as adequacy decisions, standard contractual clauses (SCCs), or equivalent mechanisms to ensure an appropriate level of data protection in line with GDPR requirements.

9. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this Policy or as mandated by legal obligations.

In particular:

• Booking and payment records are typically retained for up to 7 years after your last transaction, in line with tax, accounting, and financial regulations and the retention practices of our payment provider
• Enquiry-only communications (where no booking is made) are usually retained for a shorter period, for example up to 2 years, for reference and service quality purposes
• Marketing and newsletter data is retained until you withdraw your consent or object to further processing

After the relevant retention period expires, your personal data will be securely deleted, anonymised, or archived in accordance with our internal policies.

10. Your Data Protection Rights

Under GDPR and applicable data protection laws, you have the right to:

• Access and obtain copies of your personal data
• Request rectification of inaccurate or incomplete data
• Request erasure of your data ("right to be forgotten"), subject to legal retention requirements
• Restrict or object to processing, including direct marketing
• Request data portability, where technically feasible
• Withdraw your consent at any time without affecting the lawfulness of prior processing
• Lodge a complaint with your local data protection authority or with the Montenegrin DPA (AZLP)

To exercise these rights, contact us at: privacy@eddyletspaddle.com

11. Updating Your Personal Data

You must inform us promptly if your personal details change to ensure accuracy and completeness.

12. Cookies and Tracking

We use essential, functional, and (where you consent) analytical cookies and similar technologies to:

• enable core Website functionality
• remember your preferences
• analyse Website usage and improve our services

You can manage your cookie preferences through our Cookie banner or via your browser settings. For more information, please see our separate Cookie Policy, which forms part of this Privacy Policy.

13. Data Security Measures

We employ technical and organisational security measures to protect your personal data, including:

• encrypted connections (TLS/SSL) for data transmitted via our Website
• tokenisation of card details and secure payment processing via certified payment providers such as Trust My Travel and its acquiring banks
• access controls and role-based access to customer data
• secure data storage and regular backups
• staff training and internal procedures on data protection and confidentiality

While we strive to protect your personal data, no method of transmission or storage is entirely risk-free, and we cannot guarantee absolute security.

14. Third-Party Websites

Our Website may include links to third-party sites (such as online travel agencies, social media platforms, or partner websites). We are not responsible for their data protection practices. We encourage you to review the privacy policies of those sites independently before providing any personal data.

15. Policy Updates

We may update this Privacy Policy periodically to reflect changes in our services, legal requirements, or data processing practices. Changes will be indicated by updating the effective date at the top of this page. Significant changes will be communicated via email to registered users and/or prominently displayed on our Website.