Privacy & cookie policy


Since 25. May 2018 european law EU 2016/679 from European parlament and council since 27. April 2016 is in place, about protection of individuals in relation to processing of personal data and free movement of such date, and about canceling directive 95/46/EZ.

These informations have a goal to provide you with the clear inside of how your private information is used, for what purpose and on what legal justification . Also, to inform you about your rights in terms of processing of your personal data.
Čarolija drva d.o.o. is processing personal data of individuals according to stated general declaration and according to all positive regulations for personal data protection which are in place in Republic of Croatia, by highest standards that we apply in our work practice.
According to article 13 of General Regulation, Čarolija drva d.o.o. , Bisko 56E, 21240 Trilj, OIB: 24509981841, as a Controller of processing of collected data ( in further text : Controller) inform you about the following :

Company representative contact

Contact data of the representative : Bisko 56E, 21240 Trilj, Hrvatska; e-mail:; tel: 00385 21 544 488; by using contact form:

Purpose of processing personal data

Controller is processing data for the following purposes:
- accepting orders;
- contacting of the orderer;
- communication with intrested parties;
- verification of payments;
- business communication;
- computing payrols and other necessary data;
- recruiting employees;
- sending news about products and services;
- delivery of ordered goods

Legal basis of processing personal data

Personal data of the individual is being processed based on :
- given acceptance - Art. 6/1(a) of General regulation;
- Need to fulfill a contract or necessary actions before entering into contract – Art. 6/1(b) of General regulation;
- Fulfillment of legal obligations – Art. 6/1(c) of General regulation.

Recievers of personal data

Due to fulfillment of above mentioned purposes, Your personal date is being shared/delivered to:
- DHL Croatia - in case DHL has been selected for delivery - purpose of addressing of shipments;
- DPD Croatia - in case DPD has been selected for delivery - purpose of addressing of shipments;
- Hrvatska pošta (Croatian postal service) - in case "Post" has been selected for delivery - purpose of addressing of shipments;
- E-RAČUNI d.o.o. - in purpose of issuing commercial invoices and bookkeeping of accounting data;
- SendinBlue - in purpose of sending newsletters in case customer approved to recieve these
- Paypal - in purpose of payment processor ( data processor, collector of payments);
- A2 Hosting - in purpose of providing hosting services they can in case of servicing have access to personal data;
- Goverment authorities in charge - whenever we are asked to provide data according to specific laws

about using WSPay

WSPay is a secure system for real time credit and debit card payments. WSPay ensures the buyer and the merchant with the secure card data entry and transfer, which is also confirmed by PCI DSS certificate. WSPay uses 256-bit SSL encryption and TLS 1.2 cryptographic protocol as the highest protection standards for data entry and transfer.
WSPay personal data protection

WSPay, being the processor of authorization and payment made by credit cards, uses personal data as the processor pursuant to the General Data Protection Regulation of the European Parliament and the Council no. 2016/679, and compliant with PCI DSS Level 1 Regulations for data transfers.

WSPay uses 256-bit SSL encryption and TLS 1.2 cryptographic protocol as the highest protection standards for data entry and transfer.

Personal data used for the purposes of authorization and payment are deemed to be confidential data.

The following customer's personal data are necessary to fulfil the Agreement (authorization and payment):

  • Name and Surname
  • E-mail
  • Telephone number
  • Address
  • City
  • Post Code
  • Country
  • Type of credit card
  • Credit card number
  • Expiry date (credit card)
  • CVV number for credit card

WSPay does not process or use these personal data except for the purpose of fulfilling the Agreement, the authorization and the payment.

WSPay ensures to meet the requirements determined by applicable personal data protection regulations, for the processors of personal data, especially taking all necessary technical, organizational or security measures confirmed by PCI DSS Level 1 certificate.

Processing of personal data in "third countries"

Processing of personal data is not being done in third countries, with exception of A2 Hosting company which in purpose of servicing can have access to data. With above mentioned company we have confideliality agreement and by no condition they will NOT share data with any 3rd party.

Source of personal data

We collect personal data directly from the subject on bases of above mentioned legal basis according to general regulation about data protection. If personal data is recieved from 3rd parties, individual has a right to be informed about identity of that source, and if needed, has right tobe informed if his/her personal info comes from publicly available sources.

Use of Cookies

At the time of accesing and using of website ( we use cookies. You can lear more about use of cookies below in this document.

Period of keeping data

- ACCOUNTING DATA - 11 years, according to accounting regulations
- EMPLOYEE DATA and other data collected during employer-employee relationship - PERMANENTLY, or according to legal obligations of keeping data and it's deletion
- CONTRACT DATA -5 years, according to legal overdue
- DATA ABOUT VISITORS OF OFFICIAL INTERNET WEBSITE - 4 days, except in a case of statistical date which we keep 26 months
We will collect personal date in ammount which is necessary to fulfill the purpose of processing and as long as it is necessary to fulfill the purpose of processing.
Therefore, personal data is being processed untill fulfillment of purpose or within boundary of legal overdue for obligations which might arrise from procesing of such personal data, when processing of personal data is necessary  in contekst of entering into or fulfilling a contract, except in cases where we are obligated by law to keep personal data. In those cases we keep data in accordance to article of the law.
When / if personal data is being processed on the basis of person's acceptance, it will be processed until the acceptance is withdrawn.

Rights of the individual

Individual whose data we process have following rights:
  • Right to be informed according to Art. 12., 13. i 14. General Data Protection RegulationIndividuals have the right to be informed and, therefore, may at any time request information and details on how the Processing Manager processes their personal data, which the Processing Manager will verbally communicate or provide in writing through the channel from which that right is claimed;
  • Right to access personal data according to Art.15. General Data Protection Regulation - At any time, an individual may request access to his or her personal data held by the Processing Manager in order to be informed about the processing of his or her personal data, or to ascertain whether or not his personal data are processed by the Processing Manager and to be informed of the purpose the processing, the legal basis and the conditions under which the processing manager processes his personal data;
  • Right for correction according to Art. 16. General Data Protection RegulationAt any time, individuals may request the correction of their personal information, including the completion of a supplementary statement, to ensure the accuracy, completeness or up-to-date of personal information;
  • Right for deletion (“to be forgotten”) according to Art.17. General Data Protection RegulationIndividuals may request the deletion of their personal information processed by the Processing Manager if (i) it no longer exists or the purpose for which it was collected is fulfilled; (ii) the individual withdraws the consent and the processing is done on the basis of that consent, and there is no other legal basis to continue the processing; (iii) the individual opposes the processing of the data and there are no other legitimate reasons for further processing; (iv) the personal data of individuals have been processed without a valid legal basis. The personal data for which the right of erasure has been requested may be further processed in the following situations: (i) for the fulfillment of the legal obligations governing the processing, (ii) as well as for the exercise / protection of rights in court proceedings.
  • Right to limitation of processing according to Art.18. General Data Protection Regulation;
  • Right for transfer personal data according to Art.20. General Data Protection Regulation;
  • Right to object on processing of personal data according to Art.1. General Data Protection Regulation- For reasons relating to the specific situation of individuals, they may object to the processing of their personal data based on the legitimate interest of the Processing Manager;
  • Right to withdraw acceptance- in cases where processing is based on the consent of individuals, the individual may withdraw the consent at any time. Withdrawal will only have effects for future processing. The processing performed before the withdrawal of the privilege remains valid.


Cookies are small data files that most online sites store on users' devices accessing the Internet, in order to identify the individual devices that users have used when accessing. Their storage is under the full control of the user-operated browser, and cookie storage can be restricted or disabled if desired.

Why are cookies needed?

Cookies are important for providing a better user experience. Most common e-commerce features would not be possible without cookies. Cookie-friendly interaction between internet users and website is faster and easier. With their help, the website remembers the individual's preferences and experiences, which saves time and makes searching the web pages more efficient and enjoyable.

Most websites use cookies because they are a convenient means of maintaining new and relevant content that is consistent with the interests and preferences of each internet user. There are several reasons for using cookies - the first reason is their ability to store information about the status of each website (details about the customizations of each website), and in addition, they help to perform various Internet services and help to collect various statistics on Internet users' habits - Cookies can be used to track the frequency of visits to a particular website. Organizations use cookies to evaluate the effectiveness of their websites, as well as the relevance of the type and number of ads they offer to users on their websites.
By using cookies, we collect the following information from website visitors:
   - Information about your login to the site, your chosen language and currency, and statistics using the google analytics cookie

We keep the information we collect with cookies for 4 days, except in the case of statistics that we keep for 2 years

In accordance with Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation, OJ EU 119 / 1) and the Electronic Communications Act (OG 73/08, 90/11, 133/12, 80/13, 71/14, 72/17) for functional, analytical and marketing cookies requires user consent before cookies are placed on the user's browser, while the necessary cookies are not required as they are essential for the functioning of the site.


How are cookies controlled?

You can control and / or delete cookies as you wish. For more information, visit: You can delete all cookies already stored on your computer, and most browser settings allow you to block cookies from being stored. If you block cookies, you may have to manually adjust some of the settings you want each time you visit the site, and certain services and features may not be available.