2. PURPOSES OF PERSONAL DATA PROCESSING
2.1. Reservation and provision of accommodation services
You may book your stay at Hotel Materra directly via our website, by e-mail, by phone, or through partner booking platforms.
When you submit an inquiry or make a reservation, we process the data necessary to handle your request – first and last name, e-mail address, phone number, preferred arrival and departure dates, number of guests, number of children under 12 years of age, and any notes you may provide.
Upon arrival at the hotel, for the purpose of providing accommodation services, we process your personal data, including data related to your stay, services used, and method of payment.
During your stay, you may use various hotel services and facilities – wellness, bar, conference hall, TV content, room service, transport, excursions, and other services.
For the purpose of providing these services, we process data such as your first and last name, room number, time and type of service used, and any special requests or notes.
If, for certain services (e.g., room service), you voluntarily provide information relating to dietary habits or other special requests, such data are processed exclusively on the basis of your consent for the purpose of providing a personalized service.
For certain health and wellness treatments, it is necessary to obtain certain information about the guest’s health condition in order to assess whether the treatments are safe and appropriate. Such data are required solely for the protection of the guest’s health and proper provision of the service. If the guest withholds or omits relevant information, there is a risk that the selected treatment may not be suitable or could have adverse effects on their health; therefore, under such circumstances certain treatments may not be performed.
Legal basis: taking steps at the request of the data subject prior to entering into a contract and performance of a contract; guest consent for special requests.
2.2. Registration of stay with competent authorities
Pursuant to special laws of the Republic of Croatia, all guests are registered in the Information System for the Registration and Deregistration of Tourists (eVisitor).
For this purpose, we collect data contained in an identity document – first and last name, date of birth, nationality, place and country of birth, gender, and the identity document number.
Legal basis: compliance with a legal obligation of the controller.
2.3. Bank card pre-authorization and payment for services
When confirming a reservation or checking in at the hotel reception, a bank card pre-authorization may be performed, i.e., a temporary hold of a certain amount as a guarantee of payment and to cover possible additional costs (e.g., minibar, wellness, property damage).
The pre-authorized amount is not a charge to the bank account but only a temporary reservation of funds. Final payment is processed upon guest check-out, and any unused portion of the pre-authorization is released immediately after the end of the stay.
Payment card data are stored exclusively within a secure and certified payment system that meets international security standards for card transaction processing (PCI-DSS – Payment Card Industry Data Security Standard). All payment card data are encrypted and processed through an authorized payment processor, preventing unauthorized access, copying, or use of the data. Hotel Materra does not have access to full card details (e.g., the card number and security code – CVV); only an anonymized form of the data is available, enabling secure payment processing and cancellation of the pre-authorization.
During the stay and at check-out, we also process data necessary for payment, invoicing, and fiscalization (name/company name, address, OIB – where required, data on quantity and price of services used, and payment transaction data).
Legal basis: taking steps prior to entering into a contract and performance of a contract; compliance with a legal obligation of the controller.
2.4. Marketing activities and guest satisfaction surveys
We will use your e-mail address collected during the reservation and check-in process to send newsletters about Hotel Materra services, special offers, benefits, discounts, and news about our offer that we consider may be relevant and useful to you as a guest. In this case, we process your personal data on the basis of our legitimate interest.
You can unsubscribe from the newsletter recipients list at any time by selecting the appropriate option at the bottom of each message received.
If, as a website visitor, you subscribed to receive the newsletter, the legal basis for processing your e-mail data is your consent. Consent is entirely voluntary and may be withdrawn at any time via the unsubscribe link included in each message received or by sending a request to info@hotelmaterra.com.
A guest may also give consent to participate in surveys on satisfaction with Hotel Materra services. Data collected through questionnaires and ratings are used exclusively for analyzing the stay experience and improving service quality. Responses are processed statistically, without linking them to the identity of the guest.
Hotel Materra occasionally organizes prize contests, promotions, and giveaways via its official social media profiles. In such activities, we process personal data of participants who voluntarily register to participate – such as name and surname, social media username, contact details (e-mail address or phone number), and the content of posts, comments, or messages submitted as part of the contest.
Legal basis: consent of the guest/contest participant.
2.5. Inquiries and communication with guests
Data you provide via e-mail, website contact forms, by phone, or in person are used exclusively to provide the requested information and respond to inquiries.
Legal basis: depending on the content of the inquiry or the existing relationship with the person submitting the inquiry (guest, potential guest, etc.), processing is based on consent or on taking steps prior to entering into a contract and the performance of rights and obligations arising from a contractual relationship.
2.6. Handling consumer complaints and claims
In the event of a written complaint or claim regarding a provided service, the hotel processes personal data required to handle the complaint (first name, last name, contact details, content of the complaint, and supporting documentation).
The data are used exclusively for resolving complaints and are retained in accordance with consumer protection regulations.
Legal basis: compliance with a legal obligation and performance of a contract.
2.7. Video surveillance
Certain areas of the hotel, such as entrances/exits, reception, corridors, gym, parking area, and outdoor areas, are covered by a video surveillance system installed for the safety of guests, employees, and hotel property. Recordings are retained for a limited period, no longer than 60 days. Clear notices with basic information about recording and data processing are displayed in all monitored areas.
Legal basis: the controller’s legitimate interest in protecting persons and property.
2.8. Travel agency services
The travel agency collects and processes personal data to the extent necessary for providing services related to organizing, selling, and implementing package arrangements; organizing, selling, and implementing excursions; organizing transportation and transfers of participants to the departure point, during excursions, and after completion of the service; organizing, selling, and implementing congress tourism services; organizing visits to cultural and historical landmarks; selling, mediating, and reserving tickets for all types of events, museums, etc.; selling, mediating, and reserving catering services; and mediating in the provision of tourism services of other service providers.
Legal basis: taking steps prior to entering into a contract and performance of a contract; compliance with a legal obligation of the controller.
3. PROCESSING OF SPECIAL CATEGORIES OF DATA AND CHILDREN’S DATA
Hotel Materra collects and processes children’s personal data only to the extent necessary for providing accommodation services and fulfilling legal obligations, for example when registering in the eVisitor system. Children’s data are collected from their parents or legal guardians.
Special categories of personal data are not required for reservation, provision, and payment of services; however, before and during the stay, a guest may, at their own discretion, provide certain data that fall within special categories of personal data – for example, information about health condition, dietary needs, allergies, or other circumstances relevant for a comfortable and safe stay. Such data are processed exclusively on the basis of the guest’s consent, for the purpose of providing tailored services and enhancing safety during the stay.
4. SELECTION PROCESS AND EMPLOYMENT
ŽITO d.d. acts as a potential employer and the data controller of personal data of interested candidates.
Information on the processing of personal data of job applicants for employment at Hotel Materra is available at:
https://zito.talentlyft.com/
5. COOKIES AND WEBSITE
Hotel Materra’s website uses cookies to ensure proper functioning of the website, improve user experience, and analyze website traffic. Detailed information on the types of cookies used, their purpose, and options for managing settings are available in the Hotel Materra Cookie Policy.
6. AUTHORIZED RECIPIENTS OF PERSONAL DATA
6.1. Processors
Personal data of Hotel Materra guests are accessible only to authorized persons and partners and only to the extent necessary to provide a specific service. Processing involves reliable business partners – processors – who provide services necessary for regular operations on behalf of the hotel, such as reservation system management, execution of payment transactions through secure payment systems (payment gateway), website maintenance and administration, and IT support.
The relationship between the Hotel and the above partners is governed by data processing agreements, under which partners are obliged to maintain confidentiality, apply appropriate technical and organizational security measures, and process personal data exclusively according to the instructions of the controller – ŽITO d.d.
6.2. Other recipients of personal data
In accordance with applicable regulations of the Republic of Croatia, the Hotel is required to provide certain personal data to competent public authorities.
For the purpose of fulfilling the legal obligation to register tourists’ stays, guest data are entered into the Information System for the Registration and Deregistration of Tourists – eVisitor – managed by the Croatian National Tourist Board.
In certain cases, when necessary to comply with legal obligations or to act upon a request of a competent authority (e.g., the Ministry of the Interior, a competent court, or another public authority), the Hotel will be obliged to provide personal data in a precisely defined scope and exclusively for the purpose specified in the request. Each such disclosure is carried out with appropriate safeguards and with documented records of the data transfer.
6.3. Data recipients outside the EU
For sending newsletters, Hotel Materra uses the Mailchimp service, owned by Intuit Inc., headquartered in the United States of America. The transfer of personal data is carried out in accordance with the GDPR, as Intuit Inc. participates in the EU–US Data Privacy Framework, which constitutes an adequacy decision under Article 45 of the GDPR and ensures an adequate level of personal data protection.
7. PERSONAL DATA RETENTION PERIOD
Personal data are stored for the period necessary to achieve the purpose of processing or for the period prescribed by law.
• Reservation and guest stay data, including check-in and check-out data, are retained for a minimum of 2 years from guest check-out, in accordance with the Ordinance on the form, content, and manner of keeping the guest register and guest list (Official Gazette 1140/15).
• Invoices, accounting records, and fiscal documents are retained for 11 years after the end of the year in which the document was created, in accordance with the Accounting Act and tax regulations.
• Payment and bank card pre-authorization data are retained until the transaction is completed and all costs are settled, and for a maximum of 14 days from guest check-out, due to possible complaints or refunds.
• Data from inquiries and communication with potential guests are retained for up to 12 months after completion of communication.
• Data related to complaints and claims are retained for up to 12 months after completion of communication.
• Data related to complaints and claims are retained for 12 months from receipt of the complaint, in accordance with the Consumer Protection Act.
• Data processed on the basis of consent, such as for sending newsletters or participating in satisfaction surveys, are retained until consent is withdrawn.
• Data collected for the purpose of organizing prize contests are retained until the end of the contest.
• Video surveillance recordings are retained for a maximum of 60 days.
Upon expiry of the above periods, all personal data are deleted or anonymized, unless further retention is required by specific regulations or is necessary for the establishment, exercise, or defense of the Hotel’s legal claims.
8. PERSONAL DATA SECURITY MEASURES
Hotel Materra applies appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data. Measures include, among others, controlled access to systems, protection of computer and communication networks, regular security updates, access logs, backups, and other applicable measures depending on the sensitivity of the data and security risks.
All employees and partners with access to personal data are obliged to maintain confidentiality and act in accordance with internal data protection rules. Guests’ personal data are not transferred outside the European Union. If, in exceptional cases, such a transfer were necessary (e.g., due to use of external providers), the transfer would be carried out exclusively with appropriate safeguards, such as the European Commission’s Standard Contractual Clauses or another applicable protection mechanism.
9. AVAILABLE RIGHTS
Depending on the legal basis and purpose of processing, you have the following rights regarding the processing of personal data:
• Right to information and access – the right to obtain confirmation as to whether personal data are being processed and access to the data and information on the purpose, scope, and manner of processing
• Right to rectification – the right to request correction of inaccurate data or completion of incomplete data
• Right to erasure (“right to be forgotten”) – the right to request deletion of personal data if they are no longer necessary for the purpose of processing or if there is no other legal basis for their retention
• Right to withdraw consent – where processing is based on consent, it may be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal
Where applicable, depending on the processing circumstances and legal basis, you may also have the following rights:
• Right to restriction of processing – for example, where the accuracy of data is contested or where data are no longer needed for the original purpose but must be retained for legal claims
• Right to data portability – the right to receive personal data in a structured, commonly used, and machine-readable format if processing is based on consent or contract and is carried out by automated means only
• Right to object – the right to object at any time to processing based on the hotel’s legitimate interest, including processing for direct marketing purposes
• Right to object to automated decision-making – in cases where a decision about a guest would be made solely by automated processing, without human assessment
10. CONTACT
To exercise your rights or obtain additional information on personal data protection and processing, you may contact the Data Protection Officer at: dpo@zito.eu or send a written request to Hotel Materra, Ul. Ovčara 5, 31431 Čepin, with the note “For the Data Protection Officer”.
You may also submit a complaint to the Croatian Personal Data Protection Agency (AZOP) at: azop@azop.hr, if you believe that your rights have been infringed or your request has not been fulfilled.
11. DOCUMENT VERSION
This Personal Data Processing Notice is regularly updated to ensure compliance with applicable regulations, business practices, and Hotel Materra services.
Last revision: December 2025.