HomeSpecialistsAbout usBlog

Serenity Privacy Policy

Last updated: 01.04.2026.

1. Introduction

This Privacy Policy explains how Serenity d.o.o. processes personal data when a visitor browses the Serenity Platform, when a user opens a user account, books an appointment, uses Platform functionalities, communicates with Serenity, or when a specialist uses the Platform to publish a profile and provide their services.

Serenity d.o.o. pays particular attention to the protection of privacy and the processing of personal data in accordance with Regulation (EU) 2016/679, the Croatian Act on Implementation of the General Data Protection Regulation, and other applicable regulations.

2. Who is the Controller

The controller for the processing operations described in this Policy, except where expressly stated otherwise, is:

Serenity d.o.o., Kliški put 11, 21210 Solin, Republic of Croatia, OIB: 51521935414, Email: info@serenity.hr

3. Important Note on the Roles of Serenity and Specialists

3.1. Serenity and specialists do not necessarily process the same data for the same purposes.

3.2. Serenity is generally a separate controller for the data it processes for the purposes of:

  • a) managing the Platform and user accounts,
  • b) bookings and appointment administration,
  • c) organisation and records of billing,
  • d) customer support,
  • e) security, prevention of abuse, and proof of transactions,
  • f) publication and management of specialist profiles,
  • g) compliance with legal obligations.

3.3. The specialist is generally a separate controller for personal data they process within their professional relationship with the client, including the content of the professional service itself, professional assessments, notes they keep themselves, communications outside systems Serenity has no access to, and other data the specialist processes to provide their own service and fulfil their professional or legal obligations.

3.4. Serenity has no access to the content of sessions, messages between client and specialist, or documents they exchange with each other outside the Platform's administrative functionalities, and does not record sessions.

3.5. If, for a particular processing flow, it is determined in the future that Serenity and the specialist jointly determine the purposes and means of processing, their responsibilities will be governed by a separate contractual arrangement, and essential information about such a relationship will be made available to users in an appropriate manner.

4. Categories of Personal Data We Process

4.1. User/client data

Depending on the functionality the user uses, Serenity may process the following categories of data:

  • first name and last name,
  • email address,
  • data related to the user account,
  • data on bookings, appointments, and appointment status,
  • payment and transaction data to the extent necessary for processing payments and issuing invoices,
  • technical and log data such as IP address, access time, device identifiers, log records, and data necessary for the security and operation of the Platform,
  • the content of inquiries submitted to customer support.

4.2. Specialist data

For the purposes of application, validation, and publication of specialist profiles, Serenity may process:

  • first name and last name,
  • profile photo,
  • biography and description of professional experience,
  • data on education, certifications, diplomas, and other professional credentials,
  • contact and administrative data necessary for entering into cooperation and using the Platform,
  • data on availability, appointment prices, and the specialist's profile,
  • data on completed bookings and related administrative records.

4.3. Reviews and ratings

If the Platform allows reviews and ratings, Serenity processes data related to the review in anonymised or pseudonymised form to the extent technically feasible and reasonably necessary for the operation of the review system.

5. Special Categories of Personal Data

5.1. As a rule, Serenity does not request or require users to provide special categories of personal data, including data on health, political opinions, religious beliefs, racial or ethnic origin, sex life, or sexual orientation.

5.2. Serenity has no access to the content of sessions between user and specialist and does not process the content of professional work as part of the Platform's regular business model.

5.3. If a user voluntarily submits sensitive data to Serenity, for example through a free-form inquiry to customer support, complaint, request, or incident report, Serenity will process such data only to the minimum extent necessary to handle the specific request, protect rights, and fulfil legal obligations.

5.4. Users are advised not to send special categories of personal data to Serenity through general contact channels except where necessary.

6. How We Collect Personal Data

We collect personal data:

  • directly from users and specialists when they open an account, fill in their profile, book an appointment, send an inquiry, or use the Platform,
  • automatically through the technical operation of the Platform and security logs,
  • from payment service providers and other contractual partners to the extent necessary to confirm the transaction, settle accounts, prevent fraud, and fulfil legal obligations,
  • from publicly available or trustworthy sources where it is necessary to verify the specialist's identity, qualifications, or credentials.

7. Purposes of Processing and Legal Bases

7.1. Opening and managing the user account

Purpose: creating the user account, authentication, basic account administration, and enabling use of the Platform. Legal basis: performance of a contract or taking steps at the request of the data subject prior to entering into a contract.

7.2. Booking and administration of appointments

Purpose: enabling search of available appointments, booking, confirmation, rescheduling, and cancellation of appointments and related administration. Legal basis: performance of a contract.

7.3. Payment organisation, invoicing, and accounting records

Purpose: processing payments, transaction confirmation, fiscal and accounting records, issuing invoices, and resolving chargebacks or other payment disputes. Legal basis: performance of a contract and compliance with legal obligations.

7.4. Customer support and complaint handling

Purpose: responding to inquiries, technical assistance, handling complaints, disputes, and user requests. Legal basis: performance of a contract, legitimate interest in managing the relationship with users, and where applicable, compliance with legal obligations.

7.5. Platform security, prevention of abuse, and proof of transactions

Purpose: protecting systems, detecting and preventing fraud, abuse, unauthorised access, and other security incidents. Legal basis: Serenity's legitimate interest in the security of systems and operations, and where necessary, compliance with legal obligations.

7.6. Verification and publication of specialist profiles

Purpose: verifying specialists' credentials, conducting the approval process, and publishing professional profiles on the Platform. Legal basis: taking steps at the request of the data subject prior to entering into a contract, performance of a contract, and Serenity's legitimate interest in maintaining trust and quality of the Platform.

7.7. Compliance with applicable regulations and establishment or defence of legal claims

Purpose: keeping records, fulfilling regulatory, tax, accounting, and other statutory obligations, and establishing, defending, or asserting legal claims. Legal basis: compliance with legal obligations and Serenity's legitimate interest.

7.8. Newsletter and promotional messages

If Serenity introduces a newsletter or similar promotional messages, personal data for that purpose will be processed on the legal basis applicable in the specific case, in particular on the basis of consent where required. If a user receives marketing messages on the basis of consent, they may withdraw consent at any time.

7.9. Cookies and similar technologies

For necessary cookies, the legal basis is legitimate interest or technical necessity for operation of the Platform. For analytics, marketing, or other non-essential cookies, the legal basis is consent where required by applicable rules.

8. Recipients and Categories of Recipients of Personal Data

We may share personal data with recipients only where necessary and on a valid legal basis, including:

  • providers of hosting and infrastructure services,
  • providers of payment services and technical payment processors,
  • providers of email and communication services,
  • providers of video calling services where their technology is used to hold appointments,
  • accounting, legal, audit, and similar professional advisors,
  • competent authorities where required by law,
  • specialists, to the extent necessary for booking and execution of appointments.

Currently relevant service providers include in particular:

  • Hostinger as a hosting/infrastructure service provider,
  • Stripe as a payment service provider,
  • Google Workspace as an email and business communication tool provider,
  • Google Meet as a video call technology provider.

When it comes to booking appointments, only the client's first and last name are generally disclosed to the specialist; the email address is not shared unless necessary for the operation of the service or unless the user independently decides otherwise.

9. International Transfers of Personal Data

9.1. Serenity strives to use service providers and organisational settings that allow data processing within the European Economic Area where reasonably possible.

9.2. Some service providers Serenity uses may be part of international company groups or may, to a limited extent, allow access to data outside the EEA. In such cases, Serenity will ensure an appropriate legal basis for the transfer, for example an adequacy decision, standard contractual clauses, or another appropriate mechanism under applicable regulations.

9.3. Additional information on appropriate safeguards may be requested via info@serenity.hr.

10. How Long We Keep Personal Data

10.1. We keep personal data only for as long as necessary for the purpose for which it was collected, except where longer retention is required due to a legal obligation or for the establishment, exercise, or defence of legal claims.

10.2. Indicatively, we retain data as follows:

  • user account data while the account is active and for a reasonable period after closure of the account for handling requests, security, and proof,
  • data on bookings and transactions during the term of the contractual relationship and thereafter for as long as necessary for accounting, tax, and legal obligations,
  • invoices and related accounting documentation within periods prescribed by accounting and tax regulations,
  • logs and security records for a period proportionate to the purpose of security and prevention of abuse,
  • specialist credential documentation for the duration of the cooperation and a reasonable time thereafter for proof of lawfulness and Platform security.

10.3. When a particular category of data is no longer needed, we delete the data, anonymise it, or securely restrict processing, unless further retention is required by law.

11. Data Subject Rights

The data subject, under the conditions provided by applicable regulations, has the right to:

  • request access to their personal data,
  • request correction of inaccurate or completion of incomplete data,
  • request erasure of data,
  • request restriction of processing,
  • object to processing based on legitimate interest,
  • request data portability where applicable,
  • withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal,
  • lodge a complaint with the supervisory authority.

To exercise their rights, the data subject can contact info@serenity.hr.

12. Right to Lodge a Complaint with the Supervisory Authority

If the data subject believes that their personal data is being processed contrary to applicable regulations, they have the right to lodge a complaint with the competent supervisory authority. In the Republic of Croatia, this is the Croatian Personal Data Protection Agency (AZOP).

13. Personal Data Security

Serenity applies appropriate technical and organisational measures to protect personal data from unauthorised access, loss, destruction, abuse, or unauthorised modification, taking into account the nature of the data, the risks of processing, and available technology.

Such measures may include access rights management, authentication, security logs, contractual confidentiality obligations, vendor verification, security procedures, and other appropriate measures.

14. Automated Decision-Making and Profiling

As a rule, Serenity does not make decisions that produce legal effects or similarly significantly affect the user solely on the basis of automated processing of personal data.

The Platform may use limited automated elements to display and rank specialists based on parameters listed in the Terms and Conditions, but such ranking is not a decision based solely on automated processing within the meaning of Article 22 GDPR.

15. Cookies and Similar Technologies

More detailed information on cookies, their types, duration, and how to manage consent should be available in a separate cookie policy or within a cookie banner / cookie preference centre, where applicable.

16. Changes to This Privacy Policy

Serenity may from time to time amend or supplement this Privacy Policy in order to comply with the law, changes in Platform functionalities, providers, or internal processing processes.

The updated version will be published on the Platform with the date of entry into force.

17. Contact

For questions about this Privacy Policy or to exercise rights related to personal data, you may contact:

  • Serenity d.o.o.
  • info@serenity.hr

18. Date of Application

This Privacy Policy applies from the date of its publication on the Platform, unless a different date of application is stated upon publication.