Serenity Privacy Policy
Last updated: 22.05.2026.
1. Introduction
This Privacy Policy explains how Serenity d.o.o. processes personal data when a visitor browses the Serenity Platform, when a user opens a user account, books an appointment, uses the Platform's functionalities, communicates with Serenity, or when a specialist uses the Platform to publish a profile and provide their services.
Serenity d.o.o. devotes particular attention to privacy and the processing of personal data in accordance with Regulation (EU) 2016/679 (GDPR), the Act on Implementation of the General Data Protection Regulation, and other applicable regulations of the Republic of Croatia and the European Union.
This Privacy Policy applies to the Serenity Platform and related services, except where a separate privacy notice has been published for a specific service, partnership, or processing.
2. Who is the Controller
The controller for the processing described in this Policy, unless expressly stated otherwise, is:
- Serenity d.o.o.
- Kliški put 11, 21210 Solin, Republic of Croatia
- OIB: 51521935414
- General contact: info@serenity.hr
- Personal data protection contact: privacy@serenity.hr
At the time of publication of this Policy, Serenity d.o.o. has not appointed a Data Protection Officer (DPO) within the meaning of Article 37 GDPR. For matters relating to personal data protection and the exercise of data-subject rights, a designated contact person for data protection is available at privacy@serenity.hr.
3. Important Note on the Roles of Serenity and Specialists
Serenity and specialists do not necessarily process the same data for the same purposes.
Serenity is, as a rule, a separate controller for data that it processes for the purpose of:
- managing the Platform and user accounts;
- appointment booking and administration;
- organisation and records of billing;
- customer support;
- security, abuse prevention, and evidencing transactions;
- publication and management of specialist profiles;
- compliance with legal obligations.
The specialist is, as a rule, a separate controller for personal data they process in the course of their professional relationship with the client, including the content of the session itself, professional assessments, diagnoses where they establish or process them within their activity, notes they keep themselves, therapeutic or other professional documentation, communication outside the system to which Serenity has no access, and other data the specialist processes for the purpose of providing their own service and fulfilling their professional or legal obligations.
Serenity has no access to the content of sessions, messages between client and specialist, or documents they exchange with one another outside the Platform's administrative functionalities, and does not record sessions.
If a particular processing flow is in the future found to involve joint determination of purposes and means by Serenity and the specialist, their responsibilities will be governed by a separate contractual arrangement, and material information about such a relationship will be made available to users in an appropriate manner.
4. Categories of Personal Data We Process
4.1. User/Client Data
Depending on the functionality used, Serenity may process the following categories of data:
- first and last name;
- email address;
- mobile phone number where required for identification, booking, vouchers, or security verification;
- data related to the user account;
- data on bookings, appointments, and appointment status;
- payment and transaction data to the extent necessary for billing and invoicing;
- technical and log data such as IP address, access time, device identifiers, log records, and data necessary for Platform security and operation;
- the content of inquiries sent to customer support.
4.2. Specialist Data
For the purposes of application, validation, and publication of specialist profiles, Serenity may process:
- first and last name;
- profile photograph;
- biography and description of professional experience;
- data on education, certificates, diplomas, and other professional credentials;
- contact and administrative data required for contracting cooperation and using the Platform;
- data on availability, appointment prices, and the specialist's profile;
- data on completed bookings and related administrative records.
4.3. Reviews and Ratings
If the Platform enables reviews and ratings, Serenity processes data related to a review in anonymised or pseudonymised form to the extent technically feasible and reasonably necessary for the functioning of the review system.
5. Special Categories of Personal Data (Article 9 GDPR)
Serenity does not, as a rule, seek or require users to provide Serenity with special categories of personal data, including data on health, political opinions, religious beliefs, racial or ethnic origin, sexual life, or sexual orientation.
Serenity itself does not process the content of sessions, professional assessments, diagnoses, specialists' notes, or therapeutic documentation as part of the Platform's ordinary business model.
However, the user may, on their own initiative, provide data that may constitute special categories of personal data, for example in free text when booking, in a message to customer support, in a complaint, request, or incident report. In such cases, Serenity will process such data only to the minimum extent necessary to handle the specific request, carry out the booking, protect rights, ensure Platform security, or fulfil legal obligations.
Users are advised not to provide diagnoses, details of their health condition, session content, or other sensitive data in communications with Serenity unless necessary for a specific purpose of communication.
For session content, diagnoses, therapeutic documentation, professional notes, and the professional relationship with the client, the specialist is a separate controller and is independently responsible for the processing of such data in accordance with applicable regulations and the rules of their profession.
6. How We Collect Personal Data
- directly from users and specialists when they open an account, complete a profile, book an appointment, send an inquiry, or use the Platform;
- automatically through the technical operation of the Platform and security logs;
- from payment service providers and other contractual partners to the extent necessary for transaction confirmation, settlement, fraud prevention, and fulfilment of legal obligations;
- from publicly available or trustworthy sources where it is necessary to verify the identity, qualifications, or credentials of a specialist;
- from B2B or B2G partners solely to the extent necessary to implement the agreed model, for example to issue or validate vouchers, whereby the identity of the end user is not shared with the customer unless there is a clear legal basis and the user has been informed in advance.
7. Models of Use: B2C, B2B, and B2G
7.1. B2C Users
Under B2C use, the user independently opens an account, books an appointment, pays for the service where applicable, and manages their relationship with the Platform. Serenity processes data to perform the contract with the user, administer the booking and payment, ensure security, and fulfil legal obligations.
7.2. B2B Model - Employee Benefits
Under the B2B model, an employer or other organisation may provide its employees with access to Serenity services as a benefit or wellbeing programme. Serenity does not disclose to the employer the identity of the employee using the Platform, the content of sessions, the reason for using the service, the specialist the employee chose, diagnoses, notes, or other individual data.
The employer may receive only aggregated and anonymised reports, for example the total number of appointments used or general usage indicators, if this has been agreed and if such reports do not enable identification of an individual. If the number of users or the sample is too small, Serenity may restrict or withhold reporting to prevent re-identification.
The legal basis for processing user data under the B2B model depends on the specific data flow. As a rule, Serenity processes end-user data to perform the relationship with the user, ensure Platform security, and fulfil legal obligations, while special categories of data are processed only if the user provides them themselves and where there is an appropriate legal basis under GDPR.
7.3. B2G Model - Vouchers and Programmes for Citizens
Under the B2G model, a city, public authority, or other customer may purchase a package of services or vouchers for citizens. Serenity takes care that the identity of a user who redeems a voucher is not shared with the customer, unless such sharing has been expressly agreed, is necessary, is lawful, and has been transparently explained to the user before use of the service.
As of the date this Policy enters into force, the B2G model is not operationally active on the Platform. The first B2G programme is planned with the City of Supetar; users will be informed in advance about the activation of any specific B2G programme through an appropriate amendment to this Policy or a separate privacy notice for that programme.
Under the voucher model, the mobile phone number may be used as an identifier to prevent abuse, for example a rule of one voucher per mobile phone number. Such processing is carried out to the minimum extent necessary for voucher validation, prevention of multiple use, and programme administration.
The customer of a B2G programme is, as a rule, provided only with aggregated and anonymised data on programme usage, for example the total number of vouchers redeemed, the total number of appointments, or general usage indicators, without user identities and without session content.
8. Purposes and Legal Bases of Processing
8.1. Opening and Managing the User Account
Purpose: creating the user account, authentication, basic account administration, and enabling use of the Platform. Legal basis: performance of a contract, or taking steps at the request of the data subject prior to entering into a contract.
8.2. Appointment Booking and Administration
Purpose: enabling search of available appointments, booking, confirmation, rescheduling, cancellation, and related administration. Legal basis: performance of a contract. If the user provides special categories of data themselves, such data are processed only to the minimum extent necessary for the specific purpose and on an applicable legal basis under GDPR.
8.3. Payment Organisation, Invoicing, and Accounting Records
Purpose: carrying out billing, transaction confirmation, fiscal and accounting records, issuing invoices, and resolving chargebacks or other payment disputes. Legal basis: performance of a contract and compliance with legal obligations.
8.4. Customer Support and Handling of Complaints
Purpose: responding to inquiries, technical assistance, handling of complaints, disputes, and user requests. Legal basis: performance of a contract, legitimate interest in managing the relationship with users, and, where applicable, compliance with legal obligations.
8.5. Platform Security, Abuse Prevention, and Evidencing Transactions
Purpose: system protection, detection and prevention of fraud, abuse, unauthorised access, and other security incidents. Legal basis: Serenity's legitimate interest in the security of its systems and operations, and, where necessary, compliance with legal obligations.
8.6. Verification and Publication of Specialist Profiles
Purpose: verifying specialist credentials, conducting the approval process, and publishing professional profiles on the Platform. Legal basis: taking steps at the request of the data subject prior to entering into a contract, performance of a contract, and Serenity's legitimate interest in maintaining the trust and quality of the Platform.
8.7. B2B and B2G Administration
Purpose: implementation of contracts with employers, cities, public authorities, or other customers, validation of the right to use the service, voucher administration, monitoring of package utilisation, and preparation of aggregated reports. Legal basis: performance of a contract, legitimate interest in programme implementation and security, and compliance with legal obligations; with regard to end users, the legal basis depends on the specific processing flow and the information provided by the user.
8.8. Compliance with Applicable Regulations and Establishment or Defence of Legal Claims
Purpose: keeping records, fulfilling regulatory, tax, accounting, and other legal obligations, and establishing, defending, or asserting legal claims. Legal basis: compliance with legal obligations and Serenity's legitimate interest.
8.9. Newsletter and Promotional Messages
If Serenity introduces a newsletter or similar promotional messages, personal data for that purpose will be processed on the legal basis applicable in the specific case, in particular on the basis of consent where required. If the user receives marketing messages on the basis of consent, the consent may be withdrawn at any time.
8.10. Cookies and Similar Technologies
For necessary cookies, the legal basis is legitimate interest, that is, the technical necessity of operating the Platform. For analytical, marketing, or other non-essential cookies, the legal basis is consent where required under applicable rules.
9. Minors
The Platform is not intended for independent use by minors without the involvement of a parent or legal guardian.
Services for minors may be used only through a parental or guardian account, or with the appropriate involvement and consent of a parent or legal guardian, where such use is enabled on the Platform and in accordance with the terms of the specific service.
Serenity may request additional information or confirmations where necessary to verify that the parent or legal guardian is authorised to act on behalf of the minor.
10. Recipients and Categories of Recipients of Personal Data
We may share personal data with recipients only where this is necessary and on a valid legal basis, including:
- providers of hosting and infrastructure services;
- payment service providers and technical payment processors;
- providers of email and communication services;
- providers of video-call services where their technology is used to hold appointments;
- accounting, legal, audit, and similar professional advisers;
- competent authorities where we are required by law;
- specialists, to the extent necessary for booking and execution of appointments.
An up-to-date list of processors and relevant service providers is maintained in the Processor Register document. This list includes at least the provider's name, the purpose of processing, categories of data, location of processing, status of the data processing agreement, and information on any transfers outside the EEA.
Currently relevant service providers include, in particular, Hostinger as the provider of hosting and infrastructure services, Stripe as the payment services provider, Google Workspace as the provider of email and business communication tools, Google Meet as the provider of video-call technology where used to hold appointments, Tawk.to as the provider of chat functionality for customer support, Twilio as the provider of SMS and telephony services, eRačuni as the provider of e-invoicing and fiscalisation services, and the contracted accounting service for accounting processing.
With regard to appointment booking, the specialist is, as a rule, disclosed only the data necessary for identifying the client and executing the appointment, for example first and last name or another necessary identifier, while the email address is not shared unless necessary for the functioning of the service or unless the user independently decides otherwise.
11. International Transfers of Personal Data
Serenity strives to use service providers and organisational settings that enable data processing within the European Economic Area where reasonably possible.
Certain service providers Serenity uses may be part of international groups of companies or may, to a limited extent, enable access to data outside the EEA. In such cases, Serenity will ensure an appropriate legal basis for the transfer, for example an adequacy decision, standard contractual clauses, or another appropriate mechanism under applicable regulations.
Further information on appropriate safeguards may be requested via privacy@serenity.hr.
12. How Long We Retain Personal Data
We retain personal data only for as long as necessary for the purpose for which they were collected, except where longer retention is required by a legal obligation or for the establishment, exercise, or defence of legal claims. Detailed retention periods for each category of data are set out in a separate internal Serenity d.o.o. Personal Data Retention Schedule, which forms an integral part of the personal data protection system and is updated as needed. On request via privacy@serenity.hr, the data subject may obtain information on the retention period for a specific category of their data.
Broadly, we retain data as follows:
- user account data while the account is active and for a reasonable period after the account is closed, for the purpose of handling requests, security, and evidencing;
- data on bookings and transactions for the duration of the contractual relationship and thereafter for as long as necessary for accounting, tax, and legal obligations;
- invoices and related accounting documentation within the periods prescribed by accounting and tax regulations;
- logs and security records for a period proportionate to the purpose of security and abuse prevention;
- specialist credentials documentation for the duration of the cooperation and a reasonable time after the cooperation ends, for the purpose of evidencing lawfulness and Platform security;
- voucher data for the scope and duration necessary for voucher validation, abuse prevention, programme administration, and evidencing performance to the customer, after which they are deleted or anonymised when no longer needed.
When a category of data is no longer needed, we delete, anonymise, or securely restrict processing of the data, unless further retention is required by law.
13. Rights of the Data Subject
Under the conditions provided for in applicable regulations, the data subject has the right to:
- request access to their personal data;
- request rectification of inaccurate data or completion of incomplete data;
- request erasure of data;
- request restriction of processing;
- object to processing based on legitimate interest;
- request data portability where applicable;
- withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing before withdrawal;
- lodge a complaint with the supervisory authority.
To exercise their rights, the data subject may contact privacy@serenity.hr. Serenity will respond to the request without undue delay, and at the latest within 30 days of receipt of a duly submitted request. If the request is complex or there is a large number of requests, the deadline may be extended in accordance with the GDPR, in which case the data subject will be informed.
To protect personal data, Serenity may request additional information necessary to confirm the identity of the requester, but only to the extent proportionate to the nature of the request and the risk of processing.
14. Right to Lodge a Complaint with the Supervisory Authority
If the data subject considers that their personal data are being processed contrary to applicable regulations, they have the right to lodge a complaint with the competent supervisory authority. In the Republic of Croatia, this is the Personal Data Protection Agency (AZOP).
15. Security of Personal Data
Serenity applies appropriate technical and organisational measures to protect personal data from unauthorised access, loss, destruction, abuse, or unauthorised alteration, taking into account the nature of the data, the risks of processing, and available technology.
Such measures may include management of access rights, authentication, security logs, role-based access restrictions, masking of certain identifiers where applicable, contractual confidentiality obligations, supplier verification, security procedures, and other appropriate measures.
16. Automated Decision-Making and Profiling
Serenity does not, as a rule, make decisions that produce legal effects concerning the user or similarly significantly affect the user based solely on automated processing of personal data.
The Platform may use limited automated elements to display and rank specialists on the basis of parameters set out in the Terms and Conditions, but such ranking is not a decision based solely on automated processing within the meaning of Article 22 GDPR.
17. Cookies and Similar Technologies
The Platform may use cookies and similar technologies for technical functioning, security, remembering user preferences, analytics, or other purposes, depending on the Platform's configuration.
Necessary cookies are used for the technical operation of the Platform. Analytical, marketing, or other non-essential cookies are used only where there is an appropriate legal basis, for example user consent where required.
On the user's first visit to the Platform, a cookie banner is displayed through which they may give, refuse, or adjust consent for setting non-essential cookies. The user may change their settings at any time through the cookie preference centre available on the Platform. More detailed information on cookies, their types, duration, and the manner of managing consent is available in a separate Cookie Policy, if published.
18. Serenity is Not an Emergency Service
Serenity is not an emergency medical service, crisis intervention service, or a substitute for emergency psychiatric, medical, or other crisis assistance.
If the user is in immediate danger, has suicidal thoughts, is at risk of self-harm or harming others, or needs urgent assistance, they should immediately contact the relevant emergency services or crisis lines, including 112, 194, 116 123, Hrabri telefon, Plavi telefon, or other locally available helplines.
Serenity may publish additional information and links to relevant emergency and crisis contacts on the Platform. Such information serves as general assistance to users and does not constitute medical advice.
19. Changes to this Privacy Policy
Serenity may from time to time amend or supplement this Privacy Policy in order to comply with the law or to reflect changes to the Platform's functionalities, suppliers, or internal processing procedures.
The updated version will be published on the Platform with an indication of the date of application. If the changes are material, Serenity may also notify users by additional appropriate means, for example by email or notice within the Platform.
20. Contact
For questions about this Privacy Policy or to exercise rights relating to personal data, you may contact:
- Serenity d.o.o.
- Kliški put 11, 21210 Solin, Republic of Croatia
- OIB: 51521935414
- General contact: info@serenity.hr
- Personal data protection contact: privacy@serenity.hr
Serenity d.o.o. has not appointed a Data Protection Officer (DPO) but has designated a contact person for personal data protection available via the address above.
21. Date of Application
This Privacy Policy v2.0 applies from the day of its publication on the Platform.