SportHoliday d.o.o. Last updated: April 2026
SportHoliday d.o.o. ("SportHoliday", "we", "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, how long we keep it, and your rights under the EU General Data Protection Regulation (GDPR) and Slovenian data protection law.
For questions about this Policy or to exercise your rights, contact privacy@sportholiday.com.
1. Who We Are (Data Controller)
SportHoliday d.o.o. Mala Loka 17, 1230 Domžale, Slovenia
Registration No.: 7399383000 | VAT ID: SI38890500
Email: hello@sportholiday.com | Privacy: privacy@sportholiday.com
Website: sportholiday.com
SportHoliday d.o.o. is the data controller for personal data processed in connection with our website and services, within the meaning of Article 4(7) GDPR. We have not appointed a Data Protection Officer as we are not required to do so under Article 37 GDPR, but privacy@sportholiday.com is monitored and our response time for privacy requests is 30 days or less.
2. What Data We Collect
2.1 Data you provide directly
When you make a booking enquiry or reservation:
- Full name (as shown on your passport, required for hotel registration and race registration)
- Email address
- Phone number
- Date of birth and nationality (required by most European hotels and race organisers)
- Home address (for invoice and insurance purposes)
- Any dietary preferences (non-medical) you voluntarily share
- Emergency contact name and phone number
- Any additional message or information you include in your enquiry
- Name and email address
- Preferences you express about sports, destinations, or event types
- Content of your emails and messages, including any personal data they contain
- Payment card details. Payments are processed by Stripe (for deposits via Payment Links) and by bank transfer to our Revolut Business account (for balance invoices). We never see or store your card number, CVV, or expiry date.
- Health or medical data. Our booking forms do not collect medical conditions, chronic illness details, blood type, disability information, or similar. Where a specific race organiser or tour requires health information (for example, a race-day medical declaration), we collect this outside our website via a Google Forms questionnaire sent to you after booking is confirmed, and handle it under Article 9(2)(a) GDPR explicit consent.
- Special categories of data as defined in Article 9 GDPR (race, ethnicity, religion, political opinion, sexual orientation, genetic, biometric data).
When you visit the Website, we and our sub-processors collect:
- IP address, browser type and version, device type, operating system, screen resolution
- Referring URL, pages visited, time spent on pages, clicks
- Date and time of the visit
- Cookies and similar technologies (see Section 7 and the separate Cookie Policy)
Purpose | Categories of data | Legal basis (GDPR) |
Respond to your enquiry; process and fulfil your booking | Identity, contact, booking details | Article 6(1)(b) — performance of a contract |
Send booking confirmations, payment reminders, pre-departure information | Identity, contact, booking details | Article 6(1)(b) — performance of a contract |
Share data with hotels, race organisers, local suppliers to deliver your trip | Identity, contact, booking details, dietary prefs | Article 6(1)(b) — performance of a contract |
Send marketing newsletters about future tours | Contact, preferences | Article 6(1)(a) — consent (opt-in) |
Use your photograph or video in marketing materials | Image, likeness | Article 6(1)(a) — consent (separate opt-in at booking) |
Operate and secure the Website; detect fraud and abuse | Technical, IP, browsing data | Article 6(1)(f) — legitimate interest |
Analytics: understand how visitors use the Website to improve it | Browsing data | Article 6(1)(a) — consent via cookie banner |
Advertising and remarketing on Google and Meta platforms | Browsing data, hashed email in some campaigns | Article 6(1)(a) — consent via cookie banner |
Internal event documentation (photo / video at tours for safety, insurance, training) | Image, likeness | Article 6(1)(f) — legitimate interest |
Comply with accounting, tax, and travel-operator record obligations | Booking and financial records | Article 6(1)(c) — legal obligation (ZGD-1, ZSRT-1) |
Defend legal claims, respond to regulatory requests | All relevant data | Article 6(1)(f) — legitimate interest / Article 6(1)(c) |
4. Who We Share Your Data With
We do not sell or rent your personal data. We share it only as necessary to deliver our services, operate our business, and comply with law. The following third parties act either as our data processors (processing on our instructions under a data processing agreement) or as separate / joint controllers (processing on their own account for their own purposes).
Processor | Role | Location | Safeguard |
Tilda Platform Cloud Services Co. LLC (controller: Tilda Publishing Ltd., Dublin, Ireland — EU representative) | Website hosting, content management, and CRM storage of enquiry and booking form submissions | UAE (data centres via Hetzner GmbH in Germany and G-Core Labs S.A. in Luxembourg; Google Cloud EMEA Ltd. in Ireland; customer support by Tilda Publishing Kaz LLC in Kazakhstan) | Data Processing Agreement (tilda.cc/dpa) + Standard Contractual Clauses for EU→UAE transfer (tilda.cc/files/scc.pdf) |
Google Ireland Limited (Google Workspace) | Corporate email (hello@/privacy@sportholiday.com), Drive, Sheets used as internal CRM; Google Forms used to collect participant details (passport data, emergency contact, health notes) after booking confirmation | Ireland (EU), with US transfers to Google LLC | DPA (admin.google.com → Legal → DPA) + EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses |
Cybot A/S / Usercentrics GmbH (Cookiebot) | Cookie consent management platform; stores and audits consent records | Denmark / Germany (EU) | GDPR-compliant, EU location; DPA via Cookiebot account dashboard |
Stripe Technology Europe Limited | Deposit payment processing via Stripe Payment Links | Ireland (EU), with US transfers to Stripe, Inc. for fraud and risk processing | DPA (stripe.com/legal/dpa) + EU-US Data Privacy Framework (DPF) + Standard Contractual Clauses; PCI-DSS certified |
Revolut Bank UAB | Receiving balance payments by bank transfer | Lithuania (EU) | EU-licensed bank (Bank of Lithuania); GDPR-compliant |
These parties need your data to perform their part of your trip. They process on their own legal basis under their own privacy terms. We share only the minimum necessary.
Party | Data shared | Purpose |
Race organisers (Run 4 Wales / Cardiff Half; RunCzech / SuperHalfs; SCC Events / Berlin Half; Maratona dles Dolomites; Marcialonga; others) | Name, email, date of birth, nationality, estimated finish time, T-shirt size | Race entry registration (often via Let's Do This platform) |
Let's Do This (LDT) | Name, email (for the partner invitation link) | Hosting the race registration flow on behalf of the organiser |
Hotels and accommodation providers | Name, contact, dates, dietary preferences, room preferences | Booking your stay |
Local transport and tour service providers | Name, group manifest, contact of group leader | Delivering transfers and local services |
Eco Inn d.o.o. (our accounting firm) | Invoicing and financial records | Accounting and tax compliance |
GENERALI zavarovalnica d.d. (insolvency guarantor) | Booking and payment records, as needed | Providing the mandatory insolvency protection under Article 17 Directive 2015/2302 |
Public authorities (courts, tax authority FURS, market inspectorate, data protection authority IP RS) | As required by law | Legal compliance |
Party | Data shared | Purpose |
Google Ireland Limited (Google Analytics 4, Google Tag Manager, Google Ads) | Browsing behaviour, device info, IP (anonymised where possible), conversion events | Website analytics and remarketing. US transfers covered by DPF + SCC |
Meta Platforms Ireland Limited (Meta Pixel) | Browsing behaviour, conversion events, hashed email in Advantage+ / Custom Audiences flows | Remarketing and lookalike audiences on Facebook and Instagram. US transfers covered by DPF + SCC |
5. International Transfers
Some of our processors transfer personal data outside the European Economic Area (EEA):
- Tilda Platform Cloud Services Co. LLC is established in the United Arab Emirates. Storage sub-processors used for our website are located in the EU (Hetzner, G-Core Labs, Google Cloud EMEA). Technical support and data-subject requests may additionally be handled by Tilda Publishing Kaz LLC (Kazakhstan). Transfers to UAE and Kazakhstan are protected by Standard Contractual Clauses (SCC) adopted by the European Commission — see tilda.cc/files/scc.pdf, referenced in Tilda's DPA at tilda.cc/dpa.
- Stripe, Inc., Google LLC, and Meta Platforms, Inc. process data in the United States. These companies are self-certified under the EU-US Data Privacy Framework (DPF), and additional safeguards are in place through Standard Contractual Clauses (SCC).
Category | Retention period |
Booking and financial records | 7 years after the tour end date (required by Slovenian accounting law, ZGD-1) |
Enquiries that do not result in a booking | 12 months from the last interaction, then deleted |
Newsletter subscription data | Until you unsubscribe, plus 30 days to process removal |
Photographs and video with marketing consent | Until you withdraw consent or 5 years after the tour, whichever is earlier. After withdrawal we remove future use and make reasonable efforts to remove existing public use within 30 days |
Website analytics (Google Analytics 4) | 14 months (default GA4 retention setting) |
Cookie consent records (Cookiebot) | 12 months (standard audit trail) |
Email correspondence for customer support | 3 years from the last message |
Records retained for legal defence | For the duration of the applicable statute of limitations (typically 5 years under Slovenian general obligations law) |
7. Cookies and Similar Technologies
We use cookies and similar technologies on the Website. Details on what cookies are used, their purposes, duration, and how to manage them are set out in our Cookie Policy. You can change or withdraw your cookie consent at any time by clicking the "Cookie preferences" link in the Website footer, which opens the Cookiebot consent manager.
8. Your Rights Under GDPR
You have the following rights in relation to your personal data:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — ask us to correct inaccurate or incomplete data
- Erasure / "right to be forgotten" (Art. 17) — ask us to delete your data, subject to legal retention obligations (e.g., accounting records)
- Restriction of processing (Art. 18) — ask us to limit how we use your data, for example while a rectification request is being investigated
- Data portability (Art. 20) — receive the data you provided to us in a structured, commonly used, machine-readable format, or have it transferred to another controller where technically feasible
- Object (Art. 21) — object to processing based on legitimate interest (we will assess and respond); object to direct marketing at any time (we will stop immediately)
- Withdraw consent (Art. 7(3)) — at any time for processing based on consent, without affecting lawfulness of prior processing
- Automated decision-making and profiling (Art. 22) — we do not make decisions about you based solely on automated processing
9. Complaints
If you believe we have not handled your data correctly, we would like to hear from you at privacy@sportholiday.com so we can address it. You also have the right to lodge a complaint with the Slovenian supervisory authority:
Informacijski pooblaščenec (Information Commissioner of the Republic of Slovenia) Dunajska cesta 22, 1000 Ljubljana, Slovenia Web: www.ip-rs.si Email: gp.ip@ip-rs.si
EU residents may also lodge a complaint with the supervisory authority in their country of residence.
10. Security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, or destruction. These include:
- TLS / HTTPS encryption on all Website pages and forms
- Access controls on our CRM and administrative systems (role-based, two-factor authentication on Google Workspace)
- Data processing agreements with all sub-processors imposing equivalent security standards
- Regular backups and tested recovery procedures (handled by our hosting sub-processors)
- Awareness of data protection obligations among staff handling personal data
11. Children
Our services are designed for adults (18 years and older). We do not knowingly collect personal data from children under 16 without verifiable parental consent. If a traveller under 18 is participating in a tour, the booking is made by a parent or legal guardian who provides the minor's data on the basis of Article 6(1)(b) and, where applicable, Article 8 GDPR. If you believe we have collected data from a minor without appropriate consent, please contact privacy@sportholiday.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The current version is always available at sportholiday.com/legal/privacy with the "Last updated" date at the top. If we make material changes, we will notify you by email where we hold your contact details and, where legally required, seek renewed consent.
13. Contact
SportHoliday d.o.o.
Privacy queries and requests: privacy@sportholiday.com
General: hello@sportholiday.com
Address: Mala Loka 17, 1230 Domžale, Slovenia VAT ID: SI38890500