Privacy Policy

Last updated: 26.05.2026.

Book A Service (hereinafter: "BAS") respects your privacy. This document describes the information we collect, how we use it, and when and with whom we share it. This Privacy Policy (hereinafter: "Policy") applies to the website/product, mobile applications, and other online services (hereinafter: "Platform") made available by BAS. The Policy applies only to information collected on or through the Platform. It does not apply to information collected or obtained in any other way (including, without limitation, information collected offline, in person, by phone and/or mail, or from third parties outside the Platform). Undefined terms used in this Policy are defined in our Terms of Service.

Please read this Privacy Policy carefully before registering and starting to use the Platform. By registering and accessing or using the Platform, you agree to this Privacy Policy and confirm that you have read and understood the terms under which we process your personal data and that you accept this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use the Platform.

1. PROCESSING OF PERSONAL DATA (General Data Protection Regulation)

BAS declares that certain legal provisions governing data protection apply to it, including, without limitation:

Personal Data Protection Act of the Republic of Serbia

("Official Gazette of RS", No. 87/2018 — hereinafter: Personal Data Protection Act). Personal data is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, in particular on the basis of an identity marker such as a name and identification number, location data, identifiers in electronic communications networks, or one or more characteristics of his physical, physiological, genetic, mental, economic, cultural, or social identity.

European Union legislation

based on Article 16 of the Treaty on the Functioning of the European Union and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, namely:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR");
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;
  • Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (to a limited extent);
  • Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, including, without limitation, electronic commerce, in the Internal Market (to a limited extent).

Council of Europe legislation

  • Council of Europe Convention No. 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Legal basis for processing. We process your personal data on the basis of one or more of the following legal bases: your consent, performance of a contract to which you are a party, compliance with our legal obligations, or the legitimate interests of BAS or a third party. A detailed overview of processing purposes and corresponding legal bases is provided in Section 5 of this Policy.

Automated decision-making. We do not carry out automated decision-making that produces legal effects or significantly affects you within the meaning of Article 22 of the GDPR, nor do we engage in profiling for such purposes.

Controller (data controller):

GOLUB IMV

Registration number: 54882963

Tax ID (PIB): 103525264

Address: Solunskih boraca 5a

Contact e-mail: support@bookaservice.rs

Data Protection Officer (DPO): Not appointed, as BAS is not required to appoint a DPO under Article 37 of the GDPR or the corresponding provisions of the Personal Data Protection Act of the Republic of Serbia.

Transfer of personal data to a third country or international organization. If BAS transfers your personal data to countries outside the European Union, compliance with Article 44 et seq. of the GDPR is always ensured and we require data processors to fulfill all obligations arising from these provisions. We will only transfer data to countries outside the European Union that are able to ensure the level of protection required by the GDPR. This level of protection is ensured, in particular, by an adequacy decision issued by the European Commission or by standard data protection clauses in accordance with Article 46(2)(c) of the GDPR.

BAS will not transfer personal data to third countries or international organizations, except to the following processors (from the activation date):

  1. Monri Payments d.o.o. Belgrade, Serbia — payment processing provider. Privacy policy: https://www.wspay.rs/cd/305/politika-privatnosti Activation date: 01.09.2026.
  2. Stripe Payments Company, USA — payment processing provider. Privacy policy: https://stripe.com/privacy Activation date: 01.09.2026.

Until the stated activation dates, BAS does not transfer any personal data to these processors.

2. RIGHTS OF THE DATA SUBJECT

You have the right to access, correct, or delete your personal data by logging in to the Platform and going to the "Profile" and "Settings" pages. You can update your Profile information at any time through your Account settings. We may retain information from closed Accounts in order to comply with the law, prevent fraud, resolve disputes and issues, assist with user investigations, enforce our Terms of Service, and/or for any other purposes otherwise permitted by law and that we deem necessary in our sole discretion. Once you have exchanged content through a reservation on the Platform, you will not be able to change or remove it. To request data deletion, please contact us. When we deactivate or close your Account, you agree that BAS has no obligation to you to retain information related to your Account.

As a data subject whose personal data we process, you have certain rights regarding such processing, under the conditions and in the cases provided for by the Personal Data Protection Act and the GDPR:

  • Right to be informed about the processing of your personal data (Art. 13 and 14 GDPR);
  • Right of access to your personal data and the right to request a copy thereof (Art. 15 GDPR) — in accordance with the Personal Data Protection Act, the data subject has the right to request from the controller information about whether it processes their personal data, access to such data, and the following information:
    • on the purpose of processing;
    • on the categories of personal data being processed;
    • on the recipient or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in other countries or international organizations;
    • on the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • on the existence of the right to request from the controller rectification or erasure of personal data, the right to restriction of processing, and the right to object to processing;
    • on the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection;
    • any available information about the source of the personal data, if the personal data were not collected from the data subject;
  • Right to rectification, supplementation, and erasure of your personal data (Art. 16 and 17 GDPR), in which case we are obliged to act without delay upon receipt of such a request;
  • Right to restriction of processing (Art. 18 GDPR), in cases where you contest the accuracy of the data;
  • Right to data portability (Art. 20 GDPR) — the right to receive and transmit data in a structured, commonly used, and electronically readable format (the right of the data subject to transmit data to another controller without hindrance from the controller to whom the data have been provided, if the processing is based on consent in accordance with the Personal Data Protection Act or on a contract, and if the processing is carried out by automated means);
  • Right to object to the processing of your personal data (Art. 21 GDPR), where we base processing on legitimate interest or where we process for direct marketing purposes, including profiling for such purposes, and the right to stop such processing;
  • Right to legal remedies provided by the Personal Data Protection Act, including the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection and the right to judicial protection;
  • Right to withdraw consent for the processing of personal data (subject to the limitation that the withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal).

To exercise the above-mentioned rights (where applicable in a specific case), as well as if you have any questions regarding this Policy, you may contact us using the contact details provided in Section 12.

In the case of a legal obligation, we reserve the right to disclose data about you to competent state authorities, all in accordance with Article 12(1)(3) of the Personal Data Protection Act of the Republic of Serbia, which prescribes that processing is lawful if it is necessary for compliance with the controller's legal obligations.

3. INFORMATION WE COLLECT

We collect personal data that you provide during registration, including your first name, last name, e-mail address, phone number, country, city, address, and the customer address where the service is performed, if you enter it when making a reservation. We also collect data about your use of the platform, such as reservations, reviews, favorite providers, and browsing activity.

Mandatory data provision. Providing personal data at registration (first name, last name, e-mail, password) is a prerequisite for using the Platform. Without this data we cannot create your account or enable you to make reservations. Other data (phone, address) is optional, but may be necessary for certain features (e.g. booking a service at the customer's address).

Special categories of data. We do not collect special categories of personal data, such as data concerning your race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, nor do we collect your genetic or biometric data, data concerning your health, sexual life, or sexual orientation.

This list is illustrative, not exhaustive. The Policy applies to every use of the Platform.

E-mail address verification. After completing the registration form, we will send you an e-mail with a link to confirm that you are the owner of the specified e-mail address. If you do not confirm in this way that you have completed the registration form, the data is not stored permanently and the registration is not completed.

Messaging with Providers. Through the Platform, you can exchange messages with Providers, to which only you and the Provider you are communicating with have access.

Data from social networks (Social Login). We may collect information about you through Book A Service affiliates or unaffiliated third parties. You can access the Platform via your social network account (Google, Facebook). If you access the Platform via a Google or Facebook account, you may grant us permission to access certain information on your profile (first name, last name, profile picture, user ID, e-mail address).

Social networks such as Google and Facebook have their own policies for managing your information. For a description of how these platforms may use and disclose your information, including any information you make public, please refer to the privacy policies of those sites. We have no control over how a third party uses or discloses personal data it collects about you.

Provider data. BAS will not perform any operations on the data of Providers, including personal data, other than storing it on servers, and will not in any way interfere with, modify, make available, or transfer it to third parties (except for disclosure to state authorities in accordance with law), unless otherwise specified in a concluded agreement. The sole purpose of handling personal data is its storage and potential disclosure to the executor for the provision of the requested service.

4. COOKIES

When you visit and use our Platform, cookies or other technologies such as pixels (hereinafter "Cookies") are stored on your device. Cookies are small text files that your internet browser stores on your device in order to save certain data. The next time you visit our website on the same device, the information stored in the Cookies will be transmitted either to our website ("First-party Cookies") or to another website to which the Cookie belongs ("Third-party Cookies"). Through the stored and retrieved data, the relevant website recognizes that you have already accessed and visited it via the internet browser you use on that device.

Types of cookies we use:

  • Temporary or session cookies: temporary cookies that are stored in the cookie file of the user's browser until the end of the browser visit. These cookies are required for the proper functioning of certain applications or features on the website.
  • Persistent cookies: the operator may use them to improve the user experience (e.g. to store registration data, page language settings, etc.). These cookies remain in the cookie file in the user's browser for a longer period until they are deleted. This time period depends on the choices the user makes in the settings of their Internet browser.
  • Own cookies (First-party Cookies): small text files placed by the website or application you are directly visiting. They are essential for functionality and user experience, and primarily serve to remember information about you between different pages or visits.
  • Third-party cookies: originate from other, partner websites (which measure traffic, for example). In this way, third parties can collect user data from various websites and use it for a variety of purposes.

Specific cookies we use:

| Name | Type | Purpose |
| --- | --- | --- |
| laravel_session | Session, first-party | Session cookie that stores a random unique session identifier for the duration of the session and ensures the identification of the logged-in user during the session. |
| XSRF-TOKEN | Session, first-party | Protection against CSRF (Cross-Site Request Forgery) attacks. |
| cookie_consent | Persistent (12 months), first-party | Remembers your choice regarding consent to the use of cookies. |

Managing cookies. You can configure your internet browser so that cookies cannot be stored on your device or so that it asks each time whether you agree to cookies being enabled. You can also delete already stored cookies at any time. You can change your consent for non-essential cookies at any time by clicking on the "Cookie Settings" option in the footer of the Platform.

We do not use cookies for tracking for advertising purposes.

5. HOW WE USE YOUR INFORMATION

We use your data exclusively for clearly defined purposes, based on an appropriate legal basis:

| Processing purpose | Legal basis |
| --- | --- |
| Creating and managing the user account | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing reservations and communication with Providers | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending transactional notifications (reservation confirmations, reminders, cancellations) | Performance of a contract (Art. 6(1)(b) GDPR) |
| E-mail address verification | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending marketing e-mails and notifications about promotions | Consent (Art. 6(1)(a) GDPR) — you may withdraw it at any time |
| Prevention of fraud and abuse of the Platform | Legitimate interest (Art. 6(1)(f) GDPR) |
| Analysis of Platform usage to improve services (at an aggregated level) | Legitimate interest (Art. 6(1)(f) GDPR) |
| Compliance with legal obligations (accounting, taxes) | Legal obligation (Art. 6(1)(c) GDPR) |
| Responding to requests from competent state authorities | Legal obligation (Art. 6(1)(c) GDPR) |

We may use aggregated and anonymized data for statistical analyses and to improve our services.

6. INFORMATION SHARING

We share your information with service Providers when you make a reservation. We do not sell your personal data to third parties. We may share information with law enforcement when required by law.

How is personal data transferred to Providers?

We transfer Customer personal data to Providers with whom Customers are interested in making a reservation. Customers would not be able to make a reservation with a Provider without the transfer of their personal data. In relation to the personal data thus obtained, Providers act as independent data controllers, and therefore the transfer of personal data requires the informed consent of the Customer.

Providers are prohibited from providing Terms of Service to third parties, unless this is specifically provided for in a cooperation agreement.

7. DATA SECURITY AND RETENTION

We store the data we collect about you in a secure environment. We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, or destruction, including:

  • Encryption of data transmission using the TLS protocol (HTTPS);
  • Hashing of passwords using industry standards (bcrypt);
  • Encryption of sensitive data in the database (e.g. two-factor authentication secret keys);
  • Mechanisms to prevent brute-force attacks (rate limiting on login endpoints);
  • Two-factor authentication (2FA) option for additional account protection.

Data retention periods. BAS retains data for as long as is necessary to fulfill the processing purpose, in accordance with applicable laws and regulations:

| Data type | Retention period |
| --- | --- |
| Data on an active user account | While the account is active |
| Deleted (anonymized) user accounts | The e-mail address is reserved for 10 days after deletion as protection against abuse; other identifying data is anonymized immediately |
| Reservation data | Anonymized data is kept for up to 5 years (statute of limitations for contractual obligations) |
| Accounting and financial documentation | 10 years (Accounting Act) |
| Access logs and session data | 90 days |
| Marketing contacts | Until withdrawal of consent |

Notification of a personal data breach. In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will notify the Commissioner for Information of Public Importance and Personal Data Protection within 72 hours of becoming aware of it, and we will notify you without undue delay, in accordance with Articles 33 and 34 of the GDPR.

8. LINKS TO EXTERNAL PLATFORMS

The Platform may contain links to other websites or resources over which BAS has no control. BAS is not responsible for the content of such external sites or for the protection or privacy of the information you provide when visiting external sites.

9. MINOR USERS

Our services are not intended for minors under the age of 18. Only persons over 18 years of age may use the Platform. If we discover that a person under the age of 18 has provided us with personal data, we will close the account and delete the personal data. We may, where permitted by law, retain certain information for internal purposes described in this Policy.

10. DATA PROTECTION AUTHORITY

The competent data protection authority in Serbia is the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia, to whom you may submit a complaint in accordance with the Personal Data Protection Act.

You can contact the Commissioner's office at:

Address: Bulevar kralja Aleksandra No. 15, 11000 Belgrade, Republic of Serbia

E-mail: office@poverenik.rs

Phone: +381 11 3408 900

11. CHANGES TO THIS PRIVACY POLICY

This Privacy Policy may be changed or updated. If the information available in the Privacy Policy is changed in any way, we will publish the updated version on our Platform. We recommend that all users check the Platform from time to time to stay informed of any changes. All changes to the Privacy Policy take effect upon publication on the website. In the event that amendments to the Privacy Policy require new ways of processing your personal data that require your consent, we will contact you separately for the purpose of obtaining such consent.

12. CONTACT US

For questions about this Privacy Policy, please contact us at:

GOLUB IMV

E-mail: support@bookaservice.rs

Address: Solunskih boraca 5a