Skip to main content

Privacy Policy

Last updated: 30 May 2026

This Privacy Policy explains how Ekstremac collects, uses and protects personal data when you visit our website or contact us about an adventure. We follow the EU General Data Protection Regulation (GDPR) and the Serbian Law on Personal Data Protection.

1.Who we are (Data Controller)

The controller of your personal data is Ekstremac, based in Kragujevac, Republic of Serbia. You can reach us at:

  • Email: contact@ekstremac.com
  • Phone / WhatsApp / Viber: +381 64 39 59 736
  • Instagram: @ekstremac

2.What personal data we collect

We only collect what we need to talk to you and arrange your adventure:

  • Identifiers you share when you reach out: first name, last name or handle, phone number, email address.
  • Booking inputs: travel dates, group size, activity preference, level of experience, dietary or medical notes you choose to share.
  • Communications: the content of your messages to us (Instagram DM, WhatsApp, Viber, SMS, email).
  • Technical data, only with your consent: IP address, browser and device type, pages visited, referrer, approximate city-level location. Collected via Google Analytics when you accept analytics cookies.

3.Why we use this data (purposes and legal basis)

  • To respond to your inquiry, book your adventure, coordinate with the partner camp and confirm logistics. Legal basis: performance of a contract or pre-contractual steps (Art. 6(1)(b) GDPR).
  • To send service updates about a booking you have made (changes, weather, meeting point). Legal basis: performance of the contract (Art. 6(1)(b) GDPR).
  • To respond to legal requests, defend against legal claims and keep records required by Serbian tax and consumer law. Legal basis: legal obligation (Art. 6(1)(c) GDPR) and legitimate interest (Art. 6(1)(f) GDPR).
  • To improve our website with anonymised analytics. Legal basis: your consent (Art. 6(1)(a) GDPR), withdrawable at any time via the cookie banner.

4.Who we share data with

We do not sell personal data. We share only what is needed, and only with:

  • Partner adventure camps we match you with, so they can deliver the activity you booked.
  • Payment processors when you pay online. We do not store card numbers ourselves.
  • Email and messaging providers whose servers carry our communications with you.
  • Analytics providers (Google Analytics), only with consent and with IP anonymisation.
  • Public authorities when we are legally required to disclose.

5.International transfers

Some of our service providers (analytics, email, messaging) are based outside the European Economic Area, primarily in the United States. These transfers rely on the European Commission Standard Contractual Clauses or an adequacy decision where one applies.

6.How long we keep your data

  • Inquiries that did not result in a booking: 12 months from your last message.
  • Booking records and related communications: 3 years from the date of the activity, in line with consumer-law retention.
  • Accounting and tax records: 10 years, as required by Serbian law.
  • Analytics data: 26 months, then automatically deleted by Google Analytics.

7.Your rights

Under the GDPR and Serbian law you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten") where the legal basis no longer applies.
  • Restrict or object to processing in certain situations.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent at any time, where consent is the legal basis. Withdrawal does not affect the lawfulness of prior processing.
  • Lodge a complaint with the Serbian Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti).

8.Cookies and similar technologies

We use a small number of cookies. Essential cookies keep the site working and are not optional. Analytics cookies load only after you accept them via the cookie banner. You can change or withdraw your choice at any time by clicking "Cookie settings" in the footer.

9.Children

Our services are intended for adults. For activities open to minors (rafting from 7+, canyoning from 14+, paragliding from 16+), a parent or legal guardian must consent and provide the necessary information. We do not knowingly process personal data of children under 16 outside that booking context.

10.Security

We apply reasonable technical and organisational measures: TLS encryption in transit, access controls and periodic review of partners. No system is perfectly secure. If a breach happens that is likely to affect your rights, we will notify you and the supervisory authority in line with Art. 33 and 34 GDPR.

11.Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes are communicated by email to people who have an active booking with us.

12.How to contact us

For privacy questions, complaints or to exercise your rights, email contact@ekstremac.com. We respond within 30 days.