Privacy Policy

Last updated: 1 January 2026

1. Introduction

RiftLantern d.o.o. ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services or visit our website at riftlantern.world. We are the data controller for the purposes of data protection law.

2. Data Collection

The data we collect includes personal information you provide directly to us and information collected automatically when you use our services. We collect the following types of personal data:

• Contact information (name, email address, phone number, postal address)
• Consultation booking details and preferences
• Skin care concerns and health-related information relevant to our services
• Communication records with our team
• Website usage data and analytics information
• Cookie and tracking technology data
• Payment and billing information

3. How We Use Your Information

How we use your information depends on the services you use and your preferences. We use your personal data for the following purposes:

• Providing skincare consultation services and personalised treatment guidance
• Scheduling and managing appointments
• Communicating with you about our services
• Processing payments and maintaining billing records
• Improving our website and services through analytics
• Complying with legal obligations and regulatory requirements
• Protecting against fraud and ensuring security

4. Cookies and Tracking Technologies

We may use cookies and tracking technologies for analytics, advertising, and remarketing purposes, including Google Ads. These technologies help us measure campaign effectiveness, deliver relevant advertisements, and improve our services. You can manage your cookie preferences at any time through our cookie consent banner.

For detailed information about the cookies we use, please refer to our Cookie Policy.

5. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

• Consent: When you have given clear consent for specific processing activities
• Contract: When processing is necessary for the performance of our service contract with you
• Legitimate interests: When we have legitimate business interests that are not overridden by your privacy rights
• Legal obligation: When we need to comply with legal requirements

6. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your data in the following limited circumstances:

• With service providers who assist us in operating our business (under strict confidentiality agreements)
• When required by law or to comply with legal processes
• To protect the rights, property, or safety of RiftLantern, our clients, or others
• In connection with a business transfer or merger (with appropriate safeguards)

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Generally, we retain consultation records for 7 years, contact information for 3 years after last contact, and website analytics data for 26 months. You may request deletion of your data at any time, subject to legal requirements.

8. Your Rights

Under GDPR and applicable data protection laws, you have the following rights regarding your personal data:

• Right of access: Request copies of your personal data
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data
• Right to restrict processing: Request limitation of how we use your data
• Right to data portability: Request transfer of your data to another organisation
• Right to object: Object to certain types of processing
• Right to withdraw consent: Withdraw consent for consent-based processing

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. This includes encryption, access controls, regular security assessments, and staff training. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

10. International Data Transfers

Your personal data is primarily processed within the European Union. If we transfer data outside the EU, we ensure appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses approved by the European Commission.

11. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete such information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

13. Contact Information

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:

14. Supervisory Authority

You have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) or your local data protection authority if you believe we have not handled your personal data in accordance with applicable law.

15. Governing Law

This Privacy Policy is governed by Croatian law and EU data protection regulations, including the General Data Protection Regulation (GDPR). Any disputes arising from this policy shall be subject to the exclusive jurisdiction of Croatian courts.