My account
Login Registration
LNG
Srpski Magyar English Српски
Currency
RSD EUR CHF USD

Privacy Policy

PRIVACY POLICY

  1. INTRODUCTION

This Privacy Policy (hereinafter: "Policy") explains how the company Rail Estate d.o.o. Beograd, business registration number 20916834 (hereinafter: "Company", "Data Controller", "we", or "our") collects, uses, stores, and protects your personal data (user/passenger data) when using the Polazak online platform for purchasing bus tickets.

The Policy aims to provide users/passengers with clear, comprehensive, and transparent information about:

  • what data we collect,
  • how we process it,
  • the purposes for which the data is used,
  • the rights users have regarding data processing,
  • and how those rights can be exercised.

This Policy applies to all passengers, users of the website (hereinafter: "Website"), mobile application, and other services provided by the Data Controller, regardless of whether users/passengers are registered or use the service occasionally, as well as all forms of communication with the Data Controller (e.g., via customer support).

The Company is the data controller of your personal data under the (Serbian) Law on Personal Data Protection ("Official Gazette of Republic of Serbia", No. 87/2018, hereinafter: "ZZPL") and, where applicable, the General Data Protection Regulation, hereinafter: “GDPR”.

If specific data processing rules require additional explanations (e.g., processing via cookies), these are governed by a separate Cookie Policy, located at the end of this Policy and forming an integral part of it.

Note: If a user provides personal data of third parties (e.g., other passengers) while using the services, the user guarantees that they are authorized to provide such data and that those individuals have been informed of this Privacy Policy prior to data submission. The Data Controller shall not be responsible if the user fails to fulfill this obligation. In certain cases, users/passengers may be offered a limited selection of tickets or services from other platforms via the Website. If the user selects such an option, they will be automatically redirected to the third-party website, and further data processing will be subject exclusively to that third party's privacy policy and terms of use. Therefore, the Company has no control over the data processing performed by those third parties and is not responsible for how they handle the data. Users are advised to carefully read the privacy policies and terms of use of third parties before using their services. From the moment of redirection, the third party's rules and privacy policy apply, not this Policy.

  1. DATA CONTROLLER INFORMATION AND CONTACT

The data controller of user/passenger data is:

  • Company Name: Rail Estate d.o.o. Beograd
  • Registered Address: Ljubljanska 32, Zvezdara, Beograd
  • Business Registration Number: 20916834
  • Tax ID: 108018053
  • Contact Phone: +381 63 471 119
  • General Contact Email: info@polazak.com
  • E-mail for Data Protection Inquiries: privatnost@polazak.com

 

  1. CATEGORIES OF DATA WE PROCESS

Depending on how our services are used, we process the following categories of user/passenger data:

  • Basic Identification Data: first name and last name;
  • Contact Data: email address, phone number, residential address (only if provided by the user during payment via bank transfer);
  • Transaction and Ticket Purchase Data: departure and destination station, date and time of travel, carrier, route, ticket type (regular, student, child of various ages, pupils, persons over 65, etc.), reservation number (if paying via bank transfer), selected seat (if provided by the carrier), price and selected payment method, transaction status;
  • Data Related to Communication, Complaints, or Refunds: The Company processes data from inquiries and complaints submitted by users/passengers via email (primary communication method), regular mail, or phone. The Company does not process payment card data as payments are handled by an external fintech provider. If a refund request is approved and payment was made via bank transfer, the bank account number and residential address (if provided) are processed for refund purposes;
  • User Account Data: username, password, data on previous purchases via our Website or mobile application, favorite destinations (optional);
  • Technical Data on Website or Mobile App Usage: IP address, device and browser information, cookie data, and interaction with the Website and similar technologies (detailed in the Cookie Policy section at the end of this Policy).

Note: Our Company does not collect special categories of data (e.g., health, political opinions, religious beliefs, or similar sensitive data). However, users may voluntarily provide such information when submitting refund or complaint requests (e.g., reasons for trip cancellation). If such information is provided, the Company will not use or further process it and will delete it as soon as possible.

Personal data may also be entered by users on behalf of other passengers.

 

  1. PURPOSES AND LEGAL BASES FOR PROCESSING

The Data Controller processes personal data of users/passengers solely in accordance with the principles of lawfulness, fairness, transparency, and limited purpose, for the following purposes:

  1. Purchase and Issuance of Tickets via the Polazak Platform
    • Purpose: Enabling the purchase and issuance of tickets, sending confirmation and reservation information (for bank transfer payments), and notifying about any travel changes (e.g., schedule changes).
    • Legal Basis: Fulfillment of a contract between the user/passenger and the Company responsible for ticket sales.
  2. Forwarding Data to Carriers for the fulfillment of the Transport Contract
  3. Purpose: Enabling the fulfillment of the transport contract between the user/passenger and the selected carrier.
  4. Legal Basis: Fulfillment of a contract between you and the carrier; the Company’s role is to forward the data to the carrier as the Data Controller. In cases involving third parties (when a user enters data for other passengers), the Data Controller relies on legitimate interest and fulfillment of a contract (the transport contract is concluded for the benefit of third parties).
  5. Purpose: Providing data to carriers required to keep passenger records; processing is necessary for issuing invoices, maintaining business records, and fulfilling obligations under applicable regulations (Accounting Law, Value Added Tax Law).
  6. Legal Basis: Legal obligation, the Data Controller’s legal duty.
  7. Purpose: Processing data to respond to inquiries, handle complaints, and process refunds.
  8. Legal Basis: Legitimate interest of the Data Controller, ensuring that the interests of users/passengers prevail.
  9. Purpose: Protecting the system from misuse, maintaining stability, monitoring system performance, and ensuring platform security.
  10. Legal Basis: Legitimate interest of the Data Controller, ensuring that the interests of users/passengers prevail.
  11. Purpose: Displaying relevant advertisements and statistical tracking of website visitors.
  12. Legal Basis: User consent, which can be withdrawn at any time.
  13. Compliance with Legal Obligations
  14. Customer Support and Communication with Users
  15. Improving Website Functionality and Security
  16. Marketing and Consent-Based Cookies

Note: By purchasing a ticket through our platform, you enter into a ticket purchase contract with our Company, while the transport contract is concluded directly between you and the selected carrier. Our role is to forward the data necessary for the fulfillment of the transport contract to the carrier.

Marketing activities are conducted solely based on the user’s explicit consent, provided voluntarily during registration or ticket purchase, and can always be withdrawn. For detailed rules on cookies and how we use statistical and marketing technologies, see the Cookie Policy section at the end of this document.

 

  1. RECIPIENTS OF DATA

The Data Controller, as part of its operations, collaborates with certain third parties and may share users’/passengers’ personal data, only to the extent necessary to achieve the purposes of processing, as follows:

  1. Carriers – Data necessary for the fulfillment of the transport contract (passenger’s first and last name, departure and destination station, ticket type, reservation number (if applicable), and, depending on the carrier, other contact data mentioned above).
  2. Fintech Providers/Payment Service Providers – For electronic payments, certain transaction data (e.g., minimal card data required for authorization, transaction ID) is shared with banks, card systems, and other payment service providers, in accordance with applicable regulations. The Company does not have access to this data as it is encrypted by the external partner during communication with us.
  3. Legal and Accounting Support – To fulfill accounting and tax obligations and legal rights.
  4. Technical Partners and IT Service Providers – The Data Controller uses IT support, system protection, hosting, platform maintenance, and other technical services, where these providers may have limited access to personal data, only to the extent necessary to provide the contracted service and with an obligation to maintain confidentiality and apply appropriate protection measures.
  5. Other Authorized Partners or Institutions – If required by law (e.g., courts, law enforcement, regulatory bodies) or necessary to protect the Data Controller’s legitimate interests, based on the appropriate legal basis and within the scope prescribed by law.

Note: The Data Controller does not sell or transfer users’ personal data to third parties for marketing or other purposes not explicitly stated in this Policy. Appropriate data processing agreements (Data Processing Agreements) are concluded with all external partners to ensure data is handled in accordance with ZZPL/GDPR.

 

6. TRANSFER OF DATA ABROAD

6.1. Data within the Republic of Serbia and the EU: As a rule, users’/passengers’ personal data is processed and stored in the Republic of Serbia. However, since certain service providers used by the Data Controller (e.g., hosting providers, IT partners, payment service providers) may have their headquarters or servers in EU member states, data transfer to these countries is considered as a transfer to “safe countries” as they comply with GDPR data protection standards.

6.2. Data Transfer Outside the EU/Republic of Serbia: In some cases, certain data may be transferred to countries that do not provide an adequate level of personal data protection under the ZZPL (e.g., when a carrier is based outside the EU, such as in Bosnia and Herzegovina, Montenegro, Turkey). Such transfers will occur only:

  • if necessary for the fulfillment of a contract between the user/passenger and the Data Controller or carrier (e.g., when the carrier is based outside the EU and data transfer is needed to facilitate travel), or
  • if the user/passenger provides explicit consent after being informed of potential risks, or
  • if appropriate safeguards are provided as required by law (e.g., standard contractual clauses for data protection).

6.3. Security Measures for Transfers: In all cases of data transfer, the Data Controller takes all reasonable legal, technical, and organizational measures to ensure personal data is processed in accordance with this Policy and applicable regulations, including limiting the scope of transferred data to what is strictly necessary for the specific purpose.

Note: All international data transfers are conducted in compliance with legal requirements and contractual clauses to ensure an appropriate level of protection for your data.

 

7. PERIODS AND CRITERIA OF DATA RETENTION

7.1. General Principle of Minimization and Retention Limitation: Personal data is stored in a form that allows identification only for as long as necessary to achieve the purposes outlined in this Policy or as required by applicable regulations. After the relevant retention periods expire, data is deleted, anonymized, or aggregated (depending on the nature of the data and technical capabilities), with anonymization permanently removing the possibility of identifying an individual.

7.2. Specific Retention Periods:

a) Data on Purchases and Travel (e.g., first and last name, email, phone, departure/destination station, travel date and time, ticket type, reservation number, selected seat – if applicable): stored for up to 3 (three) years from the reservation/purchase, after which it is fully anonymized (only business/statistical data is retained without identification).
b) User Accounts (first and last name, email, purchase history, settings, “favorite destinations”): stored until the account is deleted upon the user’s request. After deletion, identifiable data is deleted or anonymized, except for data required to meet legal obligations or protect legal interests (see point 7.3).
c) Complaints and Refunds (including bank account numbers for refunds in case of bank transfer payments and related communication): stored until the procedure is completed, then for an additional 2 (two) years for record-keeping and legal protection, after which they are archived and retained in accordance with accounting regulations.

Note: The Company does not request or process health or other special categories of data; if provided voluntarily by the user, such data is not processed for decision-making and will be deleted as soon as circumstances allow.
d) Payment Data: The Company does not process payment card data – this is handled by an external payment processor (fintech provider). Data necessary for transaction identification (e.g., payment reference/ID, transaction status; for bank transfer payments – address if provided) is stored within the periods outlined in point (a) and/or applicable accounting documentation retention periods.
e) Technical Logs (IP address, system logs): stored as long as necessary for system security and troubleshooting, up to a maximum of 12 months, unless a longer period is required for a specific security investigation or procedure. Cookie details are provided in the Cookie Policy.
f) Backup Copies: stored in rotational cycles as part of standard data backup policies and accessible only to authorized personnel; after the cycle expires, backups are overwritten/deleted per internal rules (daily backups are performed).

7.3. Retention for Legal Obligations and Legal Interests: Regardless of the above periods, certain data may be retained to the extent and within periods prescribed by applicable regulations (e.g., accounting, tax regulations) or until the expiration of limitation periods for claims and proceedings to exercise, enforce, or defend legal claims. In such cases, access to data is strictly limited, and the data is not used for other purposes.

7.4. Deletion/Anonymization Process: Deletion involves permanently removing records from active databases and, where applicable, from backup copies after the rotational cycle expires. Anonymization involves technical measures to prevent linking data to an individual (e.g., pseudonymization with separate key storage, aggregation).

Note: The rights outlined in this section also apply to third parties (passengers) whose data was entered by a user during ticket purchase.

 

8. RIGHTS OF USERS AND HOW TO EXERCISE THEM

8.1. Overview of Rights: In accordance with ZZPL and, where applicable, GDPR, you have the following rights:

a) Right to be Informed about processing and access to your data;

b) Right to Rectification of inaccurate or incomplete data;

c) Right to Deletion (“right to be forgotten”) – when data is no longer needed for processing purposes, when consent is withdrawn (if applicable), when an objection is successfully lodged, or when erasure is required by law;

d) Right to Restriction of Processing – in cases of disputed accuracy, unlawful processing, need for data for legal claims, or pending a decision on an objection;

e) Right to Data Portability – for data processed based on a contract or consent, and processed automatically;

f) Right to Object – when processing is based on our legitimate interest; in such cases, we will cease processing unless we demonstrate overriding legitimate grounds;

g) Right Not to Be Subject to Automated Decision-Making producing legal effects or significantly affecting you – the Company does not make such decisions;

h) Right to Withdraw Consent at any time (when processing is based on consent), without affecting the lawfulness of prior processing;

i) Right to Lodge a Complaint with the supervisory authority – the Ombudsman for Information of Public Importance and Personal Data Protection (contact details available on the Ombudsman’s official website: https://www.poverenik.rs/sr-yu/kontakt.html).

8.2. How to Exercise Rights: You can submit a request via email or mail to the Data Controller’s contact address:

  • General Contact E-mail: info@polazak.com
  • Email for Privacy Inquiries: privatnost@polazak.com
  • Postal Address: Ljubljanska 32, Zvezdara, Beograd

To protect your privacy, we may request reasonable proof of identity (e.g., confirmation via the account/email used for purchase or another appropriate identification mechanism) before processing your request.

8.3. Response Deadlines and Fees: We will respond to your request without undue delay, no later than 30 days from receipt (initial period); this may be extended by an additional 60 days, if necessary, due to the complexity or number of requests, with prior notification before the initial period expires. Processing requests are free of charge, except where requests are manifestly unfounded or excessive (including repeated requests), in which case we may charge a reasonable fee (necessary administrative costs) or refuse to act.

8.4. Limitations of Rights: Certain rights may be limited when necessary to:

a) Fulfill the Company’s legal obligations,

b) Exercise or defend legal claims, or

c) Protect the rights and freedoms of others.

In such cases, processing will involve the minimum necessary scope of data.

8.5. Account Deletion and Consequences: You may request account deletion at any time. Deletion does not affect the processing or retention of data required by legal obligations or within the periods specified in point 7, nor does it affect already anonymized data.

Note: Third parties (passengers whose data was entered by a user for ticket purchase) can independently exercise the rights outlined in this section, even if they are not direct users of the Polazak platform.

 

9. DATA PROTECTION MEASURES

The Data Controller implements appropriate technical, organizational, and personnel measures, as well as relevant standards and best practices, to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

The measures include:

  • Technical Measures: Storing data on servers within the European Union (Frankfurt, Germany) with a reputable cloud provider, securing access to administrative consoles and databases via multi-factor authentication and SSH keys, using secure servers and data encryption (TLS/SSL) for communication protection, firewalls, and other security mechanisms to prevent unauthorized access, attacks, and malicious activities (brute-force, DDoS, port-scanning, etc.), regular software updates, monitoring and alert systems for detecting and preventing security incidents, protection against malicious software.
  • Organizational Measures: Restricting data access to authorized personnel only, implementing authentication and access controls for employees and partners, regular data backups on a separate server with physical security and restricted access, procedures for secure storage and deletion of old data copies (clearly defined internal policies and procedures), confidentiality obligations for employees and collaborators (training and awareness-raising on data protection obligations), use of pseudonymized or anonymized data.
  • Risk Assessments: Regular monitoring, evaluation, and improvement of protection measures in line with technological developments and identified risks.

Despite these measures, the Data Controller notes that no information system or internet data transfer is entirely risk-free, but all reasonably expected measures are taken to minimize risks.

 

10. AMENDMENTS TO THE PRIVACY POLICY

The Data Controller reserves the right to periodically amend this Privacy Policy to align with legal changes, recommendations from the competent authority, or changes in business processes.

All amendments take effect upon publication of the updated Policy on the Controller’s official website. Users will be appropriately notified of significant changes (via the Website or a pop-up notification on the platform) and continued use of services after publication constitutes acceptance of the new Policy version.

 

11. ENTRY INTO FORCE AND APPLICATION

This Privacy Policy takes effect on August 29, 2025, and applies to all personal data processing by the Data Controller from that date.

The Privacy Policy remains in effect until revoked or replaced by a new version. The current and valid version of the Privacy Policy will always be available to users on the Data Controller’s website.

 

12. COOKIE POLICY

12.1. Introduction: This Cookie Policy explains what cookies are, how we use them on the Polazak platform, the types of cookies used, and users’ rights and options regarding their settings.

The Cookie Policy applies in conjunction with the Privacy Policy and forms an integral part of it. Its purpose is to provide users with clear and transparent information about tracking technologies used to ensure proper functioning of the Website, mobile applications, and to enhance user experience and analyze usage.

12.2. What Are Cookies?: Cookies are small text files stored on the user’s device (computer, mobile phone, tablet) when visiting a website. They enable recognition of the device during subsequent visits and may contain various data, including personal data when necessary for specific purposes (e.g., remembering login details, language selection). Cookies can be:

  • Session Cookies: Deleted after closing the browser.
  • Persistent Cookies: Remain on the device until they expire or are deleted by the user.

12.3. Types of Cookies We Use: The Data Controller uses the following main categories of cookies:

a) Essential Cookies: Ensure basic Website/mobile app functions (e.g., adding tickets to the cart, payment process, security). These cannot be disabled as they are necessary for the platform’s proper functioning.

b) Statistical Cookies: Help us understand how users interact with the Polazak platform (e.g., number of visits, most visited pages) to improve services.

c) Marketing Cookies: Used to track users across websites and display ads relevant to their interests.

12.4. List of Cookies and Purpose of Use: The Polazak platform may use cookies from:

  • Us (First-Party Cookies): Set directly by our Website/mobile app for functionality (e.g., storing session data during ticket purchase).
  • Third Parties (Third-Party Cookies): Set by partners and service providers (e.g., analytics or advertising tools).

Examples of purposes for using cookies:

  • Enabling users to add and purchase tickets via the cart,
  • Remembering user choices (language, currency, preferences),
  • Analyzing website traffic to improve services,
  • Displaying personalized ads, if the user consents.

Information about the types of cookies used by the Data Controller, their purposes, and options to accept or reject specific categories (essential, statistical, marketing) is available to users via the cookie banner displayed upon visiting the Website.

12.5. Legal Basis for Using Cookies:

  • Essential Cookies: Processed based on our legitimate interest to ensure the Polazak platform’s functionality and fulfill obligations to users.
  • Analytical and Marketing Cookies: Processed solely based on the user’s explicit consent.

Users can withdraw consent at any time via the cookie settings on the Polazak platform or through browser options, without affecting the ability to use the platform’s core functionalities.

12.6. Data Transfer Abroad: Third-party cookies (e.g., Google Analytics, Google Ads, and similar tools) may result in the transfer of certain usage data to other countries, including those outside the European Economic Area and the Republic of Serbia. In such cases, appropriate safeguards are implemented in accordance with ZZPL, such as:

  • Data protection contractual clauses,
  • Technical and organizational protection measures,
  • Compliance with mechanisms provided by relevant regulatory authorities.

12.7. Cookie Retention Periods:

  • Session Cookies: Automatically deleted after closing the browser.
  • Persistent Cookies: Remain on the user’s device until their expiration or manual deletion.
  • Third-Party Cookies: Retention periods depend on the cookie type and are determined by the partner whose services we use. Detailed retention information is available in our partners’ privacy policies, and users can adjust or withdraw consent at any time via the cookie banner.

In all cases, data collected via cookies is stored only as long as necessary for the purpose for which it was collected, after which it is automatically deleted or anonymized.

12.8. User Rights: Users have the following rights regarding cookie usage and data processing:

  • Right to be informed about which cookies are used and for what purposes,
  • Right to accept or reject specific cookies,
  • Right to withdraw consent at any time,
  • Right to access, rectify, or delete data processed via cookies (to the extent it can be linked to the user),
  • Right to object and lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection.

12.9. Amendments to the Cookie Policy: The Data Controller reserves the right to periodically amend this Cookie Policy to align with applicable regulations, technological developments, and practices. All amendments will be published on the Polazak platform and take effect upon publication, unless otherwise specified.

 

This website uses cookies
We use cookies to personalise content and ads, to provide social media features and to analyse our traffic.
We use cookies to personalise content and ads.
What are cookies? Necessary cookies Statistic cookies Marketing cookies

Cookies are small text files that can be used by websites to make a user's experience more efficient.
The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.
This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
We share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.
Your consent applies to the following domains: polazak.com

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.