If you are a user of the museum’s services and have registered through the system for that purpose and purchased a museum ticket, please read this Privacy Statement on the Processing of Personal Data (hereinafter referred to as: “Privacy Statement”), which aims to provide you with all necessary information regarding the manner in which your personal data is processed.
This Privacy Statement has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “General Data Protection Regulation” and/or “GDPR”), as well as in accordance with all other applicable personal data protection regulations.
Zagreb, 6 November 2025
1. ABOUT US
We are METAMORFOZA d.o.o., a company headquartered at Radnička cesta 21, Zagreb (Grad Zagreb), Republic of Croatia, Tax number: 24880192958, registered with the Commercial Court in Zagreb under Company Registration Number: 080714251 (hereinafter referred to as “MoI” and/or the “Controller” and/or “We”).
Our company acts as the franchisor of the Museum of Illusions concept and is responsible for overseeing the implementation of contractual obligations by franchisees, including the verification of the accuracy of reported ticket sales. We operate within a franchise business model that enables you, as a museum visitor, to access Museum of Illusions services through independently operated franchise locations. Within this model, a ticketing system is used for the purchase and management of museum admission tickets, ensuring a secure, transparent, and consistent visitor experience across all franchise locations.
| Data Controller | METAMORFOZA Ltd. |
| Address (street and number) | Radnička cesta 21 |
| Postal code and city | 10000 Zagreb |
| Email address of the Data Protection Officer: | [email protected] |
2. WHAT IS PERSONAL DATA AND HOW DO WE PROCESS IT
Personal data refers to any information relating to an identified or identifiable natural person. This includes data such as name, surname, address, personal identification number (OIB), email address, as well as information related to your behavior and interaction with digital services — for example, location data, IP address, access logs to specific electronic services, technical device identifiers, and data related to online purchases.
In the context of the Museum of Illusions franchise network, your personal data is collected when you use our online ticketing system — for example, when you purchase tickets through a franchisee’s website, use a mobile application, or register for special offers or promotional activities. The data you provide is entered into the ticketing system operated by the franchisee. Metamorfoza d.o.o., Zagreb, as the franchisor and operator of the franchise network, also has access to certain data entered into the ticketing system.
The Controller processes the following personal data:
- name and surname
- email address
- number of tickets purchased
- ticket type (e.g., adult, child, group)
- date and time of purchase
- method of purchase (online or physical location)
- method of payment (cash, card — without processing card number)
- language of the interface used during purchase
- transaction identifier or order number
- technical access log (e.g., IP address, device, browser)
- address, city and postal code if provided
- phone number if provided
- information on frequency and recurrence of visits
- indicators of visitor type and attendance patterns
- demographic indicators derived from ticketing data.
Your personal data is not collected directly from you by the Controller but is entered into the ticketing system by the franchisee, who acts as an independent controller for the sale.
The Controller does not apply automated decision-making within this processing activity.
Purpose of processing
Metamorfoza d.o.o. processes the above data for the following purposes:
1. Franchise oversight and financial verification:
- verifying the accuracy of ticket sales reported by franchisees; and
- calculating and monitoring the applicable franchise (royalty) fee under the franchise business model.
2. Network-level analytics and business development (typically on an aggregated and trend basis):
- analyzing visitor behavior, attendance patterns, and frequency of visits across the network;
- identifying demographic trends and customer segments;
- assessing demand and forecasting visitor trends;
- measuring sales and attendance performance;
- evaluating pricing strategies, promotional offers, and campaign effectiveness;
- supporting strategic planning and operational improvements, including geographic distribution of customers (e.g. by postcode or region).
3. Marketing communications.
Legitimate interest
The processing of your personal data is necessary for the operation of the Museum of Illusions franchise model and to achieve the purposes described above (in particular: verification of ticket sales reported by franchisees, calculation and monitoring of franchise/royalty fees, and obtaining network-level insights and analytics to support business planning and marketing activities across the franchise network). This processing is carried out on the basis of the Controller’s legitimate interests.
Such processing is technically performed via the ticketing system operated by the relevant franchisee. Depending on the specific setup, the Controller may access the data in the following ways:
- through review of reports generated by the ticketing system;
- through access to transaction records maintained by the franchisee; and/or
- through contractual cooperation with the franchisee, which in certain processing activities may act as a processor on behalf of the Controller in relation to customer data.
The Controller has conducted a Legitimate Interest Assessment (LIA), which confirms that the Controller’s interests in operating the franchise model and ensuring accurate reporting, fee calculation, network-level analysis and marketing activities, are not overridden by the interests or fundamental rights and freedoms of data subjects. Any potential risks are further reduced through appropriate technical and organisational measures, including strict access controls, encryption, and contractual arrangements that clearly allocate roles and responsibilities and regulate processing instructions.
The ticketing system is not used for automated decision-making that produces legal effects concerning you or similarly significantly affects you. Where any analytics are performed, they are intended to support network-level business insights and are applied with safeguards designed to minimize impact on individuals. Franchisees are required to ensure that data subjects are appropriately informed, at the point of data collection, about the processing of their personal data within the ticketing system.
Compliance with Our Legal Obligations
If you contact us to exercise your rights in relation to the processing of personal data, we will process your personal data as necessary to comply with our legal obligations and to enable you to exercise your data protection rights in accordance with applicable data protection laws and other relevant regulations.
3. TRANSFER OF YOUR PERSONAL DATA
Personal data collected through the ticketing system during the purchase of museum tickets may be made available to the Controller for the abovementioned purposes.
In certain circumstances, the Controller may transfer personal data to the following categories of recipients:
- technical partners and service providers responsible for maintaining the ticketing system and supporting its functionality, strictly in the capacity of processors;
- legal advisors, auditors, and other professionals who assist the Controller in fulfilling its contractual and legal obligations;
- competent public authorities, courts, and other governmental bodies, where necessary for compliance with legal obligations, conducting proceedings, or protecting the Controller’s interests.
For the purpose of carrying out marketing activities directed at existing customers, the Controller may provide contact information such as email addresses or phone numbers to external marketing agencies acting exclusively as processors and strictly in accordance with the Controller’s instructions.
In all such cases, the transfer of personal data is carried out with the application of appropriate technical and organizational safeguards, and strictly within the scope of the processing purpose defined in this Privacy Statement.
4. RETENTION PERIOD FOR YOUR PERSONAL DATA
Personal data processed within the ticketing system, including data relating to ticket purchases, is retained only for as long as necessary to fulfil the purpose of processing.
Upon expiry of the statutory retention period, the data is deleted unless another legal obligation or legitimate interest justifies extended retention (e.g., in the context of legal proceedings, audits, or inspections).
Personal data shall generally be retained until the expiry of the applicable statute of limitations period relevant to the contractual relationship or potential legal claims. However, as certain ticket transaction data also serve as the basis for accounting and financial reporting, the Controller is required to retain such data for a minimum period of 11 years, in accordance with Article 10(2)(3) of the Accounting Act (Official Gazette, Nos. 85/24 and 145/24).
In cases where personal data is shared with collaborators (technical partners, legal advisors), such recipients process the data exclusively on behalf of the Controller for the purpose of maintaining the ticketing system and retain it only for as long as technically necessary to ensure system functionality.
Data used for analytical, strategic or marketing purposes is retained for five years, unless a shorter retention period is appropriate due to the nature of the data.
After the statutory retention period expires, personal data is deleted or anonymized, unless another legal obligation or legitimate interest justifies extended retention (e.g., pending legal proceedings, audits, or inspections).
When data is shared with collaborators (technical partners or legal advisors), such recipients process the data exclusively on behalf of the Controller and retain it only for as long as necessary to fulfil the technical or contractual purpose for which it was collected.
Personal data processed on the basis of legal obligations — in connection with the exercise of your rights or ours — is retained for as long as we are legally required to do so, in accordance with applicable regulations.
5. YOUR RIGHTS REGARDING PERSONAL DATA PROTECTION
| Your Rights | What It Means |
| Right to be Informed | You have the right to receive clear, transparent, and easily understandable information about how we use your personal data and what your rights are in relation to our processing. This is why we provide the information contained in this Privacy Statement. |
| Right of Access | You have the right to access and receive a written report on the personal data we have collected about you. |
| Right to Rectification | In certain cases, you have the right to correct your personal data if it is inaccurate or incomplete. You may request correction by contacting us on the email address. |
| Right to Erasure (Right to be Forgotten) | In certain cases, you have the right to have your personal data erased. We may delete your personal data if we no longer have a legal or legitimate basis to retain and/or further process it. |
| Right to Restriction of Processing | In certain cases, you may request that the processing of your personal data be restricted. This means that during the restriction period, your personal data will be stored but processed only for purposes that do not require unrestricted use. |
| Right to Object | You may object to our processing of your personal data at any time. |
| Right to Lodge a Complaint with the Supervisory Authority and to an Effective Legal Remedy Against Its Decision | Anyone may submit a request to the Croatian Personal Data Protection Agency (AZOP) to determine a violation of rights. Website: www.azop.hr. You have the right, in accordance with applicable laws and regulations, to seek legal remedy against a decision of the Agency. |