This Privacy Statement has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “General Data Protection Regulation” and/or “GDPR”), as well as in accordance with all other applicable personal data protection regulations. 

Zagreb, 6 November 2025

1. ABOUT US

We are METAMORFOZA d.o.o., company headquartered at Radnička cesta 43, Zagreb (Grad Zagreb), Republic of Croatia, Tax number: 24880192958, registered with the Commercial Court in Zagreb under Company Registration Number: 080714251 hereinafter referred to as “MoI” and/or the “Controller” and/or “We”). 

Our company acts as the franchisor of the Museum of Illusions concept and is responsible for overseeing the implementation of contractual obligations by franchisees, including the verification of the accuracy of reported ticket sales. We operate within a franchise business model that enables you, as a museum visitor, to access Museum of Illusions services through independently operated franchise locations. Within this model, a ticketing system is used for the purchase and management of museum admission tickets, ensuring a secure, transparent, and consistent visitor experience across all franchise locations.

Data Controller	METAMORFOZA Ltd.
Address (street and number)	Radnička cesta 43
Postal code and city	10000 Zagreb
Email address of the Data Protection Officer:	[email protected]

2.WHAT IS PERSONAL DATA AND HOW DO WE PROCESS IT

Personal data refers to any information relating to an identified or identifiable natural person. This includes data such as name, surname, address, personal identification number (OIB), email address, as well as information related to your behavior and interaction with digital services — for example, location data, IP address, access logs to specific electronic services, technical device identifiers, and data related to online purchases.

In the context of the Museum of Illusions franchise network, your personal data may be collected when you use the online ticketing system — whether you purchase a ticket via the website of a franchisee, use a mobile application, or register for special offers or promotional activities. The data you provide is entered into the ticketing system operated by the franchisee. The Controller (Metamorfoza d.o.o., Zagreb), as franchisor, has access to this data solely for the purpose of verifying the accuracy of ticket sales reported by franchisees and calculating the applicable franchise (royalty) fee within the franchise business model.

The Controller processes the following personal data:

• name and surname
• email address
• number of tickets purchased
• ticket type (e.g., adult, child, group)
• date and time of purchase
• method of purchase (online or physical location)
• method of payment (cash, card — without processing card number)
• language of the interface used during purchase
• transaction identifier or order number
• technical access log (e.g., IP address, device, browser)

The legal basis for processing your personal data is the legitimate interest of the Controller. This legitimate interest consists of ensuring the accuracy of ticket sales reported by franchisees, verifying the calculation of the applicable franchise fee, and protecting the contractual and financial interests of the Controller within the franchise business model

Your personal data is not collected directly from you by the Controller but is entered into the ticketing system by the franchisee, who acts as an independent controller for the sale. The Controller accesses this data exclusively for the purpose of verifying the accuracy of reported ticket sales and calculating the applicable franchise fee, in accordance with contractual obligations established with the franchisee.

The Controller does not apply automated decision-making or profiling within this processing activity.

Legitimate interest

The processing of your personal data is necessary for the functional implementation of the franchise model, specifically to verify the accuracy of ticket sales reported by franchisees, calculate the applicable franchise (royalty) fees, and protect the contractual and financial interests of the Controller. Such processing constitutes a legitimate interest of the Controller and is technically executed via the ticketing system operated by the franchisee, to which the Controller may have access in the following cases:

• through review of reports generated by the ticketing system;
• through access to transaction records maintained by the franchisee;
• through contractual cooperation with the franchisee acting as processor in relation to customer data.

The Controller has conducted a Legitimate Interest Assessment (LIA) confirming that the benefits of processing clearly outweigh any potential adverse effects on data subjects. Potential risks are further minimized through the application of technical and organizational safeguards, including strict access control, encryption, and contractual regulation of processing responsibilities.

The ticketing system does not employ automated decision-making or profiling. Franchisees are required to ensure that data subjects are informed about the processing of their personal data upon entry into the ticketing system.

Compliance with Our Legal Obligations

If you contact us to exercise your rights in relation to the processing of personal data, we will process your personal data on the basis of our legal obligation to enable you to exercise your data protection rights in accordance with applicable laws and other regulations.

3.TRANSFER OF YOUR PERSONAL DATA

Personal data collected through the ticketing system during the purchase of museum tickets may be made available to the Controller solely for the purpose of verifying the accuracy of reported ticket sales and calculating the applicable franchise fee.

Within this processing activity, personal data is not disclosed to third parties for commercial purposes, nor is it used for direct communication with data subjects.

In certain circumstances, the Controller may transfer personal data to the following categories of recipients:

• technical partners and service providers responsible for maintaining the ticketing system and supporting its functionality, strictly in the capacity of processors;
• legal advisors, auditors, and other professionals who assist the Controller in fulfilling its contractual and legal obligations;
• competent public authorities, courts, and other governmental bodies, where necessary for compliance with legal obligations, conducting proceedings, or protecting the Controller’s interests.

In all such cases, the transfer of personal data is carried out with the application of appropriate technical and organizational safeguards, and strictly within the scope of the processing purpose defined in this Privacy Statement.

4.RETENTION PERIOD FOR YOUR PERSONAL DATA

Personal data processed within the ticketing system, including data relating to ticket purchases, is retained only for as long as necessary to fulfill the purpose of processing — namely, to verify the accuracy of reported ticket sales and calculate the applicable franchise fee.

Upon expiry of the statutory retention period, the data is deleted unless another legal obligation or legitimate interest justifies extended retention (e.g., in the context of legal proceedings, audits, or inspections).

Personal data shall generally be retained until the expiry of the applicable statute of limitations period relevant to the contractual relationship or potential legal claims, that is up to 3 or 5 years depending on the applicable statute of limitations. However, as certain ticket transaction data also serve as the basis for accounting and financial reporting, the Controller is required to retain such data for a minimum period of 11 years, in accordance with Article 10(2)(3) of the Accounting Act (Narodne novine, Nos. 85/24 and 145/24).

In cases where personal data is shared with collaborators (technical partners, legal advisors), such recipients process the data exclusively on behalf of the Controller for the purpose of maintaining the ticketing system and retain it only for as long as technically necessary to ensure system functionality.

After the statutory retention period expires, personal data is deleted or anonymized, unless another legal obligation or legitimate interest justifies extended retention (e.g., pending legal proceedings, audits, or inspections).

When data is shared with collaborators (technical partners or legal advisors), such recipients process the data exclusively on behalf of the Controller and retain it only for as long as necessary to fulfill the technical or contractual purpose for which it was collected

Personal data processed on the basis of legal obligations — in connection with the exercise of your rights or ours — is retained for as long as we are legally required to do so, in accordance with applicable regulations.

5.YOUR RIGHTS REGARDING PERSONAL DATA PROTECTION

Your Rights	What It Means
Right to be Informed	You have the right to receive clear, transparent, and easily understandable information about how we use your personal data and what your rights are in relation to our processing. This is why we provide the information contained in this Privacy Statement.
Right of Access	You have the right to access and receive a written report on the personal data we have collected about you.
Right to Rectification	In certain cases, you have the right to correct your personal data if it is inaccurate or incomplete. You may request correction by contacting us on the email address.
Right to Erasure (Right to be Forgotten)	In certain cases, you have the right to have your personal data erased. We may delete your personal data if we no longer have a legal or legitimate basis to retain and/or further process it.
Right to Restriction of Processing	In certain cases, you may request that the processing of your personal data be restricted. This means that during the restriction period, your personal data will be stored but processed only for purposes that do not require unrestricted use.
Right to Object	You may object to our processing of your personal data at any time.
Right to Lodge a Complaint with the Supervisory Authority and to an Effective Legal Remedy Against Its Decision	Anyone may submit a request to the Croatian Personal Data Protection Agency (AZOP) to determine a violation of rights. Website: www.azop.hr You have the right, in accordance with applicable laws and regulations, to seek legal remedy against a decision of the Agency.