Serklaž
Sophisticated Luxury
Rijeka, Croatia
Privacy Notice—Serklaž, A brand of Konsiteo Ltd
Effective date: 22 June 2026
Serklaž is a brand of Konsiteo Ltd, a company registered in England and Wales, with its registered office at 71–75 Shelton Street, London WC2H 9JQ (company number 9835328, VAT number GB226792289, ICO registration ZA150392, and Croatian tax identification HR99353656457). The data controller for all processing described in this notice is Konsiteo Ltd. Alen Karlović, Founder and Director, may be contacted by email at alen@konsiteo.com—OpenPGP-encrypted correspondence is encouraged, using the public key published at konsiteo.com, fingerprint 74E5 1E59 C219 E13C A611 4E4A 2966 8E19 C842 C2E3. All client enquiries and data-related communications addressed to the controller should be directed to croatia@serklaz.com—the same encryption is welcomed for this address, using the public key published at serklaz.com, fingerprint D351 6159 4E17 A30F 9301 0157 E647 7412 9973 36EA—by voice message at +385 91 566 66 89, or by end-to-end encrypted Signal communication. This notice satisfies the transparency obligations set out in Articles 12, 13, and 14 of the UK General Data Protection Regulation and the Data Protection Act 2018. It is written in the same spirit in which the practice itself was built: not because the law requires words, but because the Karlović family's understanding of what it means to hold something on behalf of another person—whether a client's legacy, a villa's structural record, or their personal information—runs prior to and independent of any regulatory obligation. What follows is a complete and honest account of how that understanding is applied to the data that reaches this practice.
What this website does not do
This website is hosted on servers located within the European Union in Amsterdam, The Netherlands. As is standard with all web hosting, the hosting infrastructure may generate server access logs—recording technical data such as IP addresses and page requests—as a routine function of delivering web pages. This technical logging is an inherent function of internet infrastructure, is not used by this practice for any analytical or commercial purpose, and is governed by the hosting provider's own data processing terms. This practice does not access, analyse, or use data collected in this way for any purpose relating to individual visitors—not because it could not, but because the same discipline that governs every other decision here applies equally to what could be done and is not. This website collects no tracking data, employs no analytics platform, and sets no cookies of any kind—not functional, not analytical, not marketing, not statistical. No third-party script is loaded on page render, with the exception of a font stylesheet served from an external typography provider solely for the purpose of rendering the typeface used on this site. No data transmitted in this way is used by this practice for any purpose, and the provider's handling of technical request data is governed by their own terms. No device fingerprinting takes place. No pixel, tag, session recorder, beacon, or link-decoration mechanism is used to observe, record, or transmit any aspect of your presence here to any party—including to Serklaž or Konsiteo Ltd. You arrive, you read, and you leave, without leaving a trace that this practice has authored, permitted, or retained. The absence of tracking is not a concession to regulation, nor a response to the inconvenience of consent management. It is what Curare aude—the third imperative of this practice—demands of anyone who holds the obligation of another person's trust: that nothing is gathered which is not genuinely needed, and that nothing is held which cannot be defended before a standard rigorous enough to matter.
What personal data is collected, and how
The only personal data processed in connection with Serklaž is information you choose to transmit directly: your name, your telephone number or email address, and the substance of your communication, whether transmitted by email to croatia@serklaz.com, by voice message at +385 91 566 66 89, or by encrypted Signal message. No web form, submission engine, session token, or behavioural tracking mechanism captures visitor information. Data reaches this practice only because you sent it, through a channel you selected, with a purpose you formed independently and entirely on your own terms. End-to-end encrypted communication—whether by Signal communication or by OpenPGP-encrypted email—is not a technical option offered alongside others. It is the preferred and actively encouraged mode of all correspondence with this practice, and the natural preference of the clients for whom Serklaž was built. These measures are not features of a privacy programme. They are the expression of a disposition: that information shared in confidence deserves to travel under conditions worthy of that confidence.
Why that data is processed and on what legal basis
Personal data transmitted to this practice is processed for one purpose: to receive and consider your communication and, where appropriate, to respond to it in accordance with the character and terms of this practice. The lawful basis is the legitimate interest of both parties in conducting a private, considered, and substantive exchange—an interest that clearly outweighs any privacy intrusion, given that no profiling, third-party data sharing, or behavioural analysis of any kind takes place. Where a formal advisory engagement follows from an initial approach—the commencement of an engagement under the terms of the Serklaž advisory relationship—the additional processing required to perform that engagement will be conducted on the basis of contractual necessity, and will be described in the engagement documentation provided at that stage.
How long personal data is retained
Correspondence transmitted to this practice is retained for as long as the relationship it documents remains active, and thereafter for such period as is necessary to protect the legitimate interests of both parties—a period not exceeding seven years from the conclusion of the relevant engagement or exchange, consistent with applicable statutory and professional obligations. Where no formal advisory engagement follows from an initial approach, correspondence is retained only for as long as is reasonably necessary to conclude that exchange and, in any event, for no more than two years. No personal data is retained beyond these periods without a renewed purpose that can be independently justified. The governing principle here is the same that applies to every other judgment this practice makes: nothing is held beyond the point at which holding it serves a purpose answerable to conscience.
With whom personal data is shared
Personal data transmitted to Serklaž is not shared with any third party for any purpose. It is not sold, licensed, or passed to data brokers, analytics providers, marketing platforms, or any entity engaged in the secondary use of personal information. Our advisory fee structure—fixed, non-commission-based, and settled entirely by the client—means that no incentive exists, within this practice, to share a client's information with any party whose interest is other than the client's own. Where legal or regulatory obligations compel disclosure—to a regulator, a court, a financial institution in the ordinary course of compliance—such disclosure will be made to the minimum extent required and will not be treated as a matter of routine. The legal counsel and banking relationships through which Konsiteo Ltd operates are bound by confidentiality obligations that reflect the standards this practice applies at every level of its conduct.
International transfers
Konsiteo Ltd's registered office is in England and Wales; the practice operates exclusively from Rijeka, Croatia, within the European Union. Personal data may therefore move between these two jurisdictions in the ordinary course of correspondence and engagement. The United Kingdom holds an adequacy decision under EU GDPR, renewed in December 2025, meaning that data flowing between Croatia and the UK travels under conditions recognised as providing equivalent protection—without the need for additional transfer safeguards. Where data moves beyond these two jurisdictions, such transfers are conducted in accordance with the requirements of UK GDPR Article 46 and EU GDPR Article 46, under appropriate safeguards, and subject to the same principle of necessity that governs all processing within this practice.
Your rights
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you hold rights in relation to personal data that this practice holds about you. These include the right to be informed—which this notice fulfils—the right of access to the data held, the right to rectification of any inaccuracy, the right to erasure where the data is no longer necessary for the purpose for which it was collected, the right to restriction of processing in certain circumstances, and the right to object to processing conducted on the basis of legitimate interest. No automated decision-making or profiling occurs within this practice; your data is held by a person who read what you wrote, listened to what you said, and responded with the same attention with which it was received. To exercise any of these rights, or to raise a concern about the processing of your personal data, please write to croatia@serklaz.com. All data protection complaints will be acknowledged within thirty days of receipt and investigated without undue delay, with the complainant kept informed of progress throughout. If you remain unsatisfied following the conclusion of that process, you have the right to lodge a complaint with the Information Commissioner's Office.
Changes to this notice
This notice reflects the practice as it stands at the effective date shown above. Should the processing activities described here change in any material respect, this notice will be updated and the revised effective date shown accordingly. The governing disposition—the absence of tracking, the commitment to encrypted communication, the refusal to hold data beyond what is genuinely necessary—will not change, because it does not originate in regulation. It originates in the same place as everything else in this practice: in a formation that preceded the brand, and in the values that the brand was built to reflect.
22 Years
of Tradition