Terms of Use

1. Introduction

These Terms of Use ("Terms") govern the use of the website www.feedback-NOTFINAL.eu ("Service") operated by INFO NETWORK d.o.o., with its registered office at Valturska 78/1, 52100 Pula, Croatia ("we", "us", or "our"). The Service enables users to create, manage, and share Forms and surveys, as well as collect and process respondent data. By using the Service, you accept these Terms in their entirety, together with our Privacy Policy and Cookie Policy. If you do not agree with these Terms, please refrain from using the Service.

These Terms are compliant with the Croatian Electronic Commerce Act (NN 173/2003, 67/2008), the Consumer Protection Act (NN 19/2022), the Obligations Act (NN 35/2005, 41/2008, 125/2011, 78/2015, 29/2018), and the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). We reserve the right to amend these Terms at any time, with notification to users via the website or email. Continued use of the Service following amendments constitutes acceptance of the revised Terms.

2. Eligibility

The Service may only be used by individuals aged 16 or older or by legal entities represented by authorized persons. By using the Service, you declare that you meet this requirement and that all information you provide is accurate, complete, and up-to-date. If you use the Service on behalf of a legal entity, you warrant that you have the authority to do so.

We reserve the right to refuse to provide the Service or suspend access to any user without prior notice if we believe they violate these Terms, applicable laws, or jeopardize the security of the Service or other users.

3. Registration and Account

To access certain functionalities of the Service (e.g., creating and managing Forms), account registration is required. During registration, you are obligated to provide accurate and complete information, including:

• Full name
• Email address
• Password
• Additional information as required (e.g., company name)

You are responsible for maintaining the confidentiality of your login credentials (username and password) and for all activities conducted under your account. If you suspect unauthorized use of your account, promptly notify us at prodaja@gtnet.hr or +385 52 637 000. We are not liable for any loss or damage resulting from unauthorized use of your account if you fail to take reasonable measures to protect your credentials.

We reserve the right to deactivate or delete your account if we determine that these Terms have been violated, including providing inaccurate information, misusing the Service, or engaging in unauthorized use.

4. Use of the Service

The Service enables the creation, sharing, and management of Forms and surveys, as well as the collection of respondent data. Users are responsible for the content of the Forms they create and for compliance with applicable laws, including GDPR and Croatian data protection regulations.

Permitted Use:

• Creating Forms to collect data in accordance with legal bases (e.g., respondent consent).
• Using the Service for legitimate business, personal, or non-commercial purposes.
• Adhering to all technical instructions and guidelines available on the website.

Prohibited Use:

• Creating Forms to collect sensitive data (e.g., health, political, or religious information) without explicit respondent consent.
• Using the Service for illegal activities, including fraud, harassment, distribution of malicious software, or violation of third-party rights.
• Attempting unauthorized access to the system, including hacking, data theft, or overloading servers.
• Copying, distributing, or modifying parts of the Service without our explicit permission.

Users who violate these Terms may face account suspension, legal consequences, or other measures in accordance with applicable laws.

5. User Responsibilities

As a user, you are responsible for:

• Ensuring that all Forms you create comply with GDPR, including obtaining respondent consent for data processing.
• Providing clear information to respondents about the purpose of data collection and their rights.
• The accuracy and legality of the content you enter into Forms or share via the Service.
• Respecting the intellectual property rights of third parties (e.g., not using protected logos or texts without permission).

We are not liable for the content created or collected by users through the Service, nor for the consequences arising from illegal or unethical use of the Service.

6. Intellectual Property

All content of the Service, including software, design, logos, texts, graphics, and code, is protected by the intellectual property rights of INFO NETWORK d.o.o. or our licensors. Users are granted a limited, non-transferable license to use the Service solely for the purposes specified in these Terms. Copying, distributing, modifying, or creating derivative works based on our content without explicit written permission is prohibited.

Content entered by users into the Service (e.g., form texts, designs) remains their property, but you grant us a non-exclusive, royalty-free license to process and store such content for the purpose of providing the Service. You warrant that you have all necessary rights to the content you upload.

7. Paid Services

If the Service includes paid features (e.g., premium plans, additional functionalities), the payment terms will be clearly stated at the time of purchase. Prices, payment methods, and refund conditions are specified on our website or in a separate agreement. Payments are processed through secure payment service providers compliant with PCI DSS standards.

Under the Consumer Protection Act (NN 19/2022), consumers are entitled to a refund within 14 days of purchasing digital services if the service has not commenced with their explicit consent. Contact us at prodaja@gtnet.hr for refund requests.

All payments are subject to fiscalization in accordance with the Cash Transactions Fiscalization Act (NN 133/2012). Invoices are issued electronically and delivered to the user’s email address.

8itazione:8. Limitation of Liability

The Service is provided "as is" and "as available," without any warranties, express or implied, including warranties for accuracy, reliability, or uninterrupted operation. We do not guarantee that the Service will be free of errors, viruses, or other harmful components.

INFO NETWORK d.o.o. is not liable for:

• Data loss caused by improper use of the Service or external factors (e.g., cyberattacks).
• Damage resulting from unauthorized access to your account if you fail to protect your login credentials.
• Consequences arising from illegal or unethical use of the Service by users.

Under the Obligations Act (NN 35/2005), our liability is limited to direct damage caused by our gross negligence or intentional breach. Total liability will not exceed the amount you paid for the Service in the preceding 12 months.

9. Termination of Use

We reserve the right to terminate or restrict access to the Service without prior notice if:

• You violate these Terms.
• You use the Service in an illegal or unethical manner.
• There is a security risk to the Service or other users.

Users may terminate their use of the Service at any time by deleting their account or contacting us at prodaja@gtnet.hr. Upon account deletion, data will be erased in accordance with our Privacy Policy.

10. Dispute Resolution

All disputes arising from these Terms or the use of the Service will be resolved amicably. If this is not possible, the competent court in Pula, Croatia, shall have jurisdiction, applying Croatian law. Consumers have the right to alternative dispute resolution under the Consumer Protection Act (NN 19/2022) through the European Commission’s Online Dispute Resolution (ODR) platform: ec.europa.eu/consumers/odr.

11. Contact

For any questions, complaints, or requests regarding these Terms, contact us at:

• Email: prodaja@gtnet.hr
• Phone: +ggbb+385 52 637 000
• Post: INFO NETWORK d.o.o., Valturska 78/1, 52100 Pula, Croatia

12. Amendments to the Terms

We reserve the right to amend these Terms at any time. The updated version will be published on this page, with the effective date. We will notify you of significant changes via email, website notifications, or other appropriate channels. Continued use of the Service following amendments constitutes acceptance of the revised Terms.

Effective Date: 7 July 2025.

Privacy Policy

1. Introduction

INFO NETWORK d.o.o., with its registered office at Valturska 78/1, 52100 Pula, Croatia ("we", "us", or "our"), is committed to protecting the privacy of users of our website www.feedback-NOTFINAL.eu ("Service"). This Privacy Policy comprehensively outlines how we collect, process, store, and protect personal data in compliance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Croatian Act on the Implementation of the General Data Protection Regulation (NN 42/2018), the Electronic Commerce Act (NN 173/2003, 67/2008), and other relevant national and European regulations. Our aim is to ensure the highest level of transparency, security, and compliance with legal obligations while providing a reliable platform for creating and managing Forms and surveys.

This Privacy Policy explains which data we collect, the purposes for which we use it, how we protect it, and your rights as a data subject. It applies to all users of the Service, including those who create Forms and respondents who complete them.

2. Data Controller

INFO NETWORK d.o.o.
Valturska 78/1, 52100 Pula, Croatia
Email: prodaja@gtnet.hr
Phone: +385 52 637 000

For any questions, requests, or complaints regarding data processing, please contact us via email at prodaja@gtnet.hr, by phone at +385 52 637 000, or by post at the address above. If you believe that the processing of your personal data violates GDPR, you may lodge a complaint with the Croatian Personal Data Protection Agency (AZOP):

• Address: Selska cesta 136, 10000 Zagreb, Croatia
• Email: azop@azop.hr
• Website: www.azop.hr

3. Types of Data

In accordance with the principles of data minimization and purpose limitation, we collect the following categories of personal data:

• User Data: When registering, creating an account, or using the Service to create and manage Forms, we collect data such as:
  • Full name
  • Email address
  • Username and password (if an authentication system is used)
  • Additional data voluntarily provided during account or form configuration (e.g., company name, preferences, contact details)
• Respondent Data: When third parties complete Forms created through our Service, we collect data entered into the Forms, which may include:
  • Personal data such as name, email address, phone number, address, or other identifiers, depending on the form design created by the user
  • Sensitive data (e.g., health data, political opinions, religious beliefs) if included in the Forms, subject to explicit respondent consent and compliance with Article 9 of GDPR
• Technical Data: We automatically collect data to ensure the functionality and security of the Service, including:
  • IP address
  • Browser type and version (e.g., Chrome, Firefox)
  • Operating system and device type (e.g., Windows, iOS)
  • Time and date of visits
  • Visited pages, interactions with the Service (e.g., clicks, time spent on a page), and usage statistics (e.g., number of Forms created)
• Cookies and Similar Technologies: We use cookies, tracking pixels, and similar technologies to enhance functionality, analytics, and personalization, subject to your explicit consent. Details are available in our Cookie Notice.

4. Purpose and Legal Basis

We process personal data for the following purposes and based on the following legal bases under Article 6 of GDPR:

• Provision and Maintenance of the Service: Enabling the creation, sharing, management, and processing of Forms and storage of submissions via our platform (Article 6(1)(b) GDPR – performance of a contract).
• Communication with Users: Sending notifications about account status, technical updates, changes to the Service, security alerts, or responses to user inquiries (Article 6(1)(b) GDPR – performance of a contract or Article 6(1)(f) GDPR – legitimate interest in ensuring seamless use of the Service).
• Service Improvement: Analyzing usage data (e.g., form usage patterns, website traffic analytics, user behavior) to optimize functionality, user experience, and security (Article 6(1)(f) GDPR – legitimate interest).
• Marketing Activities: Sending promotional notifications, newsletters, personalized offers, or information about new features, solely with your explicit consent (Article 6(1)(a) GDPR – consent).
• Compliance with Legal Obligations: Fulfilling regulatory requirements, including tax, accounting, or legal obligations (e.g., payment records, responding to requests from competent authorities) (Article 6(1)(c) GDPR – legal obligation).
• Prevention of Fraud and Security Threats: Processing data to detect and prevent unauthorized access, misuse, or cyberattacks on the Service (Article 6(1)(f) GDPR – legitimate interest).
• Sensitive Data: If users create Forms that collect special categories of personal data (e.g., health data, political opinions, religious beliefs, criminal records), processing is based on explicit respondent consent (Article 9(2)(a) GDPR) and additional security measures.

5. Recipients

Personal data may be shared with a limited group of recipients to ensure the provision of the Service and compliance with legal obligations:

• Internal Recipients: Our employees and contractors who manage the Service or provide technical support (e.g., system administrators, customer support), subject to strict confidentiality obligations and GDPR compliance.
• External Third Parties: Service providers supporting our Service, including:
  • Cloud hosting providers (e.g., Amazon Web Services, Google Cloud, Microsoft Azure) compliant with GDPR and with whom we have Data Processing Agreements (DPAs).
  • Analytics platForms (e.g., Google Analytics, Hotjar) for processing usage data, solely with your consent.
  • Email communication service providers (e.g., Mailchimp, SendGrid) for sending notifications or newsletters, with consent.
• Competent Authorities: Regulatory bodies (e.g., Tax Administration, Croatian Personal Data Protection Agency) or courts, if required by law, including for tax inspections, legal proceedings, or security investigations.

Users creating Forms are responsible for ensuring respondent data complies with GDPR, including informing respondents about the purpose of processing and their rights.

6. Transfer of Data Outside the EU

Personal data is primarily processed and stored within the European Union or European Economic Area (EEA) to ensure maximum protection. In exceptional cases, if data is transferred outside the EU/EEA (e.g., when using service providers based outside the EU), we ensure GDPR compliance through:

• Standard Contractual Clauses (SCC) approved by the European Commission.
• Transfers to countries with an adequate level of data protection (e.g., Canada, Japan, per EU decisions).
• Binding Corporate Rules (BCR) or other approved protection mechanisms.

Users will be informed of any data transfers outside the EU/EEA via an updated Privacy Policy or direct notification.

7. Retention Period

We store personal data only for as long as necessary to fulfill the purpose of processing, in accordance with the principle of storage limitation:

• User Data: Stored while your account is active. Upon deactivation or a request to delete your account, data is deleted within 30 days, unless longer retention is required by law (e.g., for tax or accounting purposes under the Accounting Act, NN 78/15, which mandates retention for up to 11 years).
• Respondent Data: Stored according to the terms set by the user who created the form. If a user deletes a form or account, respondent data is deleted within 30 days, unless the respondent requests earlier deletion or longer retention is required by law.
• Technical Data: Stored for up to 12 months for analytical purposes, unless you consent to longer retention. Anonymized data may be retained indefinitely for statistical purposes.
• Legal Data: Data required for compliance with tax, accounting, or legal regulations (e.g., payment records) is stored in accordance with Croatian law, typically for 11 years.

8. Security

We implement comprehensive technical and organizational measures to protect personal data, including:

• SSL/TLS encryption for data transmission and AES-256 encryption for data storage.
• Storage of data on servers within the EU, protected by firewalls, intrusion detection systems (IDS), and regular security updates.
• Restricted access to data, limited to authorized employees with signed confidentiality agreements.
• Anonymization and pseudonymization of data where possible.
• Regular security audits, vulnerability testing, and Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
• Notification of personal data breaches to users and AZOP within 72 hours, in accordance with Article 33 of GDPR, with measures to mitigate harm.

9. User Rights

As a data subject, you have the following rights under GDPR:

• Right of Access: Obtain information about which of your data is processed, for what purpose, who has access, and how long it is stored (Article 15 GDPR).
• Right to Rectification: Correct inaccurate or incomplete personal data (Article 16 GDPR).
• Right to Erasure: Request deletion of your data ("right to be forgotten"), unless there is a legal obligation to retain it (Article 17 GDPR).
• Right to Restriction of Processing: Restrict processing in certain situations, e.g., if you contest the accuracy of the data (Article 18 GDPR).
• Right to Data Portability: Receive your data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON) or request its transfer to another controller (Article 20 GDPR).
• Right to Object: Object to processing based on legitimate interests, including for marketing purposes (Article 21 GDPR).
• Right to Withdraw Consent: Withdraw consent for data processing at any time, without affecting the lawfulness of prior processing (Article 7 GDPR).
• Right to Lodge a Complaint: File a complaint with a supervisory authority (AZOP) if you believe processing violates GDPR.

To exercise these rights, contact us at prodaja@gtnet.hr, by phone at +385 52 637 000, or by post at Valturska 78/1, 52100 Pula, Croatia. We will respond within 30 days, except in complex cases where the deadline may be extended by an additional 60 days, with prior notification. Requests are processed free of charge, unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.

10. Processing of Sensitive Data

If users create Forms that collect special categories of personal data (e.g., health data, political opinions, religious beliefs, criminal records), we implement additional safeguards, including:

• Requiring explicit respondent consent prior to collection, in accordance with Article 9(2)(a) GDPR.
• Limited storage and processing with strict security protocols.
• Notifying users of their responsibility to comply with GDPR when collecting sensitive data.

Users creating forms are responsible for ensuring respondents are properly informed about the purpose of collection and have provided consent.

11. Contact

For any questions, requests, or complaints regarding this Privacy Policy, contact us at:

• Email: prodaja@gtnet.hr
• Phone: +385 52 637 000
• Post: INFO NETWORK d.o.o., Valturska 78/1, 52100 Pula, Croatia

If you believe the processing of your data violates GDPR or other regulations, you may lodge a complaint with the Croatian Personal Data Protection Agency (AZOP):

• Address: Selska cesta 136, 10000 Zagreb, Croatia
• Email: azop@azop.hr
• Website: www.azop.hr

12. Changes

We may periodically update this Privacy Policy to reflect changes in our practices, legal obligations, or Service functionalities. The updated version will be published on this page, with the effective date. We will notify you of significant changes via email, website notifications, or other appropriate channels. We recommend regularly reviewing this Policy to stay informed about our data processing practices.

Effective Date: 7 July 2025.

Cookie Policy

1. Introduction

INFO NETWORK d.o.o., with its registered office at Valturska 78/1, 52100 Pula, Croatia ("we", "us", or "our"), uses cookies and similar technologies on the website www.feedback-NOTFINAL.eu ("Service") to enhance functionality, user experience, and analytics. This Cookie Policy explains what cookies are, how we use them, what data they collect, how you can manage cookie settings, and your related rights. This Policy is compliant with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Croatian Electronic Commerce Act (NN 173/2003, 67/2008), and the Act on the Implementation of the General Data Protection Regulation (NN 42/2018).

By accepting cookies via our consent banner or continuing to use the Service, you agree to the use of cookies as described in this Policy. If you do not agree with the use of cookies, you may disable them through your browser settings or our cookie management tool.

2. What Are Cookies?

Cookies are small text files stored on your device (computer, tablet, or smartphone) when you visit a website. They enable the website to "remember" your settings, behavior, or preferences during your visit or for future visits. Similar technologies, such as tracking pixels, web beacons, or local storage, serve comparable purposes.

Cookies are categorized as follows:

• Session Cookies: Temporary cookies that are deleted when you close your browser.
• Persistent Cookies: Remain on your device until they expire or are manually deleted.
• First-Party Cookies: Set by us, INFO NETWORK d.o.o., for the purposes of the Service.
• Third-Party Cookies: Set by our partners (e.g., analytics or marketing platforms).

3. Types of Cookies We Use

We use the following categories of cookies:

• Necessary Cookies: Essential for the operation of the Service, enabling core functionalities such as navigation, account login, and security. These do not collect personal data for marketing purposes and do not require your consent (Article 6(1)(b) GDPR – performance of a contract). Example: session authentication cookies.
• Functional Cookies: Enhance user experience by remembering your preferences (e.g., language, form settings). These are used with your consent (Article 6(1)(a) GDPR). Example: cookies for storing selected language preferences.
• Analytical Cookies: Collect anonymized data about Service usage (e.g., visited pages, time spent on pages) for performance analysis and improvement. These are used with your consent (Article 6(1)(a) GDPR). Example: Google Analytics cookies.
• Marketing Cookies: Enable personalized advertisements and tracking of marketing campaign effectiveness. These are used exclusively with your consent (Article 6(1)(a) GDPR). Example: cookies for displaying targeted ads.

4. List of Cookies

The following cookies may be used on our Service (this list is not exhaustive and may be updated):

• Necessary Cookies:
  • Name: session_id | Purpose: User authentication | Duration: Session | Type: First-party
  • Name: csrf_token | Purpose: Protection against CSRF attacks | Duration: Session | Type: First-party
• Functional Cookies:
  • Name: user_prefs | Purpose: Storing user preferences (e.g., language, theme) | Duration: 1 year | Type: First-party
• Analytical Cookies:
  • Name: _ga | Purpose: Tracking website visits (Google Analytics) | Duration: 2 years | Type: Third-party
  • Name: _hjSession | Purpose: Analyzing user behavior (Hotjar) | Duration: Session | Type: Third-party
• Marketing Cookies:
  • Name: _fbp | Purpose: Tracking advertisements (Facebook Pixel) | Duration: 3 months | Type: Third-party

5. Purpose and Legal Basis

We use cookies for the following purposes and based on the following legal bases:

• Necessary Cookies: Ensuring core functionality and security of the Service (Article 6(1)(b) GDPR – performance of a contract; Article 6(1)(f) GDPR – legitimate interest).
• Functional Cookies: Enhancing user experience through personalization (Article 6(1)(a) GDPR – consent).
• Analytical Cookies: Analyzing Service usage to optimize performance and user experience (Article 6(1)(a) GDPR – consent).
• Marketing Cookies: Displaying personalized ads and measuring campaign effectiveness (Article 6(1)(a) GDPR – consent).

Necessary cookies do not require your consent as they are essential for the Service’s operation. For all other cookie categories, we request your explicit consent via the cookie banner upon your first visit to the site.

6. Managing Cookies

You can manage cookies through:

• Consent Banner: Upon your first visit to the Service, you can choose which cookie categories to accept (except necessary cookies, which are always active). You can modify your settings at any time via our cookie management tool on the website.
• Browser Settings: Most browsers allow you to block or delete cookies. For example:
  • Google Chrome: Settings > Privacy and Security > Cookies and Other Site Data
  • Mozilla Firefox: Settings > Privacy & Security > Cookies and Site Data
  • Safari: Settings > Privacy > Cookies and Website Data

Note: Blocking necessary cookies may affect the functionality of the Service, such as preventing login or form saving.

7. Data Transfer Outside the EU/EEA

Data collected via third-party cookies (e.g., Google Analytics, Facebook Pixel) may be transferred outside the EU/EEA, e.g., to the USA. In such cases, we ensure GDPR compliance through:

• Standard Contractual Clauses (SCC) approved by the European Commission.
• Transfers to countries with an adequate level of data protection.
• Binding Corporate Rules (BCR) or other approved mechanisms.

For more information on data transfers, refer to our Privacy Policy.

8. User Rights

Under GDPR, you have the following rights regarding data collected via cookies:

• Right of Access: Obtain information about which data is collected and how it is processed (Article 15 GDPR).
• Right to Rectification: Correct inaccurate data (Article 16 GDPR).
• Right to Erasure: Request deletion of data collected via cookies (Article 17 GDPR).
• Right to Restriction of Processing: Restrict processing in certain situations (Article 18 GDPR).
• Right to Data Portability: Receive data in a machine-readable format (Article 20 GDPR).
• Right to Object: Object to data processing for analytical or marketing purposes (Article 21 GDPR).
• Right to Withdraw Consent: Withdraw consent for cookies at any time via our cookie management tool (Article 7 GDPR).

To exercise these rights, contact us at prodaja@gtnet.hr, by phone at +385 52 637 000, or by post at Valturska 78/1, 52100 Pula, Croatia. We will respond within 30 days, with a possible extension of up to 60 days for complex requests.

9. Contact

For any questions, complaints, or requests regarding this Cookie Policy, contact us at:

• Email: prodaja@gtnet.hr
• Phone: +385 52 637 000
• Post: INFO NETWORK d.o.o., Valturska 78/1, 52100 Pula, Croatia

If you believe data processing violates GDPR, you may lodge a complaint with the Croatian Personal Data Protection Agency (AZOP):

• Address: Selska cesta 136, 10000 Zagreb, Croatia
• Email: azop@azop.hr
• Website: www.azop.hr

10. Policy Updates

We may periodically update this Cookie Policy to reflect changes in technologies, practices, or legal requirements. The updated version will be published on this page, with the effective date. We will notify you of significant changes via email, website banners, or other appropriate channels. We recommend regularly reviewing this Policy.

Effective Date: 7 July 2025.

GDPR Compliance

1. Introduction

INFO NETWORK d.o.o., with its registered office at Valturska 78/1, 52100 Pula, Croatia ("we", "us", or "our"), is committed to protecting the personal data of users of our website www.feedback-NOTFINAL.eu ("Service") in accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the Croatian Act on the Implementation of the General Data Protection Regulation (NN 42/2018), the Electronic Commerce Act (NN 173/2003, 67/2008), and other relevant Croatian and European regulations. This page provides a comprehensive overview of our GDPR compliance practices, including the collection, processing, storage, and protection of personal data, as well as the rights of users and respondents utilizing our platform for creating and managing Forms and surveys.

Our objective is to ensure the highest level of transparency, security, and legal compliance while adhering to the principles of lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability as stipulated in Article 5 of GDPR. This page complements our Privacy Policy, Terms of Use, and Cookie Policy, offering detailed insight into our GDPR obligations.

2. Data Controller

The data controller for personal data is:

• INFO NETWORK d.o.o.
• Address: Valturska 78/1, 52100 Pula, Croatia
• Email: prodaja@gtnet.hr
• Phone: +385 52 637 000

For any questions, requests, or complaints regarding data processing, please contact us via email at prodaja@gtnet.hr, by phone at +385 52 637 000, or by post at the address above. If you believe that the processing of your data violates GDPR, you may lodge a complaint with the Croatian Personal Data Protection Agency (AZOP):

• Address: Selska cesta 136, 10000 Zagreb, Croatia
• Email: azop@azop.hr
• Website: www.azop.hr

3. Types of Data Collected

In accordance with the principle of data minimization (Article 5(1)(c) GDPR), we collect only the data necessary to fulfill defined purposes. The categories of data include:

• User Data: Collected during registration, account creation, or use of the Service, including:
  • Full name
  • Email address
  • Username and password (if authentication is used)
  • Additional data voluntarily provided (e.g., company name, contact details)
• Respondent Data: Collected from Forms created by users through the Service, including:
  • Personal data such as name, email address, phone number, or address, depending on the form design
  • Special categories of data (e.g., health data, political opinions) if included in Forms, subject to explicit respondent consent (Article 9(2)(a) GDPR)
• Technical Data: Automatically collected to ensure functionality and security, including:
  • IP address
  • Browser type and version (e.g., Chrome, Firefox)
  • Operating system and device type (e.g., Windows, iOS)
  • Date and time of visits
  • Visited pages and interaction patterns (e.g., clicks, time spent on pages)
• Cookies and Similar Technologies: We use cookies, tracking pixels, and local storage for functionality, analytics, and personalization, subject to your consent. Details are available in our Cookie Policy.

4. Purposes and Legal Bases for Processing

We process personal data based on the following legal bases under Article 6 of GDPR:

• Performance of a Contract (Article 6(1)(b)): Providing the Service, including creating, sharing, and managing Forms, and storing submissions.
• Legitimate Interest (Article 6(1)(f)): Improving functionality, security, and user experience; preventing fraud; analyzing Service usage (e.g., traffic statistics).
• Consent (Article 6(1)(a)): Sending marketing notifications, newsletters, or personalized offers; using analytical and marketing cookies.
• Legal Obligation (Article 6(1)(c)): Fulfilling regulatory requirements, including tax and accounting obligations under the Accounting Act (NN 78/15) or responding to requests from competent authorities.
• Special Categories of Data (Article 9(2)(a)): Processing sensitive data (e.g., health, political opinions) is based on explicit respondent consent and additional security measures.

Users creating Forms are responsible for ensuring a legal basis for processing respondent data, including obtaining consent where required.

5. Recipients of Data

Personal data may be shared with a limited group of recipients to provide the Service and comply with legal obligations:

• Internal Recipients: Employees and contractors managing the Service or providing technical support, subject to strict confidentiality obligations.
• External Third Parties:
  • Cloud hosting providers (e.g., Amazon Web Services, Google Cloud) compliant with GDPR, with whom we have Data Processing Agreements (DPAs).
  • Analytics platforms (e.g., Google Analytics, Hotjar) for processing usage data, with consent.
  • Email communication service providers (e.g., Mailchimp, SendGrid) for sending notifications, with consent.
• Competent Authorities: Tax Administration, Croatian Personal Data Protection Agency (AZOP), or courts, as required by law (e.g., for tax inspections or legal proceedings).

All recipients are obligated to comply with GDPR and Croatian data protection regulations.

6. Data Transfer Outside the EU/EEA

Personal data is primarily processed and stored within the European Union or European Economic Area (EEA) to ensure maximum protection. In exceptional cases, if data is transferred outside the EU/EEA (e.g., when using service providers like Google Analytics), we ensure GDPR compliance through:

• Standard Contractual Clauses (SCC) approved by the European Commission.
• Transfers to countries with an adequate level of data protection (e.g., Canada, Japan).
• Binding Corporate Rules (BCR) or other approved mechanisms.

Users will be notified of any data transfers outside the EU/EEA via an updated Privacy Policy or direct notification.

7. Data Retention Period

We store personal data only for as long as necessary to fulfill the purpose of processing, in accordance with the storage limitation principle (Article 5(1)(e) GDPR):

• User Data: Stored while the account is active. Upon deactivation or a deletion request, data is erased within 30 days, unless longer retention is required by law (e.g., 11 years for accounting purposes under the Accounting Act, NN 78/15).
• Respondent Data: Stored based on the terms set by the user creating the form. Upon deletion of a form or account, data is erased within 30 days, unless the respondent requests earlier deletion or longer retention is required by law.
• Technical Data: Stored for up to 12 months for analytical purposes. Anonymized data may be retained indefinitely for statistical purposes.
• Legal Data: Data required for tax or legal compliance is stored in accordance with Croatian law, typically for 11 years.

8. Security Measures

We implement comprehensive technical and organizational measures to protect personal data, in accordance with Article 32 of GDPR:

• Encryption: SSL/TLS for data transmission and AES-256 for data storage.
• Secure Servers: Data is stored on servers within the EU, protected by firewalls, intrusion detection systems (IDS), and regular security updates.
• Restricted Access: Access to data is limited to authorized employees with signed confidentiality agreements.
• Anonymization and Pseudonymization: We apply anonymization for analytical data and pseudonymization for user data where possible.
• Regular Audits: Conducting security audits, vulnerability testing, and Data Protection Impact Assessments (DPIAs) for high-risk processing activities, per Article 35 of GDPR.
• Incident Response Plan: In case of a personal data breach, we will notify users and AZOP within 72 hours (Article 33 GDPR) and take measures to mitigate harm.

9. Data Subject Rights

Under GDPR, users and respondents have the following rights:

• Right of Access (Article 15): Obtain information about which data is processed, for what purpose, and who has access.
• Right to Rectification (Article 16): Correct inaccurate or incomplete data.
• Right to Erasure (Article 17): Request data deletion ("right to be forgotten"), unless there is a legal obligation to retain it.
• Right to Restriction of Processing (Article 18): Restrict processing in certain situations (e.g., if you contest data accuracy).
• Right to Data Portability (Article 20): Receive data in a machine-readable format (e.g., CSV, JSON) or request transfer to another controller.
• Right to Object (Article 21): Object to processing based on legitimate interests, including for marketing purposes.
• Right to Withdraw Consent (Article 7): Withdraw consent for data processing at any time, without affecting prior processing.
• Right to Lodge a Complaint (Article 77): File a complaint with a supervisory authority (AZOP) if you believe processing violates GDPR.

To exercise these rights, contact us at prodaja@gtnet.hr, by phone at +385 52 637 000, or by post at Valturska 78/1, 52100 Pula, Croatia. We will respond within 30 days, with a possible extension of up to 60 days for complex requests. Requests are processed free of charge, unless manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.

10. Processing of Sensitive Data

If users create Forms collecting special categories of personal data (e.g., health data, political opinions, religious beliefs, criminal records), we implement additional safeguards:

• Explicit respondent consent prior to collection (Article 9(2)(a) GDPR).
• Limited storage and processing with strict security protocols.
• Notifying users of their responsibility to comply with GDPR.

Users creating Forms must ensure respondents are informed about the purpose of processing, their rights, and provide consent where required.

11. User Obligations

Users collecting respondent data through the Service act as data controllers under GDPR and are responsible for:

• Ensuring a legal basis for data processing (e.g., consent, contract).
• Informing respondents about the purpose of processing, their rights, and the identity of the data controller.
• Implementing security measures to protect respondent data.
• Responding to respondents’ requests to exercise their GDPR rights.

INFO NETWORK d.o.o. acts as a data processor for respondent data, processing it solely according to user instructions and in compliance with a Data Processing Agreement (DPA).

12. Data Protection Impact Assessment (DPIA)

In accordance with Article 35 of GDPR, we conduct Data Protection Impact Assessments (DPIAs) for processing activities that may pose a high risk to individuals’ rights and freedoms, such as processing sensitive data or using third-party analytics tools. DPIAs include:

• Description of processing operations and purposes.
• Assessment of necessity and proportionality.
• Analysis of risks to data subjects.
• Measures to mitigate risks, including security protocols.

DPIA results are available upon request, subject to confidentiality of business information.

13. Data Breach Notifications

In the event of a personal data breach, we follow the procedures outlined in Articles 33 and 34 of GDPR:

• We will notify AZOP within 72 hours of becoming aware of a breach if it is likely to result in a risk to individuals’ rights and freedoms.
• We will inform affected users and respondents without undue delay if the breach is likely to result in a high risk, unless measures have been taken to neutralize the risk.
• We maintain records of all data breaches, including their causes, consequences, and remedial actions.

14. Contact and Complaints

For any questions, requests, or complaints regarding GDPR compliance, contact us at:

• Email: prodaja@gtnet.hr
• Phone: +385 52 637 000
• Post: INFO NETWORK d.o.o., Valturska 78/1, 52100 Pula, Croatia

If you believe data processing violates GDPR, you may lodge a complaint with the Croatian Personal Data Protection Agency (AZOP):

• Address: Selska cesta 136, 10000 Zagreb, Croatia
• Email: azop@azop.hr
• Website: www.azop.hr

15. Updates to This Page

We may periodically update this page to reflect changes in our practices, legal requirements, or Service functionalities. The updated version will be published on this page, with the effective date. We will notify you of significant changes via email, website notifications, or other appropriate channels. We recommend regularly reviewing this page.

Effective Date: 7 July 2025