Summary for Data Subjects
This Privacy & Cookie Policy describes how VISION COMPLIANCE d.o.o. processes your personal data. Before reading in detail, here are the key points:
- Data Controller: VISION COMPLIANCE d.o.o., OIB: 82941998009, Ulica Republike Austrije 23, 10000 Zagreb
- Data Protection Contact: contact@visioncompliance.eu
- Processing Purposes: responding to inquiries, service delivery, marketing (with consent), website analytics
- Legal Bases: consent, contract performance, legitimate interest, legal obligation
- Your Rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent
- Complaints: Croatian Data Protection Agency (AZOP), www.azop.hr
- International Transfers: USA (Standard Contractual Clauses)
- Cookies: necessary, analytics, and marketing (with consent)
1. Data Controller
Pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR), we inform you that the controller of your personal data is:
Company Information
| Field | Value |
|---|---|
| Company Name | VISION COMPLIANCE d.o.o. |
| Legal Form | Limited Liability Company |
| Registered Address | Ulica Republike Austrije 23, 10000 Zagreb, Republic of Croatia |
| OIB (Tax ID) | 82941998009 |
| MBS (Registration No.) | 05256968 |
| Registry Court | Commercial Court in Zagreb |
| Business Activity | 70.22 – Management consultancy activities |
| Year of Establishment | 2020 |
| Email | contact@visioncompliance.eu |
| Website | www.visioncompliance.eu |
Data Protection Contact
For all questions regarding the processing of your personal data, exercising your rights, or complaints, you may contact us at: contact@visioncompliance.eu. We undertake to respond to each inquiry within 30 days of receipt.
2. Scope of Application
This Privacy & Cookie Policy applies to:
- The website visioncompliance.eu and all its subpages
- Communication via email, telephone, and contact forms
- Use of our consulting services
- Subscription to our newsletter
- Registration for our trainings, webinars, and events
- All other interactions with VISION COMPLIANCE d.o.o.
This policy does not apply to third-party websites to which we may link. We recommend reading the privacy policies of those websites before providing them with your personal data.
3. Legal Framework
When processing your personal data, we comply with the following regulations:
European Regulations
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR)
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive)
National Legislation of the Republic of Croatia
- Act on the Implementation of the General Data Protection Regulation (OG 42/18)
- Electronic Communications Act (OG 73/08, 90/11, 133/12, 80/13, 71/14, 72/17)
- Electronic Commerce Act (OG 173/03, 67/08, 36/09, 130/11, 30/14, 32/19)
- Consumer Protection Act (OG 41/14, 110/15, 14/19)
4. Categories of Personal Data We Collect
Depending on how you interact with us, we may collect different categories of personal data. Below are all categories of data we may process:
4.1. Identification Data
- First and last name
- Company / organization name
- Position / job title
- OIB (if required for contractual relationships)
4.2. Contact Data
- Email address
- Phone number (landline and/or mobile)
- Postal address
- Social media profiles (if provided by you)
4.3. Company / Organization Data
- Company name and legal form
- Registered address
- Industry and business activity
- Company size (number of employees)
- Contact person details
4.4. Communication Data
- Content of your inquiries via contact form
- Content of email messages
- Notes from telephone conversations (with your consent)
- Meeting minutes
- Feedback and evaluations
4.5. Technical Data (automatically collected)
- IP address (anonymized/truncated where possible)
- Browser type and version
- Operating system and platform
- Screen resolution and device type
- Browser language settings
- Referral source (referrer URL)
- Date and time of visit
- Pages visited and time spent on them
- Interactions with page elements (clicks, scrolling)
4.6. Cookie and Similar Technology Data
- Unique device identifiers
- Session data
- User preferences (language, theme)
- Advertising conversion data
5. Processing Purposes and Legal Bases
In accordance with the principle of lawfulness under Article 5 of GDPR, we process personal data exclusively on the basis of one of the legal grounds set out in Article 6 of GDPR. Below are all processing purposes and corresponding legal bases:
5.1. Responding to Inquiries and Communication
When you send us an inquiry via contact form, email, or telephone, we process your data to respond to your inquiry and provide you with the requested information.
- Legal basis: Article 6(1)(b) GDPR – taking steps prior to entering into a contract at the request of the data subject
- Data: name, email, phone, inquiry content
- Retention period: 2 years from last communication
5.2. Providing Services
When you enter into a contract with us for the use of our consulting services, we process your data for the performance of the contract.
- Legal basis: Article 6(1)(b) GDPR – performance of a contract
- Data: identification data, contact data, company data, communication data
- Retention period: duration of contractual relationship + 10 years (legal obligation to retain business documentation)
5.3. Sending Newsletters and Marketing Materials
With your explicit consent, we may send you newsletters with news about regulatory changes, professional articles, and information about our services.
- Legal basis: Article 6(1)(a) GDPR – consent of the data subject
- Data: name, email address
- Retention period: until withdrawal of consent
- Note: You may withdraw your consent at any time by clicking the 'Unsubscribe' link in each newsletter or by contacting us at contact@visioncompliance.eu
5.4. Website and User Experience Improvement
We use analytical tools to understand how visitors use our website and identify areas for improvement.
- Legal basis: Article 6(1)(a) GDPR – consent (for analytics cookies)
- Data: technical data, behavioral data on site (anonymized)
- Retention period: 14 months (Google Analytics)
5.5. Advertising Effectiveness Measurement
With your consent, we use marketing cookies to track the effectiveness of our advertising campaigns on platforms such as Google Ads, Facebook, and LinkedIn.
- Legal basis: Article 6(1)(a) GDPR – consent of the data subject
- Data: cookie data, conversion data
- Retention period: according to duration of each cookie (see cookie table)
5.6. Fulfilling Legal Obligations
We may process your data when necessary to fulfill legal obligations to which we are subject, including accounting, tax, and regulatory requirements.
- Legal basis: Article 6(1)(c) GDPR – compliance with a legal obligation
- Data: data necessary to fulfill the specific legal obligation
- Retention period: in accordance with statutory periods (e.g., 11 years for accounting documentation)
5.7. Protection of Legitimate Interests
In limited cases, we may process your data on the basis of our legitimate interests, where those interests do not override your fundamental rights and freedoms.
- Legal basis: Article 6(1)(f) GDPR – legitimate interest
- Examples: fraud prevention, IT system security, establishment or defense of legal claims
- Note: You have the right to object to processing based on legitimate interest
6. Recipients of Personal Data
We do not sell your personal data or share it with third parties for marketing purposes without your explicit consent. We may share data with the following categories of recipients, solely to the extent necessary to achieve processing purposes and with appropriate safeguards:
6.1. IT Service and Infrastructure Providers
| Provider | Location | Purpose | Safeguards |
|---|---|---|---|
| Vercel Inc. | USA | Website hosting, CDN, serverless functions | Standard Contractual Clauses (SCC) |
| SendGrid (Twilio Inc.) | USA | Transactional email delivery, contact form processing | Standard Contractual Clauses (SCC) |
| Sentry (Functional Software Inc.) | USA | Application error tracking, performance diagnostics | Standard Contractual Clauses (SCC) |
6.2. Analytics and Marketing Service Providers
The following service providers process data only with your cookie consent:
| Provider | Location | Purpose | Safeguards |
|---|---|---|---|
| Google LLC (Analytics, Ads, Tag Manager) | USA | Website analytics, conversion measurement, tag management | Standard Contractual Clauses (SCC) |
| Meta Platforms Inc. | USA | Facebook Ads pixel – advertising effectiveness measurement | Standard Contractual Clauses (SCC) |
| LinkedIn Corporation | USA | LinkedIn Insight Tag – conversion tracking from LinkedIn ads | Standard Contractual Clauses (SCC) |
6.3. Consent Management Service Providers
| Provider | Location | Purpose | Safeguards |
|---|---|---|---|
| Cybot A/S (Cookiebot) | Denmark (EU) | Cookie consent management, consent logging | Processing within EU/EEA |
6.4. Other Bodies and Institutions
In cases provided by law, we may disclose your data to:
- Competent regulatory bodies and supervisory institutions
- Courts and other bodies in judicial and administrative proceedings
- Tax authorities and other state bodies when legally required
- Auditors and legal advisors under confidentiality agreements
7. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), particularly in the United States. When transferring personal data to third countries, we ensure an adequate level of protection through the following mechanisms:
7.1. Standard Contractual Clauses (SCC)
For transfers to the USA, we use Standard Contractual Clauses (SCC) adopted by the European Commission through Implementing Decision (EU) 2021/914. These clauses ensure that data recipients in third countries provide a level of protection equivalent to that in the EU.
7.2. Additional Technical and Organizational Measures
In addition to SCCs, we apply supplementary measures in accordance with EDPB recommendations:
- Encryption of data in transit (TLS 1.3)
- Pseudonymization and anonymization where possible
- Minimization of transferred data
- Contractual obligations regarding notification in case of access requests from authorities
7.3. Your Rights
You have the right to request a copy of the Standard Contractual Clauses and information about additional safeguards by contacting us at contact@visioncompliance.eu.
8. Data Retention Periods
In accordance with the storage limitation principle under Article 5 of GDPR, we retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Below are specific retention periods:
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Contact form and email communication data | 2 years from last communication | Legitimate interest (Art. 6.1.f GDPR) |
| Newsletter subscriptions | Until consent withdrawal + 30 days for technical processing | Consent (Art. 6.1.a GDPR) |
| Contractual data and business documentation | Duration of contract + 10 years | Legal obligation (Accounting Act, General Tax Act) |
| Invoices and financial documentation | 11 years from issuance | Legal obligation (Art. 10 Accounting Act) |
| Analytics data (Google Analytics) | 14 months | Consent (Art. 6.1.a GDPR) |
| Cookie consent data | 12 months from consent | Legal obligation to prove consent |
| Data for defense of legal claims | Until expiration of limitation periods (5-10 years) | Legitimate interest (Art. 6.1.f GDPR) |
Upon expiration of the above periods, data is permanently deleted or anonymized so that you can no longer be identified.
9. Your Rights as a Data Subject
Under GDPR, you have the following rights regarding the processing of your personal data. All rights may be exercised free of charge, and we will respond to your request without undue delay, and no later than within 30 days.
9.1. Right of Access (Article 15 GDPR)
You have the right to obtain confirmation as to whether we process your personal data and, if so, access to that data and the following information: purposes of processing, categories of data, recipients, retention period, your rights, source of data, existence of automated decision-making.
9.2. Right to Rectification (Article 16 GDPR)
You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of processing, you have the right to have incomplete personal data completed.
9.3. Right to Erasure – 'Right to be Forgotten' (Article 17 GDPR)
You have the right to obtain the erasure of personal data concerning you if:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds for processing
- The data has been unlawfully processed
- The data must be erased for compliance with a legal obligation
9.4. Right to Restriction of Processing (Article 18 GDPR)
You have the right to obtain restriction of processing if:
- You contest the accuracy of the data – for a period enabling verification of accuracy
- Processing is unlawful and you oppose erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing – pending verification whether our legitimate grounds override yours
9.5. Right to Data Portability (Article 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller. This right applies where processing is based on consent or contract and is carried out by automated means.
9.6. Right to Object (Article 21 GDPR)
You have the right to object to the processing of your personal data based on legitimate interest, including profiling. In case of objection, we will no longer process your data unless we demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
9.7. Right to Withdraw Consent (Article 7(3) GDPR)
If processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You may withdraw consent by sending an email to contact@visioncompliance.eu or by clicking the unsubscribe link in the newsletter.
9.8. Right to Lodge a Complaint with a Supervisory Authority (Article 77 GDPR)
If you believe that the processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority:
- Name: Croatian Personal Data Protection Agency (AZOP)
- Address: Selska cesta 136, 10000 Zagreb, Republic of Croatia
- Phone: +385 1 4609 000
- Email: azop@azop.hr
- Website: www.azop.hr
9.9. How to Exercise Your Rights
To exercise any of the above rights, contact us at:
- Email: contact@visioncompliance.eu
- Post: VISION COMPLIANCE d.o.o., Ulica Republike Austrije 23, 10000 Zagreb
Please include your name, email address, and a clear description of which right you wish to exercise. We may request additional information to verify your identity. We will respond to your request within 30 days. In case of complex requests or a large number of requests, this period may be extended by an additional 60 days, of which we will inform you.
10. Cookies and Similar Tracking Technologies
Our website uses cookies and similar technologies to ensure functionality, analyze traffic, and, with your consent, for marketing purposes. This section explains in detail the types of cookies we use and how you can manage them.
10.1. What Are Cookies?
Cookies are small text files stored on your device (computer, tablet, smartphone) when you visit a website. Cookies allow the website to 'remember' your actions and preferences over a period of time, so you do not have to re-enter them each time you visit the site or navigate from one page to another.
10.2. Legal Basis for Using Cookies
- Necessary cookies: Article 6(1)(f) GDPR – legitimate interest (necessity for site operation)
- Analytics and marketing cookies: Article 6(1)(a) GDPR – your consent
10.3. Managing Cookies
On your first visit to our website, you will see a cookie consent banner. You may choose to:
- Accept all cookies – all cookies will be activated
- Reject non-essential cookies – only necessary cookies will be activated
- Customize settings – you can select individual cookie categories
You can change your settings at any time by clicking 'Cookie Settings' in the footer or by deleting cookies in your browser settings.
10.4. Cookie Categories
We use the following cookie categories on our website:
Necessary Cookies
| Cookie Name | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| CookieConsent | Cookiebot (Cybot A/S) | Stores user's cookie consent status for the current domain. Necessary for GDPR compliance. | 12 months | HTTP cookie |
| NEXT_LOCALE | Vision Compliance | Stores user's preferred language version of the site (HR/EN). | 12 months | HTTP cookie |
| __cf_bm | Cloudflare | Cloudflare Bot Management – distinguishes humans from bots to protect the site. | 30 minutes | HTTP cookie |
Analytics Cookies
| Cookie Name | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| _ga | Google Analytics | Registers a unique ID used to generate statistical data about how the visitor uses the website. | 14 months | HTTP cookie |
| _ga_* | Google Analytics | Used to maintain session state and track user interactions on the site. | 14 months | HTTP cookie |
| _gid | Google Analytics | Registers a unique ID used to generate statistical data about how the visitor uses the website. | 24 hours | HTTP cookie |
| _gat | Google Analytics | Used to throttle request rate to Google Analytics servers. | 1 minute | HTTP cookie |
Marketing Cookies
| Cookie Name | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| _gcl_au | Google Ads | Used to store and track conversions from Google Ads. | 90 days | HTTP cookie |
| _gac_* | Google Ads | Contains campaign information for the user. | 90 days | HTTP cookie |
| _fbp | Meta (Facebook) | Used to store and track visits across websites for Facebook Ads. | 90 days | HTTP cookie |
| _fbc | Meta (Facebook) | Stores the last click from a Facebook ad (fbclid parameter). | 90 days | HTTP cookie |
| li_sugr | LinkedIn | Used to identify browser for off-LinkedIn tracking. | 90 days | HTTP cookie |
| bcookie | LinkedIn | Browser ID cookie to identify device accessing LinkedIn. | 1 year | HTTP cookie |
| lidc | LinkedIn | Data Center cookie for server selection optimization. | 24 hours | HTTP cookie |
| UserMatchHistory | LinkedIn | LinkedIn Ads ID synchronization. | 30 days | HTTP cookie |
11. Data Security
The security of your personal data is of utmost importance to us. We implement appropriate technical and organizational measures to protect data from unauthorized access, loss, destruction, or disclosure.
11.1. Technical Measures
- SSL/TLS encryption (HTTPS) for all data in transit
- Encryption of data at rest (AES-256) for sensitive data
- Regular security audits and vulnerability testing
- Automatic software component updates
- Intrusion detection and prevention systems (IDS/IPS)
- Multi-factor authentication for system access
- Regular encrypted backups
11.2. Organizational Measures
- Data access restricted to authorized personnel on a 'need-to-know' basis
- Regular employee training on data protection
- Policies and procedures for handling personal data
- Data processing agreements (DPA) with all service providers
- Confidentiality obligations for all employees and contractors
- Security incident management procedures
11.3. Security Incident Reporting
Despite all measures, no system is 100% secure. If a personal data breach occurs that may result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR. If you notice any suspicious activity related to your data, please contact us immediately at contact@visioncompliance.eu.
12. Automated Decision-Making and Profiling
Pursuant to Article 22 GDPR, we inform you that on our website we do NOT use automated decision-making that would produce legal effects or significantly affect you. We do not create user profiles for the purpose of automated decision-making. The analytical and marketing tools we use (with your consent) serve exclusively to measure aggregate statistics and optimize advertising, without making individual automated decisions.
13. Protection of Children's Data
Our website and services are intended exclusively for business users and persons over 18 years of age. We do not knowingly collect personal data from children under 18 years of age. If you are a parent or guardian and learn that a child has provided us with personal data without your consent, please contact us immediately at contact@visioncompliance.eu. We will take all reasonable steps to delete such data from our systems.
14. Links to Third-Party Websites
Our website may contain links to third-party websites that are not under our control. This Privacy Policy applies exclusively to our website (visioncompliance.eu). We are not responsible for the privacy policies or practices of other websites. We recommend reading the privacy policy of each website you visit.
15. Changes to This Privacy Policy
We reserve the right to amend this Privacy & Cookie Policy at any time. All changes will be posted on this page with a new 'Effective date' and version number. In case of significant changes affecting your rights, we will notify you by email (if you are subscribed to the newsletter) or a prominent notice on the website. We recommend periodically reviewing this page to stay informed of any changes.
16. Contact
If you have any questions, comments, or requests regarding this Privacy & Cookie Policy or the way we process your personal data, please contact us:
Contact Details
| Field | Value |
|---|---|
| Company Name | VISION COMPLIANCE d.o.o. |
| Address | Ulica Republike Austrije 23, 10000 Zagreb, Republic of Croatia |
| Email | contact@visioncompliance.eu |
| Website | www.visioncompliance.eu |
Business Hours for Inquiry Processing
Monday – Friday: 09:00 – 17:00 (CET/CEST)
We undertake to respond to each inquiry regarding personal data protection within 30 days of receipt.