Privacy Policy / Politika zasebnosti
Last updated: [DATE] · Version 1.0
⚠️ Draft template — review with counsel and localize to Slovenian before use.
1. Who we are (Controller)
This service (“Potni Nalog”, “nalog.si”, “we”) is operated by [LEGAL ENTITY: name and legal form (naziv, organizacijska oblika)], [registered address (naslov)], registration no. [matična številka], VAT ID [ID za DDV, SI…]. Privacy contact: [privacy@nalog.si]. We have [not appointed / appointed] a Data Protection Officer: [DPO contact, if any].
We process personal data in accordance with the GDPR (EU 2016/679) and the Slovenian ZVOP-2.
2. Controller vs. processor
- For individual users and s.p. (sole-proprietor) accounts, we act as controller of your account data and content.
- For business and accounting-firm customers, where you upload data about your employees or your clients, you are the controller and we act as your processor. In that case the Data Processing Addendum (DPA) in §13 governs, and you are responsible for having a lawful basis and for informing your data subjects.
3. What we collect
| Category | Examples |
|---|---|
| Account & identity | name, email, password hash or Google account identifier (Google Sign-In) |
| Organisation data | company/legal-entity name, address, tax ID, accountant email, seats/clients |
| Travel & document content | the natural-language descriptions you type or speak to create a nalog (travel order): trips, routes, locations, dates, distances, purposes, per diems, drivers, vehicle registration numbers |
| Voice input | audio you record for speech-to-text (processed to text, see §5) |
| Uploaded files | receipts and invoices (računi), Excel templates |
| AI usage ledger | for each AI, speech-to-text or Maps call: the prompt text and AI output, model, token counts, cost, timestamp, and the user/company it belongs to |
| Billing | plan, seats, subscription status, and payment identifiers held by our payment processor |
| Technical/log | IP address, device/browser, session tokens, timestamps, error logs |
4. Why we process it (purposes & legal bases)
- Provide the service: accounts, creating nalogi (travel orders) from your input, calculating kilometrina (mileage allowance) and dnevnice (per diems), exports, emailing the obračun (expense statement). Legal basis: Art. 6(1)(b), performance of a contract.
- AI processing of your typed or spoken input to turn it into structured travel orders. Legal basis: Art. 6(1)(b); the input is the service input you provide under the contract.
- Storing prompts and AI output in our usage ledger for debugging, quality, abuse prevention, cost/usage analytics, and support. Legal basis: Art. 6(1)(f), legitimate interests. You may object (§9).
- Billing and tax records. Legal basis: Art. 6(1)(c), legal obligation, and the contract.
- Security, fraud/abuse prevention, service integrity. Legal basis: Art. 6(1)(f), legitimate interests.
- Product analytics and improvement (aggregated/limited). Legal basis: Art. 6(1)(f).
- Marketing email (only if applicable). Legal basis: Art. 6(1)(a), consent, withdrawable at any time.
5. AI and automated processing
To convert your input into a nalog we use the following third-party sub-processors; the AI models are reached through the OpenRouter gateway, while Google Maps is called directly:
- Text parsing: Anthropic Claude Haiku (via OpenRouter).
- Speech-to-text: OpenAI Whisper (via OpenRouter).
- Distances: Google Maps Platform (Routes).
Every OpenRouter request is sent with the provider preference data_collection: deny, which restricts routing to providers whose policies do not store your inputs or use them for model training [confirm also that prompt logging is disabled in your OpenRouter account settings]. Providers process the input transiently to return a result. Independently of that, the prompt text and the AI output are stored in our own database (the usage ledger) under §4, restricted to platform administrators, and deleted within 90 days (§7).
No legally or similarly significant solely automated decisions under Art. 22 are made about you; AI output is a draft you review and confirm.
6. Who we share data with (sub-processors)
We do not sell your data. Personal data at rest stays in the EU: account, organisation, trip and AI-usage-ledger data live in our EU-hosted database, and uploaded files in EU storage. The AI and maps providers below receive input transiently to return a result; the AI providers are selected so that they neither train on nor retain it (§5). We share data only with vendors who process it on our behalf:
| Sub-processor | Purpose | Data location |
|---|---|---|
| [Hosting / database provider] | application & Postgres hosting + backups — where your account, trip and usage-ledger data rest | EU region (e.g. [Hetzner DE / Scaleway FR]) |
| Bunny.net (BunnyCDN) | receipt & file storage, encrypted at rest and served only via signed, expiring (token-protected) URLs | EU; Bunny is a Slovenian company, storage region [Falkenstein, DE] |
| [Email/SMTP provider] | sending the obračun to your accountant | EU region |
| OpenRouter | AI gateway/routing (transient) | US; routed with data_collection: deny, prompts not retained [confirm prompt-logging setting] |
| Anthropic (Claude Haiku) | LLM text parsing (transient) | US — no training, not retained by provider |
| OpenAI (Whisper) | speech-to-text (transient) | US — no training, not retained by provider |
| Google (Maps Platform) | distance/route lookup (transient) | US / EU |
| Google (Sign-In/OAuth) | authentication handoff | US / EU |
| Stripe | payment processing | EU entity (Stripe Payments Europe, IE) + US |
7. Retention
- AI prompt text & voice transcripts (usage ledger): 90 days, then deleted/anonymised. [State whether raw audio is kept at all after transcription.]
- Account, organisation & trip data: for the life of your account, then deleted within [e.g. 30–90 days] of closure, unless a legal obligation requires us to keep it (see invoices below).
- Invoices & accounting documents: retained as required by Slovenian law (generally up to [10 years] per ZDDV-1/ZGD-1).
- Backups: rolling, overwritten within [e.g. 30 days]; data deleted from the live database may persist in a backup until that backup is overwritten.
8. International transfers
Personal data at rest (database, file storage and backups) is stored in the EU. Some sub-processors used for transient AI/speech/maps processing and for payments are outside the EEA (e.g. US). Such transfers rely on EU Standard Contractual Clauses and/or an adequacy decision (EU–US Data Privacy Framework, where the vendor is certified), with supplementary measures. Copies of the safeguards are available on request.
9. Your rights
Under the GDPR you may: access, rectify, erase (“right to be forgotten”), restrict, object (including to legitimate-interest processing), request portability, and withdraw consent. Email [privacy@nalog.si]; we respond within one month (extendable by two further months for complex requests, in which case we will tell you). You may also lodge a complaint with the Slovenian supervisory authority: Informacijski pooblaščenec RS, www.ip-rs.si, Dunajska cesta 22, 1000 Ljubljana.
10. Security
Encryption in transit (HTTPS), passwords stored only as hashes, signed and expiring (token-protected) file URLs, access controls, admin-only access to the usage ledger, and least-privilege sub-processors (each receives only the data needed for its purpose). No method is 100% secure.
11. Cookies / local storage
We use strictly-necessary storage (session token, active company). [If you add analytics/marketing cookies, add a consent banner and list them here.]
12. Children
Not directed to anyone under 16 [confirm the threshold: ZVOP-2 Art. 8 sets the age of consent for information-society services at 15, below the GDPR default of 16; adjust if you rely on consent]. We do not knowingly process such data.
13. Data Processing Addendum (business/accounting customers)
Where we act as your processor: we process only on your documented instructions; ensure confidentiality; apply the security measures above; use the sub-processors in §6 (you authorise them); assist with data-subject requests and breaches; and delete/return data on termination. Full DPA: [link].
14. Changes
We may update this policy; material changes will be announced in-app or by email before they take effect. Where a change concerns processing based on your consent, we will ask for your consent again rather than rely on continued use.