Data Protection Policy

Last Updated: 26.06.2025

Introduction

MISS obrt za usluge, operating under the brand name Concepta Digital, is committed to protecting the personal data of all individuals we engage with. This includes clients, employees, partners, suppliers, and service users. We process personal information in accordance with the EU General Data Protection Regulation (GDPR) and the Croatian Act on the Implementation of the General Data Protection Regulation.

This policy outlines our responsibilities and standards for handling personal data and the measures we take to protect it.

Why This Policy Exists

This Data Protection Policy ensures that Concepta Digital:

Complies with applicable data protection laws and industry best practices

Protects the rights and freedoms of data subjects

Promotes transparency in how data is collected, processed, and stored

Minimizes the risk of data breaches and regulatory non-compliance

1. Policy Statement

We collect, use, and store personal data as part of our business operations. We are committed to lawful, fair, and transparent data processing and take our legal and ethical responsibilities seriously.

2. About This Policy

This policy describes how personal data is collected and processed by Concepta Digital. It is an internal governance document and may be updated to reflect legal, regulatory, or operational changes.

The company as a whole is responsible for compliance, with oversight led by our Data Protection Officer. For any questions, please contact [email protected].

3. What Is Personal Data?

"Personal Data" means any information that identifies or can be used to identify a living individual. This may include, but is not limited to:

Full name, address, email, and phone number

Payment and billing information

Device and browser identifiers

IP address and location data

Interaction history and preferences

"Processing" includes collection, recording, storage, use, sharing, alteration, or deletion.

Sensitive personal data, such as device tracking or session data, must be handled with heightened protection.

4. Data Protection Principles

We adhere to GDPR’s seven core principles:

Lawfulness, fairness, and transparency

Purpose limitation

Data minimisation

Accuracy

Storage limitation

Integrity and confidentiality (security)

Accountability

5. Fair and Lawful Processing

We process personal data only when permitted by one or more lawful bases:

Consent from the data subject

Contractual necessity

Legal obligations

Legitimate interests (balanced with data subject rights)

Collection of Information

We collect data via:

Direct interactions (e.g., forms, service use, communications)

Automated technologies (e.g., cookies, session tracking, analytics)

Types of data collected:

Identity and contact data

Financial and billing data

Technical data (IP, browser, session activity)

Usage and preference data

Use of Information

We process personal data to:

Deliver and improve our services

Manage customer relationships and communications

Handle billing and account management

Conduct analytics and performance monitoring

6. Processing for Limited Purposes

All data is collected for specific, explicit, and legitimate purposes. This may also include data shared through integrations or partner platforms in accordance with our contracts.

7. Notifying Individuals

When we collect data, we inform the data subject about:

The purpose and legal basis of processing

Any third-party disclosures

Whether international transfers occur

The data retention period

Rights of access, correction, erasure, and objection

The right to withdraw consent at any time

How to lodge a complaint

8. Adequate, Relevant, and Non-Excessive Processing

We only collect data that is strictly necessary to fulfill the stated purposes.

9. Accurate Data

We maintain accurate records and implement procedures to promptly correct inaccurate or outdated data.

10. Timely Processing and Retention

Data is retained only as long as necessary for the purpose for which it was collected. When no longer needed, data is securely deleted or anonymized.

11. Rights of Data Subjects

Data subjects may exercise the following rights:

Right to be informed

Right of access

Right to rectification

Right to erasure ("right to be forgotten")

Right to restrict processing

Right to data portability

Right to object

Rights related to automated decision-making and profiling

12. Data Security

We implement the following security measures:

Role-based access controls and user authentication

Encryption of data in transit and at rest

Regular software updates and vulnerability scans

Confidentiality agreements with staff and vendors

Secure deletion of digital and physical records

13. International Transfers

If personal data is transferred outside the EEA, we ensure:

The destination has an adequacy decision; or

Standard Contractual Clauses are signed; or

The data subject has provided explicit consent

All transfers are done in compliance with GDPR safeguards.

14. Disclosure and Sharing

We may share data with:

Internal personnel who need it for operational purposes

Service providers, partners, or Subprocessors under GDPR-compliant contracts

Authorities or regulators where legally required

15. Subject Access Requests

Data subjects may request a copy of their data by contacting [email protected]. Proof of identity may be required. Requests will be processed within 30 days.

16. Changes to This Policy

We reserve the right to update this policy. Where changes are significant, we will notify users by email or in-app notifications. The most current version will always be available on our website.

Contact Information

MISS obrt za usluge

Kolhiđanska ulica 10

52100 Pula, Croatia

Email: [email protected]