Kolanis7

Privacy Policy

General data and Data Controller

Introduction and purpose of the Privacy Policy

This Privacy Policy (hereinafter: Policy) defines the manner in which Kolanis7, as a digital marketing service provider, collects, uses, processes, stores and protects the personal data of users and clients (hereinafter: Respondents), in accordance with the General Data Protection Regulation (GDPR) and the applicable laws of the Republic of Croatia. The aim of this Policy is to ensure transparency and security in the processing of personal data.

Data about the controller

The controller of personal data processing within the meaning of this Policy is.

  • Agency/brand name: Kolanis7 – Digital marketing agency
  • Legal Entity: Obrt Gira, vl. Mateo Šupraha
  • OIB: 64608904411
  • Headquarters Address: Put Girenice 1, 23251 Mandre, Republic of Croatia
  • Website: www.kolanis7.com

Official data protection contact

For all questions related to the processing of personal data, exercising the rights of the Data Subject (in accordance with point VII of this Policy) or filing a complaint, the Data Subject may contact.

  • E-mail: info@kolanis7.com
  • By post: Obrt Gira, Put Girenice 1, 23251 Mandre, with the indication “Protection of personal data”.

Scope of Application

This Policy applies to all personal data collected by the Agency through:

a) the official website www.kolanis7.com (including contact forms and cookies),

b) communication for the purpose of providing services (e-mail, telephone),

c) conclusion and execution of the Service Agreement.

Types of data collected, purpose and legal basis for processing. The Agency collects and processes the personal data of the Respondent exclusively for the purposes specified below, based on the appropriate legal basis in accordance with Article 6 of the General Data Protection Regulation (GDPR).

Data processing for the purpose of executing contracts and legal obligations

The Agency collects and processes personal data that are necessary for the establishment, execution and management of the contractual relationship with the Client.

  • Data categories: Identification data (name, surname, OIB/VAT ID), address, contact details (e-mail, telephone), and payment information.
  • Purpose of Processing: Conclusion and execution of the Service Agreement, issuance of proforma invoices and bills, and legal preservation of accounting documents.
  • Legal basis: Execution of the contract (for the provision of services) and legal obligation (for preserving financial documents in accordance with the tax and accounting regulations of the Republic of Croatia).

Data processing via the website and communication channels

The Agency processes data collected through the website and other communication channels.

Data from the contact form: name, e-mail address and message entered by the Respondent.
  • Purpose of processing: responding to inquiries, providing information about services and establishing a pre-contractual relationship.
  • Legal basis: the Agency's legitimate interest in the efficient management of business inquiries or pre-contractual actions at the request of the Data Subject.
Digital data / usage data: IP address, time of visit, browser type, sources of visits and geolocation data.
  • Purpose of processing: analysis and measurement of website traffic (via Google Analytics), maintaining security and optimizing website functionality.
  • Legal basis: the Agency's legitimate interest in improving the service i security. For analytical and marketing cookies, the legal basis is consent of the Respondent.

Data processing for the purpose of marketing activities

  • Data categories: e-mail address.
  • Purpose of processing: sending newsletters, information about new services and promotional offers of the Agency.
  • Legal basis: consent of the Respondent. The Respondent has the right to withdraw consent at any time (e.g. by clicking on the “unsubscribe” link), without affecting the lawfulness of the processing that was based on consent before its withdrawal.

The role of the Agency as a data processor

When the Agency accesses the Client’s platforms (e.g. Google Analytics, Facebook Business Manager, Client’s email lists) to provide contracted SEO, Ads or other services, the Agency processes personal data on behalf of and for the Client’s account.
In such a case:

  • The client is the controller, and
  • The Agency is a data processor, which processes data exclusively according to the Client's written instructions.

Legal basis of processing

The processing of personal data is carried out in accordance with the General Data Protection Regulation (GDPR), and the Agency processes data exclusively on the basis of one of the following legal grounds, explained in detail in point II. of this Policy:

Consent of the data subject (Article 6, paragraph 1, point a)

Processing is lawful if the data subject has given consent to the processing of their personal data for one or more specific purposes (e.g. sending marketing communications or newsletters). The data subject has the right to withdraw consent at any time.

Performance of the contract (Article 6(1)(b))

The processing is necessary for the performance of a Service Contract to which the data subject (client) is a party, or to take steps at the data subject’s request prior to entering into a contract.

Legal obligation (Article 6, paragraph 1, point c)

The processing is necessary to comply with the Agency’s legal obligations (e.g. issuing and keeping invoices in accordance with the tax and accounting laws of the Republic of Croatia).

Legitimate interest (Article 6(1)(f))

Processing is necessary to protect the legitimate interests of the Agency, except where these interests are overridden by the rights and freedoms of the data subject. Legitimate interests include: maintaining the security of the website, optimizing the services, and responding to business inquiries.

Use of cookies

What are cookies?

Cookies are small text files that are stored on your device (computer, mobile phone, tablet) when you visit a website. Cookies allow the website to remember your actions and settings over a certain period of time, thus improving the user experience, while allowing the Agency to analyze the use and performance of the website.

Consent and types of cookies

The Kolanis7 Agency uses cookies for various purposes. In accordance with the General Data Protection Regulation (GDPR) and the ePrivacy Directive, the Agency requests the consent of the data subject for all cookies that are not necessary for the basic functioning of the website.
The Agency uses the following categories of cookies:

a) Necessary (mandatory) cookies – These cookies are necessary for the basic functionality of the website. The legal basis for their use is the legitimate interest of the Agency.

Disabling these cookies may affect the proper functioning of the website.

b) Analytical (statistical) cookies – They allow the Agency to count visits and traffic sources in order to measure and improve the effectiveness of the website (e.g. Google Analytics). They are used solely on the basis of the consent of the data subject.

c) Functional cookies – They allow the website to remember your choices (e.g. interface language) and provide improved and personalized features. They are used on the basis of the consent of the data subject.

d) Marketing cookies – Used to track visitors on various websites and social networks (e.g. Meta Pixel) in order to display relevant advertisements. They are used exclusively with the consent of the data subject.

Cookie management and settings

The respondent may refuse or revoke consent to the use of cookies at any time via the cookie banner on the website or by changing the settings in their internet browser (e.g. Chrome, Firefox, Safari). In the event of withdrawal of consent, certain functionalities of the website may not be available or may function partially.

Additional information

For more detailed information on all cookies used by the Agency, their duration and how to manage them, please see the Cookie Policy, available at the Agency’s official website.

Sharing data with third parties

General principle of sharing

The Kolanis7 Agency undertakes not to sell, rent or disclose personal data of respondents to third parties, except in cases provided for in this Policy or by law.

Processors and external collaborators (white-label)

In order to perform the contracted services, the Agency may engage trusted external collaborators and partners who process personal data on behalf of the Agency. These entities (processors) may include:

  • White-label service providers for the technical execution of part of the contracted services (e.g. SEO, coding).
  • IT support, hosting and communication platform providers.
  • Accounting services for financial processing and bookkeeping needs.

The Agency ensures that all processors act exclusively in accordance with the Agency’s instructions and that they have signed a Personal Data Processing Agreement with the Agency, whereby they commit to confidentiality and the application of high security standards in accordance with the GDPR.

Data transfer outside the European Economic Area (EEA)

Since the Agency uses external collaborators and software tools that may be located outside the EEA (e.g. the USA, the UK or Asia), the Agency guarantees that the transfer of personal data outside the EEA is only carried out if one of the following conditions is met:

  • The transfer is made to a country for which the European Commission has adopted an Adequacy Decision.
  • The Agency and the processor have signed the Standard Contractual Clauses (SCC) adopted by the European Commission, ensuring an adequate level of data protection.

Legal obligation and legal protection

Personal data may be disclosed to competent state authorities (e.g. courts, police, Tax Administration, AZOP) if required by law or if necessary to protect the legitimate interests, property or security of the Agency.

Security and data retention

Security measures

The Kolanis7 Agency takes appropriate technical, physical and organizational measures to ensure the confidentiality, integrity and availability of personal data and to prevent unauthorized access, loss, destruction or accidental alteration of data. The measures applied include, but are not limited to:
  • Data encryption where applicable.
  • Strict access control to digital and physical files.
  • Use of strong passwords and two-factor authentication.
  • Regular data backups.

Principle of storage limitations (retention periods)

Personal data is kept only for as long as is necessary to fulfill the purpose for which it was collected, or as long as required by law. Specific retention periods are determined by the type of data:

  • Legal obligation: Data contained in accounting and financial documents (including OIBs, addresses and payment data of the Client) are kept is at least eleven (11) years old, in accordance with the Law on Accounting and tax regulations of the Republic of Croatia.
  • Contractual relationship: Data collected for the execution of the Contract are stored for the duration of the Agreement and an additional five (5) years after its termination, due to the possibility of obtaining legal protection (general limitation period).
  • Consent: Data collected on the basis of consent (e.g. e-mail address for newsletter) are kept until the consent is revoked by the Respondent or until the Agency does not determine that the data is no longer current.
  • Inquiries and communication: Data from contacts and inquiries are kept for a maximum of 12 months after the last communication, except in the case of concluding a contract.

Action after the deadline has expired

After the retention period expires, the Agency will permanently delete the personal data or make it anonymous so that it can no longer be linked to the Respondent.

Rights of the Respondent and the complaint resolution procedure

General rights

Each Data Subject whose personal data is processed has the right to exercise his or her rights stipulated in Chapter III of the General Data Protection Regulation (GDPR). The request for exercising the rights shall be submitted to the Agency in writing, to the contact e-mail address specified in point I of this Policy. The Agency shall respond to the request without delay, and no later than within 30 days of receipt of the request.

Detailed list of Respondent's rights

The data subject has the following rights:

a) Right to access: The right to obtain confirmation as to whether or not his or her personal data are being processed and to access those data (Art. 15 GDPR).

b) Right to rectification: The right to request the rectification of inaccurate personal data relating to him or her (Art. 16 GDPR).

c) Right to erasure (“Right to be forgotten”): The right to request the erasure of personal data relating to him or her, except for data that the Agency must keep in accordance with legal obligations, e.g. financial documents (Art. 17 GDPR).

d) Right to restriction of processing: The right to request the restriction of processing in certain cases (Art. 18 GDPR).

e) Right to data portability: The right to receive personal data relating to him or her in a structured, commonly used and machine-readable format and to transmit those data to another controller (Art. 20 GDPR).

f) Right to object: The right to object to the processing of personal data based on the legitimate interest of the Agency (Art. 21 GDPR). g) Right to withdraw consent: The right to withdraw consent at any time, where consent is the basis for the processing, without affecting the lawfulness of the processing based on consent before its withdrawal.

Right to lodge a complaint with the supervisory authority

If the Data Subject believes that the processing of his/her personal data has violated the General Data Protection Regulation (GDPR), he/she has the right to file a complaint with the supervisory authority in the Republic of Croatia.

  • Croatian Agency for Personal Data Protection (AZOP)
  • Address: Selska cesta 136, 10 000 Zagreb
  • E-mail: azop@azop.hr

Privacy Policy Changes and Respondent Notifications

The Agency's right to change the Policy

The Kolanis7 Agency reserves the right to unilaterally amend this Privacy Policy, especially in the event of changes in the legal framework, new technologies, changes in the manner of providing Services, or changes in the Agency’s business policy.

Notification of changes

All changes to the Policy will be published on the Agency’s website (www.kolanis7.com) and Respondents will be notified via e-mail at least 15 days before the amended Policy comes into force.

Acceptance of new terms

By continuing to use the Services after the amended Policy comes into effect, the Respondent is deemed to unconditionally accept the amended provisions.

Official Notices

All official notifications from the Agency to the Respondent shall be deemed to have been duly delivered if they are sent by e-mail to the address listed in the Agency’s records. The Respondent undertakes to deliver all official notifications to the Agency to the e-mail address info@kolanis7.com.