Privacy Policy
This Policy describes the principles of processing and protecting personal data on SmartKartica
Last updated: June 2, 2025
Effective from: June 2, 2025
GDPR Compliance
We fully comply with the General Data Protection Regulation (GDPR) requirements and ensure the highest level of protection for your personal data.
1. GENERAL PROVISIONS
1.1. This Privacy Policy (hereinafter referred to as the "Policy") establishes the principles and conditions for processing personal data of users of the SmartKartica website.
1.2. We deeply respect the right to privacy and are committed to protecting personal data in accordance with:
- EU General Data Protection Regulation (GDPR) 2016/679;
- Personal Data Protection Act of the Republic of Serbia;
- Other applicable national and international legal provisions.
1.3. By using our website, you consent to this Policy.
1.4. If you do not agree with the data processing principles outlined in this Policy, please do not use our website.
2. DATA CONTROLLER
2.1. The controller of your personal data is:
- Name: VMTech DOO Beograd
- Registration number: 22069152
- Tax ID: 114779614
- Address: 11050, Serbia, Belgrade, Topalovićeva 4
- Email: privacy@smartkartica.rs
- Website: https://smartkartica.rs
2.2. The controller determines the purposes and means of personal data processing and is responsible for compliance with data protection legislation requirements.
2.3. For personal data protection matters, you can contact our Data Protection Officer (DPO) at: dpo@smartkartica.rs
3. WHAT DATA WE COLLECT
3.1. Personal data provided by you:
- Registration data: first name, last name, email address, phone number;
- Company data: organisation name, tax identification number, legal address;
- Payment information: bank card data processed through secure payment systems;
- Contact details: address, city, country, postal code;
- Professional information: job title, industry.
3.2. Automatically collected data:
- Technical data: IP address, browser type, operating system;
- Usage data: pages visited, session time, referral sources;
- Cookies: session identifiers, user preferences;
- Device data: screen resolution, time zone, language settings.
3.3. Special categories of data:
We do not collect special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health status, etc.) without explicit consent.
4. LEGAL BASIS FOR PROCESSING
4.1. We process your personal data on the following legal bases:
Performance of contract (Art. 6(1)(b) GDPR)
Processing necessary for providing our services, managing your account, processing payments.
Consent (Art. 6(1)(a) GDPR)
Marketing communications, analytics, improving user experience.
Legitimate interests (Art. 6(1)(f) GDPR)
Website security, fraud prevention, service improvement.
Legal compliance (Art. 6(1)(c) GDPR)
Compliance with tax and accounting legislation requirements.
5. PURPOSES OF DATA PROCESSING
5.1. Your personal data is processed for the following purposes:
Service Provision
- Account creation and management
- Service access provision
- Payment processing
- Technical support
Communications
- Service notifications
- Query responses
- Marketing materials
- Product updates
Service Improvement
- Usage analysis
- Research and development
- Experience personalisation
- New feature testing
Security
- Fraud prevention
- Cyber attack protection
- Terms of use compliance
- Violation investigation
6. METHODS OF DATA COLLECTION
6.1. We collect personal data through the following methods:
- Direct provision: during registration, form completion, subscription;
- Automatic collection: through cookies, web beacons, analytics systems;
- Interaction: when contacting support, participating in surveys;
- Partners: from payment systems, advertising networks (GDPR compliant);
- Public sources: from publicly available company databases.
7. DATA SHARING WITH THIRD PARTIES
7.1. We may share your personal data with the following categories of recipients:
Service Providers
- Hosting providers (Amazon Web Services, Google Cloud)
- Payment systems (Stripe, PayPal)
- Email services (Mailchimp, SendGrid)
- Analytics services (Google Analytics)
Government Authorities
When there are legal obligations or lawful requests from competent authorities.
Business Partners
With your explicit consent for providing additional services or integrations.
7.2. All recipients are required to ensure adequate data protection and comply with GDPR requirements.
8. INTERNATIONAL TRANSFERS
8.1. Some of our service providers may be located outside the European Economic Area (EEA).
8.2. International transfers are carried out with the following safeguards:
- European Commission adequacy decisions;
- Standard Contractual Clauses (SCCs);
- Certification programmes (e.g., Privacy Shield successors);
- Binding Corporate Rules (BCRs).
8.3. You can obtain copies of the relevant safeguards by contacting us at: privacy@smartkartica.rs
9. DATA RETENTION PERIODS
9.1. We retain your personal data no longer than necessary to achieve the processing purposes:
9.2. After retention periods expire, data is deleted or anonymised.
10. YOUR RIGHTS
10.1. Under GDPR, you have the following rights:
Right of access (Art. 15)
Obtain confirmation of processing and a copy of your data
Right to rectification (Art. 16)
Correct inaccurate or complete incomplete data
Right to erasure (Art. 17)
Request deletion of data under certain conditions
Right to restriction (Art. 18)
Restrict processing in certain cases
Right to portability (Art. 20)
Receive data in machine-readable format
Right to object (Art. 21)
Object to data processing
10.2. To exercise your rights, contact us at: privacy@smartkartica.rs
10.3. We respond to requests within 30 days of receipt.
10.4. You also have the right to lodge a complaint with a data protection supervisory authority.
11. DATA SECURITY
11.1. We implement modern technical and organisational security measures:
Technical measures:
- SSL/TLS encryption
- Database encryption
- Regular backups
- 24/7 security monitoring
- Two-factor authentication
- DDoS attack protection
Organisational measures:
- Staff training
- Access control
- Confidentiality agreements
- Regular security audits
- Incident response procedures
- Periodic penetration testing
11.2. In case of a data security breach, we will notify you and supervisory authorities in accordance with GDPR requirements.
12. COOKIES
12.1. We use various types of cookies:
Necessary cookies
Ensure basic website functions. Cannot be disabled.
Functional cookies
Remember your preferences and settings.
Analytics cookies
Help understand how you use the website (Google Analytics).
Marketing cookies
Used to display relevant advertising.
12.2. You can manage cookies through browser settings or our consent panel.
13. CHILDREN'S RIGHTS
13.1. Our service is intended for persons over 16 years of age (in accordance with GDPR).
13.2. We do not knowingly collect personal data of children under 16 without parental consent.
13.3. If we become aware of collecting a child's data without proper consent, we will immediately delete such information.
13.4. If you believe we may have collected a child's data, contact us at: privacy@smartkartica.rs
14. POLICY CHANGES
14.1. We may periodically update this Policy to reflect changes in our practices or legislation.
14.2. We will notify you of material changes by:
- Posting a notice on the website;
- Sending email notifications;
- Requesting new consent when necessary.
14.3. We recommend periodically reviewing this page to stay informed of the current Policy version.
15. CONTACT INFORMATION
15.1. For all matters related to personal data processing, contact:
Data Controller:
VMTech DOO Beograd
Topalovićeva 4
11050 Belgrade, Serbia
Email: privacy@smartkartica.rs
Phone: +381 11 XXX XXXX
Data Protection Officer:
Email: dpo@smartkartica.rs
Response time: up to 5 business days
Supervisory Authority:
Commissioner for Information of Public Importance and Personal Data Protection
Website: www.poverenik.rs