Privacy Policy

Effective Date: 24.11.2025

Last Updated: 24.11.2025

1. Who we are

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

Shaped, obrt za digitalni marketing

OIB: 10153446268

Registered in Rijeka, Croatia


Data Controller Contact:
David Marinović
Email: david@shapedsystems.com
Website: shapedsystems.com

For the purposes of the General Data Protection Regulation (GDPR), we are the data controller responsible for your personal data.

2. What data we collect

We collect information that you provide directly and information collected automatically when you interact with our website and services.

Information you provide directly
  • Contact information: Name, email address, phone number (if provided)
  • Communication content: Messages, inquiries, and correspondence you send us
  • Business information: Company name, job title, project requirements when requesting our services
  • Form submissions: Information submitted through contact forms, consultation requests, or system audit applications

Information collected automatically
  • Device information: Browser type, operating system, device type, screen resolution
  • Usage data: Pages visited, time spent on pages, click patterns, navigation paths
  • Technical data: IP address (anonymized where possible), referring URLs, access times

For information about cookies and tracking technologies, please see our Cookie Policy.

Information we do not collect

We do not collect or store payment card details, bank account information, or other financial data. All payment processing is handled directly and securely by Stripe, Inc., which maintains its own privacy practices and PCI-DSS compliance.

3. How we use your data

We process your personal data only for specific, legitimate purposes:

To provide our services
  • Responding to your inquiries and requests
  • Delivering contracted services (website development, system integration, consulting)
  • Communicating about project progress, deliverables, and support
  • Processing transactions through our payment processor

To improve our website and services
  • Analyzing website performance and user experience
  • Identifying technical issues and optimizing functionality
  • Understanding how visitors interact with our content

For marketing and communications (with consent)
  • Sending relevant updates about our services
  • Measuring advertising effectiveness
  • Personalizing content and recommendations

Legal bases for processing (GDPR Article 6)
  • Contract performance: Processing necessary to fulfill our contractual obligations to you
  • Legitimate interests: Processing necessary for our legitimate business interests (communication, security, service improvement) where these are not overridden by your rights
  • Consent: Processing based on your explicit consent (marketing communications, non-essential cookies)
  • Legal obligation: Processing necessary to comply with legal requirements

4. Third-party processors and data sharing

We work with trusted service providers who process data on our behalf. These providers are contractually bound to protect your data and use it only for specified purposes.

Categories of third-party processors
  • Website hosting: Secure hosting infrastructure for our website and client projects
  • Analytics providers: Google Analytics for understanding website usage patterns
  • Advertising platforms: Meta (Facebook) Pixel for measuring advertising effectiveness
  • Payment processing: Stripe, Inc. for secure payment handling
  • Email services: Email delivery and management services for business communications
  • Automation tools: Workflow automation platforms for service delivery

Data sharing principles

We do not sell, rent, or trade your personal information to third parties. We share data only when:

  • Necessary to provide our services through trusted processors
  • Required by law, regulation, or legal process
  • Necessary to protect our rights, property, or safety
  • You have given explicit consent

All third-party processors are required to implement appropriate technical and organizational measures to protect your data in compliance with GDPR requirements.

5. Data retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Retention periods
  • Contact form submissions: Up to 2 years from the date of submission, or until you request deletion
  • Client project data: Duration of the business relationship plus 5 years for legal and accounting purposes
  • Analytics data: According to provider retention settings (typically 14-26 months)
  • Email correspondence: As long as necessary for ongoing communication or legal obligations

Data deletion

When data is no longer needed, we securely delete or anonymize it. You may request earlier deletion of your data at any time by contacting us (subject to legal retention requirements).

6. Your rights under GDPR

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your data ("right to be forgotten") under certain circumstances
  • Right to restriction: Request that we limit how we use your data
  • Right to object: Object to processing based on legitimate interests or for direct marketing
  • Right to data portability: Request your data in a structured, machine-readable format
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent
  • Right to lodge a complaint: File a complaint with a supervisory authority

Exercising your rights

To exercise any of these rights, contact us at david@shapedsystems.com. We will respond to your request within 30 days. We may need to verify your identity before processing certain requests.

These rights are not absolute and may be subject to limitations under applicable law.

7. Data security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Security measures include
  • SSL/TLS encryption for all data transmitted between your browser and our servers
  • Secure hosting infrastructure with regular security updates
  • Access controls limiting data access to authorized personnel only
  • Regular security assessments and monitoring
  • Secure password policies and authentication practices

While we take reasonable precautions to protect your data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.

8. International data transfers

Some of our third-party service providers may process your data outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:

  • Adequacy decisions: Transfers to countries recognized by the European Commission as providing adequate data protection
  • Standard contractual clauses: EU-approved contractual terms ensuring data protection
  • Data Privacy Framework: For US-based providers certified under the EU-US Data Privacy Framework

You may request information about the specific safeguards applied to international transfers by contacting us.

9. Children's privacy

Our website and services are intended for business use and are not directed at individuals under 16 years of age. We do not knowingly collect personal data from children under 16.

If you believe we have inadvertently collected data from a child under 16, please contact us immediately at david@shapedsystems.com, and we will take steps to delete such information.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Post the revised policy on this page
  • Where appropriate, notify you via email or website notice

We encourage you to review this policy periodically. Your continued use of our website and services after changes are posted constitutes acceptance of the revised policy.

11. Questions and complaints

Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: david@shapedsystems.com
Website: shapedsystems.com

Supervisory authority

If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP):


Croatian Personal Data Protection Agency (AZOP)
Selska cesta 136, 10000 Zagreb, Croatia
Website: azop.hr
Email: azop@azop.hr
Phone: +385 1 4609 000


You may also contact the supervisory authority in your country of residence if you are located in another EU/EEA member state.