01 Data controller and contact
The data controller is Megatrend Redok d.o.o. (part of OMNIZON NETWORKS GROUP; hereinafter "REDOK"), established in the Republic of Croatia.
- Tax ID (OIB): (specified in the Contract)
- Privacy email: privacy@redok.hr
- DPO (Data Protection Officer): reachable at the same address
With respect to personal data contained within the Customer's business documents (Customer Content), REDOK acts as a processor, while the Customer itself is the data controller of that content. This Policy describes both roles — controller for REDOK platform data, processor for Customer Content.
02 Categories of data we process
REDOK processes the following categories of data:
- Account data — first and last name, business email, phone, company name, tax ID, GLN, role within the organisation.
- Usage data — IP address, login time, device type, user agent, log records of actions performed within the portal. Used for security and analytics.
- Billing data — invoice reference, transaction history, bank account (only for payments to REDOK).
- Customer Content — the content of business documents transiting the REDOK platform. May contain personal data (e.g. the contact person's name on a purchase order, the delivery email). REDOK processes this data only for routing, fiscalization, and legally mandated archiving — without reading the content for other purposes.
- Communications — content of emails sent to the helpdesk channel, transcripts of phone calls with the helpdesk team (only when call recording is announced).
03 Legal bases for processing
Personal data processing is based on the following legal grounds from Article 6 GDPR:
- Contract (Art. 6(1)(b)) — for data necessary to perform the Contract and provide the Service (account data, billing, Customer Content as processor).
- Legal obligation (Art. 6(1)(c)) — for retaining e-invoices in the e-archive for at least 11 years (statutory), for fiscalization reporting to the Tax Authority, for AML/KYC obligations.
- Legitimate interest (Art. 6(1)(f)) — for usage data (logs, security, fraud detection), and for general platform usage analytics that does not profile individuals.
- Consent (Art. 6(1)(a)) — for marketing communications (newsletter, webinars). Consent can be withdrawn at any time.
04 Purposes of processing
REDOK processes personal data for the following purposes:
- Providing, maintaining, and improving the Service.
- Communicating with the Customer about the Contract, invoices, incidents, planned maintenance, and regulatory notices.
- Fulfilling legal obligations, including tax, accounting, and regulatory ones (Fiscalization 2.0, Peppol Access Point duties).
- Security: detecting unauthorised access, preventing abuse, forensics in case of incident.
- Marketing (only with consent): newsletter about new functionality and regulatory changes in the EDI/e-invoice domain.
05 Sub-processors and cross-border transfers
REDOK uses the following sub-processors to provide the Service. All sub-processors operate under a Data Processing Agreement (DPA) aligned with GDPR:
- Amazon Web Services EMEA SARL (cloud hosting, eu-central-1 region — Frankfurt, Germany). Data does not leave the EU.
- Vercel Inc. (public website and Studio interface hosting). EU regions by default.
- Sanity.io ApS (CMS for website content). EU region.
- Resend Inc. (transactional email). Standard Contractual Clauses for any transfers outside the EU.
- Cloudflare Inc. (CDN and DNS). Standard Contractual Clauses.
A current list of sub-processors with processing locations and contractual mechanisms is available on request at privacy@redok.hr. The Customer may raise a reasonable objection to a new sub-processor; in that case REDOK and the Customer will seek an alternative solution, and if none is feasible the Customer may terminate the Contract without penalty.
06 Retention periods
Data retention periods:
- E-invoices in the e-archive: 11 years (statutory under the Croatian General Tax Act).
- Other business documents (purchase orders, dispatch notes, ASN): at least the duration of the Contract + 6 years, unless the Customer requests earlier deletion. At most until the expiry of the statutory period for business records.
- Access and security logs: 12 months, except in case of an open incident where they are retained until closure.
- Invoices and billing records: 11 years (accounting regulations).
- Marketing communications (newsletter): until consent withdrawal; the record of consent itself is kept 5 years after withdrawal as evidence.
07 Data subject rights
Under GDPR the data subject has the following rights:
- Right of access — to know whether your data is being processed and to obtain a copy.
- Right to rectification — to request correction of inaccurate data.
- Right to erasure — to request deletion, subject to statutory retention obligations (e.g. 11 years for e-invoices).
- Right to restriction of processing — to request a pause in processing pending resolution of an objection.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to object — to processing based on legitimate interest.
- Right to withdraw consent — at any time for marketing communications.
- Right to lodge a complaint with the supervisory authority — the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, azop.hr.
Send requests to privacy@redok.hr. We respond within 30 days as required by GDPR; for complex requests the period may be extended by an additional 2 months with prior notice.
08 Security measures
REDOK implements technical and organisational measures aligned with the ISO/IEC 27001 standard:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Least-privilege access, MFA for all administrative accounts.
- Regular penetration testing (at least once a year).
- Incident management procedure with notification to the Customer within 72 hours in case of a personal data breach.
- Regular backups in geographically separated AWS regions (EU).
- Employee data protection training at least once a year.
09 Cookies
REDOK uses the following cookie categories on its websites and portal:
- Necessary — session, security, CSRF protection. Set without consent because they are technically required.
- Analytics — Plausible Analytics (privacy-friendly, no individual tracking, EU hosting). Active only with consent via the cookie banner.
- Functional — remembering language and accessibility settings.
You can control consent through the cookie banner on first visit or via your browser settings.
10 Changes to this Privacy Policy
This Policy may be amended to comply with regulations or to reflect business changes. Material changes are announced at least 30 days in advance by email to registered Customers and via banner notification on the portal.
The current version is always available on this page. Historical versions and a changelog are available on request at privacy@redok.hr.