Privacy Policy
GDPR notice for itfrombit.biz visitors and contacts.
Last updated: 2026-05-07
This page explains what personal data It From Bit d.o.o. processes when you use itfrombit.biz or contact the firm, the legal basis for that processing, and the rights you have under Regulation (EU) 2016/679 (GDPR) and the Croatian Act on the Implementation of GDPR (NN 42/2018).
1. Data controller
The controller of personal data under Article 4(7) GDPR is:
- IT FROM BIT d.o.o. (registered as IT FROM BIT društvo s ograničenom odgovornošću za računalne djelatnosti)
- Siječanjska ulica 17, 10000 Zagreb, Croatia
- OIB: 69525885637 · EU VAT: HR69525885637 · MBS: 081321835
- Court of registration: Trgovački sud u Zagrebu (Commercial Court in Zagreb)
- Email: info@itfrombit.biz
- See also the full Imprint.
The firm has not appointed a Data Protection Officer (DPO) because it does not meet the criteria of Article 37(1) GDPR (no large-scale processing of special categories or systematic monitoring). The Director (Mario Brčić) is the responsible point of contact for data-protection matters and reachable at the address above.
2. What we collect, why, and on what legal basis
2.1 Site visit data
This site sets no cookies, runs no analytics scripts, no tag managers, no advertising pixels, no session-replay tools, and embeds no third-party JavaScript. Pages are static HTML served from Cloudflare's CDN.
Cloudflare, our hosting provider and processor (Article 28 GDPR), logs standard HTTP request metadata — IP address, user agent, timestamp, URL — for delivery, caching, abuse prevention, and security. We do not access, retain, or analyze that data. Cloudflare's processing is governed by their Privacy Policy and the Customer Data Processing Addendum.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in delivering the site and protecting it from abuse. Retention: per Cloudflare's published policies.
2.2 Contact and inquiry data
When you email us at info@itfrombit.biz or submit the contact form, we receive:
- Your name
- Your email address
- Your organization, if you state it
- The contents of your message and any attachments
Form submissions are processed server-side and the resulting briefing email is delivered to our company mailbox. Submission also triggers a brief automated bot-protection check provided by Cloudflare (see Recipients below); no profiling or tracking cookies are set.
Purpose: responding to your inquiry; deciding whether to enter into a professional engagement; record-keeping if an engagement begins.
Legal basis: Article 6(1)(b) GDPR — steps prior to entering a contract at your request, and contractual performance if a contract follows. Where no contract is concluded, Article 6(1)(f) — our legitimate interest in administering the inquiry, balanced against your reasonable expectation that you would receive a reply.
Retention: inquiries that do not lead to engagement are retained for up to 24 months and then deleted, unless you request earlier deletion. Engagement-related correspondence is retained for the duration of the engagement plus the statutory limitation period applicable under the Croatian Obligations Act (typically 5 years for professional services), and longer where tax or accounting law requires it (Article 82 of the Croatian General Tax Act, typically 11 years for tax records).
2.3 Engagement data
If you become a client, we process the personal data necessary to deliver the engagement (signatories, invoicing contacts, project team members) on the basis of the engagement contract (Article 6(1)(b)) and the legal obligations applicable to a Croatian d.o.o. (Article 6(1)(c)) — accounting, tax, AML where applicable.
3. Recipients and processors
Personal data is not sold, rented, or shared for marketing. Recipients are limited to:
- Cloudflare, Inc. — hosting and CDN. Site is served via Cloudflare Pages. Standard Contractual Clauses (SCCs) cover any transfers outside the EEA.
- Microsoft Ireland Operations Ltd. — email service (Microsoft 365 / Exchange Online). Data processed within the EU per Microsoft's EU Data Boundary commitments.
- Croatian tax and accounting authorities — when legally required (e.g. invoice records under Article 82 of the General Tax Act).
- Engagement-specific subprocessors — disclosed in the engagement contract before processing begins. No subprocessor receives engagement data without a written DPA.
4. International transfers
Where a processor (e.g. Cloudflare) operates infrastructure outside the EEA, transfers rely on the European Commission's Standard Contractual Clauses (Decision 2021/914/EU) and supplementary technical safeguards (encryption in transit, encryption at rest, no cleartext content stored on the static site).
5. Your rights as a data subject
Under Articles 15–22 and 77 GDPR you have the right to:
- Access — confirm whether we hold your data and obtain a copy.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion where the legal basis no longer applies.
- Restriction — request processing be paused while a dispute is resolved.
- Portability — receive data you provided in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent (Article 6(1)(a)). Withdrawal does not affect the lawfulness of prior processing.
- Not be subject to automated decision-making with legal or similarly significant effects (Article 22). We do not run such decisioning on personal data.
To exercise any right, write to info@itfrombit.biz. We respond within one month (Article 12(3) GDPR), extendable by two further months for complex requests with notice to you.
6. Right to lodge a complaint
You have the right under Article 77 GDPR to lodge a complaint with a supervisory authority. The competent authority for It From Bit d.o.o. is:
Agencija za zaštitu osobnih podataka (AZOP)
Croatian Personal Data Protection Agency
Selska cesta 136, 10000 Zagreb, Croatia
azop.hr · azop@azop.hr
If you reside or work in another EU/EEA Member State, you may also lodge a complaint with your local supervisory authority.
7. Security
Site transport is secured with TLS (HTTPS), HSTS preload, a strict Content-Security-Policy, and other defense-in-depth headers. Email is secured via TLS in transit, SPF, and DMARC. Engagement-related data is stored on Microsoft 365 with encryption at rest. We apply the measures appropriate to the risk under Article 32 GDPR. We will notify you and the supervisory authority of any personal data breach as required by Articles 33 and 34 GDPR.
8. Children
This site is not directed to children under 16 and we do not knowingly process their personal data.
9. Changes to this policy
Material changes will be reflected in the “Last updated” date above and, where appropriate, communicated directly to active engagement contacts.
10. Contact
Questions about this policy or a data-protection request: info@itfrombit.biz.