Privacy policy
Effective: 20 May 2026
This policy explains how Alatis collects, uses and protects your data when you visit our website or use our application. We comply with the General Data Protection Regulation (GDPR) and the Croatian act implementing it.
Who we are (Data Controller)
Alatis is a service provided by:
- WIDGET, sole proprietorship for IT services, owner Eduard Ravnić
- Registered seat: Dršćevka 7, 52000 Pazin, Croatia
- OIB (tax ID): 81377241097
- Obrt registration number (MBO): 98821083
- Registered with: Upravni odjel za gospodarstvo, izdvojeno mjesto rada Pazin
- Legal status: paušalni obrt (flat-rate craft business), outside the VAT system
- Privacy contact: [email protected]
What we collect and the legal basis
We collect data in three ways, each on the matching GDPR legal basis:
- Website visits: page viewed, anonymised IP address, country (via Cloudflare headers), browser type, referrer, session ID. Legal basis: legitimate interest in the security and stability of the site.
- Forms (contact, free demo): name, email, phone (if you choose), company name, your message. Legal basis: entering into or performing a contract (responding to your request).
- Application account: email, password (stored as a secure hash), workshop info, the machines and tools you enter yourself. Legal basis: performance of a contract (providing the service).
Why we use it
- Providing the service: the application does not work without it.
- Traffic analytics: which pages work, where visitors come from, based on anonymous aggregate statistics (consent only).
- Communication: answers to your questions, account notices, transactional emails (verification, activation, invoices).
- Marketing: only with your consent, which you can withdraw at any time.
Cookies and analytics
We use Google Analytics 4 to measure page traffic. GA4 sets cookies that track in-session behaviour. We ask for your explicit consent via the cookie bar at the bottom of the page before setting them.
Essential cookies (for example, login state in the application) do not require consent because they are technically necessary for the service to work.
Who we share with (sub-processors)
Your data stays with us. The exceptions are technical service providers who process it on our behalf, under DPA / Standard Contractual Clauses where applicable. A DPA document is available to business customers on request.
- Hetzner Online GmbH (Germany / Finland): application + database hosting.
- Cloudflare, Inc. (USA): DNS, CDN, web application firewall, bot protection (relying on the EU-U.S. Data Privacy Framework).
- Sendinblue SAS / Brevo (France): transactional email delivery (verification, invoices, reminders).
- Google Ireland Ltd. (Ireland): Google Analytics 4, only with your consent, anonymised statistics.
How long we keep it
- Form submissions: up to 2 years, or until you request deletion.
- Accounts and tool data: while the account is active, plus 30 days after cancellation.
- Analytics logs: 14 months (GA4 default retention).
- Email delivery logs: 12 months.
Your rights
Under GDPR you have the right to:
- Request access to your data and correction of inaccurate data.
- Request deletion ("right to be forgotten").
- Request restriction of processing of your data.
- Request data portability in a structured format.
- Object to processing.
- Withdraw consent for marketing or analytics at any time.
- File a complaint with your national data protection authority (in Croatia, AZOP).
Contact
For any question or request related to this policy, write to [email protected]. We reply within one business day.