I. CloudCrafters respects the privacy and protects personal information of our users, employees, business partners, and other individuals with whom a business cooperation has been entered and whose personal data is processed as part of our daily business activities. Privacy Policy is a fundamental act that describes the purpose and objectives of processing and managing personal data within CloudCrafters company. This Policy defines basic principles and rules for the protection of personal data in accordance with business and security requirements of CloudCrafters as well as legal regulations, best practices, and internationally accepted standards. To ensure fair and transparent data processing, CloudCrafters strives to provide clear information regarding processing and protection of collected personal data, and to ensure control and management of personal data and privacy. This Privacy Policy provides an adequate level of data protection in accordance with the EU General Data Protection Regulation (GDPR) and other applicable privacy protection laws and regulations.
II. WHAT ARE THE OBJECTIVES OF THIS PRIVACY POLICYThe objective of this Privacy Policy is to explain to our users, employees, business partners, and other individuals with whom members of CloudCrafters have a business cooperation, the following: • How we collect personal data, for what purpose and what are our reasons for doing so • Which personal data we process • How long do we store such data and with whom do we share it • What rights do the data subjects have and what are the implemented security controls
III. WHICH PRINCIPLES WE HAVE ADOPTED? Data processing principles are the basic rules that CloudCrafters adheres to when processing personal data collected from data subjects. CloudCrafters processes personal data in accordance with the following principles of data processing: • Lawfulness, fairness, and transparency – CloudCrafters shall process personal data lawfully, fairly and in a transparent manner in relation to data subjects and all their rights, and in accordance with applicable laws and regulations. CloudCrafters shall ensure transparent processing of personal data as well as provide data subjects with all required information, upon request, and give access to such data, reasons for processing, basis for processing and ensure all other rights are respected in accordance with relevant regulations. CloudCrafters shall ensure that data subjects are give information on how personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. Data subjects will be given all relevant information in a timely manner, that is before their data is collected. • Purpose limitation – personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. • Data minimization – CloudCrafters uses only those personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. • Storage limitation - CloudCrafters ensures that the personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which data are processed and deletes such data from all records after defined period. • Accurate and up to date - CloudCrafters ensures a fair and transparent processing of personal data that have to be accurate, complete and up to date to avoid any possible misuse. It is extremely important that the data subject informs CloudCrafters of any changes to his/her personal data. CloudCrafters has implemented a transparent communication process with data subjects that enables them to request rectification or deletion of inaccurate data. • Integrity and confidentiality - CloudCrafters collects and processes personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Personal data are made available to CloudCrafters employees depending on their authorization and position, as well as other legal persons solely on the basis of legitimate interest pursued by CloudCrafters and, if necessary, for the fulfilment contractual obligations, all in accordance with specific purposes for which the personal data have been collected and the purposes of the intended processing. CloudCrafters adopted appropriate technical and organizational protection measures and implemented systems for the purpose of detecting and preventing data leaks, data access control methods, and so on.
IV. WHICH PERSONAL DATA DO WE COLLECT AND PROCESS? Within the scope of their business activities, members of CloudCrafters may collect the following categories of personal data according to categories of data subjects: Interested parties: • contact information (e.g. first name, last name, e-mail address, etc.); • data required for concluding contracts (e.g. first name, last name, address, PIN (OIB), etc.). Users: • contact information (e.g. first name, last name, e-mail address, etc.); • data required for concluding contracts (e.g. first name, last name, address, PIN (OIB), etc.); • data required for usage of CloudCrafters services (e.g. first name, last name, e-mail address, authorized person’s name and last name and position etc.); • data required for the execution of contracts (e.g. first name, last name, e-mail address, IBAN, etc.). Job candidates: • contact information (e.g. first name, last name, e-mail address, mobile phone number, etc.); • data included in the curriculum vitae (e.g. education information, previous employment, work experience, photograph, etc.); • test results. Former and current employees: • all data prescribed by positive regulations related to employment-legal relationships, accounting, and bookkeeping regulations (e.g. first name, last name, address, PIN (OIB), year of birth, etc.); • data required for internal company communications (e.g. official company photos, etc.); • data required to perform job-related tasks and activities such as organizing travel to a foreign country, obtaining job-related benefits, etc. (e.g. first name, last name, employment status, travel document number, number of children, etc.). External associates and business partners: • contact information (e.g. first name, last name, e-mail address, mobile phone number, etc.); • data included in the curriculum vitae (e.g. education information, previous employment, work experience, etc.); • data required for the execution of contracts (e.g. first name, last name, e-mail address, IBAN, etc.); • data required to meet legal conditions for entering the Republic of Croatia or another country (first name, last name, employment status, travel document number, etc.).
V. WHICH PERSONAL DATA WE DO NOT COLLECT? CloudCrafters members do not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or data concerning an individual's sex life or sexual orientation. Processing the aforementioned special categories of personal data will be carried out by CloudCrafters only under following conditions: • the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of CloudCrafters or of the data subject in the field of employment and social security and social protection law in so far as it is authorized by European Union law or law of the Republic of Croatia or a collective agreement pursuant to law of the Republic of Croatia providing for appropriate safeguards for the fundamental rights and the interests of the data subject. • processing is necessary to protect the vital interests of the data subject or of another natural person. • processing relates to personal data which are manifestly made public by the data subject. • processing is necessary for the establishment, exercise or defense of legal claims.
VI. HOW DO WE COLLECT PERSONAL DATA? CloudCrafters collects personal data in various ways, including: • As part of our business processes and during the discharge of obligations laid down by law or obligations under the sales contract for our services. • When viewing our website. • When engaging in e-mail communication addressed to and from CloudCrafters. • When using CloudCrafters online services which require sign-up procedure. • When data subject complete our surveys or online questionnaires, or when applying for a job opening. • When data subject provide CloudCrafter member with information by posting content on our website or platforms or through direct communication with CloudCrafter members, including private communication and online communication via the website or e-mail. • When CloudCrafter members use digital platforms and applications containing data of business subjects which may include personal data of the representatives of the business subject.
VII. FOR WHICH PURPOSES DO WE PROCESS PERSONAL DATA? CloudCrafters may process personal data for the following purposes: • Compliance with legal and regulatory provisions and regulations within and outside the territory of the Republic of Croatia. • Contracting and using products and services provided by CloudCrafters. • discharging obligations under the sales contract for the provision of services and products of CloudCrafters. • Offering services and products of CloudCrafters on the market. • Website analysis and administration, and website monitoring, improving the services and products of CloudCrafters, measuring your satisfaction with provided services. • Relationship management with data subjects (users of websites and/or services) and other individuals as part of regular business activities. • Selecting candidates for employment or other educational courses. • Marketing activities, including: ◦ webinars ◦ events ◦ sending newsletters
VIII. WHAT ARE THE BASIS FOR PROCESSING PERSONAL DATA? CloudCrafters processes personal data on the following basis: • Executing a sales contract for the provision of CloudCrafters services or any other contract concluded between data subjects and CloudCrafters members. • Legitimate interest in providing access and managing the website for statistical purposes, for the purposes of identifying, resolving disputes and conducting proceedings between the data subject and CloudCrafters, for the purpose of sharing personal data with members and third parties in accordance with this Privacy Policy, for the purpose of selecting candidates for employment. • Explicit consent given by data subjects to receive marketing messages, newsletters, email notifications regarding services, or service satisfaction surveys, for processing your inquiries. • Meeting legal obligations of CloudCrafters, in particular with regard to accounting, bookkeeping, labor law regulations, stock market regulations and other legal obligations.
IX. HOW LONG DO WE STORE PERSONAL DATA? CloudCrafters members store personal data as long as they are necessary in relation to the purposes for which they are collected, that is, for the purpose of discharging contractual or statutory obligations, and no longer then defined by the following criteria: • Personal data collected for the purpose of meeting legal and regulatory obligations are stored according to the prescribed deadlines. • Personal data collected for the purpose of sale of our products and services are stored for the duration of the contractual relationship. • Personal data collected for the purpose of marketing activities are stored until you withdraw your consent, cancel your subscription or request that your subscription be terminated, or until a specific period of inactivity has passed. • Personal data will be deleted upon termination of contractual or employment relationship, and no later than the expiration of any statutory obligation to store such data, except in the event of court proceedings or other similar proceedings being initiated which require data retention. Upon the expiration of aforementioned deadlines regarding data storage, we will remove them from our systems and archives or convert them into anonymous information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
X. WITH WHOM MAY WE SHARE PERSONAL DATA? Based on our legitimate interest, CloudCrafters may share personal data between CloudCrafters members, which may also process such data for the purposes of meeting legal obligations, preventing misuse, improving products and services, or on the basis of received consent. CloudCrafters members will exchange personal data with each other only if such action is required based on legitimate grounds. CloudCrafters may share your personal data with third parties only in following situations: • If there is a statutory obligation or explicit authorization pursuant to the law. • If another person is used to carry out specific activities as a so-called subcontractor, i.e. the processor, who acts solely pursuant to orders given by CloudCrafters members, whereby CloudCrafters is responsible for the implementation of all data protection measures as if CloudCrafters itself is carrying out said activities. • If the data have to be forwarded to third parties for the purpose of executing the contract with the data subject. • Should the ownership structure of enterprises associated with CloudCrafters change in the future, CloudCrafters may transfer personal data to new associated enterprises or third parties for the purpose of carrying out business activities. • On the basis of consent given by the data subject. Such third parties include: • Legislative, supervisory, and regulatory bodies within and outside the territory of the Republic of Croatia. • Financial institutions with which CloudCrafters cooperates. • Internal and external auditors of CloudCrafters, as well as other authorized audit bodies. • Suppliers used by the CloudCrafters to carry out services in the name and on behalf of CloudCrafters members, for the purpose of discharging contractual obligations with data subjects. • Other agencies, institutions, associations, insurance companies and partner enterprises with whom CloudCrafters has concluded a business cooperation agreement based on which enterprise users may contract and use products and services provided by CloudCrafters, etc. When transferring personal data provided by data subjects, CloudCrafters strictly adheres to the principle of restriction of processing which stipulates that only the minimum set of data needed to provide the requested service is transferred, as well as all other relevant data protection principles. Relationships between the CloudCrafters and its partners are governed by data processing agreements, whereby partners have to ensure a minimum level of personal data protection. We process personal data in the EU borders. We may exceptionally process personal data in other countries (e.g. should a specific service or part of a service which involves the processing of personal data be carried out by a subcontractor from another country), and such country is generally a Member State of the European Union. Exceptionally, personal data may be processed in third countries as well, but in such situations, appropriate personal data protection measures are always applied, at least in the way that personal data are processed in the Republic of Croatia (e.g. using the so-called Standard EU contract clauses for third-country processors, other legally binding and enforceable instruments, binding corporate rules, certification, etc.).
XI. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM? CloudCrafters respects the right to privacy and collects and processes data only on legitimate grounds for processing whereby data subjects always retain specific rights in relation to the processing of their data. Data subjects have the following rights: Right to erasure (“right to be forgotten”) – The data subject shall have the right to obtain from CloudCrafters the erasure of personal data concerning him or her without undue delay and CloudCrafters shall have the obligation to erase personal data without undue delay where one of the following grounds applies: • Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. • Data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing. • Data subject objects to the processing and the legitimate grounds for pursuing the right to erasure supersede the legitimate grounds to process and/or store personal data. • Personal data have been unlawfully processed. • Personal data have to be erased for compliance with a legal obligation. Right of access – The data subject shall have the right to obtain from CloudCrafters confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and purposes of the processing, categories of personal data concerned, possible recipients to whom the personal data have been or will be disclosed, etc. Right to rectification – The data subject shall have the right to obtain from CloudCrafters without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. In addition, data subjects are required to update their personal data used in their business relationship with the CloudCrafters. Right to data portability – The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to CloudCrafters, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller. It should be considered that the right to data portability relates exclusively to the personal data of the data subject. Right to object – The data subject shall have the right to object, on grounds relating to his or her situation, at any time to processing of personal data concerning him or her. CloudCrafters shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Furthermore, where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Right to restriction of processing – The data subject shall have the right to obtain from CloudCrafters restriction of processing where the accuracy of the personal data is contested by the data subject, the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, and if the data subject objected to the processing and expects conformation that the legitimate grounds of the controller supersede the legitimate grounds of the data subject. The data subject has the right at any time to request that the aforementioned rights be exercised.
XII. PROTECTION OF PERSONAL DATA In order to protect collected personal data, CloudCrafters implements appropriate physical, technical and organizational security measures, taking into account the nature, context, scope and purposes of the processing, as well as varying likelihood and severity of the risk to the rights and freedoms of the data subject. We continuously update and test our security technologies and improve them at CloudCrafters. We use advanced tools to protect and prevent data leakage, constantly monitor critical systems, encrypt sensitive data, and protect data from unauthorized access, alteration, loss, theft, and any other violations and misuse. Access to data within CloudCrafters is limited only to data required for performing specific business tasks, and exclusively given to authorized persons directly involved in providing or maintaining services, and improving the quality and payment of services, in accordance with clearly defined roles and responsibilities. All CloudCrafters employees are bound by confidentiality agreements, and we exclusively cooperate with and use partners with whom appropriate protection measures are contracted. CloudCrafters cannot guarantee security of data transferred over the internet, websites, mobile apps, computer systems or any other public network.