This Privacy Policy explains how Civis Mundi d.o.o. ("Civis Mundi", "we", "us") processes personal data of visitors, clients and prospective clients in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applicable Croatian data protection law. This page is maintained by Civis Mundi d.o.o. to answer common privacy questions about our website and services.
1. Data controller
Civis Mundi d.o.o., Trdice 26, Zagreb, Croatia. OIB: 34670389714. Contact: Civis.mundi.doo@gmail.com. If you have questions about this policy or want to exercise your rights, contact us using the details above.
2. Data we collect
- Contact data you submit through forms or email: name, company, email, phone, project brief.
- Contract data: information necessary to prepare offers, contracts, invoices and to deliver services.
- Technical data: IP address, browser type, device, referring page, pages visited — collected via server logs and, with consent, analytics cookies.
- Payment data (when we accept online payments): handled by our regulated payment processors (Stripe Payments Europe, Ltd. and Klarna Bank AB). We do not store full card numbers on our servers.
3. Purposes and legal bases
- Responding to inquiries and providing quotes — Art. 6(1)(b) GDPR (pre-contractual steps) and 6(1)(f) (our legitimate interest to reply).
- Performing contracts and delivering construction and consulting services — Art. 6(1)(b).
- Invoicing, accounting and legal record-keeping — Art. 6(1)(c) (legal obligation).
- Processing payments through Stripe or Klarna — Art. 6(1)(b) and 6(1)(c). Stripe and Klarna act as independent controllers for fraud prevention and regulatory compliance.
- Website analytics — Art. 6(1)(a) (your consent, via our cookie banner). You can withdraw consent at any time.
- Securing our site and preventing abuse — Art. 6(1)(f).
4. Sharing your data
We share personal data only with processors and partners that support our services, under written agreements:
- Hosting and infrastructure providers within the EU / EEA.
- Payment providers: Stripe Payments Europe, Ltd. (Ireland) and Klarna Bank AB (publ) (Sweden), for payment processing, fraud prevention and, in Klarna's case, credit and identity checks where applicable.
- Accountants, auditors and legal advisors bound by professional confidentiality.
- Public authorities where required by law.
We do not sell personal data. Where a transfer outside the EEA is necessary, we rely on adequacy decisions or Standard Contractual Clauses.
5. Retention
- Inquiry emails and unsuccessful proposals: up to 24 months.
- Contract, invoice and accounting records: 11 years, as required by Croatian tax and accounting law.
- Website analytics: up to 14 months.
- Cookie consent choices: up to 12 months, then re-prompted.
6. Your rights
Under the GDPR you have the right to:
- Access your personal data and receive a copy;
- Request rectification or erasure;
- Restrict or object to processing based on our legitimate interests;
- Data portability where processing is based on consent or contract;
- Withdraw consent at any time, without affecting prior lawful processing;
- Lodge a complaint with the Croatian Personal Data Protection Agency (AZOP, azop.hr) or your local supervisory authority.
7. Security
We apply appropriate technical and organisational measures — encryption in transit, access controls, least-privilege administration, regular backups — to protect personal data against loss, misuse or unauthorised access.
8. Payments
When online payment is offered, checkout is handled by Stripe and/or Klarna. These providers process your payment data as independent controllers for purposes required by financial regulation (KYC, AML, fraud prevention). Their privacy notices apply in addition to this one: stripe.com/privacy and klarna.com/international/privacy-notice.
9. Changes
We may update this policy. The "Last updated" date at the top reflects the current version.