Slikaj Račun

GDPR — Personal Data Protection Statement

Last updated: May 2026

1. Data Controller

The controller of your personal data is:

Sport Group d.o.o.
Osojnikova 4, 2000 Maribor, Slovenia
VAT ID: SI72133449
Email: info@posljiracun.si
Phone: +386 41 580 250

This statement explains how we process personal data in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 — “GDPR”) and the Slovenian Personal Data Protection Act (ZVOP-2).

2. Categories of personal data processed

We process the following categories of personal data:

  • Identification data: first name, last name, email address
  • Authentication data: hashed password, sign-in history (via Clerk)
  • Company contact data: company names and OCR email addresses of accounting programs
  • Document content: photos and PDFs of invoices you upload
  • Technical data: IP address, device type, browser, access timestamps
  • Payment data: processed via Apple In-App Purchase or Paddle (we never store card numbers ourselves)
  • Statistical data: number of sent invoices, delivery status, monthly usage

3. Lawful bases for processing (Art. 6 GDPR)

We process your personal data on the following lawful bases:

  • Performance of a contract (Art. 6(1)(b)): processing is necessary to deliver the service you subscribed to — account registration, invoice forwarding, archiving, billing.
  • Legal obligation (Art. 6(1)(c)): tax and accounting laws require us to retain certain data (e.g. issued invoices for 5–10 years).
  • Legitimate interests (Art. 6(1)(f)): service security (preventing abuse, fraud detection), product improvement, and user communication.
  • Consent (Art. 6(1)(a)): for marketing communications and non-essential cookies (analytics). You may withdraw consent at any time.

4. Purposes of processing

  • Providing the service of forwarding invoices to accounting software
  • Managing user accounts and authentication
  • Processing subscription payments and issuing receipts
  • Customer support and communication
  • System security and abuse prevention
  • Compliance with legal obligations (tax law)
  • Anonymous analytics for product improvement

5. Retention periods

We keep your data only as long as necessary:

  • User account and settings: for as long as your account is active. Upon account deletion, data is purged within 30 days.
  • Invoice images and PDFs in your archive: until you delete them yourself or request account deletion.
  • Payment records: 10 years (Slovenian tax law).
  • Security logs: at most 12 months.
  • Marketing consent: until you withdraw consent.

6. Sharing data with third parties

We share your data only with contractual processors bound by data-processing agreements:

  • Clerk Inc. (USA): authentication and user management
  • Neon Inc. (EU): database hosting (PostgreSQL in EU region)
  • Vercel Inc. (USA / EU): application hosting, CDN
  • Resend Inc. (USA): email delivery (invoices, system emails)
  • Apple Inc. (USA): payment processing in the iOS app (In-App Purchase)
  • Paddle.com Market Ltd (UK): payment processing on the website
  • Your accounting program: we forward the invoice image to the email address you configured (e.g. import@minimax.si)

We do not sell your data to third parties for marketing. We may share it only when explicitly required by law, in response to lawful requests from competent state authorities.

7. International data transfers

Some of our processors are located outside the EU/EEA (e.g. USA). In such cases we ensure an adequate level of protection through:

  • European Commission Standard Contractual Clauses (SCCs)
  • EU-US Data Privacy Framework (where the processor is certified)
  • Encryption in transit (TLS 1.2+) and at rest (AES-256)

8. Your rights (Art. 15–22 GDPR)

As a data subject you have the following rights:

  • Right of access (Art. 15): the right to know whether we process your personal data and to receive a copy.
  • Right to rectification (Art. 16): the right to request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17, “right to be forgotten”): the right to request deletion of your personal data.
  • Right to restriction of processing (Art. 18): the right to ask us to restrict processing (e.g. while accuracy is being verified).
  • Right to data portability (Art. 20): the right to receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): the right to object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
  • Right not to be subject to automated decision-making (Art. 22): we do not use automated decision-making with legal effects.

To exercise these rights, write to info@posljiracun.si. We will respond within 30 days (extendable by a further 2 months in complex cases — we will let you know).

9. Right to lodge a complaint

If you believe we are infringing data protection rules, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner of the Republic of Slovenia
Dunajska 22, 1000 Ljubljana, Slovenia
Phone: +386 (0)1 230 97 30
Email: gp.ip@ip-rs.si
Website: www.ip-rs.si

10. Technical and organisational security measures

To protect your data we use:

  • Encrypted connections (HTTPS / TLS 1.2 or higher)
  • Encryption of data at rest (AES-256)
  • Strictly limited database access (authenticated only)
  • Authentication via Clerk with two-factor support
  • Regular security updates and code reviews
  • Separated environments (development, staging, production)
  • Access auditing and monitoring of suspicious activity

11. Cookies and tracking

Details about the cookies we use are available in the separate cookie policy. We do not use marketing cookies or third-party advertising trackers.

12. Children

The service is intended for business use and is not marketed to children. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has created an account, please contact us so we can delete it.

13. Changes to this statement

We may update this statement from time to time. We will notify you of material changes by email or in-app at least 30 days in advance. The date at the top of this page reflects the last update.

14. Data protection contact

For all questions related to the processing of your personal data, contact us:

Email: info@posljiracun.si
Sport Group d.o.o.
Osojnikova 4, 2000 Maribor, Slovenia