01 Who we are
Xiphias d.o.o. is the data controller responsible for your personal data collected through the Requestador website and application.
Address
Frana Supila 7B, HR-42000 Varaždin, Croatia
02 Data we collect
Contact form
When you reach out via the contact form on our website, we collect:
Full name
Work email address
Company name
Phone number
The content of your message ("Tell us about your needs")
Application sign-in & account
When you register for or use the Requestador application, we collect:
Full name
Email address (used as your account identifier / username)
Company name
Password — stored exclusively as a one-way hash; never in plain text
In-app activity and usage data
IP address and browser information (technical logs)
03 Purpose & legal basis
Every processing activity is grounded in one of the legal bases listed in Article 6 GDPR:
Purpose
Data involved
Legal basis
Responding to contact form enquiries
Name, email, company, phone, message
Art. 6(1)(f) Legitimate interest, or Art. 6(1)(a) Consent
Providing the Requestador application
Name, email, company, password (hash)
Art. 6(1)(b) Performance of a contract
Security, diagnostics & abuse prevention
IP address, log data, in-app activity
Art. 6(1)(f) Legitimate interest
Compliance with legal obligations
Accounting & tax records
Art. 6(1)(c) Legal obligation
04 Retention periods
We keep your personal data only for as long as necessary for the purposes described above or as required by law:
Data category
Retention period
Notes
Contact form enquiries
2 years
From the date of the enquiry
Active user accounts
Duration of the contract
While the account remains active
Closed user accounts
1 year
From the date of account closure
Accounting & tax records
11 years
Statutory obligation under Croatian Accounting Act
Technical logs (IP, activity)
90 days
Security & diagnostics only
05 Your rights
Under the GDPR, you have the following rights with respect to your personal data. You can exercise any of them by contacting us at support@requestador.com — we will respond within 30 days.
Art. 15 Right of access
Request confirmation of whether we process your data and obtain a copy of it.
Art. 16 Right to rectification
Ask us to correct inaccurate or incomplete personal data we hold about you.
Art. 17 Right to erasure
Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Art. 18 Right to restriction
Ask us to temporarily suspend processing of your data in certain circumstances.
Art. 20 Right to portability
Receive your data in a structured, machine-readable format and transfer it to another controller.
Art. 21 Right to object
Object to processing based on our legitimate interests at any time.
Withdraw consent
Where processing is based on your consent, you may withdraw it at any time without affecting prior lawful processing.
Lodge a complaint
You have the right to complain to a supervisory authority — see Section 6 below.
06 Supervisory authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority. In Croatia, that is:
Authority
Agencija za zaštitu osobnih podataka (AZOP)
Address
Martićeva ulica 14, 10000 Zagreb, Croatia
You may also contact the supervisory authority in your country of residence or place of work within the EU/EEA.
07 Third parties & processors
We may share your data with trusted third-party service providers solely to the extent necessary to deliver our services:
Hosting & infrastructure providers — servers and databases on which data is stored, contractually bound to protect your data.
Email delivery services — used exclusively to send transactional emails and reply to enquiries.
Analytics tools — anonymised or pseudonymised usage data to help us improve the service.
All processors have signed Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR. We do not sell your data to any third party, nor do we use it for direct marketing without your explicit consent.
08 International data transfers
Where your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place under Chapter V GDPR, including:
Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
Transfers to countries covered by an EU adequacy decision.
For more information, contact us at support@requestador.com.
09 Security
We apply appropriate technical and organisational measures to protect your data, including:
Encryption of data in transit (HTTPS / TLS)
One-way hashing of passwords — credentials are never stored in plain text
Access controls and authentication mechanisms
Regular security reviews and system updates
In the unlikely event of a data breach affecting your rights, we will notify you and the relevant supervisory authority as required by law.
10 Cookies
Our website may use strictly necessary cookies required for the site to function correctly. For detailed information on how we use cookies, please refer to our Cookie Consent policy.
11 Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our data practices or legal requirements. Where changes are material, we will notify you by email or by posting a prominent notice on our website. The date of the last revision is always shown at the top of this page.
12 Contact us
For any questions, requests, or concerns regarding the processing of your personal data, please get in touch:
Address
Frana Supila 7B, HR-42000 Varaždin, Croatia
Subject line
GDPR — Data Subject Request
We aim to respond to all requests within 30 calendar days. In complex cases, this period may be extended by a further 60 days, of which we will inform you in a timely manner.
