Legal & Policies

Terms, Privacy & Cookies

01 Who we are

Xiphias d.o.o. is the data controller responsible for your personal data collected through the Requestador website and application.

Company
Xiphias d.o.o.
Address
Frana Supila 7B, HR-42000 Varaždin, Croatia
VAT / OIB
HR86325173761
02 Data we collect
Contact form

When you reach out via the contact form on our website, we collect:

Full name
Work email address
Company name
Phone number
The content of your message ("Tell us about your needs")
Application sign-in & account

When you register for or use the Requestador application, we collect:

Full name
Email address (used as your account identifier / username)
Company name
Password — stored exclusively as a one-way hash; never in plain text
In-app activity and usage data
IP address and browser information (technical logs)
03 Purpose & legal basis

Every processing activity is grounded in one of the legal bases listed in Article 6 GDPR:

Purpose
Data involved
Legal basis
Responding to contact form enquiries
Name, email, company, phone, message
Art. 6(1)(f) Legitimate interest, or Art. 6(1)(a) Consent
Providing the Requestador application
Name, email, company, password (hash)
Art. 6(1)(b) Performance of a contract
Security, diagnostics & abuse prevention
IP address, log data, in-app activity
Art. 6(1)(f) Legitimate interest
Compliance with legal obligations
Accounting & tax records
Art. 6(1)(c) Legal obligation
04 Retention periods

We keep your personal data only for as long as necessary for the purposes described above or as required by law:

Data category
Retention period
Notes
Contact form enquiries
2 years
From the date of the enquiry
Active user accounts
Duration of the contract
While the account remains active
Closed user accounts
1 year
From the date of account closure
Accounting & tax records
11 years
Statutory obligation under Croatian Accounting Act
Technical logs (IP, activity)
90 days
Security & diagnostics only
05 Your rights

Under the GDPR, you have the following rights with respect to your personal data. You can exercise any of them by contacting us at support@requestador.com — we will respond within 30 days.

Art. 15 Right of access

Request confirmation of whether we process your data and obtain a copy of it.

Art. 16 Right to rectification

Ask us to correct inaccurate or incomplete personal data we hold about you.

Art. 17 Right to erasure

Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.

Art. 18 Right to restriction

Ask us to temporarily suspend processing of your data in certain circumstances.

Art. 20 Right to portability

Receive your data in a structured, machine-readable format and transfer it to another controller.

Art. 21 Right to object

Object to processing based on our legitimate interests at any time.

Withdraw consent

Where processing is based on your consent, you may withdraw it at any time without affecting prior lawful processing.

Lodge a complaint

You have the right to complain to a supervisory authority — see Section 6 below.

06 Supervisory authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority. In Croatia, that is:

Authority
Agencija za zaštitu osobnih podataka (AZOP)
Address
Martićeva ulica 14, 10000 Zagreb, Croatia
Website
Email
Phone
+385 (0)1 4609 000

You may also contact the supervisory authority in your country of residence or place of work within the EU/EEA.

07 Third parties & processors

We may share your data with trusted third-party service providers solely to the extent necessary to deliver our services:

Hosting & infrastructure providers — servers and databases on which data is stored, contractually bound to protect your data.
Email delivery services — used exclusively to send transactional emails and reply to enquiries.
Analytics tools — anonymised or pseudonymised usage data to help us improve the service.
All processors have signed Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR. We do not sell your data to any third party, nor do we use it for direct marketing without your explicit consent.
08 International data transfers

Where your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place under Chapter V GDPR, including:

Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
Transfers to countries covered by an EU adequacy decision.

For more information, contact us at support@requestador.com.

09 Security

We apply appropriate technical and organisational measures to protect your data, including:

Encryption of data in transit (HTTPS / TLS)
One-way hashing of passwords — credentials are never stored in plain text
Access controls and authentication mechanisms
Regular security reviews and system updates

In the unlikely event of a data breach affecting your rights, we will notify you and the relevant supervisory authority as required by law.

10 Cookies

Our website may use strictly necessary cookies required for the site to function correctly. For detailed information on how we use cookies, please refer to our Cookie Consent policy.

11 Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our data practices or legal requirements. Where changes are material, we will notify you by email or by posting a prominent notice on our website. The date of the last revision is always shown at the top of this page.

12 Contact us

For any questions, requests, or concerns regarding the processing of your personal data, please get in touch:

Company
Xiphias d.o.o.
Address
Frana Supila 7B, HR-42000 Varaždin, Croatia
Subject line
GDPR — Data Subject Request
We aim to respond to all requests within 30 calendar days. In complex cases, this period may be extended by a further 60 days, of which we will inform you in a timely manner.
Last updated ·
01 What are cookies?

Cookies are small text files placed on your device when you visit a website. They allow the site to remember your preferences, keep you logged in, and understand how you interact with our pages.

This policy covers cookies and similar technologies used on requestador.com (our marketing website). The Requestador application at app.requestador.com does not use cookies — it relies exclusively on session storage and localStorage to maintain your authenticated session.

02 Cookie categories

We use four categories of cookies. Strictly necessary cookies are always active. All other categories require your explicit consent.

Always active Strictly Necessary

Required for the website to function. These cannot be disabled. They include session management, authentication, and security protections.

Consent required Functional

Enhance your experience by remembering your preferences, dismissed notifications, and personalising content.

Consent required Performance & Analytics

Help us understand how visitors use our website so we can improve it. Data collected is anonymised or pseudonymised.

Consent required Advertising & Targeting

Used to show you relevant ads and measure the effectiveness of our advertising campaigns across platforms such as Google Ads, Reddit, and Bing.

03 Cookies we use
Strictly Necessary
Cookie
Provider
Purpose
Duration
uc_session
.usercentrics.eu
Manages your active session and authenticated status (login)
~1 day
AEC
.google.com
Prevents malicious sites from mimicking user actions (security)
~6 months
SID / SIDCC
.google.com
Security cookies to protect user data from unauthorized access
~1 year
HSID / SSID
.google.com
Securely sign user requests and prevent fraudulent login use
~1 year
APISID / SAPISID
.google.com
Protect against cross-site request forgery (CSRF)
~1 year
SEARCH_SAMESITE
.google.com
Ensures requests originate from the same site
~1 year
SOCS
.google.com
Stores user consent preferences for Google services
~1 year
NID
.google.com
Remembers language preferences and helps with security
~6 months
Functional
Cookie
Provider
Purpose
Duration
_hjSessionUser_6365071
.usercentrics.eu
Hotjar: Persists user ID for heatmaps and session recordings
1 year
accessibilityNotification­Dismissed
.usercentrics.eu
Stores that you dismissed the accessibility notification
~1 year
_BEAMER_USER_ID_*
.usercentrics.eu
Identifies you for news/update announcements (Beamer)
~2 years
_BEAMER_NPS_LAST_SHOWN_*
.usercentrics.eu
Prevents showing the same NPS survey repeatedly
~1 year
Performance & Analytics
Cookie
Provider
Purpose
Duration
_ga
.usercentrics.eu
Google Analytics: Distinguishes unique users
2 years
_ga_*
.usercentrics.eu
Google Analytics: Persists session state (multiple properties)
2 years
FPID
.usercentrics.eu
Server-side Google Tag identifier for analytics
~1 year
AMP_*
.usercentrics.eu
Google AMP Client ID for cross-page behaviour tracking
~1 year
dd_anonymous_id
.usercentrics.eu
RudderStack anonymous event tracking
~1 year
Advertising & Targeting
Cookie
Provider
Purpose
Duration
_gcl_au
.usercentrics.eu
Google Ads: Ad efficiency experimentation
3 months
_rdt_uuid
.usercentrics.eu
Reddit Ads: Ad personalisation and retargeting
1 year
_uetvid
.usercentrics.eu
Bing Ads: Conversion tracking and retargeting
~1 year
Security
Cookie
Provider
Purpose
Duration
_GRECAPTCHA
www.google.com
Google reCAPTCHA: Protects forms from spam and bots
~6 months
_ga_J1K4E6HRL7
.google.com
Google Analytics for reCAPTCHA usage statistics
2 years
04 Managing your cookie preferences

You can manage or withdraw your consent for non-essential cookies at any time using the cookie preference centre available via the banner on our website.

You can also control cookies directly through your browser settings. Please note that disabling strictly necessary cookies may affect the functionality of our website.

05 Changes to this policy

We may update this Cookie Policy from time to time to reflect changes in the cookies we use or for other operational, legal, or regulatory reasons. We encourage you to review this page periodically. The date of the last revision is always shown at the top of this page.

06 Contact us

If you have any questions about our use of cookies, please contact us:

Company
Xiphias d.o.o.
Last updated ·
Please read these Terms of Service carefully before accessing or using the Requestador platform. By creating an account or using the service, you agree to be bound by these Terms. If you do not agree, do not use the service.
01 The service

Requestador is a middleware platform operated by Xiphias d.o.o. that provides validation, transformation, and output mapping of responses from third-party AI systems.

Requestador is not an AI provider. We do not host, own, train, or control any AI models. Users connect their own AI providers using their own API credentials. Requestador performs deterministic validation and transformation of data — not AI inference.

We reserve the right to modify, suspend, or discontinue the service at any time with reasonable prior notice.

02 Accounts

You are responsible for maintaining the confidentiality of your account credentials and for all activity that occurs under your account. You must immediately notify us of any unauthorised use at support@requestador.com.

You must provide accurate and complete information when registering and keep it up to date.

03 Your responsibility for AI providers

You are solely responsible for:

Your agreements and contracts with third-party AI providers.
The content and legality of the prompts you submit to those providers.
Compliance with the terms of service of each AI provider you connect.
Xiphias d.o.o. has no visibility into, and accepts no responsibility for, the content of prompts sent to third-party AI providers or the outputs those providers return.
04 Regulatory compliance

You are responsible for assessing and ensuring compliance with all applicable laws and regulations governing your use of AI systems, including but not limited to:

The EU AI Act (Regulation EU 2024/1689) and all applicable obligations arising from your use case and risk classification.
The General Data Protection Regulation (GDPR) and applicable national data protection laws.
All sector-specific regulations relevant to your industry and jurisdiction.

Requestador provides tooling infrastructure. It does not constitute legal, compliance, or regulatory advice.

05 No warranty for AI-generated content

Requestador validates the structure and format of outputs returned by third-party AI models. We do not warrant, and expressly disclaim any warranty regarding, the accuracy, completeness, fitness for purpose, or legality of AI-generated content.

You are solely responsible for reviewing, validating, and taking any decisions based on AI-generated outputs before acting upon them.

06 Acceptable use

You agree not to use Requestador to:

Process or facilitate AI applications prohibited under applicable law, including those listed in Article 5 of the EU AI Act.
Attempt to gain unauthorised access to any part of the platform or its underlying systems.
Reverse engineer, decompile, or copy any part of the service.
Upload malicious code or otherwise interfere with the platform or other users.
Resell or sublicense access to the service without our prior written consent.
07 Intellectual property

All content, trademarks, and software comprising the Requestador platform are the property of Xiphias d.o.o. or its licensors. Nothing in these Terms grants you any ownership of intellectual property rights in the service.

You retain ownership of any data you submit to the platform. By using the service, you grant Xiphias d.o.o. a limited licence to process that data solely for the purpose of providing the service to you.

08 Privacy & data

Your use of the service is also governed by our Privacy Policy. By using Requestador, you acknowledge that we process your personal data as described therein.

09 Limitation of liability

To the maximum extent permitted by applicable law, Xiphias d.o.o. shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of, or inability to use, the service — including damages arising from AI-generated outputs, third-party AI provider failures, or regulatory non-compliance on your part.

Our total aggregate liability to you shall not exceed the amount you paid us in the twelve (12) months immediately preceding the event giving rise to the claim.

10 Termination

We may suspend or terminate your access to the service immediately if you breach these Terms, if required by law, or for other legitimate operational reasons. We will provide reasonable prior notice where possible.

You may cancel your account at any time by contacting support@requestador.com. Upon termination, your data will be handled in accordance with our Privacy Policy.

11 Governing law & disputes

These Terms are governed by and construed in accordance with the laws of the Republic of Croatia, without regard to its conflict of law provisions.

Any disputes arising out of or in connection with these Terms shall be subject to the exclusive jurisdiction of the competent courts in Varaždin, Croatia.

12 Changes to these Terms

We may update these Terms from time to time. Where changes are material, we will notify you by email or via a prominent notice in the application at least 14 days before the changes take effect.

Continued use of the service after the effective date constitutes acceptance of the revised Terms.

13 Contact us

If you have any questions about these Terms, please contact us:

Company
Xiphias d.o.o.
Address
Frana Supila 7B, HR-42000 Varaždin, Croatia
Last updated ·