Privacy Policy
Xiphos d.o.o.
Effective Date: 26.07.2025.
Fabijanićeva 60, 10040 Zagreb, Croatia
OIB/VAT: HR39402063665
Contact: in**@****os.hr
1. Introduction
Xiphos d.o.o. (“Xiphos”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy describes how we collect, use, process, store, and share your personal data when you interact with us via our website, SaaS platform, online services, or other communications. It also explains your privacy rights and how the law protects you.
This Policy applies to all visitors, customers, users, affiliates, partners, and any individual whose personal data we process in the course of providing our services, including consulting, compliance tools, eLearning, webinars, and support.
2. Who We Are
Xiphos d.o.o. is a leading provider of cybersecurity, compliance, resilience, and advisory services, including SaaS-based solutions and training for small and medium-sized businesses.
We are registered in Croatia and operate in accordance with EU data protection laws, including the General Data Protection Regulation (GDPR).
3. What Personal Data We Collect
Depending on your interaction with Xiphos, we may collect and process the following types of personal data:
a) Identity and Contact Data
- Name and surname
- Company name and job title
- Business address
- Email address and telephone number
b) Account and Authentication Data
- Usernames and (hashed) passwords
- Multi-factor authentication tokens (email magic link, code)
- Account roles, permissions, and profile preferences
c) Subscription and Payment Data
- Billing information (company, address, VAT ID)
- Payment method (no card details stored; handled via Stripe or other certified processors)
- Subscription plan, start/end dates, status, invoices
d) Service Usage Data
- Usage logs from SaaS platforms, training portals, and knowledge bases
- Activity records and user actions (e.g., quiz completions, module access, document downloads)
- Session identifiers, login times, and access logs
e) Device and Technical Data
- IP address, browser type/version, operating system, device identifiers
- Cookie data and analytics (see Section 7)
- Referring/exit URLs, clickstream data
f) Communications and Support
- Emails, support tickets, live chat transcripts, feedback forms
- Webinar registrations, Q&A submissions, poll results, survey responses
g) Marketing and Preferences
- Newsletter subscription status and communication preferences
- Event registrations and consent records
h) Affiliate and Referral Data
- Referral codes, tracking IDs, affiliate account details, payout data
i) Other Data
- Data provided via contact forms, uploads, feedback, or during calls/webinars
- Job applications and CVs (when applicable)
We do not collect sensitive categories of personal data (such as health, biometric, or political information), unless explicitly required by law or for a specific service with clear notice and consent.
4. How We Collect Personal Data
We collect your data in several ways:
Directly from You
- When you register for an account or subscribe to a service
- When you request a demo or consultation, or contact us via a form, chat, or email
- When you participate in webinars, training, or eLearning modules
- When you sign up for newsletters, marketing updates, or events
- When you join our affiliate or referral programs
- When you provide feedback or respond to surveys
Automatically
- Through cookies and analytics tools when you browse our websites or use our platforms
- Via service logs, error reports, and usage data from our SaaS and support systems
From Third Parties
- Payment processors (Stripe, PayPal, banks)
- Referrals from affiliates, business partners, or existing clients
- Public sources such as business directories or social media, where permitted by law
5. Why We Process Your Data (Purpose and Legal Basis)
We process your personal data only when we have a valid legal basis, including:
- Performance of a contract: To provide, manage, and support your subscription or requested services.
- Legal obligation: To comply with legal and regulatory requirements (tax, accounting, anti-fraud, security, GDPR, NIS2, DORA).
- Legitimate interests: To operate and improve our business, ensure security, perform analytics, manage customer relationships, and prevent abuse.
- Consent: For marketing communications, use of non-essential cookies, event invitations, and optional data collection. (You can withdraw consent at any time.)
- Vital interest: To notify you about incidents affecting your data security.
6. How We Use Your Personal Data
We use your personal data for the following purposes:
- Account Management: Creating and managing your account(s) on our platforms.
- Service Delivery: Providing access to SaaS tools, consulting, eLearning, webinars, training, and support.
- Subscription & Billing: Managing subscriptions, invoicing, and payment processing (handled by Stripe/partners).
- Communication: Responding to inquiries, sending confirmations, and providing customer service/support.
- Security: Authenticating users, enforcing MFA, monitoring access, protecting our platforms from unauthorized use, and logging security events.
- Compliance: Fulfilling regulatory, legal, and contractual obligations, including audits and certifications.
- Marketing (with consent): Sending newsletters, educational content, invitations to webinars/events, and promotional offers.
- Analytics: Measuring usage, improving products/services, and producing anonymized reports for business insights.
- Affiliate/Referral Program: Tracking referrals, managing affiliate accounts, and processing commission payments.
- Incident Notification: Informing users of relevant security events or data breaches.
We do not use your personal data for automated decision-making, profiling with legal effects, or sale to third parties.
7. Cookies and Tracking Technologies
What Are Cookies?
Cookies are small text files stored on your device when you visit a website.
They may be “essential” (strictly necessary for site operation) or “non-essential” (e.g., analytics, marketing).
Our Cookie Use
- Essential cookies: For security, authentication, session management, and language preferences. These are always active.
- Analytics cookies: Used (e.g., Google Analytics, Matomo, or Plausible) only if you consent via the cookie banner. We use privacy-focused settings (IP anonymization, no tracking for advertising).
- No third-party ad cookies are set.
- Preference management: You can accept/reject non-essential cookies at any time via our cookie banner or settings page.
Do Not Track and Other Signals
We respect browser “Do Not Track” signals for analytics cookies.
For more details, see our Cookie Policy (if applicable).
8. Data Sharing and International Transfers
Who Has Access to Your Data
- Only authorized Xiphos staff and subcontractors who need the data to provide our services, and who are bound by strict confidentiality and security obligations.
- Subprocessors/service providers for hosting (EU-based or GDPR-compliant), email/SMS (e.g., AWS, OVH, Mailersend), payment processing (Stripe), analytics, support, and infrastructure.
- All subprocessors are required by contract to comply with the GDPR and to process your data only as instructed.
Legal Disclosure
- We may disclose personal data to public authorities, courts, or law enforcement if required by law, legal process, or to defend legal claims.
- If required, you will be notified unless legally prohibited.
No Data Sales
- We do not sell your personal data.
International Transfers
- If data must be transferred outside the EEA, we ensure that adequate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions) to protect your data.
- A list of subprocessors and their jurisdictions is available upon request.
9. Data Security
We implement robust technical and organizational measures to safeguard your personal data:
- Encryption: All data in transit is encrypted (TLS 1.3); data at rest is encrypted (e.g., MySQL TDE, secure backups).
- Access Controls: Role-based access and the principle of least privilege; all staff and admins use MFA.
- Physical Security: Data centers and office premises are protected by appropriate measures.
- Monitoring and Logging: Regular security monitoring, audit logs of access and changes, anomaly detection.
- Incident Response: Documented response plan for data breaches; affected users are notified in accordance with GDPR.
- Regular Testing: Security audits, vulnerability scanning, and penetration testing.
- Privacy by Design: Secure development practices embedded in our software lifecycle.
10. Data Retention
We retain your personal data only as long as necessary for the purposes set out in this Policy, or as required by law.
- User accounts: Retained for the duration of the subscription and up to 2 years after termination (for tax, audit, and legal compliance).
- Support tickets and communications: Retained up to 2 years.
- Marketing consent records: Until you withdraw consent or unsubscribe.
- Affiliate/referral program: Account and payout data kept for up to 2 years post-closure.
- Audit and security logs: Kept for 24 months, after which personal identifiers are masked/anonymized.
- Job applications: Retained for 6 months unless you consent to a longer period.
After these periods, data is securely deleted or anonymized unless further retention is required by law.
11. Your Rights (GDPR & Applicable Laws)
You have the following rights regarding your personal data:
- Right to Access: Obtain a copy of your personal data held by us.
- Right to Rectification: Correct incomplete or inaccurate data.
- Right to Erasure: Request deletion of your data (“right to be forgotten”) where legally permissible.
- Right to Restriction: Ask us to limit processing if you contest its accuracy or legality.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing for direct marketing or based on our legitimate interests.
- Right to Withdraw Consent: At any time, for processing based on consent.
- Right to Lodge a Complaint: With the Croatian Data Protection Authority (AZOP) or your national supervisory authority.
How to Exercise Your Rights
- Contact us by email: in**@****os.hr
- We may need to verify your identity before fulfilling requests.
- We aim to respond within 30 days.
12. Children’s Privacy
Our services are not intended for children under 16. We do not knowingly collect data from minors.
If you believe a child has provided us with personal data, please contact us immediately at in**@****os.hr. We will promptly delete such data.
13. Affiliate, Referral, and Partner Data
If you participate in our affiliate or referral programs:
- We collect your contact, account, payout, and referral data to manage your participation, track referrals, and process commissions.
- All data is processed as described above and retained as required for compliance and taxation.
- Affiliates are responsible for their own tax obligations and must comply with our Terms of Affiliate Participation and Terms of Payout.
14. Data Protection Officer (DPO) and Contact Information
We have appointed a Data Protection Officer (DPO) responsible for overseeing privacy matters:
Darie Maric
Data Protection Officer (DPO)
Xiphos d.o.o.
Fabijanićeva 60, 10040 Zagreb, Croatia
Email: in**@****os.hr
15. Changes to This Policy
We may revise this Privacy Policy from time to time.
- The most current version will always be posted at [your domain]/privacy-policy.
- Material changes will be communicated via email to registered users and/or a website notice.
- Previous versions of this Policy are archived and available upon request.
- The effective date of the latest version will be displayed at the top of the page.
16. Additional Information
If you have any questions about this Policy, your data, or wish to exercise your rights, please contact our DPO at in**@****os.hr.
If you disagree with any part of this Policy, please do not use our website or services.
Xiphos d.o.o. – Secure Your Business, Simplify Your Compliance
This Privacy Policy is reviewed and updated regularly to maintain compliance with applicable laws and best practices. Last updated: [Insert Date].