Privacy and Data Protection

This privacy policy explains how we process personal data in connection with our website and related online services. Last updated: 20 November 2025.

Controller and contact

Controller: Xiphos d.o.o., Republic of Croatia. Email: info@xiphos.hr. Phone: [insert phone number].

If you have questions about this policy or how we process your data, contact us using the details above. We have not appointed a Data Protection Officer (DPO) at this time.

Scope

This policy applies to visitors to our website, individuals who contact us by form, email or phone, newsletter subscribers and users of free resources, registered users of our learning portals and tools, and representatives of our business clients, partners and prospects. It does not cover processing carried out by our clients in their own systems.

Personal data we process

  • Website visitors: technical and log data (IP address, time, URL, status code, data volume, referrer, browser, operating system, device) and cookies or similar identifiers.
  • Contact requests and business communication: name, job title, employer, email, phone, the content of your communication and related metadata.
  • Newsletter and free educational resources: name, email, company, role, interests you choose to share, subscription preferences and interaction data (opens and clicks if enabled).
  • Online portals, LMS and compliance tools: account data (name, email, username, password hash), company and role, enrolments, progress, quiz or exam results, certificates, usage data and support interactions.
  • Client and partner relationships: contact data for client representatives, contract and billing data, and project documentation that may contain stakeholder personal data.

We do not intentionally offer services to children and our website and services are not directed to persons under 16.

Purposes and legal bases

  • Operate the website and ensure security (technical and log data, necessary cookies) – legitimate interests (Article 6(1)(f) GDPR).
  • Respond to contact requests and inquiries (contact details, content, metadata) – contract or pre-contract steps (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)).
  • Newsletter and free educational content (contact data, subscription data, interests, interaction data) – consent (Article 6(1)(a)) or legitimate interests where permitted (Article 6(1)(f)). You can withdraw consent at any time.
  • Operate online portals, LMS and compliance tools (account, usage, course and support data) – contract (Article 6(1)(b)) and legitimate interests to improve services (Article 6(1)(f)).
  • Client relationship management, consulting and compliance services (contact, contract, billing and project data) – contract (Article 6(1)(b)), legal obligation where records must be kept (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)).
  • Marketing and business development (basic contact data, professional role, interaction history) – legitimate interests (Article 6(1)(f)), subject to applicable e-privacy rules.
  • Compliance, legal claims and regulatory obligations (any relevant data) – legal obligation (Article 6(1)(c)) and legitimate interests to protect our rights (Article 6(1)(f)).

If we intend to use personal data for a new purpose that is not compatible with the original purpose, we will inform you separately as required by GDPR.

Cookies and similar technologies

We use technically necessary cookies to operate the website. Where we use additional cookies for analytics or marketing, we will request your consent through a cookie banner or settings and you can withdraw it at any time.

Sources of personal data

We primarily obtain personal data directly from you when you visit the site, fill out a contact form, subscribe to the newsletter, register for a portal or communicate with us as a client. We may also receive data from your employer if they register you for a portal or course, or from public sources such as business registers or professional networking sites where appropriate for B2B relationship building and permitted by law.

Recipients

We share personal data only where lawful and necessary, with typical categories of recipients such as IT and hosting providers, email and newsletter services, learning management, video hosting or webinar platforms, professional advisers (for example accountants or lawyers), payment service providers and banks, and public authorities, courts or regulators where required. Processors are bound by data processing agreements in line with Article 28 GDPR or act as separate controllers where they determine their own purposes and means.

International transfers

Some service providers may be located outside the European Economic Area. Where transfers occur, we ensure an adequate level of protection in line with Chapter V GDPR, for example through European Commission adequacy decisions or standard contractual clauses. You can request more information and a copy of relevant safeguards using the contact details above.

Retention

We keep personal data only as long as necessary for the purposes described or as required by law, considering business relationships, statutory retention periods, limitation periods and the nature of the data. Typical retention logic includes: short retention for website log data; retaining contact inquiries for handling and a reasonable follow-up period; keeping newsletter data until you unsubscribe plus a short period to document the request; retaining portal accounts for the duration of the contract or account activity and then deleting or anonymising; and keeping contract and billing data for statutory periods under Croatian and EU law.

Your rights

You have the rights of access, rectification, erasure, restriction of processing and data portability (where processing is based on consent or contract and carried out by automated means), and the right to object to processing based on legitimate interests. You can object at any time to direct marketing. Where processing is based on consent, you can withdraw it at any time with future effect.

To exercise your rights, contact us using the details in the controller section.

Complaints

If you believe we process your personal data in breach of data protection law, you have the right to lodge a complaint with a supervisory authority. In Croatia the competent authority is the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10 000 Zagreb, Croatia, website: azop.hr.

Obligation to provide data

Where we request personal data, we will indicate whether it is required by law or contract and whether you must provide it. In general: technical data and necessary cookies are required to operate the website; contact data is required to respond to your request or enter into a contract; account data is required for portals and courses; and newsletter data is required if you wish to receive newsletters.

Automated decision-making

We do not use personal data for automated decision-making that produces legal effects or similarly significant effects. If this changes, we will inform you separately and update this policy.

Changes to this policy

We may update this privacy policy from time to time to reflect changes in processing activities or legal requirements. The current version is available on our website, and we may also inform you by email or through our portals where appropriate.