logo Režije 🇭🇷 Hr

Privacy Policy for the Utility Bill Tracking Web App

1. Introduction

This Privacy Policy ("Policy") explains how rezije.app ("we", "us", "our") collects, uses, and protects personal data in connection with the use of the utility bill tracking web application (the "Application"). This Policy applies to personal data of users of the Application.

2. Data Controller and Contact

The data controller for personal data processed in connection with the Application is rezije.app. The Application is published and maintained by a private individual (not a company).

For privacy-related questions and to exercise your rights, you can contact us at [email protected].

3. Personal Data We Collect

We may collect the following categories of data:

  1. Account data (Google OAuth): your email address and the identifier (OAuth ID) assigned by Google, and other basic data necessary for authentication and account management.
  2. Data you enter in the Application: billing locations, account names, amounts, dates, notes, and any other data you voluntarily enter.
  3. Uploaded documents: documents and files you upload (e.g., bills, PDFs, photos). Such documents may contain personal data (yours or third parties'), depending on their content.
  4. Technical data and logs: basic technical data required for operation and security (e.g., login logs, error logs, and security event logs).
  5. Aggregated analytics data (cookie-less): aggregated usage data (e.g., visit counts, page views, session duration) collected via self-hosted web analytics that does not use cookies.

4. How We Use Your Data and Legal Bases

We process personal data only when we have a lawful basis, for the following purposes:

  1. Providing and maintaining the Service (performance of a contract / steps prior to entering into a contract): enabling login, providing Application features, storing and displaying your data.
  2. Security and abuse prevention (legitimate interests): protecting the Application, detecting and preventing fraud, incidents, and unauthorized access.
  3. Improving the Application (legitimate interests): analyzing aggregated usage to improve performance and user experience.
  4. User communications (legitimate interests and/or performance of a contract): sending account-related communications, security notices, and important updates about the Application or this Policy.
  5. Legal obligations (legal obligation): retaining and disclosing data where necessary to comply with applicable law or lawful requests by authorities.

5. Cookies and Similar Technologies

The Application uses cookies and/or similar technologies that are necessary for functionality (e.g., authentication/session and security).

For analytics, we use cookie-less, self-hosted web analytics. We do not use analytics for advertising purposes or to build marketing profiles of users.

6. Hosting and Processing Location (EU)

The Application is hosted on infrastructure located within the European Union. Data is processed and stored in the EU.

7. Data Sharing and Recipients

We do not sell your personal data. We may share data only in the following cases:

  1. EU infrastructure/hosting provider: we use an infrastructure/hosting provider to operate, keep available, and secure the Application. That provider may have technical access to data only to the extent necessary to deliver the service and under confidentiality obligations.
  2. Authentication: login via Google OAuth involves exchanging data necessary for authentication with Google, in accordance with Google’s policies.
  3. Legal requirements: where necessary to comply with law, a court order, or a lawful request by authorities, or to protect our rights and the safety of users.

8. Transfers Outside the EU/EEA

As a rule, we do not transfer personal data outside the EU/EEA as part of operating the Application. However, certain processing related to Google OAuth is performed in accordance with Google’s policies and may involve transfers outside the EU/EEA. In such cases, Google’s safeguards and rules apply.

9. Security

We implement reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, and disclosure. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Data Retention

We retain data only as long as necessary for the purposes for which it was collected:

  1. Account data: while your account is active and until the account is deleted, unless retention is required to comply with legal obligations or resolve disputes.
  2. Data you enter and uploaded documents: until you delete them or until the account is deleted, with a reasonable period for technical removal from active systems.
  3. Technical logs: retained for a limited time for security and diagnostics and then deleted or anonymized, unless longer retention is needed to investigate an incident or comply with legal obligations.
  4. Backups: backups are retained for up to 7 days and then automatically overwritten or deleted. Due to the nature of backups, deleted data may remain in backups until the retention period expires.

11. Your Rights (GDPR)

Depending on applicable law, you may have the following rights:

  1. Right of access: request confirmation whether we process your data and obtain a copy.
  2. Right to rectification: request correction of inaccurate data or completion of incomplete data.
  3. Right to erasure ("right to be forgotten"): request deletion of your data where the conditions are met.
  4. Right to restriction: request restriction of processing in certain cases.
  5. Right to data portability: request your data in a structured, commonly used, machine-readable format, where applicable.
  6. Right to object: object to processing based on legitimate interests, including analytics, where applicable.
  7. Right to withdraw consent: if processing is based on consent, you may withdraw it at any time (withdrawal does not affect the lawfulness of processing before withdrawal).

12. How to Exercise Your Rights

To exercise your rights, contact us at [email protected]. To protect personal data, we may request additional information to verify your identity before responding to your request.

13. Right to Lodge a Complaint

If you believe that the processing of your personal data violates applicable law, you have the right to lodge a complaint with a supervisory authority. In the Republic of Croatia, the supervisory authority is the Croatian Personal Data Protection Agency (AZOP).

14. Children’s Privacy

The Application is not intended for persons under 18 years of age, and we do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us so we can take appropriate measures.

15. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices or to comply with law. If we make material changes, we will notify you via a notice in the Application and/or by email (sent to the address associated with your account) before the changes take effect.

16. Contact

If you have any questions about this Privacy Policy, please contact us at [email protected].