1. Privacy Policy and Cookie Policy

1.1. Introduction

The purpose of this policy is to inform visitors of the website www.smarteh.com (hereinafter: the website), users of the SmartehCloud software tools (hereinafter: the software tools), and all other individuals who come into contact with Smarteh d.o.o. about the scope, purposes, legal bases and methods of processing personal data, including the use of cookies collected by Smarteh d.o.o., as well as the related rights of individuals in accordance with the applicable personal data protection regulations.

This policy applies to all users of the website, software tools, and all other forms of collection and processing of personal data within the operations of Smarteh d.o.o., such as newsletters, orders, contact forms, business communication, and similar activities.

Smarteh d.o.o. reserves the right to amend or update this policy. Any changes shall be published on the website and shall enter into force on the date of publication.

2. Privacy Policy

2.1. Controller of Personal Data

• full name: Smarteh Raziskave in razvoj procesne opreme d.o.o.;
• address: Poljubinj 114, 5220 Tolmin, Slovenia;
• website: https://www.smarteh.com
• email: info@smarteh.si

Smarteh d.o.o. (hereinafter: the controller), based on the scope and nature of personal data processing, is not required to appoint a Data Protection Officer. For any questions regarding the processing of personal data, the controller can be contacted at info@smarteh.si.

2.2. Purpose and Legal Basis of Processing of Personal Data

The controller processes personal data obtained through the website, the SmartehCloud software tools, electronic mail, telephone calls, and other communication channels, on the basis of the appropriate legal ground (consent, contract, legal obligation, or legitimate interest) for the following purposes:

• sending newsletters, where consent has been given;
• contacting customers in order to prepare offers or respond to inquiries;
• registration of users and business partners in the software tools;
• ensuring the operation, maintenance, and upgrading of the SmartehCloud service;
• managing user accounts and authorizing access to the service;
• ensuring information and network security and preventing misuse;
• providing technical support and resolving errors;
• fulfilling legal obligations (accounting, tax, and other statutory obligations).

Within the scope of the above purposes, the controller processes the following categories of personal data:

• identification and contact data: first name, last name, company name, company address, email address, telephone number;
• employment and business function data: job title, function within the company;
• company data, which may in certain cases constitute personal data, for example in the case of sole proprietors: company name, registered office and business address, tax number and registration number;
• other publicly available data related to the individual’s business activities;
• communication and business data: inquiries, orders, business communication;
• data related to the use of SmartehCloud: user account, login data, configurations, settings, access logs, and security logs;
• technical data when using the website or the SmartehCloud service: IP address, date and time of access, data about the device, operating system, and browser, as well as data from cookies in accordance with the Cookie Policy, where such data constitute personal data;
• other personal data voluntarily entered into forms, sent via electronic mail, or otherwise provided to the controller by the individual.

The legal bases for the processing of personal data are as follows:

• the individual’s consent (e.g. for newsletters, promotional notifications, the use of cookies on the website, and other activities where consent is required), whereby the individual gives consent to receive newsletters or to the processing of personal data by checking the appropriate box when submitting the application, and consent to the use of cookies by explicitly confirming through a pop-up window upon the first visit to the website; such consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to the withdrawal;
• the performance of a contract or the taking of steps prior to entering into a contract (e.g. preparation of offers, processing of orders, registration of a user account, and other business communication in the process of concluding or performing a contract);
• the legitimate interest of the controller, where such processing is necessary for:
  • the establishment and conduct of basic business communication or the performance of the controller’s business activities;
  • ensuring information and network security and preventing misuse;
  • ensuring the functioning, maintenance, and upgrading of the website (e.g. necessary or mandatory cookies) and software, including technical support and troubleshooting;

  provided that, prior to any such processing, the controller carries out a legitimate interest assessment in order to identify its legitimate interest, assess whether the processing of personal data is necessary for the purposes of that interest, and verify whether the interests or rights of the individual override the interests of the controller;

• compliance with legal obligations (e.g. accounting, tax, or other statutory obligations binding on the controller).

The controller does not carry out automated decision-making, including profiling, on the basis of the personal data provided or processed.

The controller protects the collected personal data in accordance with the General Data Protection Regulation (EU) 2016/679 and the Personal Data Protection Act (ZVOP-2, Official Gazette of the Republic of Slovenia, No. 163/22 et seq.). The controller shall not be responsible for the correctness and accuracy of the data provided by users.

2.3. Is the Provision of Personal Data Mandatory and What Are the Consequences if Personal Data Is Not Provided?

The provision or enabling of the processing of personal data is, in certain cases, voluntary, while in other cases it is based on the legitimate interest of the controller or constitutes a contractual requirement, i.e. a condition for entering into or performing a contract or offer. The nature of the obligation and the consequences of not providing personal data depend on the purpose for which the data are provided or processed.

Use of the Website

When visiting the website, certain technical data are processed, such as the IP address, date and time of access, data about the device, operating system and browser, as well as data from cookies in accordance with the Cookie Policy. The processing of data that is technically necessary for the operation of the website, including necessary cookies, is based on the legitimate interest of the controller in ensuring the secure, stable and uninterrupted operation of the website. Without the processing of such data, the website cannot function properly or its operation may be limited.

The processing of personal data based on non-essential cookies, such as functional, analytical or marketing cookies, is voluntary and based on the individual’s consent. Consent to the use of cookies is given through the explicit action of the user via a pop-up window upon the first visit to the website. The individual is under no obligation to provide such consent. If consent is not given, the use of the website is in principle not prevented, but certain functionalities or content customizations may not be available. Consent may be changed or withdrawn by the individual at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.

Receiving Newsletters and Standardized Materials

The provision of personal data for the purpose of subscribing to newsletters or receiving standardized materials, such as general offers or professional content, is voluntary and based on the individual’s consent. If the individual does not provide the data or does not give consent, they cannot receive newsletters or other materials. Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.

Inquiries and Pre-Contractual Activities

The provision of personal data in the context of submitting an inquiry, preparing a specific offer, or carrying out other activities at the request of an individual prior to the conclusion of a contract constitutes a contractual requirement or a condition for taking steps prior to entering into a contract. If the individual does not provide the requested personal data, the controller cannot process the inquiry, prepare a tailored offer, or enter into a contract with that individual.

Performance of a Contract and Provision of Services

The provision or enabling of the processing of personal data necessary for the performance of a contract, for example data required to create a user account, login data, IP address, or technical data relating to the use of the software, constitutes a contractual requirement. Without such data, the controller cannot provide the contractually agreed services, such as creating or managing a user account, providing the software, or otherwise performing the contract.

2.4. Recipients of Personal Data

Personal data shall not be disclosed to third parties, except to the controller’s contractual processors or where such disclosure is required by applicable legislation or necessary for compliance with the controller’s legal obligations.

Where necessary for the achievement of the purpose of processing, personal data shall be disclosed to the controller’s contractual processors, i.e. recipients of personal data, who perform specific services on behalf of and for the account of the controller, such as IT service providers, information system maintenance providers, hosting and software infrastructure providers, email service providers, external marketing service providers, accounting service providers, printers, delivery services, and other contractual partners providing technical or organizational support.

The controller’s contractual processors process personal data exclusively in accordance with the contractual purpose and the controller’s instructions, while observing the appropriate technical and organizational measures for the protection of personal data.

Personal data shall be disclosed to competent state authorities, holders of public authority, and other public law entities where such disclosure is required by applicable legislation or necessary for compliance with the controller’s legal obligations.

2.5. Security, Retention, and Possible Transfers of Personal Data

The controller implements appropriate technical and organizational measures to ensure the security of personal data, including:

• protection of premises and equipment;
• protection of software and application equipment;
• prevention of unauthorized access, misuse, or disclosure of data;
• ensuring traceability of access to and modification of data;
• protection of communication between the user and the server through the use of encrypted communication protocols (SSL/TLS), together with additional security mechanisms such as firewalls, access controls, and similar security measures.

Through these measures, the controller ensures that personal data are processed in accordance with the principles of lawfulness, fairness, and transparency, and that their security is safeguarded in accordance with the applicable personal data protection regulations.

Any transfers of personal data to third countries or international organizations shall be carried out only exceptionally and exclusively within the framework of the use of analytical or advertising tools on the website, i.e. cookies of providers located abroad, where this is required by the purpose of the processing and there is an appropriate legal basis for such transfer, and where adequate safeguards are in place to ensure a level of protection of personal data equivalent to that within the European Union.

2.6. Retention Period of Personal Data

Personal data shall be processed only for as long as necessary to achieve the purpose for which it was collected, or until consent is withdrawn, where the processing is based on consent.

Individual categories of personal data shall be retained in accordance with the following retention periods:

• data used for sending newsletters or standardized materials shall be retained until the user’s consent is withdrawn;
• data collected as part of business communication, including offers and inquiries, shall be retained for up to 12 months following the end of the communication;
• contractual and related personal data shall be retained in accordance with the applicable accounting and tax legislation, for a period of up to 10 years;
• personal data collected upon visiting the website on the basis of cookies shall be retained for the duration of the individual cookie that collects the personal data, as set out in point 3 of the Cookie Policy.

Where processing is necessary for compliance with the controller’s legal obligations or for the establishment, exercise, or defence of legal claims, personal data shall be retained until the expiry of the statutory limitation periods or other legally prescribed deadlines.

Consents for the sending of newsletters are recorded separately and retained for the purpose of demonstrating compliance with GDPR.

2.7. Processing of Personal Data Not Obtained Directly from the Individual

In certain cases, the controller does not obtain personal data directly from the individual, but from other lawful sources, namely:

• the publicly available Business Register of Slovenia – AJPES;
• the Dun & Bradstreet business database;
• publicly available information published on company websites or other publicly available sources.

The categories of personal data obtained from these sources include in particular:

• identification and contact data: first name, last name, company name, company address, business email address, telephone number;
• employment and business function data: job title, function within the company;
• company data, which may in certain cases constitute personal data, for example in the case of sole proprietors: company name, registered office and business address, tax number and registration number;
• other publicly available data related to the individual’s business activities.

The above data are processed on the basis of the controller’s legitimate interest where this is necessary for the effective establishment and performance of basic business communication or the conduct of the controller’s legitimate business activities, provided that the controller performs a legitimate interest assessment prior to each such processing in order to identify its legitimate interest, assess whether the processing of personal data is necessary to achieve that interest, and verify whether the interests or rights of the individual override the interests of the controller.

2.8. Rights of the Individual

By means of a written request sent to the address or email address of the controller, the individual may request access to personal data, rectification, completion, restriction of processing, or deletion of personal data, object to the processing of personal data relating to them, and request the portability of their personal data.

Where the processing of personal data is based on the legitimate interest of the controller, the individual has the right to object to such processing at any time. In such case, the controller shall cease processing unless it demonstrates compelling legitimate grounds for the processing which override the interests or rights of the individual, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.

Where personal data are processed for direct marketing purposes, the individual has the right to object to such processing at any time. In such case, the personal data shall no longer be processed for direct marketing purposes.

The individual may withdraw any consent given for the processing of personal data at any time, permanently or temporarily, in whole or in part, by means of a written request sent to the address or email address of the controller. The withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of the consent prior to its withdrawal.

Where personal data have not been collected directly from the individual, the individual has the same rights as those set out above. The controller shall provide the individual with all information required under the applicable regulations at the time of the first communication with the individual or no later than one month after obtaining the data. Upon request, the controller may also provide the individual with additional information on the source of the personal data and the categories of data, if so requested by the individual.

The individual has the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia, Dunajska cesta 22, 1000 Ljubljana, email: gp.ip@ip-rs.si, website: www.ip-rs.si, if they believe that their personal data are being processed or retained in breach of the applicable regulations governing personal data protection.

3. Cookie Policy

This Cookie Policy has been prepared for the website https://www.smarteh.com, operated by Smarteh d.o.o. Since the website uses so-called cookies, the company aims to be transparent regarding their use so that all visitors may make informed decisions regarding their devices.

3.1. Legal Basis

The legal basis for the use of cookies is the Electronic Communications Act (ZEKom-2, Official Gazette of the Republic of Slovenia, No. 130/22 et seq.), the General Data Protection Regulation (EU) 2016/679, and Directive 2002/58/EC on privacy and electronic communications.

3.2. What Are Cookies and What Are They Used For?

Cookies are small text files stored on the user’s device, such as a computer, tablet, or smartphone, when visiting a website. Their purpose is to ensure the proper functioning of the website, improve the user experience, and enable the analysis of visits and the use of certain functionalities, such as remembering settings, logging into user accounts, or displaying personalized content. Cookies by themselves do not enable the direct identification of the user, but in combination with other data they may constitute personal data, for example web identifiers or an IP address. Their primary purpose is to help the website recognize the device and adapt its functionality according to the user’s preferences.

3.3. What Cookies Do We Use?

Different types of cookies are used on the website https://www.smarteh.com. Depending on their duration, session cookies are used, which are deleted as soon as the user closes the browser, as well as persistent cookies, which remain stored on the user’s device for a certain period of time. According to their purpose, the cookies used are classified as follows:

• Necessary (mandatory) cookies
  These cookies are essential for the basic functioning of the website and enable it to operate properly. Without them, the use of the website is not possible; therefore, their installation does not require the user’s consent, since they are based on the legitimate interest of the website operator.
• Functional cookies
  These cookies enable improved functionality and customization, i.e. personalization of the website, such as remembering the user’s previous settings, for example the language selection. If the user does not enable these cookies, certain functionalities of the website may not function properly. Functional cookies are placed on the user’s device only on the basis of prior explicit consent.
• Analytical cookies
  These cookies collect anonymous data on how users use the website, for example statistical data on website visits, analysis of website use, and user session data, which helps improve the website’s performance and content. Analytical cookies are placed on the user’s device only on the basis of prior explicit consent.
• Marketing cookies
  These cookies are used to display relevant advertisements and content to the user. They also enable the limitation of repeated advertisements and the measurement of the effectiveness of advertising campaigns. Marketing cookies are placed on the user’s device only on the basis of prior explicit consent.

The user gives consent to the use of functional, analytical, and marketing cookies through an explicit action, i.e. confirmation via a pop-up window upon the first visit to the website. The user may change or withdraw such consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.

3.4. List of Cookies Used

Name of the cookie	Purpose	Type	Retention period	Provider
_ga	Counts visitors and analyzes website usage	Analytical	2 years	Google Analytics
_ga_9B8V6P0PCM	Stores user session and interaction data	Analytical	2 years	Google Analytics
_ga_R6X4Z5DJ9L	Collects statistical data about website visits	Analytical	2 years	Google Analytics
_gcl_au	Measures the effectiveness of advertising campaigns	Marketing	90 days	Google Ads
_icl_visitor_lang_js	Saves the language selected by the user	Functional	1 year	Smarteh
_icl_current_language	Saves the currently selected website language	Functional	1 year	Smarteh
CookieInfo	Saves information about cookie acceptance	Necessary	1 year	Smarteh
wpml_browser_redirect_test	Checks whether language redirection is possible	Necessary	Session	Smarteh
Additionally for SmartehCloud:
authjs.callback-url	Saves the page address for redirection after login	Necessary	Session	Smarteh
authjs.csrf-token	Protects login against malicious requests (CSRF)	Necessary	Session	Smarteh
authjs.session-token.0	Part of the login session for user identification	Necessary	Up to 30 days	Smarteh
authjs.session-token.1	Additional part of the login session for user verification	Necessary	Up to 30 days	Smarteh
smarteh.integrator	Saves basic integrator and user information	Functional	Session	Smarteh
smarteh.privileges	Saves user rights information	Functional	Session	Smarteh
smarteh.project	Saves the currently selected project	Functional	Session	Smarteh
smarteh.roles	Saves user roles	Functional	Session	Smarteh
smarteh.color-scheme	Saves the selected application color scheme	Functional	1 year	Smarteh
smarteh.selected-lang	Saves the selected user interface language	Functional	1 year	Smarteh
smarteh.cookies-consent	Saves information about cookie acceptance	Necessary	1 year	Smarteh

3.5. Use of Third-Party Cookies

The website also uses third-party cookies provided by external service providers, such as providers of analytical and advertising tools, for example Google Analytics and Google Ads.

The use of third-party cookies is based on the user’s consent, which may be withdrawn or adjusted at any time in order to block the use of such cookies. This may affect the functionality of the website or parts thereof. More information about the applicable third-party cookie policies used on the website https://www.smarteh.com is available on the websites of the respective providers:

• https://policies.google.com/privacy
• https://policies.google.com/technologies/partner-sites
• https://policies.google.com/technologies/ads

3.6. Cookie Management

The user may restrict or disable cookies at any time in the settings of their web browser. The user may also delete stored cookies from their browser at any time, which constitutes a change or withdrawal of consent. The procedure for restricting, disabling, or deleting accepted cookies depends on the browser used by the user. Restricting or disabling cookies may affect the functionality of the website or parts thereof, while restricting or disabling necessary or mandatory cookies may also affect the proper basic functioning of the website.

3.7. Contextual Interpretation of the Cookie Policy

More detailed information on the processing of personal data within the framework of the Cookie Policy, including information on the legal bases, the rights of the individual, and the methods for exercising such rights, is available in the Privacy Policy section, which should be read together with the Cookie Policy, as it complements it accordingly.

3.8. Validity of the Policy

This Privacy Policy and Cookie Policy shall enter into force on 1 April 2026 and shall apply from that date onwards until amended or replaced.