Politika privatnosti

Privacy policy — iTS & iTSmedia


Last updated: 14/01/2026


This Privacy Policy explains how iTS Servis & iTSmedia (hereinafter: “iTS”, “we”, “us” or “our”) collect, use, store and protect your personal data when you use our website, our IT service offerings and related digital services.


By accessing or using the website (the “Site”) or by engaging our services, you acknowledge that you have read and understood this Privacy Policy and that your personal data will be processed in accordance with it and with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).


1. Controller and service provider information

Service provider / Data controller:

iTS Servis, obrt za računalne i IT usluge, vl. Josip Marčić
Bana Josipa Jelačića 10, 22000 Šibenik, Croatia
OIB: 61640757656 · MBO: 99050374

For the purposes of this Privacy Policy, iTS Servis & iTSmedia act as:

  • Data Controller for their own client and business data; and
  • Data Processor when processing data on behalf of clients (e.g. system maintenance, marketing campaigns, hosting and similar services). In such cases, a Data Processing Agreement (DPA) is concluded in accordance with Article 28 GDPR.

For any questions about this Policy or your personal data, you may contact us via the contact details provided on the Site.


2. Categories of data and purposes of processing


2.1 Identification and contact data

Data: First and last name / company name, address, personal identification number for invoicing (OIB or equivalent), e-mail address, telephone number and similar contact details submitted through forms or direct communication.

Purpose: Communication with you, preparation of offers, contract conclusion and performance, invoicing, delivery of services and fulfilment of related obligations.


2.2 Service-related data

Data: Technical details of devices and systems, service orders, remote support logs, network/service configurations, tickets and related documentation necessary for the provision of IT and digital services.

Purpose: Provision and improvement of services, traceability of interventions, fulfilment of warranties, handling of complaints and ensuring service quality.


2.3 Digital services and marketing data

Data: Administrator access credentials and roles that you entrust to us, campaign settings, metrics and reports, business photographs or video material used in the context of our services, as well as analytics data related to digital campaigns and platforms.

Purpose: Execution of contracts for web services, hosting, online campaigns and digital solutions, reporting to clients, optimisation and further development of IT and media services provided through iTS & iTSmedia.


2.4 Payment data

Data: Basic payment information necessary for invoicing (e.g. billing address, invoice details). We do not store full credit or debit card numbers. Payment processing is carried out by certified payment processors or banks.

Purpose: Payment processing, bookkeeping and fulfilment of accounting and tax obligations.


2.5 Cookies and online identifiers

Data: Technical (necessary) cookies, analytics cookies and marketing cookies, IP address, device identifiers, browser type, operating system, pages viewed, time spent on pages and referring URLs. This may include similar technologies such as pixels, tags and local storage.

Purpose: Ensuring basic functionality of the Site, compiling statistics on usage, improving performance and user experience, and (where consent is given) personalising content and marketing.


3. Legal bases for processing

We process personal data only where we have a valid legal basis under GDPR, in particular:

  • Contract (Art. 6(1)(b) GDPR): When processing is necessary to enter into or perform a contract with you or to take steps at your request prior to entering into a contract (e.g. preparing offers, providing IT support, implementing digital projects).
  • Legal obligation (Art. 6(1)(c) GDPR): When processing is necessary to comply with legal obligations, such as accounting, tax regulations and consumer protection laws.
  • Legitimate interest (Art. 6(1)(f) GDPR): When processing is necessary for our legitimate interests or those of a third party, provided such interests are not overridden by your rights and freedoms. Typical examples include IT and network security, prevention of abuse, maintaining evidence of service delivery and defending legal claims.
  • Consent (Art. 6(1)(a) GDPR): When you have given your explicit consent, for example for receiving newsletters, participating in certain marketing activities, or for the use of non-essential (analytics/marketing) cookies. You may withdraw your consent at any time with effect for the future.


4. Cookies, analytics and advertising tools

Our Site uses cookies and similar technologies to provide and enhance our services. When you first visit the Site, a cookie banner may appear allowing you to choose which categories of cookies you accept.

  • Necessary cookies: Required for the basic operation and security of the Site and cannot be disabled via the banner.
  • Analytics cookies: Help us understand how visitors use the Site (e.g. via tools such as Google Analytics) so that we can improve performance and content.
  • Marketing cookies and pixels: Used for targeted advertising and measuring the effectiveness of campaigns (e.g. via Google Ads, Facebook Pixel or similar platforms). These may collect information such as IP address, device type, browsing behaviour and interactions with forms.

You may adjust your preferences at any time via the cookie settings on the Site or through your browser settings. Disabling certain cookies may limit the functionality or performance of the Site.

Where required by law, we use analytics and marketing cookies only on the basis of your prior consent. You can also manage your advertising preferences via platform-specific tools such as Google Ad Settings or Facebook Ad Preferences.


5. Recipients and international transfers

We share personal data only where necessary and in a proportionate manner:

  • Service providers and subcontractors: Couriers and logistics partners, suppliers, hosting and cloud providers, IT and security providers, advertising and analytics platforms, accounting and other professional advisors involved in the provision of our services.
  • Clients: When acting as a data processor, we process data exclusively in accordance with the instructions of our clients and the applicable Data Processing Agreement (DPA).
  • Legal and regulatory authorities: Where required for compliance with applicable laws, regulations, court orders or to defend legal claims.
  • Business transactions: In the context of mergers, acquisitions or other corporate restructuring, to the extent permitted by law and under appropriate safeguards.

All processors acting on our behalf are contractually bound by a Data Processing Agreement (DPA) and must implement appropriate technical and organisational measures to protect personal data.

Where personal data are transferred outside the European Economic Area (EEA), such transfers are carried out only if appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCC) or equivalent mechanisms, combined with additional technical and organisational measures where necessary.

We do not sell your personal data and we do not share your personal data with third parties for their independent marketing purposes without your consent.


6. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration or destruction. These measures include, in particular:

  • Access controls and role-based permissions
  • Encryption of data in transit and at rest where feasible
  • Two-factor authentication (2FA) for critical systems
  • Regular backups and secure storage
  • Network segmentation and security monitoring
  • Log monitoring and timely application of security patches

Our employees and partners who may have access to personal data are bound by confidentiality obligations and receive appropriate training on data protection and information security.

Despite our efforts, no method of transmission over the Internet or method of electronic storage is entirely secure. We therefore cannot guarantee absolute security, but we are committed to continuously improving our safeguards.


7. Data retention periods

We retain personal data only for as long as necessary to fulfil the purposes for which they were collected, or as long as required by applicable law. In particular:

  • Invoices and accounting records: At least 11 years, or longer where required by tax and accounting regulations.
  • Service orders and documentation of interventions: For the duration of warranty and statutory limitation periods, plus a reasonable additional period where necessary to protect our rights.
  • Support tickets, communication and remote support logs: Generally up to 2 years, unless a longer retention period is required for the establishment, exercise or defence of legal claims or to comply with legal obligations.
  • Marketing databases (e.g. newsletter lists): Until you unsubscribe, withdraw your consent or we no longer need the data for the specified purpose.
  • Video surveillance (if implemented at our premises): For the shortest period necessary in line with applicable laws and the principle of data minimisation.

After the respective retention period has expired, personal data are securely deleted, anonymised or otherwise rendered unusable.


8. Your rights

Subject to the conditions and limitations laid down in GDPR, you have the following rights with regard to your personal data:

  • Right of access: To obtain confirmation as to whether or not we process your personal data and, if so, to receive a copy of such data and additional information.
  • Right to rectification: To request the correction of inaccurate or incomplete personal data.
  • Right to erasure (“right to be forgotten”): To request the deletion of your personal data where the legal conditions are met (e.g. where the data are no longer necessary, you withdraw consent and there is no other legal basis, or processing is unlawful).
  • Right to restriction of processing: To request that we restrict the processing of your data under certain circumstances (e.g. for the period of verifying accuracy or in the context of an objection).
  • Right to data portability: To receive personal data you have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller where processing is based on consent or contract and carried out by automated means.
  • Right to object: To object at any time, on grounds relating to your particular situation, to processing based on legitimate interest, including profiling. You also have an absolute right to object at any time to processing of personal data for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time with effect for the future, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise your rights, please contact us using the contact details provided on the Site (e.g. via the contact form or designated e-mail address). We will respond without undue delay and in any case within one month of receiving your request, subject to any extensions permitted by GDPR where necessary due to complexity or number of requests.

We may need to request additional information to verify your identity before we can act on your request.


9. Data breaches

In the event of a personal data breach, we will assess the risks for your rights and freedoms, take appropriate remedial measures and, where required by GDPR:

  • Notify the competent supervisory authority (in Croatia: AZOP) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; and
  • Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.


10. Children’s privacy

Our services and the Site are not directed at children under the age of 16, and we do not knowingly collect personal data from children in this age group.

If we become aware that we have processed personal data of a child under 16 without the necessary consent or other appropriate legal basis, we will take steps to delete such data as soon as reasonably possible.


11. Complaints and supervisory authority

If you believe that your data protection rights have been violated, you may contact us so that we can attempt to resolve the issue directly.

You also have the right to lodge a complaint with the competent supervisory authority:

Agencija za zaštitu osobnih podataka (AZOP)
Website: www.azop.hr


12. Updates to this policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements or technological developments related to our information services and community platform iTS & iTSmedia.

The latest version of the Privacy Policy, together with the effective date, will always be published on this Site. Your continued use of the Site or our services after changes have been published constitutes your acceptance of the updated Policy.


13. Relation to the iTS & iTSmedia services

iTS provides concrete IT solutions such as computer repair and technical support, while iTSmedia, as an advanced platform and community, brings together IT professionals and users and offers comprehensive digital solutions and IT services. Our objective is to ensure that every organisation, regardless of size or sector, has access to stable, secure and scalable IT infrastructure and can develop a sustainable and competitive digital strategy.

All personal data processed in the context of these services are handled in accordance with this Privacy Policy and applicable data protection laws.