Effective: May 29, 2026 | Version: 2.0
IRNAS Technologies d.o.o. (hereinafter: IRNAS, the controller) as the controller
of personal data respects your privacy and strives to ensure lawful, fair, and transparent
processing of your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and the
Personal Data Protection Act (ZVOP-2).
1. Controller of Personal Data
| Name | IRNAS Technologies d.o.o. |
| Address | Sokolska ulica 51, 2000 Maribor, Slovenia |
| Tax Number | SI78993857 |
| Privacy Email | tech@irnas.eu |
| Website | tech.irnas.eu |
2. Personal Data We Collect
2.1 Contact Form
When you submit the contact form on our website, we collect the following data:
- first name and last name,
- email address,
- content of your inquiry or message,
- time of form submission,
- IP address (for abuse prevention).
2.2 User Accounts (Dashboard)
For registered dashboard users, we process:
- first name and last name,
- email address,
- hashed password (stored in a secure one-way bcrypt format),
- organization name,
- system role (administrator, standard user),
- language preferences,
- time of registration, last login, and last modification.
2.3 SOS Točka Device Data
As part of the SOS Točka system operation, we process data transmitted by devices over the network:
- device serial number and identifier,
- GPS coordinates of the device location,
- time and type of received messages,
- device status information (reachability, battery level, etc.),
- emergency data (when the device is activated in an emergency),
- phone numbers and email addresses of notification contacts (stored encrypted).
This data constitutes business data of subscribing organizations and does not directly
contain personal data of end users, except in the case of emergency messages forwarded to
rescue services (112, 113) in accordance with applicable legislation.
2.4 Audit Log
To ensure security and compliance, we log security-relevant user activities:
- type of action (login, settings change, device editing, etc.),
- IP address and browser identifier,
- time of action.
2.5 Cookies and Browsing Data
Details about cookies are available in our Cookie Policy.
3. Purpose and Legal Basis of Processing
| Purpose | Data | Legal Basis (GDPR) |
| Responding to inquiries via the contact form | Name, email, message content | Legitimate interest (Art. 6(1)(f)) or pre-contractual measures (Art. 6(1)(b)) |
| Managing dashboard user accounts | Registration data | Contract / pre-contractual measures (Art. 6(1)(b)) |
| SOS Točka system operation (device data ingestion) | Device and location data | Legitimate interest (Art. 6(1)(f)); for emergency data: protection of vital interests (Art. 6(1)(d)) |
| Forwarding messages to rescue services | Device messages, location | Protection of vital interests (Art. 6(1)(d)), compliance with legal obligations (Art. 6(1)(c)) |
| Notifying device contacts (SMS, email) | Phone number, email address, notification content | Contract (Art. 6(1)(b)) — configured by the device administrator |
| System security and abuse prevention | Log entries, IP addresses, audit trail | Legitimate interest (Art. 6(1)(f)) |
| Billing and subscription management | Subscription data, payment references | Contract (Art. 6(1)(b)), legal obligations for retention of accounting records (Art. 6(1)(c)) |
4. Retention Periods
- Contact form: messages are retained for a maximum of 2 years from receipt, after which they are automatically deleted.
- User accounts: data is retained as long as the account is active; after account deletion, data is anonymized within 30 days, unless the law requires longer retention.
- Device data (messages, events): retained in accordance with the subscription plan (default 90 days, up to 365 days with an extension); after expiration, data is automatically deleted.
- SMS logs: retained for 2 years for the purpose of proving emergency message delivery.
- Audit trail: retained for a maximum of 2 years.
- Security logs (server): retained for a maximum of 6 months.
- Failed login attempts: records expire after 15 minutes (lockout period).
- Accounting records: 10 years in accordance with legislation (ZGD-1).
5. Recipients and Data Sharing
We do not sell your personal data to third parties. We share data only with:
- Data processors (hosting and IT service providers) that act exclusively
under our instructions and are bound by a data processing agreement (DPA);
- Blues Inc. (Notehub) — device data transfer platform (processor in the USA; transfer
is based on the EU-US Data Privacy Framework (DPF) and supplementary Standard Contractual Clauses under Art. 46(2)(c) GDPR);
- A1 Slovenija d.d. — SMS sending via the MGW3 gateway (processor in Slovenia; no transfer outside the EU/EEA);
- Google LLC (reCAPTCHA) — contact form abuse protection (processor in the USA; transfer based on DPF);
- Rescue services (112, 113) — exclusively in cases of emergency device activation,
based on the protection of vital interests;
- Competent state authorities — when required by law.
A complete list of processors and transfer mechanisms is available in our internal processor register.
For a copy, contact tech@irnas.eu.
6. Data Transfers Outside the EU/EEA
Some processors are based in the United States. For these transfers, we ensure appropriate
safeguards in accordance with Chapter V of the GDPR:
- EU-US Data Privacy Framework (DPF) — when the processor is certified under the DPF
(European Commission adequacy decision of July 10, 2023, Decision (EU) 2023/1795);
- Standard Contractual Clauses (SCC) — in accordance with Commission Decision (EU) 2021/914
under Art. 46(2)(c) GDPR, when DPF is not applicable.
Copies of the relevant safeguards are available upon request from the controller.
7. Data Subject Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): obtain confirmation of whether we process your data, and a copy thereof.
Registered users can export their data directly from the dashboard (Profile → Data & Privacy → Data Export).
- Right to rectification (Art. 16): request correction of inaccurate or completion of incomplete data.
Basic data (first name, last name) can be changed directly in the dashboard.
- Right to erasure (Art. 17): in certain cases, request deletion of your data.
Registered users can delete their account from the dashboard (Profile → Data & Privacy → Delete Account).
Data is anonymized; after the expiration of statutory retention periods, it is permanently deleted.
- Right to restriction of processing (Art. 18): request restriction of processing in certain cases.
In the dashboard, you can activate restriction of processing (Profile → Data & Privacy → Restrict Processing),
which halts non-essential processing operations while your account remains active.
- Right to data portability (Art. 20): receive your data in a machine-readable format (JSON).
The export includes: profile, organization data, devices, contacts, SMS logs, webhook deliveries, and audit trail.
- Right to object (Art. 21): object to processing based on legitimate interest.
In the dashboard, you can object to non-essential processing (Profile → Data & Privacy → Object to Processing),
which automatically disables webhooks and API access for your account.
- Right to withdraw consent: when processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
To exercise your rights, send a request to tech@irnas.eu.
We will respond within 30 days of receipt. The deadline may be extended by an additional 2 months
for complex requests, of which we will notify you in advance.
8. Complaint to a Supervisory Authority
If you believe your rights have not been respected, you have the right to file a complaint with the
Information Commissioner of the Republic of Slovenia:
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against
unauthorized access, loss, or destruction, including:
- encrypted data transmission (TLS/HTTPS on all channels),
- one-way password hashing (bcrypt),
- encryption of sensitive personal data in the database (AES-256-GCM for phone numbers and contact email addresses),
- access restrictions based on the principle of least privilege (RBAC),
- audit trail of all security-relevant actions,
- rate limiting to prevent brute-force attacks,
- password checks against known data breaches (HIBP k-anonymization),
- regular static code analysis and dependency review in the CI/CD process,
- HTTP security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options).
10. Automated Decision-Making
The SOS Točka system does not perform automated decision-making, including profiling,
that would have legal or similarly significant effects on individuals (Art. 22 GDPR).
11. Changes to the Privacy Policy
We may update this privacy policy from time to time. In the event of material changes, we will notify you
via the website or by email. The date of the last update is stated at the top of this document.
Change History
| Version | Date | Description of Changes |
| 1.0 | April 1, 2025 | Initial publication |
| 2.0 | May 29, 2026 | Updated: data subject rights mechanisms (export, restriction, objection, deletion); cross-border transfers; processors; encryption; retention periods; billing |
12. Contact
For any questions regarding the processing of your personal data, contact us:
- Email: tech@irnas.eu
- Mail: IRNAS Technologies d.o.o., Sokolska ulica 51, 2000 Maribor, Slovenia