Privacy · Version 2.0 · 4/20/2026
Privacy Policy
This Privacy Policy explains how Konsepto d.o.o. ("we", "us") collects, uses and protects personal data in connection with the Dopusto service. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR), the Slovenian Personal Data Protection Act (ZVOP-2) and related legislation.
Last updated: 20 April 2026. Version 2.0.
1. Who is the controller
For the information we collect to provide our own services (e.g. marketing pages, customer contact, billing with Paddle), Konsepto d.o.o. is the controller.
For employee records that a customer uploads into the Dopusto application, the employer (our customer) is the controller and Konsepto acts as the processor. Those processing activities are governed by our separate Data Processing Agreement (DPA).
2. What data we collect and why
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account data | Name, e-mail, role, locale, hashed password, TOTP secret | Creating and securing your user account | Contract (Art. 6(1)(b) GDPR) |
| Employer data | Company name, slug, registered address, tax ID | Creating the tenant, issuing invoices | Contract, legal obligation (Art. 6(1)(b) & (c)) |
| Employee records (controlled by the employer) | Name, EMŠO, tax ID, IBAN, address, phone, marital status, children, disability status | Leave calculation under ZDR-1, payroll exports | Processor only — legal basis set by the employer-controller |
| Leave data | Request dates, type, working days, sickness certificate | Managing the leave workflow | Processor only |
| Payment data | Payment card is handled by Paddle; we receive only invoice metadata (amount, date, invoice ID) | Subscription management | Contract, legal obligation |
| Usage and technical data | IP address, user agent, session ID, audit-log entries, feature events | Security, fraud detection, service improvement | Legitimate interest (Art. 6(1)(f)) |
| Cookies and similar | Session cookie, cookie-consent cookie, locale cookie | Login session, language, consent state | Necessary for the service or consent |
3. Sensitive data
Dopusto may process special categories of data under Article 9 GDPR, specifically: (a) disability status of employees (used by the ZDR-1 engine to compute annual leave), and (b) sickness certificates uploaded by employees. Processing of such data is governed by Article 9(2)(b) (employment and social security law) and is performed strictly under the employer's instructions.
4. Who we share data with
We share personal data only with sub-processors who are necessary to operate the service:
- Hetzner Online GmbH (Germany) — cloud hosting, EU data centre.
- Paddle.com Market Limited (Ireland) — payment processing as Merchant of Record, issues invoices, collects VAT.
- Google Ireland Limited — only if the user explicitly connects their Google Calendar; only calendar events for approved leave are sent.
- Postmark / transactional e-mail provider — outbound e-mail delivery.
All sub-processors are contractually bound by GDPR-compliant data-processing terms. A current list of sub-processors is available at /legal/dpa. We notify customers of new sub-processors through in-app notification before activation.
5. International transfers
Personal data is stored and processed within the European Union / European Economic Area. We do not intentionally transfer personal data outside the EU/EEA. If a sub-processor transfers personal data outside the EU/EEA (for example because it becomes affiliated with a non-EU entity), we rely on the EU Standard Contractual Clauses (SCCs) and, where required, supplementary measures.
6. How long we keep data
- Account data — while the account is active, plus the statutory limitation period for claims.
- Employee records — kept for the duration of employment plus ten (10) years after termination (ZEPDSV Art. 49). After this period, personal identifiers are irreversibly anonymised and only aggregate records remain.
- Invoices and tax records — ten (10) years (Slovenian Accounting Act / tax legislation).
- Audit log — five (5) years from the event.
- Session cookies — up to one (1) day of inactivity.
- Marketing cookies — only with consent; maximum thirteen (13) months.
7. Your rights
Under GDPR you have the right to:
- request access to your personal data (Art. 15);
- request rectification of inaccurate data (Art. 16);
- request erasure where legally possible (Art. 17);
- request restriction of processing (Art. 18);
- receive your data in a structured, machine-readable format (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw consent at any time where processing is based on consent (Art. 7(3));
- lodge a complaint with the competent supervisory authority.
Users may export their data from /my/data or contact the employer's Administrator directly. Requests concerning employee records that an employer uploaded into Dopusto (see section 1) are handled by that employer as controller. Slovenian supervisory authority: Informacijski pooblaščenec RS, Dunajska cesta 22, SI-1000 Ljubljana, ip-rs.si.
8. Security
We implement technical and organisational measures aligned with GDPR Article 32, including:
- TLS 1.2 or higher for data in transit;
- Argon2id password hashing;
- AES-256-GCM encryption at rest for sensitive identifiers (EMŠO, IBAN, TOTP secret, OAuth tokens);
- strict role-based access control and two-factor authentication for administrators;
- audit logging;
- backups every 24 hours, retained for 30 days, with periodic restore tests;
- Content Security Policy (CSP), CSRF protection and rate limiting;
- secure software development practices.
We review these measures at least annually.
9. Children
The service is intended for business use only and is not directed at children. We do not knowingly collect personal data from persons under the age of 16.
10. Automated decision-making
We do not perform automated decision-making that produces legal or similarly significant effects on individuals.
11. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes are announced by e-mail at least thirty (30) days before they take effect and are subject to re-acceptance inside the application.
12. Contact
Konsepto, oblikovanje in kreativne rešitve, d.o.o. (Konsepto d.o.o.)
Dunajska cesta 136, 1000 Ljubljana, Slovenia
Matična št.: 7440405000 · VAT ID: SI90994299
Data Protection contact: dpo@dopusto.si
General: hello@dopusto.si