Privacy Policy

We process only the data we need, for clearly defined purposes, in a lawful and transparent manner. We store data securely and do not share it with third parties beyond what is permitted by law and described in this Policy.

3a. User account

When you register, we collect:

• first and last name
• e-mail address
• phone number
• address (for invoicing and, optionally, for vehicle location)
• for legal entities: business name, company registration number, tax identification number (PIB), registered seat

Legal basis: entering into and performing a contract (Art. 12(1)(2) of the Serbian Personal Data Protection Act).

Retention period: for the duration of the account; upon account deletion, data is permanently removed within 30 days, except where retention is required by other regulations.

3b. Vehicle and Service data

We collect data about the vehicle (make, model, year of manufacture, registration or VIN, mileage) and the type of Service requested. This data is shared with the selected Service Provider for the purpose of preparing and performing the Service.

Legal basis: contract performance.

Retention period: 3 years after completion of the Service, in line with statute-of-limitation periods for contractual claims.

3c. Payment data

When paying by card, your card details (number, expiry date, CVC) do not pass through our systems — they are entered exclusively on the secure page of the acquiring bank. We collect only transaction data (amount, time, status, transaction ID, and the last four digits of the card for customer support).

Legal basis: contract performance and compliance with statutory obligations (accounting and tax).

Retention period: 10 years, in accordance with accounting and tax regulations.

3d. Communications with Auto Konekt and the Service Provider

We retain the content of messages you exchange with our customer support and with Service Providers through the Platform, for support, evidence of services rendered, and resolution of any disputes.

Legal basis: contract performance and legitimate interest in handling complaints and disputes.

Retention period: 2 years from the end of the communication.

3e. Technical data on Platform use

Each visit automatically logs: IP address, device and browser type, language, time of visit, and behavior on the site. This data is processed in pseudonymised form to improve the Platform and protect against abuse.

Legal basis: legitimate interest (Art. 12(1)(6) of the Serbian Personal Data Protection Act).

Retention period: up to 12 months.

3f. Marketing communications

With your explicit consent, we send you information about offers, new Service Providers, and promotions. You may withdraw your consent at any time, via the link in each marketing e-mail or by contacting Auto Konekt.

Legal basis: consent.

Retention period: until consent is withdrawn.

4a. Service Providers

The data necessary to perform the Service (your name and contact details, vehicle data, description of the issue, selected appointment) is shared with the Service Provider you select. The Service Provider is, with respect to that data, an independent controller for the purposes of performing its own contract with you, fulfilling tax obligations, and issuing the fiscal receipt.

4b. Acquiring bank

Card payments are processed on the infrastructure of the acquiring bank, which receives the data necessary to execute the transaction. The acquiring bank operates in compliance with PCI-DSS standards.

4c. Data processors

We have data processing agreements in place with the following categories of processors:

• Hosting and infrastructure: [TO BE FILLED: hosting provider name, e.g. DigitalOcean LLC, EU server location]
• E-mail delivery: [TO BE FILLED: e-mail provider, e.g. Mailjet SAS]
• SMS phone verification: [TO BE FILLED: SMS provider]
• Usage analytics: Google Analytics 4 (Google LLC), with IP pseudonymisation, only after your consent to analytics cookies
• Marketing and advertising: Meta Pixel (Meta Platforms Ireland Ltd.), only after your consent to marketing cookies

4d. Public authorities

We may disclose data to competent authorities where required by law or by a final court order.

Some processors are located outside the European Union and the Republic of Serbia (e.g. Google LLC and Meta Platforms Inc. in the United States). In such cases we apply appropriate safeguards under Article 65 of the Serbian Personal Data Protection Act, including:

• standard contractual clauses (SCCs) adopted by the European Commission;
• the EU–U.S. Data Privacy Framework for certified processors;
• technical and organisational safeguards (encryption, access controls, retention policies).

You can request more information on the applicable safeguards by contacting our Data Protection Officer.

The site www.autokonekt.rs uses the following categories of cookies:

• Essential cookies — always active, required for the Platform to function;
• Analytics cookies — activated only with your consent;
• Marketing cookies — activated only with your consent.

A more detailed description is provided in the Cookie Policy. On your first visit, a cookie banner is shown where you can accept or refuse non-essential cookies. You may change your decision at any time.

We implement appropriate technical and organisational safeguards, including:

• encryption of communications with our servers (SSL/TLS, HTTPS);
• restricted access to data, available only to staff who need it for their work;
• regular backups;
• monitoring of security incidents and mandatory notification of authorities and affected individuals where required by law;
• processing of financial transactions exclusively through PCI-DSS compliant partners.

Under the Serbian Personal Data Protection Act, you have the following rights:

• Right of access — to obtain confirmation of, and information about, the data we process;
• Right to rectification — to have inaccurate data corrected;
• Right to erasure ("right to be forgotten") — to have your data deleted in cases provided for by law;
• Right to restriction of processing — to have processing temporarily suspended;
• Right to data portability — to receive a copy of your data in a common electronic format;
• Right to object — in particular to direct marketing;
• Right to withdraw consent — at any time, without consequences for you; withdrawal does not affect the lawfulness of processing carried out before withdrawal.

You may submit requests to [DPO_KONTAKT] or to our general contact [EMAIL].

If you believe your rights have been violated, you may lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection (www.poverenik.rs).

We reserve the right to amend this Policy. Any changes will be published on this page with the date of the latest revision noted. We recommend checking the current version periodically.