Privacy Policy — Moddrum

MKU, svetovanje, digitalne rešitve in upravljanje, d.o.o. ("MKU d.o.o.", "Company", "we", "us") operates the Moddrum platform. This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and Slovenian data protection law. Please read it carefully before using our services.

1 Who We Are

Data Controller: MKU, svetovanje, digitalne rešitve in upravljanje, d.o.o.

Registration no.: 6742700000 · VAT: SI26127717

Address: Torkarjeva ulica 9, 1000 Ljubljana, Slovenia

Email: info@moddrum.com

For all data protection enquiries, contact us at the above email address.

2 Data We Collect

Category	Data	When collected
Account data	Name, email address, company name, job role	Registration
Billing data	Company name, address, VAT ID, billing email. Card details are handled solely by Stripe — we never store them.	Subscription setup
Document data	Invoices, bank statements, and other financial documents you upload. May contain personal data of your clients.	Service use
Usage data	IP address, browser type, pages visited, actions taken within the app, session duration	Automatically, during use
Support data	Messages and attachments sent to our support team	When you contact us

We apply the principle of data minimisation — we only collect data necessary for the stated purpose.

3 How We Use Your Data

Providing and operating the Service (account management, document processing, matching, export).
Billing and invoicing — processing payments via Stripe.
Customer support — responding to your enquiries and resolving issues.
Service improvement — analysing usage patterns to improve functionality.
Security — detecting and preventing unauthorised access or abuse.
Legal compliance — meeting tax, accounting, and other regulatory obligations.
Communications — sending service-related notifications (not marketing without consent).

4 Legal Basis for Processing

Purpose	Legal basis (GDPR Art. 6)
Delivering the Service	Art. 6(1)(b) — Performance of a contract
Billing and invoicing	Art. 6(1)(b) and Art. 6(1)(c) — Contract + legal obligation
Service improvement and security	Art. 6(1)(f) — Legitimate interest
Marketing communications	Art. 6(1)(a) — Consent (separately obtained)
Tax record retention	Art. 6(1)(c) — Legal obligation

5 Data Sharing & Sub-processors

We do not sell your data. We share it only with trusted processors who help us deliver the Service:

Stripe Inc. — payment processing. Stripe processes billing data under its own privacy policy. Card details are never stored by us.
Cloud infrastructure provider — hosting and storage. Servers are located within the EU.
Email service provider — transactional emails (account notifications, invoices).

All processors are bound by data processing agreements and are required to protect your data to GDPR standards.

We never transfer your data outside the European Economic Area without appropriate safeguards (Standard Contractual Clauses or adequacy decision).

6 Document Data & Your Role as Controller

When you upload financial documents (invoices, bank statements) that contain personal data of your clients or counterparties, you act as the data controller and we act as the data processor for that data.

A Data Processing Agreement (DPA) is incorporated by reference into our Terms of Service. We process document data solely on your behalf, for the purpose of delivering the Service, and in accordance with your instructions.

Your clients' data is not used for any other purpose, not shared with third parties beyond the processors listed above, and is deleted when you delete documents or close your account.

7 Data Retention

Account data: Retained for the duration of your active subscription plus 30 days after account closure.
Billing records: Retained for 10 years to comply with Slovenian accounting law.
Uploaded documents: Retained as long as you store them in the Service. Deleted within 30 days of account closure.
Usage logs: Retained for up to 12 months for security and analytics purposes.

8 Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

Right of access

Request a copy of all personal data we hold about you.

Right to rectification

Request correction of inaccurate or incomplete data.

Right to erasure

Request deletion of your data where no legal obligation to retain it exists.

Right to portability

Receive your data in a structured, machine-readable format.

Right to restriction

Request that we limit processing of your data in certain circumstances.

Right to object

Object to processing based on legitimate interest.

To exercise any of these rights, email us at info@moddrum.com. We will respond within 30 days.

9 Cookies

We use a minimal set of cookies:

Session cookies — required for authentication. These are deleted when you close your browser.
Preference cookies — store your language choice (SL/EN). These persist for 30 days.

We do not use advertising or tracking cookies. We do not use Google Analytics or any third-party analytics that place cookies.

10 Security

We apply appropriate technical and organisational measures to protect your data:

AES-256 encryption for data at rest.
TLS encryption for all data in transit.
Access control — data is accessible only to authorised personnel and systems.
Audit trail — all access to documents and sensitive data is logged.

In the event of a data breach affecting your rights, we will notify you and the competent supervisory authority within 72 hours, as required by GDPR Art. 33–34.

11 Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email. The current version is always available at moddrum.com/privacy.

12 Contact

For any data protection enquiries:

MKU, svetovanje, digitalne rešitve in upravljanje, d.o.o.
Email: info@moddrum.com
Address: Torkarjeva ulica 9, 1000 Ljubljana, Slovenia