Privacy Policy

EFFECTIVE JANUARY 25, 2024

How we collect, use, and share your personal information.

About data protection

We are dedicated to keeping your personal information confidential. We do not sell, rent, or lease your data to third parties, we will not provide your personal information to any third party, individual, government agency, or company without legal ground.

Within this Privacy Policy we inform you of how we take care of personal data and what are your rights according to GDPR – General Data Protection Regulation (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

We will handle your personal data respecting basic GDPR principles. We do not collect more personal data than necessary and we process it in a lawful, fair, and transparent manner. We’ve implemented appropriate security measures to make sure personal data isn’t accessed by hackers or accidentally leaked as part of a data breach. We keep data in a form that permits identification for no longer than is necessary for the specific purpose while the specific purpose is being explicitly described and justified. If certain data ceases to be accurate, they will be removed or rectified.

Infinum’s role

Infinum subsidiaries and affiliates are based in the EU, USA, UK, Montenegro and North Macedonia (in further text: Infinum entity, Infinum) and contact details of each Infinum entity are available at our Legal page.
Each Infinum entity on various occasions and for the purposes stated within this Privacy Policy, can be considered a data controller or data processor and, in many cases, jointly with another Infinum entity, a joint controller.
Infinum designated a single data protection officer who is involved, properly and in a timely manner, in all issues which relate to the protection of personal data and is available at .

Infinum determined, in a transparent manner, the responsibilities of roles of each Infinum entity vis-à-vis your personal data and the essence of the arrangement for each specific situation will be made available to you on request at . However, irrespective of the terms of our internal arrangements you may exercise your rights contacting Infinum d.o.o. Croatia or contacting any other Infinum entity of your choice.

Collecting, using, storing and sharing of your personal data

Generally, we might process your personal data based on 4 legal grounds:

1) Consent (e.g., when you agree that we contact you if employment opportunity occurs);
2) Contractual relationship (e.g., processing your personal data is necessary for us to complete our contractual obligations);
3) Legal obligation (e.g., keeping financial records in accordance with tax and accounting legislation or when we receive a legitimate request for information from the competent authority);
4) Legitimate interest (e.g., contacting our clients for possible follow-up projects and offers). 

Please note that we do not keep your data longer than necessary; all periods are specified in each particular category.

We use your personal information for the following purposes: 

Handling inquiries and managing client relationships
When you contact us for new business, sponsorship, media inquiries, events, or anything else via e-mail or web form, we will first determine the nature of the inquiry. In case it contains personal information, we will process this information in the manner prescribed by this Privacy Policy for a particular type of personal data, or manner which is prescribed by law. We process your data based on our legitimate interest, contractual obligation, or based on our legal obligations.

We will keep your data for the period necessary to resolve your inquiry, for the duration of our (pre) contractual relationship, for the period we are legally obliged to keep data about our business partners or other business-related contacts, but we may also keep your contact data to contact you for possible follow-up projects and offers or ask for your feedback, on the basis of our legitimate interest.

Promoting and marketing our services
When you enter your email address in the form to receive our newsletter, or you give your consent that we can deliver you specific content regarding the topic you are interested in, your email address will be used only for that specific purpose.  You can unsubscribe via the link at the bottom of each newsletter or by sending us an e-mail at . Such activities are provided based on your explicit consent, and you can opt-out freely, without impact on previous processing, at any time using the option at the bottom of every material delivered.

We provide books, whitepapers, and other downloadable content on our website. Before downloading such content, you will be asked to provide your personal information. We will use your e-mail address to send requested resources and to solicit feedback. We may use your e-mail based on a legitimate interest to contact you for similar content and for the purposes of direct marketing based on our legitimate interest.

We may use your data for promotion and marketing of our services for the period we’ve got your consent to do so and for the purposes of direct marketing and purposes based on our legitimate interest until you request us to remove you from our mailing list and for an additional 5 years so that any potential disputes or issues may be resolved in this period.

Improving our services by conducting survey and gathering insights
We may contact you to provide feedback about your experience with our website, products and/or services in the form of online surveys to improve the quality of our services and to monitor the quality of our services, all based on our legitimate interest. We also may analyze your activity and interactions within our website to improve your user experience or to improve our services.

We use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behavior patterns (e.g., number of visitors to the various parts of our web page) provided by Google Ireland Limited (in further text “Google”), in accordance with privacy policy  and terms of use. Google Analytics uses cookies, which are stored on your computer, and the data generated by the cookie about your visit is usually sent and stored on a Google server in the USA. Infinum has activated IP anonymization for this website, which is an important measure to reduce privacy risks. We’ve additionally adjusted settings in order not to allow Google to process your data for their own purposes, disabled Google from using your personal information for advertising purposes and also from linking your behaviors when visiting our pages.

Based on our legitimate interest and, when legally required, based on your consent, we may use cookies, log files, and other technologies to collect personal information in a manner described within our Cookie Policy.

Recruiting staff
When you submit your personal data into web forms for the purposes of employment, they’re going to be used solely for the job you’re currently applying for, or the first position we think might fit your profile in case you’re applying for an unspecified position. We keep your data only during the job contest. You can also choose that we keep your data for five years after closing the contest you’re applying for. If a career opportunity that matches your profile opens during that time period, we’ll inform you. You can change this whenever by sending us an e-mail to .

Infinum can organize recruitment-related events, in which situations we’re obtaining certain information such as your first name, last name, e-mail, phone, education, and CV to assess your suitability for participation in such an event. We will use your information for the duration of the event, except your contact information that we may use based on our legitimate interest to contact you for future similar events. However, we will ask you directly if you would like us to keep your data in case of future job opportunities, but for no longer than five years.

Based on legitimate interest or your specific consent we may contact you to inform you about various events and ask for your feedback. For that purpose, we need your first name, last name, e-mail address and we will process that data for the period of duration of our legitimate interest, or for the period we’ve got your consent to do so.

Processing base on legitimate interests

When you contact us for new business, employment, sponsorship, Infinum or a third party may have legitimate interests to process your personal information in a fair and balanced way that doesn’t impact your rights in an unnecessary manner. This ground may apply in a wide range of circumstances, e.g., sharing personal data with our external advisors, agencies, contractors, auditors, and affiliates for the purposes of enforcement of legal claims, direct marketing, fundraising, prevention of fraud, research and development, HR matters, accounting, network, and information security, internal administrative purposes, etc.

You have the right to object to the processing based on legitimate interest when the data is used for marketing purposes by contacting us at .

Regardless of the fact that legitimate interests give us a lawful basis for the transfer, if a recipient is based in a third country, we comply with all international transfers requirements as stated within this Privacy Policy.

Where we store your data and who do we share information with

Internally, your personal data is disclosed to our employees and associates only on a need-to-know basis. Respecting the same rule, we will share your personal data with other Infinum entities seated in the EU, USA, UK, Montenegro, and North Macedonia, based on legitimate interest for wide business-related reasons, such as research and development, HR matters, accounting, network, and information security, internal administrative purposes, prevention of fraud, etc.

In order to provide our services on the highest level, we cooperate with carefully selected companies and use their tools and services for managing client relations, billing, payments, administration, communication, business planning, HR and recruitment, sending emails on our behalf, customized advertising on our website, hosting, operation, optimization, and maintenance of our website, performing marketing activities, market research, organizing events, etc. Companies we cooperate with are seated within the EU, USA, UK and Canada. You may request a full list of the parties to whom we disclose your data by contacting us at .

We may be legally obliged to disclose your personal data within the legal process, or court order from governmental authorities, for the purposes of law enforcement, national security, anti-terrorism, or other issues that are related to public security.

Certain organizational and corporate issues such as merger, transfer, acquisition, sale, or bankruptcy may occur and your personal data may be shared with third parties such as advisors, competent authorities, companies participating in such events, etc. 

Also, for certain disclosures described in this Privacy Policy, we may share information about you with third parties following your explicit consent.

Data transfers to third countries

We pay a lot of attention to localizing most of our data processing within EU territory, as in respect of the dominant role of the EU-based Infinum entity regarding data processing operations, but also in respect to the choice of entities we collaborate with.

However, some of our third-party tools are provided by service providers based outside the EU or EU-based companies that share data with their affiliates seated outside of the EU. According to GDPR, a transfer of personal data to a third country or an international organization may take place where that third country, or the international organization in question, ensures an adequate level of protection. Also, there are countries that are still not covered with adequacy decisions. In such cases, according to GDPR, we transfer your data providing appropriate additional safeguards. 

Upon request, you can obtain information about data transfers performed to the USA or any other third country not covered by adequacy decisions. We’ve thoroughly considered all elements of such relationships, concluded written contracts based on standard contractual clauses prescribed by the European Commission but also took care that our partners implement appropriate supplementary measures, safeguards, and policies.

Also, for the purposes of our business, we may share your data with our affiliates based outside of the EU. All communication takes place through secure channels of communication and respects this Privacy Policy.

For more information, please contact us at .

Your rights

1. Right of access (GDPR Article 15) – you have a right to ask us if and which of your personal are being processed, where, why, for how long and who are they shared with;
2. Right to rectification (GDPR Article 16) – you have a right to correct and supplement incomplete personal data;
3. Right to erasure or right to be forgotten with additional stipulations, among others if personal data has been made public (GDPR Article 17) – you can ask us to delete your personal data if they are no longer necessary in relation to the purpose of the processing, in case you have withdrawn your consent to the processing, etc.
4. Right to restriction of processing (GDPR Article 18) – in certain situations you have the right to request that the processing be limited with the exception of storage and some other types of processing;
5. Right to be informed (GDPR Article 19) – within this Privacy Policy and also on your request, you can obtain information on Infinum’s identity, contact data, the purposes of the processing and the legal basis for the processing of data, recipients, presentation to third countries, storage period, ability to withdraw consent, etc.
6. Right to data portability (GDPR Article 20 – means you have the right to receive your personal data previously provided to the us in a structured form and in a commonly used and machine-readable format and transmit it to another controller if the processing is carried out by automated means and is based on the consent or contract;
7. Right to object (GDPR Article 21) – in certain circumstances, depending on the purposes for processing and legal basis for processing, you can object to the processing of your personal data. E.g., if you don’t agree with processing for the purposes of direct marketing based on our legitimate interest, let us know.
8. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on you (GDPR Article 22) – (this is just a legal possibility – we won’t be deciding on your rights based on automated processing)

If data was collected based on your consent, you can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

For more information and for executing your rights, please contact Infinum’s data protection officer at .

Information security

We are holders of the certificate ISO / IEC 27001 so you can rely on that all of our processes, protocols, systems, transfers, databases, etc. are tested, secure, and verified. In short, this means that in order to protect data privacy, we implement physical, technical, and administrative measures such as:

– regular updating and testing our systems and security technology;
– implementing technology of highest security standards;
– ensuring that our partners are GDPR compliant;
– providing access to personal data only to authorized employees using multiple level password systems;
– training employees about GDPR and taking appropriate disciplinary measures to enforce employees’ privacy responsibilities.

Supervisory body and dispute resolution

We are doing all that is within our power to make your experience with Infinum pleasant, and treat your information with the highest integrity. We will endeavor to resolve reasonable complaints and disputes regarding our use and disclosure of personal information in accordance with this Privacy Policy. In case the dispute cannot be resolved via our internal dispute resolution mechanism, EEA individuals may contact or submit a complaint to the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge. The supervisory body in the Republic of Croatia is Croatian Personal Data Protection Agency, Zagreb, Selska cesta 136, and you can submit your complaint also via this form.