Privacy Policy

The Personal Data Protection Statement has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and is part of the contractual relationship entered into by the Provider and the Client.

Link to the online copy of Regulation (EU) 2016/679: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

1. DEFINITIONS

1. Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
2. Individual (Data Subject): Any entity that possesses its own personal data, which are (or may be) subject to processing by the Controller and/or Processor.
3. Controller: The Client, who orders Contractual Services via the Provider's website (or otherwise), will have the status of a controller in their mutual relationship and in accordance with the Regulation (hereinafter: "Controller (or "controller")").
4. Processor: The Provider, who enables the Client to use the ordered services, will have the status of a processor in accordance with the Regulation (hereinafter "Processor (or "processor")").
5. Contractual Services: Services that the Individual or Controller orders and/or uses on the Provider's (Processor's) infrastructure.

Any other terms used in this Statement have the same meaning as defined in the Regulation.

2. INTRODUCTORY PROVISIONS

The Processor assures the Controller that upon ordering and subsequent use of Contractual Services, data is transmitted via an appropriately secured (encrypted) HTTPS (SSL) connection.

The Processor stores personal data exclusively within the EU territory and in areas for which the EU publicly recognizes an adequate level of security (https://ec.europa.eu/info/law/law-topic/data-protection_en).

The Processor will maintain appropriate records of all personal data received, necessary for the performance of Contractual Services. Data encountered by the Processor during the performance of Contractual Services are also considered as transferred. The Processor will also maintain appropriate records of processing activities, including the purposes of processing (point 8).

The Processor assures the Controller that:

• appropriately protected software is used for access to personal data, preventing access to data by unauthorized persons;
• this software allows access only to persons who are appropriately authorized by the processor (e.g., employees in a specific job position);
• persons authorized by the Processor to carry out processing of personal data are committed to confidentiality and/or are bound by confidentiality by law;
• authorized persons are allowed access only to the data they strictly need for the proper performance of their job duties;
• all employees and other persons involved in the performance of Contractual Services on the part of the Processor are obliged to comply with the instructions and standards provided by the Controller and as stipulated by the Regulation (Articles 28, 29, 32);
• all employees and other persons involved in the performance of Contractual Services on the part of the Processor are obliged to protect trade secrets and that the obligation to protect trade secrets remains valid even after the termination of employment or other contractual relationship or the termination of cooperation between the Controller and the Processor;
• it provides audit trails intended for subsequent determination of the times of entry of individual data into personal data records, use, transfers, insights, or other processing.

The Processor ensures that in its operations it observes and fulfills the provisions, requirements, and standards defined by this statement, the Regulation, and good practices in information security for greater security of personal data. The Processor also fulfills all provisions of the Regulation and good practices of information security in connection with the preparation and storage of audit trails.

3. RIGHTS OF THE INDIVIDUAL (DATA SUBJECT)

The Controller enables all individuals in connection with their personal data to exercise all rights listed in Articles 12 to 22 of the Regulation.

In accordance with the provisions of Articles 37, 38, and 39 of the Regulation, the Processor has appointed a Data Protection Officer and defined his/her competencies, obligations, and responsibilities.

4. RIGHTS AND OBLIGATIONS OF THE CONTROLLER

4.1. The Controller may at any time, at its own expense, verify with the Processor the implementation of appropriate technical and organizational measures that ensure information security and the security of personal data, as well as compliance with the Regulation.

4.2. The Controller may restrict or prohibit the Processor from cooperating with an individual sub-processor based or operating within or outside the EU territory in the performance of services.

4.3. The Controller is obliged to submit all requests and instructions related to the performance of Contractual Services to the Processor in writing.

4.4. The Controller is obliged to ensure the legality of the use of information resources that are the subject of Contractual Services and over which the Processor has no control or other means of influence.

5. RIGHTS AND OBLIGATIONS OF THE PROCESSOR

5.1. If the Processor suspects that carrying out an instruction from the Controller would violate applicable legislation, it may temporarily suspend the performance of Contractual Services pending confirmation or modification of the instruction. The Processor is obliged to immediately inform the Controller of the suspected non-compliance with applicable legislation and the intention to suspend the performance of Contractual Services.

5.2. In case of suspected illegal use of information resources or abuse, the Processor may immediately terminate such activities.

5.3. The Processor may, for the performance of Contractual Services, enter into an agreement with sub-processors based / operating within or outside the EU to the extent and for the type of cooperation as previously confirmed in writing by the Controller. If the Controller does not specify restrictions, the Processor may enter into agreements with sub-processors at its own discretion.

5.4. The Processor is obliged to perform Contractual Services exclusively to the extent and for the purposes specified in the order for Contractual Services, in the General Terms and Conditions, and in the written requests or instructions of the Controller.

5.5. When performing Contractual Services, the Processor will comply with all requirements of the Regulation in connection with the preparation and storage of audit trails.

5.6. In accordance with the Regulation and good practice in information security, the Processor will implement and upgrade all appropriate technical and organizational measures that ensure the protection of personal and other related data of individuals and the Controller, so that the security, integrity, availability, and resilience of systems and services are continuously ensured.

5.7. The Processor will conclude appropriate contracts with approved sub-processors in writing. It is its responsibility to ensure that they provide at least the same level of security or protection of personal data as provided by the Processor.

5.8. Upon receiving a request from a specific Individual to exercise his/her right granted by the Regulation, and if, based on the data available to it, it can link the individual with the Controller, the Processor will immediately forward the request to the Controller in writing.

5.9. The Processor will cooperate with the Information Commissioner's Office in cases specified by the Regulation or based on a written request from the Controller.

5.10. After the termination of cooperation, the Processor will, no later than within 60 days, permanently destroy all copies, remnants, or traces of personal data records that were the subject of Contractual Services or with which it came into contact during the performance of Contractual Services. This does not include data whose storage is required by law or specific technical limitations (e.g., system data backups).

6. INCIDENT MANAGEMENT

6.1. In accordance with the Regulation and good practices in information security, the Processor implements all technical or organizational measures that ensure the management and execution of appropriate activities in the event of a suspected security incident.

6.2. In the event of a detected security incident, the Processor and the Controller will immediately act in accordance with Articles 33 and 34 of the Regulation.

6.3. In addition to carrying out all activities provided for in the internal guidelines of each organization, in the event of a suspected security incident, the Processor and the Controller will notify each other within 72 hours.

7. VALIDITY OF THE DOCUMENT

7.1. New versions of this Statement fully supersede previous versions of this document.

7.2. In the event of a dispute regarding the security of personal data, the provisions of this Statement shall take precedence over the provisions of the underlying contractual relationship. In the event of a dispute, the competent court is in Kranj, and the laws of the Republic of Slovenia shall apply.

7.3. The invalidity or unenforceability of certain parts of this Statement does not affect the potential validity or enforceability of other provisions of the Statement.

7.3. The Statement is accepted and binding on both contractual partners from the moment of placing the order (or written confirmation of the order) or from the moment of payment execution. For clients in an existing contractual relationship, this statement applies from the moment of publication of the Statement.

7.4. The Statement is valid for the entire period of validity of the underlying Contractual Relationship.

8. RECORD OF PROCESSING ACTIVITIES

For each service provided by the Provider, only data that are strictly necessary for the quality technical execution and provision of the respective service are stored.

8.1. Domain Registration

Legal Frameworks	Data required for issuing an invoice are stored for 10 years. Data: Name and surname or company name, VAT ID (legal entities), Address and city/place, E-mail address.
Service Realization	Data about the owner, technical and administrative contact are necessary for the technical execution of domain registration. All the above-mentioned contacts are forwarded to the registry of the respective domain extension and are in certain cases visible in publicly accessible WHOIS databases. The Provider's database (data is not public) also records data about the user who can manage a specific domain and data about the payer of the domain. Data: Name and surname or company name, VAT ID (legal entities), Address and city/place, E-mail address, Payer's IP address (electronic transaction), PayPal user account (PayPal transaction), Payer's bank account (bank transaction).
User Data	Besides the contacts that are strictly necessary for the technical execution of domain registration, the Provider does not possess other Client data.

8.2. Shared Hosting

Legal Frameworks	Data required for issuing an invoice are stored for 10 years. Data: Name and surname or company name, VAT ID (legal entities), Address and city/place, E-mail address.
Service Realization	Upon activation of the hosting plan, the Provider sends the Client access data to the client area. The latter contains a link to access the hosting plan's control panel and the option to set the username and password. The Client can update the data at any time using the client area. Data: Name and surname or company name, VAT ID (legal entities), Address and city/place, E-mail address, Phone number, Payer's IP address (electronic transaction), PayPal user account (PayPal transaction), Payer's bank account (bank transaction). When migrating data from another provider, access data to the hosting plan with the other provider are obtained for the purpose of migration. These are typically access data to the control panel and/or SSH access data. When migrating e-mail inbox content, e-mail inbox passwords are also obtained.
User Data	The Provider has access to all data located in each hosting plan. Data is accessed exclusively for the purpose of providing technical support to users, troubleshooting technical issues, maintaining system operation, analyzing system parameters, or ensuring the quality of service operation. The Provider also has access to personal data that the Client may have transferred to the hosting plan. This also includes data that users (customers, visitors, etc.) of the Client may transfer to the hosting plan. Data: files, databases, e-mail inboxes with their content, log entries. Data is stored in backup copies, which are accessed exclusively when strictly necessary (user request, data restoration in case of system failure, system maintenance, etc.). Access to the hosting plan, containing username and IP address, is logged on the server environment.

8.3. Servers

Legal Frameworks	Data required for issuing an invoice are stored for 10 years. Data: Name and surname or company name, VAT ID (legal entities), Address and city/place, E-mail address.
Service Realization	Upon activation of a managed (Eng. "managed") VPS or dedicated server, the Provider sends the Client access data to the client area. The latter contains a link to access the server environment's control panel and the option to set the username and password. The Client can update the data at any time using the client area. Data: Name and surname or company name, VAT ID (legal entities), Address and city/place, E-mail address, Phone number, Payer's IP address (electronic transaction), PayPal user account (PayPal transaction), Payer's bank account (bank transaction). When migrating the Client's data from another service provider to the Provider's infrastructure, the Provider may obtain data for access to the hosting plan or server environment with the other provider. Typically, these are access data to the server and control panel; when migrating e-mail inbox content, e-mail inbox passwords are also obtained.
User Data	The Provider has access to all data located in each hosting plan. Data is accessed exclusively for the purpose of providing technical support to users, troubleshooting technical issues, maintaining system operation, analyzing system parameters, or ensuring the quality of service operation. The Provider also has access to personal data that the Client may have transferred to the hosting plan. This also includes data that users (customers, visitors, etc.) of the Client may transfer to the hosting plan. Data: files, databases, e-mail inboxes with their content, log entries. Data is stored in backup copies, which are accessed exclusively when strictly necessary (user request, data restoration in case of system failure, system maintenance, etc.). Access to the hosting plan, containing username and IP address, is logged on the server environment.

8.3. SSL Certificates

Legal Frameworks	Data required for issuing an invoice are stored for 10 years. Data: Name and surname or company name, VAT ID (legal entities), Address and city/place, E-mail address.
Service Realization	Data is recorded only for paid certificates and is necessary for the issuance of the certificate by an authorized certificate issuing organization. Data: Name and surname or company name, VAT ID (legal entities), Address and city/place, E-mail address, Phone number, Payer's IP address (electronic transaction), PayPal user account (PayPal transaction), Payer's bank account (bank transaction).
User Data	Upon issuance of the certificate, the Provider does not have access to other user data. If the Provider assists the Client with installing the certificate, it may obtain access data to the hosting plan and/or server environment.

8.4. NEOSERV STUDIO (websites)

Legal Frameworks	Data required for issuing an invoice are stored for 10 years. Data: Name and surname or company name, VAT ID (legal entities), Address and city/place, E-mail address.
Service Realization	Upon activation of the user account, the Client is provided with access data (username and password). The Client can independently update their subscription data at any time via the client area. Data: Name and surname or company name, VAT ID (legal entities), Address and city/place, E-mail address, Phone number, Payer's IP address (electronic transaction), PayPal user account (PayPal transaction), Payer's bank account (bank transaction).
User Data	The Provider has access to all data located in each hosting plan. Data is accessed exclusively for the purpose of providing technical support to users, troubleshooting technical issues, maintaining system operation, analyzing system parameters, or ensuring the quality of service operation. The Provider also has access to personal data that the Client may have transferred to the hosting plan. This also includes data that users (customers, visitors, etc.) of the Client may transfer to the hosting plan. Data: files, databases, e-mail inboxes with their content, log entries. Data is stored in backup copies, which are accessed exclusively when strictly necessary (user request, data restoration in case of system failure, system maintenance, etc.). Access to the hosting plan, containing username and IP address, is logged on the server environment.