PRIVACY POLICY

Effective date: 1 November 2026
Last updated: 17 January 2026

These Privacy Rules are issued by the company Klamaris j.d.o.o., Ulica Mahatme Gandhija 2, 10090 Zagreb, OIB: 68132114888 (hereinafter: the “Privacy Policy”).

1. Definitions, purpose and scope of application of the Privacy Policy

In this Privacy Policy:

“Klamaris” or “we” refers to the company Klamaris j.d.o.o., OIB: 68132114888, with its registered office at Ulica Mahatme Gandhija 2, 10090 Zagreb, Croatia.
“Website” means the website www.klamaris.hr and all of its subpages.
“User”, “You” refers to any natural person who uses the Website, visits it and submits inquiries.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Agency” means the Croatian Personal Data Protection Agency (AZOP).
“Personal Data” means any data relating to an identified or identifiable natural person, directly or indirectly (e.g. name, surname, e-mail address, address, OIB, IP address, etc.).
“Processing of Personal Data” means any operation or set of operations performed on personal data (collection, storage, use, access, transfer, erasure, etc.).
“Data Controller” means the entity that determines the purposes and means of the processing of personal data (in this case, Klamaris j.d.o.o.).
“Data Processor” means an entity that processes personal data on behalf of the Data Controller (e.g. hosting providers, delivery services, accounting services).

We care about the protection of your personal data and kindly ask you to carefully read this Privacy Policy in order to understand:

• which personal data we collect
• for what purposes we process them
• on which legal basis
• how long we retain them
• with whom we share them
• which rights you have in relation to the processing.

This Privacy Policy applies to the processing of personal data via the Website www.klamaris.hr, including:

• use of the website
• submission of inquiries via the “Request a Quote” and “Contact Us” forms
• communication via e-mail or telephone
• possible receipt of newsletters and marketing communications
• use of Klamaris profiles on social media.

If you do not agree with this Privacy Policy, please do not continue using the Website and do not provide us with your personal data.

If the Website contains links to other websites (e.g. social networks, partners), we recommend that you familiarize yourself with their privacy policies. Klamaris cannot be held responsible for the manner in which such third parties process your data.

2. Personal data we collect

Klamaris collects personal data that users voluntarily provide through forms, e-mail, telephone or other forms of communication, including identification, contact and technical data, to the extent necessary for achieving the purposes described in Section 6 of this Privacy Policy.

3. Data Controller

Klamaris j.d.o.o.
Ulica Mahatme Gandhija 2
10090 Zagreb, Croatia
OIB: 68132114888
E-mail: info@klamaris.hr
Website: www.klamaris.hr

Klamaris, as the data controller, determines the purpose, legal basis and manner of processing your personal data.

4. Hosting, Storage and Transfer of Personal Data

Klamaris j.d.o.o. generally processes personal data within the European Union and the European Economic Area.

However, the website www.klamaris.hr and the related databases are hosted by the hosting service provider Bluehost. Although Bluehost offers the possibility of storing data on servers located within the European Union, it is a company headquartered in the United States of America, which means that a transfer of personal data to a third country within the meaning of the GDPR may occur.

In such cases, personal data may be transferred to third countries (e.g. the United States of America). Such transfers are carried out with the application of appropriate safeguards in accordance with Article 46 of the GDPR, including Standard Contractual Clauses (SCCs) and additional technical and organisational data protection measures.

The hosting provider processes personal data exclusively in accordance with the instructions of Klamaris j.d.o.o. and has no right to use the data for its own purposes.

The hosting provider applies a high level of technical and organisational security measures, including:

  • physical and logical protection of servers

  • controlled access to infrastructure

  • regular data backups

  • systems for protection against unauthorised access

  • encryption and security protocols

Klamaris j.d.o.o. uses hosting services exclusively for:

  • systems for sending notifications and communicating with users

The hosting partner processes data solely according to the instructions of Klamaris j.d.o.o. and has no right to use the data for its own purposes.

5. Scope, Purpose and Legal Basis of Personal Data Processing and Data Retention Periods

The scope of personal data that we process depends on how you use our website. Below, the types of data are described according to specific situations.

5.1. Legal Bases for the Processing of Personal Data (Article 6 of the GDPR)

Klamaris j.d.o.o. processes personal data exclusively when there is a valid legal basis for such processing in accordance with Article 6(1) of the General Data Protection Regulation (GDPR), as follows:

a) Consent of the data subject – Article 6(1)(a) GDPR

Processing is based on consent when the user:

  • consents to receiving marketing communications or newsletters

  • accepts cookies that are not strictly necessary (analytical and marketing cookies)

  • voluntarily provides additional data that is not necessary for preparing a quotation

Consent may be withdrawn at any time, without any negative consequences.

b) Pre-contractual actions and performance of a contract – Article 6(1)(b) GDPR

Processing is necessary when it is required:

  • to respond to an enquiry submitted via the “Request a Quote” or “Contact Us” forms

  • to prepare a quotation

  • to conclude and perform a contract

  • to communicate during the execution of a project

If the user does not provide the necessary data, Klamaris will not be able to prepare a quotation or perform the contract.

c) Compliance with legal obligations – Article 6(1)(c) GDPR

Processing is carried out when it is necessary for:

  • issuing invoices

  • maintaining business and accounting records

  • fulfilling tax and accounting obligations

  • acting upon requests from competent authorities

In such cases, the data is retained in accordance with statutory retention periods (e.g. at least 10 years).

d) Legitimate interests of the controller – Article 6(1)(f) GDPR

Klamaris processes personal data on the basis of legitimate interests when this is necessary for:

  • ensuring the security of the website and IT systems

  • preventing misuse and fraud

  • responding to enquiries from potential clients

  • conducting business communication

  • establishing, exercising or defending legal claims

In all cases, due consideration is given to ensuring that the interests, rights and freedoms of the data subjects do not override the legitimate interests of Klamaris.

6. Visit to the Website

When you visit our website, your browser automatically transmits certain technical data to our server (IP address, date and time of access, page URL, browser type, and possibly the operating system, etc.). These data may be temporarily stored in server log files for the purpose of:

  • ensuring the proper functioning of the website

  • system security

  • preventing misuse

  • basic statistical analysis

Legal basis: legitimate interest of Klamaris (Article 6(1)(f) GDPR) – system security and website functionality.
Retention period: up to several months in server log files, unless longer retention is necessary due to a security incident.

6.1. “Request a Quote” and “Contact Us” Forms

When you submit an enquiry or a request for a quotation via a form on the website, we collect the following data:

  • first and last name

  • e-mail address

  • telephone number

  • address and location (if provided for the purpose of preparing an accurate quotation)

  • description of the project or enquiry

  • any technical data that you voluntarily provide (e.g. electricity consumption, roof photographs, type of roof, desired system capacity, etc.)

These data are used exclusively for the purpose of:

  • preparing a quotation

  • contacting you to clarify the enquiry

  • preparing a technical assessment

  • arranging potential cooperation

Legal basis:

  • pre-contractual actions (Article 6(1)(b) GDPR)

  • legitimate interest (Article 6(1)(f) GDPR) – responding to enquiries from potential clients

Retention period: up to 12 months from receipt of the enquiry, unless a business relationship arises from the enquiry, in which case the retention periods applicable to business documentation apply.

6.2. Additional Voluntary Data (Photographs, Bills, Floor Plans)

Users may occasionally provide additional information necessary for preparing a quotation or a technical assessment, such as:

  • photographs of the property (roof, distribution cabinets, roofing, etc.)

  • electricity bills

  • floor plans and technical drawings

  • other technical data relevant for the quotation

These data are processed exclusively for the purpose of:

  • assessing technical feasibility

  • preparing a quotation

  • possible preparation of project documentation

We do not share these data with third parties unless this is necessary for preparing an expert assessment or project (e.g. an authorised designer), and even then only to the minimum extent necessary.

Retention period: no later than 12 months from submission, unless a contract is concluded, in which case the data may be retained in accordance with project and technical documentation requirements.

6.3. Social Media

Klamaris is present on social media platforms (e.g. Facebook, Instagram).

If you send us a message, comment, or leave a public post, we may process:

  • data that you voluntarily provide (questions, comments, images, etc.)

These data are used for:

  • communication with you

  • responding to enquiries, compliments, and complaints

  • informing you about services and offers

Part of the processing of personal data is carried out by the social media platforms themselves, over which Klamaris has no influence. We recommend that you review their respective privacy policies.

Legal basis: legitimate interest (Article 6(1)(f) GDPR) – communication with users and presentation of services.
Retention period: generally up to 1 year from the last relevant communication, unless the content forms part of evidentiary documentation.

6.4. Establishment, Exercise and Defence of Legal Claims

We may also process your personal data when this is necessary for:

  • protecting our rights and interests

  • conducting judicial, administrative or other proceedings

  • resolving disputes with users, suppliers or third parties

Legal basis: legitimate interest (Article 6(1)(f) GDPR).
Retention period: until the expiry of all limitation periods and any related proceedings (typically 5 + 1 years or longer if proceedings are ongoing).

6.5. Data We Intentionally Do Not Process

We do not intentionally collect or process special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, biometric or genetic data), unless this is exceptionally required by law or unless you explicitly provide specific consent.

7. Cookies and Technologies

The website uses cookies and similar technologies. Detailed information on the types of cookies, their purposes and retention periods is provided in the Cookie Policy.

8. Recipients of Personal Data and Transfer to Third Parties

We may share your personal data with third parties only when this is necessary for:

  • providing services

  • complying with legal obligations

  • protecting our rights

Recipients may include:

  • hosting and IT maintenance providers (data processors)

  • accounting service providers

  • delivery service providers (first and last name, address, telephone number)

  • external partners (e.g. authorised designers, if required for technical assessment or project preparation)

  • lawyers, insurers and advisors (in the event of disputes)

  • competent authorities (courts, inspectorates, tax authorities) where required by law

All such recipients are obliged to maintain confidentiality and to act in accordance with the GDPR.

As a rule, personal data are processed within the European Union. If, exceptionally, data are transferred to third countries, appropriate safeguards will be ensured (e.g. Standard Contractual Clauses).

9. Transfer of Data Outside the European Union

The transfer of personal data outside the European Union may be carried out exclusively in the cases described in Section 4 of this Privacy Policy, with the application of appropriate safeguards in accordance with the GDPR.

10. Retention Period of Personal Data

In general:

  • data required for invoicing and accounting purposes: at least 10 years

  • data collected through the “Request a Quote” / “Contact Us” forms: up to 12 months, unless a business relationship is established

  • technical documentation and photographs: up to 12 months, unless they form part of a project or contract

  • marketing data processed on the basis of consent: until consent is withdrawn + up to a maximum of 6 months for technical deletion

  • log files and technical data: typically several months, unless longer retention is required due to a security incident

  • documentation for the establishment, exercise or defence of legal claims: until the expiry of all applicable limitation periods

After the expiry of the retention period, the data are deleted or anonymised.

11. Minors

The Website is not intended for persons under the age of 16. We do not knowingly collect personal data of minors.

If a parent or legal guardian believes that a child has provided personal data without their consent, they may contact us at info@klamaris.hr, and we will delete such data without delay.

12. Security Measures

In order to protect personal data, we apply appropriate technical and organisational measures, including:

  • SSL/HTTPS encryption

  • password encryption using strong cryptographic algorithms

  • restricted access to data (only authorised persons)

  • regular data backups

  • server protection through the hosting partner

  • regular system, plugin and security component updates

  • monitoring of potential security incidents

In the event of a personal data breach that may result in a risk to the rights and freedoms of users, we will act in accordance with the GDPR, including notification of the supervisory authority and, where necessary, the affected users.

In the event of a personal data breach that may result in a risk to the rights and freedoms of users, Klamaris j.d.o.o. shall act in accordance with Article 33 of the GDPR and shall:

  • notify the supervisory authority (the Croatian Personal Data Protection Agency – AZOP) without undue delay and no later than 72 hours after becoming aware of the breach,

  • if it is likely that the breach will result in a high risk to the rights of users, notify the affected users without undue delay,

  • document all facts, effects and remedial actions taken in relation to the breach.

13. Rights of Users (Data Subjects)

In accordance with the GDPR, you have the following rights:

  • the right to be informed about the processing of personal data,

  • the right of access to your personal data,

  • the right to rectification of inaccurate or incomplete personal data,

  • the right to erasure (“right to be forgotten”) in cases prescribed by law,

  • the right to restriction of processing,

  • the right to data portability (for data processed on the basis of consent or a contract),

  • the right to object to processing based on legitimate interests,

  • the right to withdraw consent at any time (where processing is based on consent),

  • the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP).

To exercise your rights, you may contact us at info@klamaris.hr or by post at the registered office address.

We will respond to your request within 30 days, with the possibility of an extension in complex cases, of which you will be duly informed.

14. Amendments to the Privacy Policy

Klamaris may periodically update this Privacy Policy due to:

  • changes in legislation,

  • changes in services,

  • introduction of new functionalities (e.g. loyalty programs, newsletters, new payment methods).

The updated version will always be available on the Website, with the effective date clearly indicated.

15. Contact

For any questions, requests or complaints related to the protection of personal data, you may contact:

Klamaris j.d.o.o.
Ulica Mahatme Gandhija 2
10090 Zagreb
Croatia

Tel: +385 99 434 7334
E-mail: info@klamaris.hr