Privacy Policy

Effective date: March 13, 2026

Version: 2.0.0

DRAFT — This document is a working version and legal review is recommended before production use.

This Privacy Policy describes how we collect, use, store and protect your personal data when you use the Collie platform (https://collie.hr) — a digital marketplace platform connecting service providers with customers in the Republic of Croatia. This Policy has been drafted in accordance with the General Data Protection Regulation (GDPR), the Croatian Act on Implementation of the General Data Protection Regulation (NN 42/2018) and the Electronic Communications Act (ZEK).


1. Data Controller

The controller of your personal data is the following legal entity:

  • Full name: EONIdeas jednostavno društvo s ograničenom odgovornošću za računalne djelatnosti
  • Short name: EONIdeas j.d.o.o.
  • OIB: 87607117119
  • EUID: HRSR.070135217
  • Registration: Commercial Court in Zagreb
  • Registered office: [TODO: provide registered office address]
  • Email: info@collie.hr
  • Phone: [TODO: provide phone number]
  • Privacy email: privatnost@collie.hr

EONIdeas j.d.o.o. has not appointed a Data Protection Officer (DPO) because the data processing on the platform currently does not require the appointment of a DPO pursuant to Art. 37 GDPR (there is no large-scale systematic monitoring nor large-scale processing of special categories of data). For all questions related to personal data protection, please contact: privatnost@collie.hr.


2. What personal data we collect and why

We collect different categories of personal data depending on your role on the platform. For each category we specify the purpose of processing and the legal basis pursuant to Art. 6(1) GDPR.

2.1. Customers (users)

  • First and last name — Art. 6(1)(b) performance of a contract — creating a user account, identifying parties in orders
  • Email address — Art. 6(1)(b) performance of a contract — authentication, order notifications, transactional email
  • Firebase UID and authentication type — Art. 6(1)(b) performance of a contract — secure login, identity linking
  • Date of birth — Art. 6(1)(a) consent — OPTIONAL — profile personalisation, age verification
  • Gender — Art. 6(1)(a) consent — OPTIONAL
  • Profile photo — Art. 6(1)(a) consent — OPTIONAL — identity display, platform trust
  • Order data (service, date, price, notes) — Art. 6(1)(b) performance of a contract — order fulfilment, payment records
  • Reviews and ratings — Art. 6(1)(b) performance of a contract — platform quality, informing other users
  • Order messages — Art. 6(1)(b) performance of a contract — communication between parties
  • Legal acceptance records (terms version, privacy policy version, timestamp) — Art. 6(1)(c) legal obligation — proof of compliance

Optional fields (date of birth, gender, profile photo) can be left blank without any consequences for your use of the platform. If you fill them in, you can delete them at any time in your profile settings.

2.2. Service providers

In addition to all data listed in section 2.1., we also collect the following for service providers:

  • Company name — Art. 6(1)(b) performance of a contract — identity verification, display on platform
  • OIB — Art. 6(1)(b) performance of a contract + Art. 6(1)(c) legal obligation — identity verification, tax compliance
  • IBAN — Art. 6(1)(b) performance of a contract — processing payments for services provided
  • Mobile phone number — Art. 6(1)(b) performance of a contract — service coordination, notifications
  • Business description — Art. 6(1)(b) performance of a contract — listing on platform
  • Address (county, city, street, house number) — Art. 6(1)(b) performance of a contract — service area, geographic search, invoicing
  • Profile, gallery and service images — Art. 6(1)(a) consent + Art. 6(1)(b) performance of a contract — display on platform
  • Service listings (name, description, price, categories) — Art. 6(1)(b) performance of a contract — finding and ordering services

OIB and IBAN are collected exclusively from service providers, not from customers. Failure to provide mandatory data may result in the inability to use certain platform features (e.g. without an OIB a provider cannot publish a service).


3. Legal bases for processing

We process your personal data on the basis of the following legal grounds under Art. 6(1) GDPR:

  • Performance of a contract — Art. 6(1)(b): We process data necessary for providing platform services — account creation, order processing, communication between parties, displaying services on the platform.
  • Legal obligation — Art. 6(1)(c): We process and retain data when required by law — tax and accounting records (Accounting Act, General Tax Act), proof of acceptance of legal documents.
  • Consent — Art. 6(1)(a): For optional personal data (date of birth, gender, profile photo) and functional cookies. You may withdraw consent at any time without any consequences for your use of the platform.
  • Legitimate interest — Art. 6(1)(f): We rely on legitimate interest for storing the sidebar state UI preference (cookie sidebar_state). Our legitimate interest is providing a more comfortable user experience by remembering navigation state. This is balanced against the minimal impact on user privacy, as the cookie contains no personal data and is not shared with third parties.

4. Recipients of personal data

We do not sell your personal data. We share data with the following recipients:

4.1. Internal recipients

Platform personnel with access limited to the scope required to perform their duties (principle of least privilege).

4.2. External data processors

We use the following external service providers to process your data:

  Service provider | Purpose | Data | Country | Safeguard
  Google Ireland Ltd (Firebase Authentication) | User authentication | Email, password, OAuth tokens, UID, IP address | USA | DPF + SCC
  Google Ireland Ltd (Firebase Firestore) | User data storage | UID, name, email, authentication type | EU | CDPA + DPF + SCC (fallback)
  Google Ireland Ltd (Google Cloud Storage) | Media file storage | Profile, service and gallery images | EU | CDPA + DPF + SCC (fallback)
  Google Ireland Ltd (Google App Engine) | Application hosting | All API requests containing personal data | EU | CDPA + DPF + SCC (fallback)
  Twilio Inc. (SendGrid) | Transactional email | Email addresses, names, order data | USA | SCC + DPF

Each processor processes data on the basis of a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. Sub-processor lists are available at: Firebase sub-processors, Google Cloud sub-processors, Twilio/SendGrid sub-processors.

4.3. Other parties

  • Other contracting party: When placing an order, the customer receives the service provider's contact details for service fulfilment, and the provider receives the customer's order data.
  • Tax authority: Where legally required, data is forwarded to the competent authorities.

5. International data transfers

Some of our processors process data outside the European Economic Area (EEA). In such cases we apply appropriate safeguards pursuant to Art. 44–49 GDPR:

  • Firebase Authentication (Google LLC): Authentication data is processed exclusively in the United States. Safeguards: EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCC).
  • SendGrid (Twilio Inc.): Email data is processed in the USA. Safeguards: Standard Contractual Clauses (SCC) as the primary mechanism (Twilio BCRs explicitly exclude SendGrid) with Twilio Inc. DPF certification.
  • Google Cloud (Firestore, Cloud Storage, App Engine): Data is stored in EU data centres. Google Ireland Ltd is the contracting party. For any incidental transfer, DPF + SCC apply as fallback safeguards.

You can verify DPF certification at: dataprivacyframework.gov. The relevant data processing agreements are available at: Firebase DPA, Google Cloud CDPA, Twilio DPA.


6. Cookies and on-device data storage

In accordance with the Electronic Communications Act (ZEK Art. 107) which implements Art. 5(3) of the ePrivacy Directive, we list below all data storage mechanisms used on your device:

  Name | Type | Purpose | Duration | Category | Consent required?
  collie_consent | Cookie | Storing your cookie preference | 1 year | Strictly necessary (meta-consent) | No
  sidebar_state | Cookie | Remembering navigation sidebar state | 7 days | Functional | Yes
  firebase:authUser:* | localStorage | Firebase authentication (persisting login state) | Session / persistent | Strictly necessary | No
  collie_filters | sessionStorage | Temporary storage of search filters | Session only | Functional (session) | No

The platform currently does not use analytics, advertising or tracking cookies.

You can change your cookie preferences at any time via the "Cookie settings" link in the page footer. You can also delete cookies through your browser settings.


7. Data retention and deletion

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law. Retention periods by category:

  Data category | Retention period | Legal basis
  Active user account (name, email, profile) | Duration of the account | Art. 6(1)(b) contract
  Orders with financial amounts | 11 years from end of fiscal year | Art. 6(1)(c) Accounting Act
  OIB (providers only) | 11 years from end of fiscal year | Art. 6(1)(c) tax legislation
  IBAN (providers only) | 11 years from end of fiscal year | Art. 6(1)(c) accounting
  Order messages | 2 years after order completion | Art. 6(1)(f) dispute resolution
  Reviews and ratings | Duration of the account; anonymised after deletion | Art. 6(1)(b) contract
  Profile photos and media | Until deleted by the user | Art. 6(1)(a) consent
  Legal acceptance records | 11 years | Art. 6(1)(c) proof of compliance
  Firebase Auth records | Duration of the account + up to 30 days | Art. 6(1)(b) contract
  Cookie sidebar_state | 7 days | Art. 6(1)(f) legitimate interest
  Session storage (search filters) | Session only | Art. 6(1)(f) legitimate interest
  Deleted account data (non-financial) | Permanently deleted within 30 days | Art. 17 right to erasure

What happens after account deletion: After deleting your user account, personal data that does not need to be retained due to legal obligations will be permanently deleted within 30 days. Data subject to legal retention requirements (e.g. order and payment data) will be kept for 11 years in accordance with the accounting and tax legislation of the Republic of Croatia, and access to such data will be strictly limited.


8. Children

Our platform is not intended for persons under the age of 16 pursuant to Art. 19 of the Croatian Act on Implementation of the General Data Protection Regulation (NN 42/2018).

If we become aware that a child under 16 has created an account without parental consent, we will immediately delete that user's personal data.


9. Your rights

Under the GDPR (Art. 15–22) you have the following rights regarding your personal data. You can exercise all rights by sending a request to privatnost@collie.hr.

9.1. Right of access (Art. 15)

You have the right to request a copy of all personal data we process about you. We respond within 1 month. The first copy is free of charge; a reasonable fee may be charged for additional copies. We verify your identity through your existing authentication on the platform.

9.2. Right to rectification (Art. 16)

You have the right to correct inaccurate or incomplete data. You can correct most data yourself in your profile settings. For data you cannot modify yourself (e.g. OIB, order data), please contact privatnost@collie.hr.

9.3. Right to erasure (Art. 17)

You have the right to request deletion of your personal data. Please note that this right does not apply to data we are legally required to retain — financial data (orders, OIB, IBAN) is kept for 11 years in accordance with accounting and tax legislation. Non-financial personal data is permanently deleted within 30 days of the request.

9.4. Right to restriction of processing (Art. 18)

You may request restriction of processing of your data in the following circumstances:

  • You contest the accuracy of the data (during verification)
  • The processing is unlawful, but you do not wish the data to be deleted
  • We no longer need your data, but you need it for legal claims
  • You have objected to processing (pending determination of whether our grounds override yours)

9.5. Right to data portability (Art. 20)

You have the right to receive your personal data in a structured, machine-readable format (JSON). This right applies to data processed on the basis of consent or contract — profile, orders, reviews. It does not apply to data processed on the basis of legal obligation (OIB, IBAN).

9.6. Right to object (Art. 21)

You have the right to object to the processing of data based on legitimate interest. If your data is used for direct marketing, you have an absolute right to object — an unsubscribe link is included in every marketing email.

9.7. Right to withdraw consent (Art. 7(3))

For processing based on consent (optional profile fields, photos, functional cookies), you may withdraw consent at any time. Withdrawal is as simple as giving consent — delete the optional fields in your profile settings or change your cookie preferences. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

9.8. Automated decision-making (Art. 22)

The platform does not make decisions based solely on automated processing, including profiling, that would produce legal effects or similarly significantly affect you. Ratings and rankings are based on reviews given by users themselves, not on algorithmic profiling.

9.9. Response timeframe

We respond to all requests related to your rights within 1 month. In the case of complex or numerous requests, the deadline may be extended by an additional 2 months with prior notice.


10. Right to lodge a complaint with a supervisory authority

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority:

Agencija za zaštitu osobnih podataka (AZOP)

Selska cesta 136, 10 000 Zagreb

Tel: +385 (0)1 4609-000

E-mail: azop@azop.hr

Web: https://azop.hr

The right to lodge a complaint does not preclude the right to judicial remedy or other legal remedies.


11. Data security

We take appropriate technical and organisational measures to protect your personal data pursuant to Art. 32 GDPR:

  • Encryption at rest: Sensitive data (particularly OIB and IBAN) is stored with encryption
  • Encryption in transit: All communication uses the HTTPS protocol
  • Access control: Access to personal data is limited to authorised personnel with a business need
  • Authentication: Use of secure authentication mechanisms (Firebase Authentication)

In the event of a personal data breach that may result in a risk to your rights and freedoms, we will notify AZOP within 72 hours pursuant to Art. 33 GDPR. If the breach may result in a high risk, we will also notify you directly pursuant to Art. 34 GDPR.


12. Changes to the privacy policy

  • You will be notified of any changes to this Privacy Policy by email in accordance with Art. 14(5) of the Digital Services Act (DSA).
  • Each version of the Privacy Policy is marked with a version number and effective date.
  • The version of the Privacy Policy you accepted is recorded in your user account together with the acceptance timestamp.

13. Contact

For all questions related to the protection of your personal data, please contact us:

EONIdeas j.d.o.o.
[TODO: provide registered office address]
Privacy email: privatnost@collie.hr
Email (general): info@collie.hr
Phone: [TODO: provide phone number]
Web: https://collie.hr

We respond to requests related to personal data protection within 1 month.