Privacy Policy

Version 1.0
Effective: March 2026

Pending legal review — This privacy policy was last updated on March 20, 2026 and requires review by a qualified legal professional.

Viktoria Compliance is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR). Assessment data is processed entirely in your browser and is never transmitted to our servers unless you explicitly submit your results. If you choose to receive a compliance report, we collect your email address and assessment score through our API.

Last updated: 20 March 2026

1. Data Controller

Tina Gabrovec s.p.
Trading as: Viktoria Compliance
Tišina 3g, 9251 Tišina, Slovenia
Registration number (matična številka): [MATIČNA_ŠTEVILKA]
Tax number (davčna številka): [DAVČNA_ŠTEVILKA]
Email: info@viktoria-compliance.eu

This organisation is the Data Controller responsible for your personal data under the General Data Protection Regulation (GDPR), the Slovenian Personal Data Protection Act (ZVOP-2, Official Gazette RS No. 163/22), and the Electronic Commerce Market Act (ZEPT, Official Gazette RS No. 96/09).

2. Personal Data We Collect

When you complete the Viktoria Compliance assessment and request a detailed PDF report, we collect the following personal data:

  • Email address: Required to send you the personalized assessment report
  • Assessment score: Your overall compliance readiness score (0-100)
  • Company sector: Industry classification (e.g., healthcare, finance, retail)
  • Country: Country of operation for your organization
  • Employee count: Organizational size category for contextualization
  • Timestamp: Date and time when the assessment was submitted

Additionally, the following technical data is automatically collected when you visit this website:

  • IP address: Collected by our hosting provider for security and access logging
  • Access logs: HTTP request metadata (URL, timestamp, user agent, status code)
  • Session data: Authentication tokens and session identifiers when you log in

Your individual assessment answers are stored only in your browser's local storage and are not transmitted to our servers.

3. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

  • Consent (Article 6(1)(a) GDPR): Where you have given explicit consent to the processing, such as when you submit your email address to receive a compliance report or accept cookies. You may withdraw your consent at any time.
  • Contract performance (Article 6(1)(b) GDPR): Processing is necessary to provide you with the requested compliance assessment report and personalized recommendations.
  • Legitimate interest (Article 6(1)(f) GDPR): We have a legitimate interest in maintaining records of assessments completed to improve our service, understand compliance trends across European SMEs, and provide aggregated analytics to support regulatory guidance. We have conducted a balancing test and determined that this processing does not override your rights and freedoms.

4. Data Recipients and Processing

Your personal data is shared with the following data processors, each of which processes data on our behalf and under our instructions:

Supabase Inc.

  • Service: Authentication and database storage
  • Data processed: Email address, session data, saved assessment results
  • Jurisdiction: United States
  • Transfer safeguards: EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs)

Vercel Inc.

  • Service: Web hosting, edge functions, content delivery network (CDN)
  • Data processed: IP address, access logs
  • Jurisdiction: United States
  • Transfer safeguards: EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs)

Google LLC / Google Germany GmbH

  • Service: Google Sheets via Google Cloud Platform (assessment lead storage)
  • Data processed: Email address, assessment score, company sector, country, employee count, timestamp
  • Jurisdiction: United States / Germany
  • Transfer safeguards: Google Cloud Platform Data Processing and Security Terms (automatically applicable), Standard Contractual Clauses (SCCs), and EU-US Data Privacy Framework (DPF)

Your data remains confidential and is not shared with marketing firms, data brokers, or other third parties without your explicit consent.

5. Data Retention Period

We retain your personal data for a maximum of 24 months from the date of submission. After this period, all data will be permanently deleted from our records. This retention period allows us to provide follow-up communications, generate compliance trend reports, and support any inquiries you may have about your assessment.

6. Your Rights Under the GDPR

You have the following rights with respect to your personal data:

  • Right of access (Article 15): You may request a copy of your personal data that we hold. We will provide this in a portable, machine-readable format within 30 days.
  • Right to rectification (Article 16): You may correct or update inaccurate personal data.
  • Right to erasure (Article 17): You may request deletion of your data, subject to applicable legal retention requirements.
  • Right to restrict processing (Article 18): You may request that we limit how we use your data.
  • Right to data portability (Article 20): You may request your data in a structured, commonly used format suitable for transfer to another service provider.
  • Right to object (Article 21): You may object to processing based on legitimate interest.
  • Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Viktoria Compliance is:

Informacijski pooblaščenec
(Information Commissioner of the Republic of Slovenia)
Dunajska cesta 22
1000 Ljubljana, Slovenia
Website: https://www.ip-rs.si/
Email: gp.ip@ip-rs.si

If you reside in another EU/EEA member state, you may also contact your local data protection authority.

7. Cookies and Local Storage

This site uses cookies for essential functionality. Specifically:

  • Authentication cookies: Set by Supabase to maintain your login session. These are strictly necessary cookies and do not require consent under GDPR (Article 5(3) of the ePrivacy Directive).
  • Consent preference cookie: Stores your cookie consent choice so we do not ask you repeatedly.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not track you across websites.

In addition to cookies, your assessment progress, individual answers, and consent preferences are stored in your browser's localStorage for convenience, allowing you to resume an incomplete assessment. This data is stored only on your device and is never transmitted to our servers unless you explicitly submit your assessment to request a report. You can delete this data at any time by clearing your browser's local storage.

For a complete list of cookies and local storage keys used on this site, see our Cookie & Local Storage Policy.

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. All data transmission occurs over encrypted connections (HTTPS/TLS). Authentication data is managed by Supabase with industry-standard security practices including secure session management and encrypted storage.

9. International Data Transfers

Some of our data processors (Supabase, Vercel, Google) are based in the United States. We ensure that all international transfers of personal data are protected by appropriate safeguards as required by GDPR Chapter V, specifically:

  • EU-US Data Privacy Framework (DPF): Where the processor is certified under the DPF, we rely on the European Commission's adequacy decision (C(2023) 4745 final, July 10, 2023).
  • Standard Contractual Clauses (SCCs): We have executed the European Commission's Standard Contractual Clauses with each US-based processor as a supplementary safeguard.

10. Data Protection Impact Assessment

Our processing of personal data in the assessment tool is low-risk. We collect limited categories of data with a clear lawful basis, implement appropriate safeguards, and maintain a retention policy aligned with GDPR requirements.

Pursuant to GDPR Article 13(2)(f), we inform you that we do not engage in automated decision-making, including profiling, as defined under GDPR Article 22. Assessment scores are generated algorithmically based on your questionnaire responses, but these scores do not produce legal effects or similarly significant effects concerning you. No decisions regarding your regulatory compliance status are made automatically — the assessment is informational only.

Pursuant to GDPR Article 37, we are not required to appoint a Data Protection Officer, as our core activities do not involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data. Data protection inquiries are handled directly by the data controller and may be directed to info@viktoria-compliance.eu.

11. Exercising Your Rights

To exercise any of your rights, please contact us at:

Email: info@viktoria-compliance.eu
Address: Tina Gabrovec s.p., trading as Viktoria Compliance, Tišina 3g, 9251 Tišina, Slovenia

We will respond to your request within 30 days. If you have not received a response within this timeframe, or if you are not satisfied with our response, you may lodge a complaint with the Informacijski pooblaščenec (Information Commissioner) at www.ip-rs.si.

12. Children's Privacy

Viktoria Compliance is intended for use by organizations (businesses, government agencies, non-profits). We do not knowingly collect personal data from individuals under 16 years of age, in accordance with GDPR Article 8 and the Slovenian Personal Data Protection Act (ZVOP-2). If we become aware that a person under 16 has provided personal data, we will delete it promptly.

13. Policy Changes

We may update this privacy policy from time to time to reflect changes in our data practices or applicable law. We will notify you of material changes by updating the "Last updated" date. Your continued use of Viktoria Compliance after such changes constitutes your acceptance of the updated policy.

14. Consumer Dispute Resolution

Pursuant to the Slovenian Act on Out-of-Court Resolution of Consumer Disputes (ZIsRPS, Official Gazette RS No. 81/15), we inform you that Viktoria Compliance does not participate in any out-of-court consumer dispute resolution mechanism. The EU Online Dispute Resolution (ODR) platform was discontinued on 20 July 2025 pursuant to Regulation (EU) 2024/3228. If you wish to file a consumer complaint, you may contact the Market Inspectorate of the Republic of Slovenia (Tržni inšpektorat RS) at www.ti.gov.si.

15. Applicable Legal Framework

This privacy policy is governed by the following legal framework: (a) Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR); (b) the Slovenian Personal Data Protection Act (ZVOP-2, Official Gazette RS No. 163/22); (c) the Electronic Commerce Market Act (ZEPT, Official Gazette RS No. 96/09), transposing Directive 2000/31/EC; and (d) the ePrivacy Directive 2002/58/EC as transposed by the Electronic Communications Act (ZEKom-2). In the event of conflict between this policy and mandatory provisions of the above legislation, the mandatory provisions shall prevail.

16. Questions or Concerns

If you have questions about this privacy policy or our data handling practices, please contact us at info@viktoria-compliance.eu. We are committed to transparency and welcome your inquiries.