Privacy Policy

Otiox — operated by Otiox d.o.o.

Effective: 2025-03-10 · Last updated: 2025-03-10

1. Introduction

This Privacy Policy ("Policy") describes how Otiox d.o.o. ("Company", "we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you visit our website at https://otiox.com or use our cloud-based ERP/MRP platform ("Service").

We are committed to protecting your privacy and ensuring that your personal data is handled in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and all other applicable data protection laws.

This Policy applies to all visitors, users, and customers of the Service. By accessing or using the Service, you acknowledge that you have read and understood this Policy.

2. Data Controller

The data controller responsible for your personal data is:

Otiox d.o.o.

Email: legal@otiox.com

Website: https://otiox.com

If you have any questions about this Policy or our data practices, you may contact our Data Protection Officer at legal@otiox.com.

3. Information We Collect

We collect the following categories of personal data:

3.1 Account Information

When you register for an Account, we collect: name, email address, company name, phone number (optional), billing address, and payment information (processed by our third-party payment processor).

3.2 Usage Data

We automatically collect information about how you interact with the Service, including: pages visited, features used, actions taken, time spent, browser type, operating system, IP address, device identifiers, and referral URLs.

3.3 Customer Data

You may submit business data to the Service, including inventory records, order details, supplier information, financial data, and production records. We process this data solely to provide the Service.

3.4 Communication Data

When you contact us via email, contact forms, or support channels, we collect the contents of your communications and any information you choose to provide.

3.5 Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies as described in Section 11 of this Policy.

5. How We Use Your Information

We use your personal data for the following purposes:

  • Providing the Service — Operating, maintaining, and improving the platform
  • Account Management — Managing your Account, authentication, and access control
  • Billing — Processing payments, issuing invoices, and managing subscriptions
  • Customer Support — Responding to inquiries and providing technical assistance
  • Security — Detecting, preventing, and responding to fraud, abuse, or security incidents
  • Analytics — Understanding usage patterns, improving features, and optimising performance
  • Communications — Sending service-related notifications, updates, and marketing communications (with consent)
  • Legal Compliance — Complying with applicable laws, regulations, and legal processes
  • Product Development — Using aggregated and anonymised data to develop new features and improve the Service

6. Data Sharing and Disclosure

We do not sell your personal data. We may share your data with:

  • Service Providers — Third-party companies that help us operate the Service (hosting, payment processing, email delivery, analytics). These providers are bound by contractual obligations to protect your data.
  • Third-Party Integrations — When you enable an integration with a Third-Party Service, data may be shared as necessary to operate the integration. You control which integrations are enabled.
  • Legal Requirements — When required by law, regulation, legal process, or governmental request.
  • Business Transfers — In connection with a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
  • With Your Consent — We may share data with other parties when you have given us explicit consent to do so.

7. Sub-processors

We use the following categories of sub-processors to deliver the Service:

  • Cloud Infrastructure — For hosting and data storage
  • Payment Processing — For subscription billing and payment handling
  • Email Delivery — For transactional and marketing emails
  • Analytics — For understanding usage patterns and improving the Service
  • Customer Support — For managing support tickets and communications

We maintain contracts with all sub-processors that require them to protect your data to the same standards as this Policy. We will notify Customers of any changes to sub-processors with at least 30 days' advance notice, allowing Customers to object if the change materially affects data protection.

8. International Data Transfers

Your personal data may be transferred to and processed in countries outside of your country of residence, including countries that may not provide the same level of data protection. When we transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission for recipient countries
  • Additional technical and organisational measures to protect data in transit and at rest

You may request a copy of the applicable safeguards by contacting legal@otiox.com.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Account Data — Retained for the duration of your active Subscription plus 30 days
  • Billing Data — Retained for 7 years to comply with tax and financial reporting requirements
  • Usage Data — Retained in aggregated/anonymised form indefinitely for analytics purposes
  • Communication Data — Retained for 3 years from the date of the last communication
  • Cookies — Retention periods vary; see Section 11

When data is no longer needed, it is securely deleted or anonymised so that it can no longer be associated with you.

10. Your Rights

Under the GDPR and other applicable data protection laws, you have the following rights:

  • Right of Access (Art. 15 GDPR) — You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16 GDPR) — You have the right to request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17 GDPR) — You have the right to request deletion of your personal data, subject to certain legal exceptions.
  • Right to Restriction (Art. 18 GDPR) — You have the right to request restriction of processing in certain circumstances.
  • Right to Data Portability (Art. 20 GDPR) — You have the right to receive your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21 GDPR) — You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint — You have the right to lodge a complaint with your local supervisory authority.

For California residents (under the CCPA): You have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information (we do not sell personal information).

To exercise any of these rights, contact us at legal@otiox.com. We will respond within 30 days.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience:

  • Essential Cookies — Required for the Service to function (authentication, security, preferences). Cannot be disabled.
  • Analytics Cookies — Help us understand how visitors interact with the Service. Used to improve features and user experience.
  • Marketing Cookies — Used to deliver relevant advertisements. Only activated with your explicit consent.

You can manage cookie preferences through your browser settings or our cookie consent banner. Disabling non-essential cookies will not affect the core functionality of the Service.

12. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe that a child has provided us with personal data, please contact us at legal@otiox.com.

13. Security Measures

We implement appropriate technical and organisational security measures to protect your personal data, including:

  • Encryption — All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls — Role-based access controls, multi-factor authentication, and principle of least privilege
  • Infrastructure Security — Firewalls, intrusion detection systems, and regular vulnerability scanning
  • Employee Training — Regular security awareness training for all staff
  • Incident Response — Documented incident response procedures and regular testing
  • Backups — Regular encrypted backups with tested restoration procedures
  • Auditing — Regular security audits and penetration testing by independent third parties

While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying you in the event of a data breach as described in Section 14.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Otiox d.o.o. will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under Article 33 of the GDPR
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required under Article 34 of the GDPR
  • Document the breach, including the facts, effects, and remedial actions taken
  • Cooperate with any investigation by the supervisory authority

15. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or a prominent notice within the Service. The "Last Updated" date at the top of this Policy indicates when it was last revised. Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes.

16. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Otiox d.o.o.

Data Protection Officer

Email: legal@otiox.com

Website: https://otiox.com/contact

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your personal data in accordance with applicable law.