Digital Worker
Privacy Policy

Version 2.0 — Effective 2026-05-23


1. Controller and contact

The controller responsible for processing your personal data under the GDPR is Apex Academy d.o.o. (trading as Digital Apex), operator of the Digital Worker platform.

  • Registered seat: [INSERT REGISTERED ADDRESS], Croatia
  • OIB / VAT ID: [INSERT OIB]
  • Court registration: [INSERT COURT + MBS]
  • Data Protection contact: privacy@apexacademy.hr (or post to the registered seat, attn. "Data Protection")

We have not appointed a statutory Data Protection Officer because our processing does not meet the GDPR Art. 37 mandatory-DPO thresholds. The contact above remains the single point of contact for data-protection queries and rights requests.

2. Categories of personal data and processing purposes

Category | Examples | Purpose | Legal basis (GDPR) | Retention
Account data | name, email, username, password hash, role | Provide and secure the platform | Art. 6(1)(b) contract | Lifetime of account + 30 days after deletion request
Profile data | company, job title, country, address, phone, profile image (optional) | Personalisation, invoicing where applicable | Art. 6(1)(b) contract / Art. 6(1)(a) consent | Lifetime of account
Usage / telemetry data | IP address, user agent, audit log of admin actions, error traces | Security, abuse detection, debugging | Art. 6(1)(f) legitimate interest | 90 days rolling for raw logs; security incidents kept up to 2 years
Agent conversations | chat and voice transcripts, files you upload to your agents, tool execution logs | Deliver the AI service, quality assurance, billing | Art. 6(1)(b) contract | Default 365 days from last interaction; configurable per agent; deletable on request
End-user data | data of your visitors / customers who interact with agents you publish | You are the controller of this data; we process as your processor under a DPA | Art. 28 processor relationship | Inherits your configured retention; we have no independent basis to retain it
Billing and tax data | invoices, payment provider reference, VAT numbers | Comply with Croatian tax law | Art. 6(1)(c) legal obligation | 11 years (Croatian accounting retention)
Support tickets | subject, message body, attachments | Investigate and resolve issues | Art. 6(1)(b) contract / Art. 6(1)(f) legitimate interest | 2 years after ticket closure

3. Special categories and AI inputs

We do not ask for special-category data (Art. 9 — e.g. health, religion, political opinions) and you should not enter it into agents unless you have a valid legal basis. Anything you or your end-users type into an agent is processed by the underlying AI model provider (see Sub-processors); treat the chat box accordingly.

4. Sub-processors and transfers

We use a closed list of sub-processors to deliver the platform: LLM providers, hosting, messaging gateways, payment processing. The full current list, with each sub-processor's country and safeguards (Standard Contractual Clauses where applicable), is published at /legal/sub-processors.html and is kept current. We notify customers under the DPA before adding or replacing a sub-processor.

Our primary infrastructure runs in Frankfurt, Germany (EU). Some sub-processors (e.g. OpenAI, Anthropic) operate outside the EU; transfers are covered by the European Commission's Standard Contractual Clauses and supplementary measures.

5. Your rights

Under GDPR Articles 15–22 you have the right to:

  • Access (Art. 15) — receive a copy of the personal data we process about you. Logged-in users can self-serve via GET /api/user/data-export (downloads a ZIP of all your stored data) or by writing to the contact above.
  • Rectification (Art. 15) — correct inaccurate data via the Profile page or by contacting us.
  • Erasure (Art. 17) — request deletion of your account and associated data. Some records (billing, audit logs needed for legal compliance) are retained for the statutory minimum and then deleted.
  • Restriction (Art. 18) — ask us to pause processing in defined circumstances.
  • Data portability (Art. 20) — receive your data in a structured, machine-readable (JSON) format; the data export endpoint above fulfils this.
  • Objection (Art. 21) — object to processing based on legitimate interest, including any profiling.
  • Withdrawal of consent — where processing relies on consent, withdraw it at any time. Withdrawal does not affect prior lawful processing.
  • Complaint to supervisory authority — lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) or with the supervisory authority in your EU country of residence.

We respond to verified rights requests within one month (GDPR Art. 12(3)), extendable by two further months for complex requests.

6. Security

We use bcrypt for password storage, AES-256-GCM for secrets at rest, TLS 1.2+ for all traffic, MySQL encrypted backups, isolated-vm sandboxing for user-authored tool code, role-based access control, rate limiting, and append-only audit logs. No system is 100% secure; we notify affected users and the supervisory authority within 72 hours of any confirmed personal-data breach as required by GDPR Art. 33.

7. AI-specific transparency (EU AI Act)

Digital Worker is a general-purpose AI platform. Agents created on the platform are required to disclose their AI nature to natural persons they interact with (AI Act Art. 50). Our embed widgets render this disclosure by default — see /legal/ai-act-statement.html for the full transparency notice.

8. Cookies

We use strictly necessary cookies for session management. We do not use third-party advertising or cross-site tracking cookies on the platform. See /legal/cookies.html for the full cookie inventory.

9. Changes to this Policy

Material changes are announced at login and via an in-product banner at least 14 days before they take effect. The version number and effective date at the top of this page change with every update; previous versions are kept on file and available on request.

10. Contact and complaints

Questions, rights requests, or concerns: privacy@apexacademy.hr. If you are unsatisfied with our response you may lodge a complaint with AZOP (Croatian Personal Data Protection Agency) at azop.hr.
