Privacy Policy

This Privacy Policy describes how MIDAR, svetovanje in inžinering ter trgovina, d.o.o. ("MIDAR d.o.o.", "we", "us", or "our") processes information when you use JoeFlow—our websites, applications, and related services (collectively, the "Services"). By using the Services, you agree to this policy. Where the EU General Data Protection Regulation ("GDPR"), the UK GDPR, or the Swiss Federal Act on Data Protection applies, the additional disclosures below apply to you.

Information we collect

We may collect the following categories of information, depending on how you use the Services:

• Account and profile data, such as your name, email address, organization, and preferences you provide when you register or update your account.
• Content you submit, including messages, files, integrations configuration, and other materials you choose to send through the Services.
• Usage and device data, such as log data, approximate location derived from IP address, browser type, device identifiers, and interactions with the Services, collected through cookies and similar technologies where permitted.
• Analytics and measurement data from tools such as Google Analytics and the Meta Pixel (Facebook Pixel), including pages viewed, events, device and browser characteristics, and similar technical data, as described below.
• Information from third parties, such as authentication providers or connected tools, when you choose to link them to your account.
• Google account data when you connect Google services (for example Gmail, Google Calendar, or other Google APIs we support), limited to the categories and scopes you authorize during connection and as needed to provide the integration features you enable.

Google Analytics

We may use Google Analytics to understand how visitors use our websites and apps (for example traffic, navigation, and feature usage). Google Analytics uses cookies and similar technologies to collect information such as how often you visit, pages viewed, and referring pages. Google may process this information according to Google's Privacy Policy. You can learn about Google's practices and opt out through tools such as the Google Analytics Opt-out Browser Add-on where available, and by adjusting cookie settings in your browser.

Meta Pixel (Facebook Pixel)

We may use the Meta Pixel on our websites to measure advertising effectiveness, build audiences, and deliver or optimize ads on Meta platforms (such as Facebook and Instagram). The Pixel may collect identifiers, device information, and on-site activity. Meta processes such data under its own policies; see Meta's Privacy Policy. Depending on your region, you may adjust ad preferences in your Meta account or use industry opt-out tools where offered.

Google account integrations (Gmail, Calendar, and other Google services)

If you choose to connect your Google account, we access and use Google user data only as needed to provide the features you enable—for example reading or sending email, reading or creating calendar events, or other actions clearly described in the product when you connect. Access is obtained through Google's secure authorization flows, and you can review or revoke permissions in your Google Account security settings at any time. Disconnecting Google in our product or revoking access in Google stops new access from our side subject to reasonable technical delays and backup retention described in this policy.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements: we do not sell Google user data; we do not use it for generalized advertising unrelated to providing user-facing features of the Services; and we use it only as permitted by applicable law and your consent.

How we use information

We use information to:

• Provide, maintain, and improve the Services;
• Authenticate users, prevent fraud, and protect security;
• Communicate with you about your account, updates, and support;
• Analyze usage in aggregate to understand product performance and plan improvements;
• Operate analytics and, where applicable, measure and improve marketing and advertising (including through Google Analytics and the Meta Pixel), consistent with your choices and applicable law;
• Operate Google-based integrations you connect (for example to sync email or calendar data) and deliver the features you request;
• Comply with legal obligations and enforce our terms.

Legal bases (including GDPR)

Where the GDPR or similar laws apply, we process personal data only when we have a valid "legal basis" under Article 6 of the GDPR (and, where relevant, Article 9 for special categories). Depending on the activity, we rely on:

• Performance of a contract (Art. 6(1)(b)) — for example to provide the Services, your account, and features you request.
• Legitimate interests (Art. 6(1)(f)) — for example to secure the Services, prevent abuse, improve the product, and measure use in ways that are balanced against your rights; where required, we assess these interests and offer ways to object as described below.
• Consent (Art. 6(1)(a)) — where we ask for consent (for example for certain cookies or marketing), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Legal obligation (Art. 6(1)(c)) — where we must process data to comply with applicable law.

Sharing of information

We do not sell your personal information. We may share information with service providers who assist us (for example hosting, analytics, email delivery, and platforms such as Google and Meta when you use our websites and their measurement tools) subject to appropriate safeguards, when required by law, or in connection with a merger or acquisition. We may also share aggregated or de-identified information that cannot reasonably identify you.

Where the GDPR applies, we use processors (such as cloud and analytics providers) under agreements that require them to protect personal data and process it only on our instructions, consistent with Article 28 of the GDPR, unless another legal basis applies.

Data retention

We retain information for as long as your account is active or as needed to provide the Services, resolve disputes, comply with legal obligations, and enforce our agreements. Retention periods may vary based on the type of data and applicable law.

Security

We implement administrative, technical, and organizational measures designed to protect information. No method of transmission or storage is completely secure; we encourage you to use strong passwords and protect your account credentials.

International transfers

We are established in Slovenia. If you access the Services from outside Slovenia, your information may be processed in countries that may have different data protection laws. Where required, we use appropriate safeguards for cross-border transfers.

If we transfer personal data from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of protection, we rely on appropriate safeguards such as the European Commission's standard contractual clauses ("SCCs"), the UK International Data Transfer Addendum or UK IDTA, or Swiss-approved mechanisms, together with supplementary measures where appropriate. You may request a copy of the relevant safeguards (redacted where necessary for confidentiality) by contacting us.

GDPR: controller, your rights, and complaints

For personal data covered by the GDPR (including, where applicable, the UK GDPR and Swiss law), MIDAR, svetovanje in inžinering ter trgovina, d.o.o., with its registered office at Partizanska cesta 26, 2000 Maribor, Slovenia (VAT ID SI29425522), acts as the data controller for the processing described in this policy, unless we process personal data strictly on behalf of another customer (for example as a processor in a business-to-business context), in which case we will describe that relationship separately.

Subject to applicable law and exceptions, you have the following rights:

• Access (Art. 15) — request a copy of your personal data and information about how we process it.
• Rectification (Art. 16) — request correction of inaccurate or incomplete data.
• Erasure ("right to be forgotten," Art. 17) — request deletion where applicable.
• Restriction (Art. 18) — request that we limit processing in certain situations.
• Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and is carried out by automated means.
• Object (Art. 21) — object to processing based on legitimate interests or for direct marketing (including profiling related to direct marketing).
• Withdraw consent (Art. 7(3)) — where we rely on consent, withdraw it at any time.
• Automated decision-making (Art. 22) — where we use automated decision-making that produces legal or similarly significant effects, you have rights described in the GDPR; we will inform you if such processing applies.

To exercise these rights, contact us using the details in the Contact section below. We will respond within one month (extendable by two further months where permitted by law) and may need to verify your identity before fulfilling your request.

You also have the right to lodge a complaint with a supervisory authority in the EU Member State where you live, work, or where you believe an infringement occurred, or with the UK Information Commissioner's Office or the Swiss Federal Data Protection and Information Commissioner, as applicable. In Slovenia, the supervisory authority is the Information Commissioner (Informacijski pooblaščenec). A list of EU data protection authorities is available from the European Data Protection Board.

Cookie consent and browser storage

When you use our websites, we may show a cookie banner so you can accept or reject non-essential analytics and marketing technologies, or customize those choices. Your decision is stored locally in your browser (for example using localStorage) so we can apply the same preferences on later visits without asking every time. Essential cookies and storage needed to operate the Services (such as security and login) may still be used as described above. You can reopen your preferences at any time via "Cookie settings" in the site footer or on our legal pages.

Your choices and rights (general)

Depending on your location, you may have additional rights beyond those listed for the GDPR. For analytics and advertising technologies, you can adjust cookie settings in your browser, use opt-out tools offered by Google or Meta where available, and disconnect Google integrations or revoke OAuth scopes in your Google account settings as described above.

You may unsubscribe from marketing emails using the link in those messages. To exercise rights or ask questions, contact us using the details below.

Children

The Services are not directed to children under the age where parental consent is required for processing personal data in your jurisdiction.

Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version and revise the "Last updated" date at the top of this page. Material changes may be communicated through the Services or by email where appropriate.

Contact

For questions about this Privacy Policy, our GDPR compliance, or to exercise your rights, contact the controller using the details below. If we appoint a Data Protection Officer or EU/UK representative, we will publish their contact details here.