Privacy Policy

Introduction

VrtićMoj ("we", "us", "our", or "company") is a technology platform that provides cloud-based solutions for kindergarten management. It is important to note that VrtićMoj does not collect personal data directly from users, but serves as a data processor in accordance with GDPR terminology.

VrtićMoj is a product of Init.d services doo - a technology company specialized in developing advanced cloud-based solutions. Init.d services doo has years of experience in data protection, security, and GDPR compliance, which guarantees the highest standards in managing and protecting personal data through the VrtićMoj platform.

Preschool institutions that use our platform are data controllers and they are responsible for collecting, processing, and protecting personal data of children, parents, and employees. We provide secure infrastructure for storing and processing data on their behalf.

This policy explains how our platform works in the context of data protection and what our obligations are as a data processor under the General Data Protection Regulation (GDPR 2016/679) and the Personal Data Protection Law of the Republic of Serbia.

Our Role as Data Processor

The VrtićMoj platform functions exclusively as a data processor, which means:

• We do not collect data: All personal data is entered into the system by authorized kindergarten representatives
• We process according to instructions: We process data exclusively based on instructions from the data controller (kindergarten)
• We provide infrastructure: We provide secure technical infrastructure for storage and processing
• We respect limitations: We do not use data for our own purposes or for other purposes

Data Stored on Our Platform

Through our platform, kindergartens as data controllers store the following categories of data:

Children's Personal Data

• Identification data: name, surname, date of birth, personal identification number
• Parent contact data: names, phone numbers, email addresses, addresses
• Activity data: participation in activities, photographs (with parental consent)
• Emergency contacts: names and phone numbers of contact persons

Special Categories of Data

• Health data: information about allergies, medical restrictions of children
• Note: This data is stored exclusively with parental consent provided by kindergartens as data controllers

Technical Data

• Access logs: IP addresses, access times, device information
• Usage data: how the platform is used (anonymously and aggregated)

How Data is Processed

As a data processor, we process data exclusively for the following purposes:

• Service provision: Enabling the application and all its functionalities to work
• Storage: Secure storage of data on cloud servers
• Backup and recovery: Creating backup copies to protect against data loss
• Technical support: Solving technical problems and system maintenance
• Security: Protection against unauthorized access and cyber attacks

Important: We do not use data for marketing, analytics, profiling, or any other purposes beyond service provision.

Your Rights - How to Exercise Them

Since we are a data processor, your GDPR rights should be exercised directly through the kindergarten your child attends, as the kindergarten is the controller of your data.

The kindergarten as data controller is responsible for:

• Providing access to your data (Article 15 GDPR)
• Correcting inaccurate data (Article 16 GDPR)
• Deleting data upon request (Article 17 GDPR)
• Restricting processing (Article 18 GDPR)
• Data portability (Article 20 GDPR)
• Responding to objections (Article 21 GDPR)

If the kindergarten requests us to execute any of these requests, we will immediately act according to their instructions.

Data Security - Our Obligations

As a data processor, we have implemented the strictest technical and organizational security measures:

Technical Security

• Encryption in transit: All data is transmitted via HTTPS (TLS 1.3)
• Encryption at rest: AES-256 encryption for all data in the database
• Access control: Multi-factor authentication for all administrators
• Network security: Firewall, intrusion detection, DDoS protection

Organizational Measures

• Limited access: Only necessary employees have access to data
• Contractual obligations: All employees are contractually bound to confidentiality
• Regular audits: Periodic testing of security measures
• Incident response: Defined plan for responding to security incidents

Data Retention

As a data processor, we retain data for as long as instructed by the data controller (kindergarten):

• Active data: Stored while the contract with the kindergarten lasts
• Backup copies: Stored for 90 days for system recovery purposes
• Technical logs: Stored for a maximum of 12 months for security purposes
• Upon contract termination: All data is deleted within 30 days, unless the kindergarten requests otherwise

Data Breach Notification

In case of a data breach, as a processor we are obligated to:

• Immediately notify the kindergarten: Within 24 hours of discovering the breach
• Provide all information: Nature of the breach, affected data, cause and measures taken
• Cooperate in resolution: Help kindergartens fulfill their GDPR obligations
• Document the incident: Keep records of all security incidents

Note: The kindergarten as data controller is responsible for notifying competent authorities and affected individuals.

Our Sub-processors (Third Parties)

We use the following GDPR-compliant sub-processors:

• Amazon Web Services (AWS): Cloud hosting and infrastructure (EU regions)
• Backup providers: Certified EU providers for additional backup copies

We have signed Data Processing Agreements (DPA) with all sub-processors that guarantee the same level of data protection.

Contact for Data Protection Questions

For technical questions about our platform:

• Email: privacy@vrticmoj.rs
• Phone: +381 62 577 512
• Address: Belgrade, Serbia

For questions about your personal data:

Please contact the kindergarten your child attends directly, as the kindergarten is the controller of your data and only they can respond to your requests regarding access, correction, deletion, or other changes to your personal data.