Onvoy
← All legal documents

Privacy Policy

How we collect, use, and protect personal data under the GDPR.

Last updated:

1.Overview

This Privacy Policy explains how [Your full legal name — operator of Onvoy], operating as Onvoy (“we”, “us”), collects and processes personal data when you visit our website, create an account, or use the Onvoy service (the “Service”). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Croatian Act on the Implementation of the GDPR.

Two different roles

As a controller, we decide how and why we process personal data about our visitors and account holders — this Policy covers that processing.

As a processor, when our customers use Onvoy to collect personal data about their own end-clients (e.g. documents uploaded to a client portal), the customer is the controller of that data and we process it on their behalf under our Data Processing Agreement. If you are an end-client of a business using Onvoy, please refer to that business’s own privacy notice.

2.Who is responsible

The controller responsible for the processing described in this Policy is:

  • [Your full legal name — operator of Onvoy] (trading as Onvoy)
  • [Street and number], [Postal code, City], Croatia (Hrvatska)
  • OIB: [OIB]
  • Email: [privacy@onvoy.app]

For privacy questions or to exercise your rights, contact us at [privacy@onvoy.app]. We have not appointed a Data Protection Officer because we are not legally required to; this contact handles all data-protection matters.

3.What data we collect

We collect the following categories of personal data:

  • Account data — name, email address, password (stored only as a secure hash) or authentication identifiers, profile details, and any avatar or workspace logo you upload.
  • Workspace and usage data — workspaces and organisations you create, settings, templates, onboarding records, and your activity within the Service.
  • Customer Content — files, documents, form responses, and signatures you submit. Where this contains personal data about your own end-clients, we process it as a processor (see Section 1).
  • Billing data — subscription plan, billing details, and transaction history. Payments are handled by Stripe; we do not store full card numbers.
  • Communications — messages you send us (e.g. support requests) and email-related metadata.
  • Technical and analytics data — IP address, device and browser information, log data, and product-usage events, including, where you consent, session recordings (with sensitive fields masked) provided through our analytics tooling.
  • Cookie data — see our Cookie Policy.

4.Why we process data and legal bases

We process personal data for the purposes and on the legal bases set out below (Article 6(1) GDPR):

PurposeLegal basis
Create and manage your account; provide the Service and its featuresPerformance of a contract (Art. 6(1)(b))
Process subscriptions, payments, and send invoicesPerformance of a contract (Art. 6(1)(b)); legal obligation for accounting (Art. 6(1)(c))
Provide customer support and respond to enquiriesPerformance of a contract; legitimate interests (Art. 6(1)(f))
Secure the Service, prevent fraud and abuse, and ensure reliabilityLegitimate interests (Art. 6(1)(f))
Send essential service and transactional emailsPerformance of a contract; legitimate interests (Art. 6(1)(f))
Analytics, session recordings, and product improvementConsent (Art. 6(1)(a)) where required; otherwise legitimate interests
Marketing communications (if any)Consent (Art. 6(1)(a)), which you can withdraw at any time
Comply with legal obligations and respond to lawful requestsLegal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we balance those interests against your rights and freedoms. You can object to such processing as described in Section 8.

5.Who we share data with

We do not sell your personal data. We share it only with:

  • Service providers (processors) who help us run the Service — for example hosting, database, file storage, email, analytics, and payment providers. These are listed on our Subprocessors page and act under contract on our instructions.
  • Payment provider.Stripe processes payments as an independent controller for its own compliance purposes; see Stripe’s privacy policy.
  • Authorities and advisers where required by law, to establish or defend legal claims, or to protect rights, safety, and property.
  • Successors in connection with a merger, acquisition, or sale of assets, subject to this Policy.

6.International transfers

We aim to keep data within the European Economic Area (EEA) where practicable; for example, our analytics provider is configured to use its EU region. Some of our providers may process data outside the EEA (for example in the United States). Where that happens, we rely on appropriate safeguards under the GDPR, principally the European Commission’s Standard Contractual Clauses, and additional measures where needed. You can request more information about these safeguards using the contact details in Section 2.

7.How long we keep data

We keep personal data only as long as necessary for the purposes for which it was collected:

  • Account and Customer Content — for the life of your account, and for a limited period after closure to allow recovery, handle disputes, and meet legal obligations, after which it is deleted or anonymised.
  • Billing and accounting records — for the retention periods required by Croatian tax and accounting law.
  • Analytics data — for a limited period consistent with our analytics configuration.
  • Support communications — for as long as needed to handle your request and a reasonable period afterwards.

8.Your rights

Subject to conditions in the GDPR, you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate or incomplete data;
  • eraseyour data (“right to be forgotten”);
  • restrict processing in certain circumstances;
  • data portability — receive your data in a structured, commonly used, machine-readable format;
  • object to processing based on legitimate interests or to direct marketing; and
  • withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any right, email [privacy@onvoy.app]. We will respond within the time limits set by the GDPR (generally one month). Exercising these rights is free unless requests are manifestly unfounded or excessive.

Right to lodge a complaint

If you believe we have processed your data unlawfully, you may lodge a complaint with the Agencija za zaštitu osobnih podataka (AZOP) (Croatian Personal Data Protection Agency), Selska cesta 136, 10000 Zagreb, Croatia, https://azop.hr, or with the supervisory authority in your country of residence. We would appreciate the chance to address your concerns first.

9.Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, secure password hashing, and use of reputable infrastructure providers. No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to any incident, including notifying you and the supervisory authority where the law requires.

10.Automated decision-making

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.

11.Children

The Service is intended for users aged 16 and over and is not directed at children. We do not knowingly collect personal data from children below the applicable age of digital consent. If you believe a child has provided us data, contact us and we will delete it.

12.Changes to this Policy

We may update this Policy from time to time. We will post the updated version here with a new “last updated” date and, where changes are material, provide additional notice. Please review it periodically.

Questions about this document? Contact us at [legal@onvoy.app]. See our Legal Notice for the identity of the service operator.