Politika privatnosti / Privacy Policy

1 Who We Are

This Privacy Policy describes how Planeta računari (hereinafter "Planeta," "we," "us," or "our") collects, uses, and shares your personal data when you use our products and services.

Controller Details

This Privacy Policy applies to:

• The website https://planeta-racunari.rs and all its subpages
• The sales portal https://planeta-racunari.rs/qr-license/buy/
• The client portal https://planeta-racunari.rs/qr-portal/
• The license server https://planeta-racunari.rs/qr-license/
• The QR vCard Pro WordPress plug-in installed on our clients' websites

2 What Data We Collect

2.1 When You Purchase a License

When you complete a purchase through /qr-license/buy/, we collect:

• Identification data: first name, last name, company name (if you are a business)
• Contact data: email address, phone number (optional)
• Billing data: invoice address, Tax ID (for businesses)
• Payment data: credit card numbers are NOT stored by us. They are processed exclusively by our bank's payment processor in accordance with their security standards.
• License data: license key, purchase date, selected tier (Personal/Single/5 Sites/Unlimited/Agency)
• Technical data: IP address, device type, and browser type (for fraud prevention)

2.2 When You Use Our License Server

When your plug-in communicates with https://planeta-racunari.rs/qr-license/, we collect:

• Activation domains: the list of domains on which your license key has been activated
• Activation/deactivation timestamps
• Update checks: dates of automated checks and the plug-in version you are using
• The IP address of the connecting server

2.3 When You Use the Client Portal

When you log in to https://planeta-racunari.rs/qr-portal/, we collect:

• Login credentials: username and a hashed password (we NEVER see your password in plain text)
• Session data: sign-in timestamp and session IP address
• Activity data: which QR cards you have created and when you have updated them

2.4 When Visitors Scan Our Clients' QR Cards

The data collected includes:

• Technical scan data: date and time, device type, browser, referrer URL
• IP address: by default, this is stored as a SHA256+salt hash, which means the original IP address CANNOT be reconstructed. This allows us to count "unique scans" without storing the actual IP address.
• Geolocation (optional): if our client has enabled this feature, we send the IP address to the ip-api.com service (based in Australia) to obtain city/country-level location information. The exact IP address is not stored anywhere.
• Contact Exchange form data (optional): name, email, phone, company, and message. This data is collected ONLY with the visitor's explicit consent via an opt-in checkbox and is sent directly to the client as the data controller.

2.5 When You Visit Our Website

• Standard analytics data: IP address, browser type, pages visited
• Cookies: see Section 10 below

3 Legal Basis for Processing

In accordance with Article 6 of the GDPR, our legal bases for processing your personal data are:

4 How We Use Your Data

We use your data exclusively for:

• Service delivery: delivering license keys, activating the plug-in, and providing support
• Communication: transactional emails (purchase confirmations, license delivery, support responses)
• Security: detecting suspicious activity and preventing misuse
• Legal obligations: issuing invoices and maintaining accounting records
• Service improvement: anonymized statistical data on plug-in usage

5 Who We Share Your Data With

We share your data only with the following third parties, and only to the extent necessary:

5.1 Payment Processors

• UniCredit Bank processes credit card payments. Privacy Policy: unicreditbank.rs/gdpr

5.2 Hosting and Infrastructure

• Unlimited (United Internet d.o.o., Milutina Milankovića 1c, 11073 Belgrade / New Belgrade, Republic of Serbia) hosts our website and license server.

5.3 Email Services

• SMTP through our hosting provider sends transactional emails.

5.4 Analytics

• Anonymized web analytics

5.5 Geolocation (only if the client enables it)

• ip-api.com (Salesforce.com Inc., Brisbane, Australia) — IP-based geolocation. Privacy Policy: ip-api.com/legal

5.6 Legal Obligations

We may disclose your data to the competent authorities when required by law (for example, pursuant to a court order, a tax inspection, or in the course of a fraud investigation).

6 International Data Transfers

Some of our processors (such as ip-api.com) are located outside the European Economic Area (EEA) and Serbia:

• Transfers to Australia: ip-api.com provides only optional geographic data (at the city level), without storing the IP address.

We carry out all transfers with appropriate safeguards in accordance with Articles 44–49 of the GDPR.

7 How Long We Retain Your Data

After these periods expire, the data is deleted or anonymized.

8 Your Rights

In accordance with the GDPR (and the Serbian Personal Data Protection Act where applicable), you have the following rights:

9 Data Security

We apply the following technical and organizational measures to protect your data:

Technical Measures

• HTTPS/TLS encryption for all traffic
• Passwords are stored as bcrypt/argon2 hashes (never in plain text)
• IP addresses from scans are stored as SHA256+salt hashes
• Regular encrypted backups
• Firewall and intrusion detection at the hosting provider level
• Regular security updates to WordPress core, plug-ins, and themes
• Restricted access to the license server by IP allowlist and authentication

Organizational Measures

• Personal data is accessible only to authorized personnel (Aleksander Krsmanović)
• A password policy with minimum length and complexity requirements
• Two-factor authentication (2FA) for administrator access
• Phishing-awareness training
• A "least privilege" policy for all system accounts

10 Cookies

Our website uses the following cookies:

Strictly Necessary Cookies (always active)

• PHPSESSID — site session; deleted when the browser is closed
• woocommerce_* (if WooCommerce is used) — cart and checkout

Functional Cookies (optional, with your consent)

• cookie_consent — remembers your cookie preferences
• language — remembers your selected language

Analytics Cookies (optional, with your consent)

• _ga, _gid, _gat — Google Analytics (if used)
• plausible_ignore — Plausible Analytics

You can manage cookies through our cookie banner, which is displayed on your first visit, or through your browser settings.

11 Minors

Our services are not intended for persons under the age of 16. We do NOT knowingly collect data from minors. If you are a parent or guardian and you learn that your child has provided us with their data, please contact us at office@planeta-racunari.rs — we will delete it immediately.

12 Changes to This Policy

We may amend this Privacy Policy from time to time. We will communicate any material changes through:

• An email notification to active customers (at least 30 days before the effective date)
• A banner on our homepage
• An updated "Last Updated" date at the top of this document

We version this policy, so prior versions are available upon request.

13 Contact

For any questions, complaints, or to exercise your rights, please contact us:

Supervisory Authority in Serbia

Supervisory Authorities in the EU

List of national authorities by country: edpb.europa.eu/members