APPCRO (“Company”) is the owner of the website („Website“).

The protection of your data is one of the most important principles of APPCRO. With this privacy policy, we would like to inform you about the type, scope and purpose of the personal data collected, used and processed by us. Furthermore, we would like to inform you about your rights.


  1. Contact information


APPCRO d.o.o.

Bolnicka cesta 34a

10000 Zagreb, Croatia

You can reach us via the email address:


Data Protection Officer:

Data Protection Officer

APPCRO d.o.o.

Bolnicka cesta 34a

10000 Zagreb, Croatia

If you want to assert your legal rights or have general questions, please contact or the corporate data protection officer of APPCRO at


  1. What information do we collect?

You may visit our site anonymously.


If you choose to register on our website, four categories of data will be processed:


“Account data”

When you register for an account on our site, place an order, subscribe to our newsletter or respond to a survey, basic contact details are collected such as the e-mail address and name of your contact person, company name, address, phone number, VAT number, preferred language and currency, any purchase order number, any e-mail address of invoice receivers and masked credit card or bank account details.


“Configuration data”

We collect your direct input to our cloud service APPCRO BMS (the “Service”) after login, like the domain name(s) of the website(s) where you implement the Service and configuration of the content, looks and behavior towards website visitors (“End Users”).


“End User Data”

Data generated by End Users browsing your website(s) using the Service. When an End User submits a consent from your website(s), the following data are automatically logged at APPCRO BMS:


The End User’s IP number in anonymized form (last three digits are set to ‘0’).

The date and time of the consent.

User agent of the End User’s browser.

The URL from which the consent was submitted.

An anonymous, random and encrypted key value.

The End User’s consent state, serving as proof of consent.

The key and consent state are also saved in the End User’s browser in the first party cookie so that the website can automatically read and respect the End User’s consent on all subsequent page requests and future End User sessions for up to 12 months. The key is used for proof of consent and an option to verify that the consent state stored in the End User’s browser is unaltered compared to the original consent submitted to APPCRO BMS.


“Log data”

When you visit our website or use our services, the device that you use to access the page automatically transmits log data (connection data) to our servers. Log data includes the IP address of the device that you use to access the website or service, the type of browser you are using, the website you have visited beforehand, your system configuration, and the date and time. We store IP addresses only to the extent necessary to provide our services. Otherwise, the IP addresses are deleted or made anonymous. We store your IP address when visiting our website for a maximum of 7 days to detect and ward off attacks.



Cookies: are small identifiers that a server stores on the device that you use to access our website or our services. They contain information that can be retrieved when accessing our services, allowing for more efficient and better use of our services.

We use cookies in various areas on our website:

  1. a) Own cookies: Sent to the user’s system from a system or domain managed by the editor and from which the service requested by the user is provided.
  2. b) Third party cookies: Sent to the user’s system from a system or domain that is not managed by the editor but by another company processing the data obtained through the cookies.

Depending on the period of time that they remain active:

  1. c) Session cookies: Designed for gathering and storing data while the user is using a web page. They are usually used to store information that is only intended for providing the service requested by the user on one single occasion (e.g. a list of purchased products).
  2. d) Persistent cookies: Continual storage of data on the system; may be accessed and processed during a specific period of time by the manager of the cookie, which may range between several minutes or several years.

Depending on their purpose:

  1. e) Technical cookies: Allow the user to browse a website, platform or application and use the different options or services offered, such as, for example, controlling data traffic and communication, identifying the session, accessing restricted areas, recalling the parts of an order, carrying out the process for purchase of an order, making a request to register for or participate in an event, using security elements during browsing, storing contents for the transmission of videos or sound or sharing contents through social networks.
  2. f) Analytical cookies: Used to measure the activity of the websites, applications or platforms, and draw up browsing profiles of the users of such websites, applications and platforms in order to introduce upgrades on the basis of the analysis of the data on the use of the service by users.
  3. g) Advertising cookies: Enable the most efficient management possible of the advertising space that the editor has included in a website, application or platform from which the requested service is provided on the basis of criteria such as the edited content or the frequency with which the advertisements are shown.
  4. h) Behavioural advertising cookies: Enable the most efficient management possible of the advertising space that the editor has included in a website, application or platform from which the requested service is provided. These cookies store behavioral information about users obtained through the ongoing observance of their browsing habits, which allows a specific profile to be defined in order to show advertising on the basis of such profile.

The data processed by cookies is required for the aforementioned purposes in order to protect our legitimate interests and those of third parties pursuant to Article 6 sec. 1 sent. 1 lit. f GDPR.

Disabling cookies

You may choose which cookies you want on this website by setting your browser. For further information on you opt-out choices, please see below.

Use of Google Tag Manager

This website uses Google Tag Manager. Google Tag Manager is a solution operated by Google LLC. 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) that allows marketed website tags to be managed using an interface. The Tag Manager tool itself (which implements the tags) is a cookie-less domain and does not register personal data. The tool causes other tags to be activated which may, for their part, register data under certain circumstances. Google Tag Manager does not access this information. If recording has been deactivated on domain or cookie level, this setting will remain in place for all tracking tags implemented with Google Tag Manager.

Use of Google Analytics

This website uses Google Analytics, an analyzing service provided by Google. Google Analytics uses cookies to help the website analyze how users use the site. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the USA.

The IP-anonymization is activated on this website, your IP address will be truncated within the area of Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases the whole IP address will be first transferred to a Google server in the USA and truncated there.

Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing them other services relating to website activity and internet usage.

The IP-address that your browser conveys within the scope of Google Analytics, will not be associated with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also opt-out from being tracked by Google Analytics with effect for the future by downloading and installing Google Analytics Opt-out Browser Add-on for your current web browser:

Please refer to further information on usage rights or data protection please visit the following websites: or

As an alternative to the browser Add-on or within browsers on mobile devices click this link in order to opt-out from being tracked by Google Analytics within this website in the future (the opt-out applies only for the browser in which you set it and within this domain): Disable Google Analytics

Please note that in case of deletion of your cookies you will need to click on the links above again to secure your data. It is possible to object to the collection and processing of data.


You will be informed by APPCRO BMS about relevant changes concerning the Service, such as the implementation of additional functions, by e-mail, if you subscribe to APPCRO BMS’s newsletter from the account settings page in the Service Manager.


  1. What do we use your information for?

Any of the information we collect from you may be used for one or more of the following purposes:



To personalize your experience (the information will help APPCRO BMS better respond to your individual needs);


To enable you to control the user experience towards End Users and enable the Service to automatically apply the End User’s consent to other websites of you manage;


To improve our website (APPCRO BMS continually strives to improve our website based on the information and feedback we receive from our customers);


To identify you as a contracting party;


To enable secure login for your services at;


To establish a primary channel of communication with you;


To enable APPCRO BMS to issue valid VAT invoices and to process transactions (your information will not be sold, exchanged, transferred, or given to any other company for any reason whatsoever, without your consent, other than for the express purpose of delivering the service requested);


To enable automated handling of the subscriptions;


To produce and display cookie declarations to End Users and store and display scan report(s) to you;


To provide you with aggregated information on the choices of the End Users regarding accepted cookie types and generate a graphical representation in the Service Manager; and/or


To send periodic e-mails (The e-mail address you provide for order processing, may be used to send you information and updates pertaining to your order, in addition to receiving occasional company news (if accepted), updates, related product or service information, etc.)


  1. Legal basis

4.1. EU General Data Protection Regulation (GDPR)

The processing of your data is either based on your consent or in case the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract, cf. GDPR art. 6(1)(a)-(b).


If the processing is based on your consent, you may at any time withdraw your consent by contacting us using the contact information in clause 1.


In order to enter into a contract regarding the purchase of APPCRO BMS’s Service, you must provide us with the required personal data. If you do not to provide us with all the required information, it will not be possible to deliver the Service.


4.2. California Online Privacy Protection Act Compliance

Because APPCRO BMS values your privacy we have taken the necessary precautions to be in compliance with the California Online Privacy Protection Act. We therefore will not distribute any personal information to outside parties without your consent except as stated in clause 7.


As part of the California Online Privacy Protection Act, all users of our website may make any changes to their information at any time by logging into their account and navigating to the “profile page”.


4.3. Children’s Online Privacy Protection Act Compliance

APPCRO BMS is in compliance with the requirements of the Children’s Online Privacy Protection Act. We will not intentionally collect any information from anyone under 13 years of age. Our website, products and services are all directed at people who are at least 13 years old or older.


  1. How do we protect your information?

APPCRO BMS implements the following technical, physical and organizational measures to maintain the safety of your personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized use, unauthorized modification, disclosure or access and against all other unlawful forms of processing.


5.1. Availability

The Service utilizes the extensive features of the cloud environment to ensure high availability, like full redundancy, load balancing, automatic capacity scaling, continuous data backup and geo-replication along with a traffic manager for automatic geographical failover on datacenter level disasters. All failover mechanisms are fully automated.


No personal data is stored permanently outside APPCRO BMS’s cloud platforms. The physical security is thereby maintained by APPCRO BMS’s subcontractors, see clause 7. Microsoft’s datacenters comply with industry standards such as ISO 27001 for physical security and availability, e.g. by using security staff around the clock, two-factor access control using biometric and card readers, barriers, fencing, security cameras and other measures.


5.2. Integrity

To ensure integrity, all data transits are encrypted to align with best practices for protecting confidentiality and data integrity. E.g. all supplied credit card information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway provider’s database only to be accessible by those who are authorized to access such systems and who are required to keep the information confidential.


For data in transit, the Service uses industry-standard transport protocols between devices and Microsoft datacenters and within datacenters themselves.


5.3. Confidentiality

All personnel are subject to full confidentiality and any subcontractors and sub processors are required to sign a confidentiality agreement if not full confidentiality is part of the main agreement between the parties.


Whenever personal data is accessed by authorized personnel the access is only possible over an encrypted connection. When accessing the data in a database, the IP number of the person accessing the data must also be pre-authorized to obtain access.


Any device being used to access personal data is login protected by APPCRO BMS’s Azure Active Directory (AAD), Microsoft’s cloud based identity and access management service, and has APPCRO BMS’s corporate antivirus solution installed. If any personal data are temporarily stored on a device, the storage unit on the device must also be strongly encrypted.


On premise devices storing personal data temporarily is at all times, except when not being actively used or relocated under uninterrupted supervision, locked in a safe. Personal data are never stored on mobile media like USB sticks and DVD’s.


5.4. Transparency

APPCRO BMS will at all times keep you informed about changes to the processes to protect data privacy and security, including practices and policies. You may at any time request information on where and how data is stored, secured and used. APPCRO BMS will also provide the summaries of any independent audits of the Service.


5.5. Isolation

All access to personal data is blocked by default, using a zero privileges policy. Access to personal data is restricted to individually authorized personnel. APPCRO BMS’s Security and Privacy Officer issues authorizations and maintains a log of granted authorizations. Authorized personnel are granted a minimum access on a need-to-have basis through our AAD.


5.6. The ability to intervene

APPCRO BMS enables your rights of access, rectification, erasure, blocking and objection mainly by providing built-in functions for data handling in the Service Manager, by offering the option to send instructions through APPCRO BMS’s helpdesk and also by informing about and offering the customer the possibility of objection when APPCRO BMS is planning to implement changes to relevant practices and policies.


The overall responsibility for data security lies with APPCRO BMS’s Data Protection Officer who educates and updates all personnel on the data security measures outlined in APPCRO BMS’s security handbook and this Privacy Policy.


5.7. Monitoring

APPCRO BMS uses security reports to monitor access patterns and to proactively identify and mitigate potential threats. Administrative operations, including system access, are logged to provide an audit trail if unauthorized or accidental changes are made.


System performance and availability is monitored from both internal and external monitoring services.


5.8. Personal Data breach notification

In the event that your data is compromised, APPCRO BMS will notify you and competent Supervisory Authority(ies) within 72 hours by e-mail with information about the extent of the breach, affected data, any impact on the Service and APPCRO BMS’s action plan for measures to secure the data and limit any possible detrimental effect on the data subjects.


“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of the Service.


  1. Duration of storage

We only process and store personal data for the period required to achieve the purpose of storage or where required by law. As a rule, the processing purpose is achieved upon termination of your contract.

You can change and delete data that you save in our services yourself. After the termination of contract, we will delete the data stored in the services and backup copies in our backup systems are automatically deleted with a time delay stated by the Terms of use or if customer have contracted with APPCRO to keep data for longer period.


For contract data, processing will be restricted after the contract has been terminated; it will be deleted after expiry of the statutory retention period.

Data that you enter during the application process is stored for a maximum of six months.


  1. Do we disclose any information to outside parties?

APPCRO BMS does not sell, trade or otherwise transfer to outside parties any personally identifiable information.


This does not include trusted third parties or subcontractors who assist us in operating our website, conducting our business, or servicing you. Such trusted parties may have access to personally identifiable information on a need-to-know basis and will be contractually obliged to keep your information confidential.


We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety. Furthermore, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.


7.1. Subcontractors/trusted third parties

The subcontractors Microsoft Ireland Operations Ltd, Dublin, Ireland is following and being audited against the standards of ISO/IEC 27001. The main subcontractor Microsoft has also adopted the international code of practice for cloud privacy, ISO/IEC 27018. The subprocessor E-conomic International A/S is certified in “International Standards on Assurance Engagements 3000” (ISAE 3000).


APPCRO BMS will monitor subcontractors’ and subprocessors’ maintenance of these standards and audits to ensure that data protection requirements are fulfilled.


Any intended changes concerning the addition or replacement of subcontractors or subprocessors handling personal data will be announced to you with at least 3 months’ notice. You retain at all times the possibility to object to such changes or to terminate the contract with APPCRO BMS.


7.2 Legally required disclosure

APPCRO BMS will not disclose the customer’s data to law enforcement except when instructed by you or where it is required by law. When governments make a lawful demand for customer data from APPCRO BMS, APPCRO BMS strives to limit the disclosure. APPCRO BMS will only release specific data mandated by the relevant legal demand.


If compelled to disclose your data, APPCRO BMS will promptly notify you and provide a copy of the demand unless legally prohibited from doing so.


  1. Third party links

Occasionally, at our discretion, we may include or offer third party products or services on our website. These third party sites have separate independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked websites. Nonetheless, we seek to protect the integrity of our website and welcome any feedback about these websites.


  1. Where do we store the information?

No stored data will be transferred, backed up and/or recovered by APPCRO BMS outside of the European Union.


9.1. Personal data location

All data are stored in databases and file repositories hosted in an Azure data center at APPCRO BMS’s cloud vendor, Microsoft Ireland Operations Ltd in Dublin. All data are automatically replicated in real time to secondary hot failover databases and file repositories in Microsoft’s data center in Amsterdam, Netherlands.


Databases are continuously backed up to enable restore to any point in time within a retention period of 35 days. Backups are stored on file storage at the same geographical location as the database.


A copy of the Account Data is also stored in APPCRO BMS’s cloud accounting system, Varazdin, Hrvatska, hosted in a datacenter operated by APPCRO.


9.2. Installation of software on cloud customer’s system

No installation of software is required to use the Service. The login-protected Service Manager is accessible through a standard web browser, automatically using an encrypted https-connection for all communications between your browser and APPCRO BMS’s server to protect any data from being intercepted during network transfers.


  1. Access, data portability, migration, and transfer back assistance

You may at any time obtain confirmation from APPCRO BMS as to whether or not personal data concerning you are being processed.


You may at any time order a complete data copy, which you may transmit to another controller of the data. Your data will be delivered within 10 working days by APPCRO BMS as spreadsheet files in Microsoft Excel-format. Logical relations between datasets will be preserved in form of unique identifiers. You are required to pay €1,000 + any applicable taxes on delivery for each data copy order.


  1. Request for rectification, restriction or erasure of the personal data

11.1. Rectification

You may at any time obtain without undue delay rectification of inaccurate personal data concerning you, cf. clause 5.6.


11.2. Restriction of processing personal data

You may at any time request APPCRO BMS to restrict the processing of personal data when one of the following applies:



if you contest the accuracy of the personal data, for a period enabling APPCRO BMS to verify the accuracy of the personal data;


if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; or


if APPCRO BMS no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims.

11.3. Erasure

You may without undue delay request the erasure of personal data concerning you, and APPCRO BMS shall erase the personal data without undue delay when one of the following applies:



if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;


if you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing;


if you object to the processing in case the processing is for direct marketing purposes;


if the personal data have been unlawfully processed; or


if the personal data have to be erased for compliance with a legal obligation in EU or national law.

  1. Data retention

12.1. Data retention policy

Account Data will due to tax regulations be retained for up to five full fiscal years from your cancellation of your Service account.


Configuration Data and System Generated Data will be erased immediately when you cancel the Service account.


End User Data will be erased on an ongoing basis after 12 months from registration, and immediately when you cancel the Service account.


12.2. Data retention for compliance with legal requirements

You cannot require APPCRO BMS to change any of the default retention periods, except for the reasons for erasure pursuant to clause 11.3, but may suggest changes for compliance with specific sector laws and regulations.


12.3. Data restitution and/or deletion

No data except Account Data will be retained after the termination of the contract. You may request a data copy before termination. You must not cancel the Service account until the data copy has been delivered, as APPCRO BMS otherwise will not be able to deliver the data copy.


  1. Accountability

APPCRO BMS uses the extensive range of built-in logging features and audits trails provided by Microsoft on its Azure cloud platform. APPCRO BMS also logs all system updates, configuration changes and access to provide an audit-trail if unauthorized or accidental changes are made.


You may request a data protection audit performed by an independent third party who is also accepted by APPCRO BMS. You will pay €5,000 plus applicable taxes for an audit request along with €200 per hour APPCRO BMS is spending in connection with the audit as well as any other costs related to the audit, including the auditor.


  1. Cooperation

APPCRO BMS will cooperate with you in order to ensure compliance with applicable data protection provisions, e.g. to enable you to effectively guarantee the exercise of data subjects’ rights (right of access, rectification, erasure, blocking, opposition), to manage incidents including forensic analysis in case of security breach.


  1. Terms of Service

Please also visit our Terms of Service section establishing the use, disclaimers, and limitations of liability governing the use of our website at


  1. Your consent

By using our site, you consent to this Privacy Policy.


  1. Changes to our Privacy Policy

If we decide to change our Privacy Policy, we will post those changes on this page, and/or update the Privacy Policy modification date below.

  1. Complaint

You may at any time lodge a complaint with a supervisory authority regarding APPCRO BMS’s collection and processing of your personal data. In Croatia, you can lodge a complaint with the Croatian Data Protection Agency.


This Privacy Policy was last modified on January 1 2023.