Privacy Policy

The official legal text below is in English for precision. The Everent user interface is in Bosnian. Source in the repository: docs/legal/PRIVACY_POLICY.md

Privacy Policy — Everent

Effective date: 7 April 2026
Last updated: 7 April 2026


Important notice (not legal advice)

This Privacy Policy is provided as a draft template to help describe how the Everent service handles personal data. It does not constitute legal advice. You should have this document reviewed and adapted by counsel qualified in Bosnia and Herzegovina (and, if applicable, the European Union or other jurisdictions where you operate or where data subjects are located). Registry identifiers and full postal address may be supplied on request to privacy@everent.ba if you choose not to publish them here.


1. Who we are

Service name: Everent (the “Service”).
Operator / data protection contact: SAAISolutions d.o.o. (“Everent”, “we”, “us”, “our”), Bosnia and Herzegovina.

Item                          | Detail
Registered name               | SAAISolutions d.o.o.
Registered address            | Bosnia and Herzegovina (full registered office address on request to privacy@everent.ba)
Court / registry ID           | On request to privacy@everent.ba
ID number (JIB / comparable)  | On request to privacy@everent.ba
General contact email         | privacy@everent.ba
Data protection contact / DPO | No separate DPO appointed; privacy@everent.ba for data protection inquiries

Public websites / apps: The marketing site and web application are primarily provided at everent.ba (and related domains such as www.everent.ba). API endpoints may be provided under separate technical hostnames (e.g. *.empkeep.com) used to deliver the Service. The product user interface is primarily in Bosnian; this Policy is published in English for precision and international readability.


2. Scope of this Policy

This Policy applies to:

  1. Visitors to our public website and landing pages.
  2. Prospective customers who use contact or demo forms.
  3. Organizations that register for or subscribe to the Service (“Customers”).
  4. Authorized users of a Customer account, including company administrators, managers, and employees (“Users”).
  5. Platform administrators we authorize to operate or support the platform (limited scope).

This Policy does not govern third-party websites, plugins, or services that are not operated by us (even if linked from our site).


3. How Everent fits into privacy roles (controller vs processor)

Everent is a business-to-business (B2B) workforce operations platform. In typical use:

Role                             | Party                                  | Typical responsibility
Controller                       | The Customer (employer / organization) | Decides why and how employee and HR data is processed inside the Service (policies, retention, lawful basis toward employees, access rules).
Processor                        | Everent                                | Processes personal data on the Customer’s instructions to provide the Service (hosting, authentication, workflows, storage, support).
Independent controller (limited) | Everent                                | In some cases we process personal data for our own purposes, e.g. billing, fraud/abuse prevention, security logging, product improvement (aggregated), and compliance with law.

Where a User’s employer is the controller, Users should contact their employer first for rights requests that relate to employment records. We will assist Customers, as required by law and contract, to respond to individuals’ requests.


4. Personal data we process

The Service is configurable; Customers choose what they enter. We aim to collect and process only the minimum personal data necessary to provide the Service. Categories may include:

4.1 Customer organization data

  • Company name, identifiers, and operational settings.
  • Work locations and addresses; Google Places place identifiers (place IDs) where that feature is used.
  • Business-trip configuration (e.g. countries, vehicles, allowances) entered by the Customer.
  • Self-service registration / sales contact details collected at signup (e.g. contact name and phone).
  • Company logo or similar assets uploaded to our file storage.

4.2 User account and profile data (company Users)

  • Identifiers: name, email address, phone number, internal contact fields.
  • Credentials: password secrets are stored using one-way hashing; we do not store plaintext passwords.
  • Employment-related fields the Customer chooses to maintain (e.g. job title, schedule type, working-time patterns, hire date, hourly rate, annual leave configuration, internal notes).
  • Roles, groups, and permissions (including policy-based access control).
  • Verification and security tokens (e.g. email verification, password reset, registration OTP flows) with limited validity.

4.3 Operational and HR workflow data

Examples of records the Service may store include:

  • Time and attendance (e.g. clock/manual/imported work logs: start/end times, breaks, minutes, notes, source).
  • Leave, overtime, and business trip requests and approvals, including previews/calculations.
  • Shift templates, rules, and assignments.
  • Cases and related metadata; evidence files attached where the product allows uploads.
  • Razduženje (or similar) images / PDFs where uploaded for compliance workflows.
  • Documents generated or exported through the Service (e.g. reports, spreadsheets, generated documents).
  • Employee import runs and related metadata (if used).

4.4 AI-assisted features (Fast / command mode)

When a Customer enables or Users use AI-assisted features, we may process:

  • Text Users submit (e.g. commands, confirmations).
  • Audio Users submit for transcription (sent to our AI subprocessors for conversion to text).
  • Conversation state stored temporarily in our database (including references such as provider thread identifiers) to complete multi-step flows.

Technical note: Short-lived AI conversation records in our systems are designed to expire automatically after a limited period (e.g. on the order of 60 minutes of inactivity, subject to product changes). Provider-side retention is governed by the subprocessor’s terms and settings.

4.5 Communications with us

  • Public contact form: name, email, optional company name, message content, and delivery metadata.
  • Transactional email: recipients, subjects, sending metadata, and message content as needed to deliver verification, notifications, and password reset flows.
  • Support correspondence if you contact us by email or other channels.

4.6 Technical and security data

  • HTTP/API metadata: IP address, user agent, timestamps, route/method (as typically found in server logs).
  • Authentication artifacts: JSON Web Tokens (JWT) issued for session continuity; the frontend may store session data in browser local storage (e.g. key everent_session).
  • Error and application logs for diagnostics (we aim to minimize personal data in logs).

4.7 Sensitive data

Customers may choose to enter or upload data that is sensitive under law (e.g. health-related context in leave requests, financial/payroll data, document images). We process such data only as instructed by the Customer and only to provide the Service, unless otherwise required by law.


5. Purposes and legal bases (summary)

Depending on context and applicable law, we rely on one or more of the following:

Purpose                         | Examples                                              | Typical legal basis
Provide and operate the Service | Accounts, workflows, reports, uploads, notifications  | Performance of a contract with the Customer; instructions as processor
Security and abuse prevention   | Authentication, rate limits, fraud checks             | Legitimate interests; legal obligations
Improve reliability             | Aggregated metrics, debugging                         | Legitimate interests (non-invasive)
AI-assisted UX                  | Intent parsing, transcription, guided flows           | Performance of a contract; legitimate interests; where required, consent (jurisdiction-specific)
Comply with law                 | Tax, court orders, lawful requests                    | Legal obligation
Contact and marketing (if any)  | Responding to inquiries                               | Legitimate interests or consent as applicable

Customers remain responsible for establishing a lawful basis toward their employees and for notices, policies, and collective agreements as required by labor and data protection law.


6. Subprocessors and recipients

We use service providers that process personal data on our behalf or receive data as part of providing their services. As of the Last updated date, these include:

Subprocessor                       | Role (summary)                                                              | Location / notes
MongoDB, Inc. (e.g. MongoDB Atlas) | Cloud database hosting                                                      | Data typically in selected cloud regions; see provider DPA
Amazon Web Services, Inc.          | Lambda, API Gateway, S3 (file storage), SES (email), logging                | Primary eu-central-1 (Frankfurt) for core infrastructure (see §7)
OpenAI, LLC (and affiliates)       | LLM intent parsing, Assistants API flows, speech-to-text transcription      | US and other regions per OpenAI; review DPA / SCCs as applicable
Google LLC                         | Places Autocomplete (address/location suggestions, BiH-focused configuration) | US/global infrastructure per Google

We may add or replace subprocessors. Where our agreement with Customers requires, we will provide notice and an opportunity to object as contractually agreed.

Everent will provide at least 15 days’ prior notice of intended additions or replacements of subprocessors that process personal data on our behalf in connection with the Service. Customers may object on reasonable data protection grounds within that period. If the parties do not resolve the objection within a reasonable time, the Customer may terminate the affected Service components (or the agreement governing the Service, if substantially all relevant processing is affected), as the Customer’s exclusive remedy for that objection.

The current subprocessor list is maintained at https://everent.ba/subprocessors (we may update the URL with reasonable redirects if the path changes).


7. International transfers

Subprocessors may process data in Bosnia and Herzegovina, the European Union, the United States, and other countries. Where transfers are restricted by law, we implement appropriate safeguards (e.g. Standard Contractual Clauses, vendor DPAs, supplementary measures) as required and as updated with counsel.

Hosting (core Service). Primary hosting for core Service infrastructure is AWS eu-central-1 (Frankfurt). Backups may be stored in the same region. We do not intentionally use US-only hosting for core Customer production data; however, subprocessors (including AI providers) may process data in other regions as described in this Policy and our subprocessor disclosures.


8. Retention

Retention depends on Customer choices, contract, and legal obligations:

  • Active subscription: data retained to operate the Service.
  • AI conversation cache: short TTL-based deletion in our database (see §4.4); provider-side retention is separate.
  • Verification / reset tokens: expire automatically after a limited period (e.g. 72 hours where configured — subject to change).
  • Terminated accounts: governed by the Terms of Service / data processing agreement (export window, backup latency, legal holds).
  • Backups: may persist for a limited additional period before overwrite cycles complete.
  • Security and application logs: retained for a limited period (e.g. 30–90 days) unless longer retention is required for investigation, security incident response, or legal obligation.

9. Security measures

We implement technical and organizational measures appropriate to the risk, which may include:

  • Encryption in transit (HTTPS/TLS for web/API traffic).
  • Access controls and role-based / policy-based permissions inside the application.
  • Hashed passwords and token-based authentication (JWT).
  • Least-privilege access for operations staff (where applicable).
  • Segregation of Customer data in application logic (company-scoped queries).

Personal data breach notification (B2B Customers). If Everent becomes aware of a personal data breach affecting Customer data we process as processor, we will notify the Customer without undue delay, with a target of within 72 hours of becoming aware, where feasible. Notifications will describe, insofar as available, the nature of the incident, affected categories of data, likely consequences, and mitigation steps taken or proposed. Customers remain responsible for notifying their employees, supervisory authorities, or other parties where they are required to do so under applicable law.

No method of storage or transmission is 100% secure. Customers must protect credentials, use strong passwords, and restrict admin access.


10. Cookies, local storage, and similar technologies

  • Essential / functional: we use mechanisms required for authentication and security (including local storage for session continuity).
  • Analytics / marketing cookies: the core frontend dependency set may not include third-party advertising SDKs; we may introduce optional analytics later. If we do, we will update this Policy and, where required, obtain consent.

We rely on legitimate interests for essential storage (authentication and security) and on consent for optional analytics where required by applicable law.

You can clear local storage in your browser; this will typically sign you out.


11. Your rights (individuals)

Depending on applicable law (e.g. BiH personal data protection law, GDPR for EU data subjects where applicable), individuals may have rights including:

  • Access to personal data
  • Rectification of inaccurate data
  • Erasure (“right to be forgotten”) in certain cases
  • Restriction of processing
  • Objection to certain processing
  • Data portability
  • Withdraw consent where processing is consent-based
  • Lodge a complaint with a supervisory authority

If you are an employee User: contact your employer (Customer) first for requests regarding HR records in the Service.
If you are a Customer administrator: contact us at privacy@everent.ba.
Response timelines depend on law and complexity; we may need to verify identity.

Processor assistance. Everent assists Customers with individuals’ requests as processor, as required by applicable law and our agreements with Customers. Customers remain responsible for employee-facing compliance (notices, lawful basis, policies, and communications to their Users).


12. Automated decision-making

The Service may use AI to interpret user input and suggest or prepare actions. Meaningful decisions about employment should remain subject to human review by the Customer. We do not intend the Service to replace statutory human decisions; Customers configure approvals.


13. Children’s data

The Service is not directed to children and is intended for business use. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it where appropriate.


14. Changes to this Policy

We may update this Policy from time to time. We will post the revised version with a new Last updated date and, where appropriate, provide additional notice (e.g. email or in-app banner). Continued use after the effective date may constitute acceptance where permitted by law.


15. Contact

Privacy questions: privacy@everent.ba
Security vulnerability reports: security@everent.ba
Service status / incident information: https://everent.ba/status; support@everent.ba for operational incident enquiries.
Postal address: SAAISolutions d.o.o., Bosnia and Herzegovina (full postal address on request to privacy@everent.ba)
Supervisory authority (BiH example): Agency for Personal Data Protection of Bosnia and Herzegovina (Agencija za zaštitu ličnih podataka Bosne i Hercegovine) — competent authority depends on circumstances and jurisdiction


End of Privacy Policy