Privacy Policy | Moddrum AI

Last updated: 19 March 2026 · Effective date: 19 March 2026 · Supervisory authority: Information Commissioner of Slovenia (IP RS) — www.ip-rs.si

This Privacy Policy describes how [COMPANY NAME] ("[COMPANY NAME]", "we", "us", "our"), registered at [REGISTERED ADDRESS], Slovenia, processes personal data when you visit our website at moddrum.com, use the Moddrum Practice platform, or communicate with us.

We are committed to protecting your personal data and processing it in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Slovenian data protection law.

1. Data Controller

The data controller responsible for your personal data is:
[COMPANY NAME]
[REGISTERED ADDRESS], Slovenia
Email: privacy@moddrum.com
Phone: [PHONE NUMBER]

For questions about how we handle your personal data, or to exercise your rights, contact us at privacy@moddrum.com.

2. Definitions

Personal data — any information relating to an identified or identifiable natural person.
Processing — any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
Data controller — the entity that determines the purposes and means of processing personal data.
Data processor — an entity that processes personal data on behalf of the controller.
EEA — the European Economic Area.

3. What Personal Data We Collect and Why

Category	Data collected	Purpose	Legal basis	Retention
Account data	Name, role, email address, password (hashed)	Account creation and authentication	Contract performance	Duration of account + 30 days after deletion request
Organisation data	Company name, tax number (davčna številka), VAT ID, address	Tenant identification, invoice matching, MiniMax export	Contract performance	Duration of account + 7 years (legal accounting obligation)
Subscription & billing	Subscription plan, payment status, credit balance, billing email	Subscription management, invoicing	Contract performance, legal obligation	7 years (tax law)
Uploaded documents	Invoices, bank statements, receipts, and other accounting documents uploaded by the Customer	Automated data extraction, reconciliation, export — on behalf of the Customer (see Appendix 1 of Terms)	Contract performance (processor role)	Per Customer agreement; default 90 days after account termination
Usage & device data	IP address, browser type, session events, pages visited, feature usage counts	Service delivery, security, debugging, product improvement	Legitimate interest	90 days (logs); aggregated analytics retained indefinitely
Communications	Email content when you contact support; content of support tickets	Customer support and issue resolution	Legitimate interest / contract performance	3 years

Uploaded documents (processor role): When you upload invoices, bank statements, or other accounting documents, you act as the Data Controller for the personal data those documents contain (e.g. supplier names, IBAN numbers, employee data). We act as your Data Processor and process that data solely on your instructions. This relationship is governed by the Data Processing Contract in Appendix 1 of our Terms of Service.

4. Personal Data Protection

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data at rest (AES-256) and in transit (TLS 1.2+);
Role-based access controls and the principle of least privilege;
Regular security reviews and penetration testing;
Audit logging of sensitive operations;
Pseudonymisation where practicable;
Formal incident response procedures.

Data breach notification: If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner of Slovenia (IP RS) without undue delay and within 72 hours of becoming aware. If the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.

5. Third Parties and Sub-processors

We share personal data with the following categories of third parties:

Third party	Country	Purpose	Transfer basis
Anthropic PBC	United States	AI/LLM processing for intelligent document understanding	EU Standard Contractual Clauses
Google Cloud Platform	EU (Frankfurt / Belgium)	Cloud infrastructure, storage, compute	EU adequacy / SCCs
MiniMax d.o.o.	Slovenia	Accounting system integration (export on Customer instruction)	Within EEA
Revolut Ltd	UK / EU	Payment processing (billing information only; document data not shared)	UK adequacy decision / SCCs

We do not sell personal data. We do not share personal data with advertisers or marketing platforms.

6. International Data Transfers

Some of our sub-processors are located outside the EEA, most notably Anthropic (United States). Transfers of personal data to countries not recognised by the European Commission as providing an adequate level of data protection are made under the European Commission's Standard Contractual Clauses (SCCs, 2021), which provide equivalent safeguards. You may request a copy of the applicable SCCs by contacting privacy@moddrum.com.

7. Cookie Policy

Our website (moddrum.com) uses cookies and similar tracking technologies. You can manage cookie preferences through your browser settings.

Category	Purpose	Examples	Expiry
Strictly Necessary	Authentication, session management, security	Session cookie, CSRF token	Session / 1 day
Functional	Remembering your language and display preferences	Language preference	1 year
Analytics	Understanding how the website is used (aggregate, anonymised)	Google Analytics (_ga, _gid)	Up to 2 years

Strictly necessary cookies cannot be disabled as they are essential for the Service to function. You may opt out of analytics cookies by adjusting your browser settings or using the Google Analytics opt-out browser add-on.

8. Your Rights Under GDPR

As a data subject in the EEA, you have the following rights:

Right of access

Request a copy of the personal data we hold about you.

Right to rectification

Request correction of inaccurate or incomplete personal data.

Right to erasure

Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.

Right to data portability

Receive your personal data in a structured, machine-readable format.

Right to restriction

Request that processing of your data be temporarily restricted.

Right to object

Object to processing based on legitimate interest, including for direct marketing.

Right to withdraw consent

Withdraw any previously given consent at any time, without affecting prior processing.

Right to lodge a complaint

Lodge a complaint with the Information Commissioner of Slovenia (IP RS) at www.ip-rs.si.

To exercise any of these rights, contact us at privacy@moddrum.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling your request.

9. Children's Privacy

The Service is intended for professional use by adults. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, contact us immediately at privacy@moddrum.com.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify registered users of material changes by email or in-app notification at least fourteen (14) days before they take effect. The "Last updated" date at the top of this page indicates when it was most recently revised.

11. Contact

For privacy-related questions or to exercise your rights:
[COMPANY NAME]
[REGISTERED ADDRESS], Slovenia
Email: privacy@moddrum.com

You also have the right to lodge a complaint with the supervisory authority:
Information Commissioner of Slovenia (IP RS)
Dunajska cesta 22, 1000 Ljubljana, Slovenia
www.ip-rs.si