Legal documentation
Privacy Policy
This document describes how BiznisPortal.rs collects, processes and stores users' personal data — in accordance with the Personal Data Protection Act (ZZPL) and the EU General Data Protection Regulation (GDPR).
Effective date
January 1, 2024.
Last updated
May 1, 2025
Version
v2.0
Data controller
The personal data controller within the meaning of Article 4 item 8 ZZPL is:
This document applies to all personal data processed via the website biznisportal.rs and all its subpages, API services, and mobile applications that are an integral part of the platform.
Data we collect
BiznisPortal.rs collects the following categories of personal data, solely to the extent necessary to achieve the stated processing purposes:
Identification data
- Full name (contact person)
- Company / brand name
- VAT / company ID (for invoicing)
Contact data
- Email address
- Phone number
- Registered office address
Technical data
- IP address
- Browser and operating system type
- Time and duration of visit
- Referral URL
Content data
- Text and images from the registration form
- Review content
- Contact form and message content
- Internal administrative notes
Mobile app data
- Approximate location (only on your request, for "Near me")
- Device push token (FCM) — for notifications
- App installation identifier
Purpose and legal basis of processing
Every processing of personal data has a clearly defined purpose and an appropriate legal basis in accordance with Article 12 of the ZZPL:
Processing of profile registration requests
Performance of a contract or pre-contractual actions — Art. 12 para. 1 item 2 ZZPL
Until the profile is deleted or the partnership ends
Content and review moderation
Legitimate interest of the controller — Art. 12, para. 1, item 6 of the PDPL
Until moderation is completed + 30 days
Communication via the contact form
Consent of the data subject — Art. 12, para. 1, item 1 PDPA
Until the communication is concluded
Invoicing and financial records
Legal obligation — Art. 12 para. 1 item 3 ZZPL
11 years (Accounting Act)
Analytics and system security (logs)
Legitimate interest of the controller — Art. 12 para. 1 item 6 ZZPL
90 days
Sending promotional messages
Consent — Art. 12 para. 1 item 1 ZZPL (with the right to withdraw)
Until consent is withdrawn
Cookies and tracking
BiznisPortal.rs uses cookies and similar technologies for the proper functioning of the platform and visit analysis.
Essential cookies
They ensure the site, sessions and security tokens function. They cannot be disabled.
Analytical cookies
Collect anonymous visit data to improve the user experience (e.g. number of visits, traffic source).
Functional cookies
Remember your preferences (language, region) for personalized content display.
You can manage cookies through your browser settings or via the cookie management banner shown on your first visit to the portal. Disabling necessary cookies may affect the functioning of certain parts of the platform.
Sharing data with third parties
BiznisPortal.rs does not sell and does not rent out personal data to third parties. Data may be shared only in the following situations:
Hosting and cloud service providers
Technical infrastructure and data storage
Data processing agreement (DPA)
Email sending system
Delivery of transactional email messages
Data Processing Agreement (DPA)
Analytics services (anonymized)
Site visit and performance statistics
Anonymization / pseudonymization before transfer
Accounting software / accountant
Financial records and invoicing
Confidentiality agreement + legal obligation
Government authorities
Based on a legal order or court order
Solely on instruction — the minimum data necessary
Artificial intelligence processing
To improve the user experience, BiznisPortal.rs also uses artificial intelligence tools. This is a sensitive area and we want to be fully transparent:
Anthropic (Claude)
Summarizing descriptions, SEO narratives by (region × category), content moderation, automated answers to questions, image classification for search.
DPA + SCC + zero-data-retention configuration (Anthropic does not use our inputs to train models).
Google Vision
OCR and image classification during profile import and moderation of inappropriate content.
DPA + SCC; images are not used to train Google models.
OpenAI (backup provider)
Active only if Anthropic is unavailable — the same types of tasks.
DPA + SCC + the option “API data not used for training" (enabled by default).
What we DON'T do: automated individual decision-making that produces legal or similarly significant effects for you (Art. 38 ZZPL / Art. 22 GDPR). AI serves as a supporting tool — all significant decisions (e.g. approving a profile, deleting a review) are made by a human.
What is forwarded to AI providers: only texts and images already publicly published on company profiles or that the user knowingly submits (e.g. a photo for visual search). Email, phone and other contact data are never forwarded.
Your right to object (Art. 27 PDPA / Art. 21 GDPR): you may request at any time that your contributions (e.g. reviews) be excluded from AI processing. Write to privatnost@biznisportal.rs — we respond within 5 business days.
Data security
BiznisPortal.rs applies appropriate technical and organizational protection measures in accordance with Art. 50 PDPA, taking into account the nature, scope, context and purposes of processing, as well as the likelihood and severity of risks.
SSL/TLS encryption
All communication between your browser and the server is encrypted with the TLS 1.3 protocol.
Access control
Personal data is accessible only to authorized members of the admin team, on a need-to-know basis.
Secure databases
Databases are protected by encryption, authentication, and regular security updates.
Response plan
In the event of an incident, BiznisPortal.rs notifies the Commissioner within 72h (Art. 53 ZZPL).
In the event of a data security breach that may cause a high risk to the rights and freedoms of natural persons, we will notify you without undue delay, in accordance with Art. 54 ZZPL.
Data retention periods
Personal data is stored for as long as is necessary to achieve the purpose for which it was collected, or as required by legal obligations.
| Category | Retention period |
|---|---|
| Company / place / module profile | Until profile deletion + 30 days |
| Financial documentation | 11 years (Accounting Act, Art. 26) |
| Contact forms and email | 2 years from the last communication |
| Reviews (if published) | Until consent is withdrawn or the account is deleted |
| Technical logs (IP, access) | 90 days |
| Newsletter / marketing consent | Until consent is withdrawn |
| Backup copies | Up to 30 days from creation |
After the retention period expires, the data is permanently deleted or anonymized in a way that makes identification of the natural person impossible.
Your rights
In accordance with ZZPL, you have the following rights regarding the processing of your personal data. You can submit a request in writing to the email address listed in section 11. We will respond within 30 days from receipt of the request (Art. 21 ZZPL).
Art. 26 ZZPL
Right of access
You have the right to know which of your personal data we process, for what purposes and who the recipients of that data are.
Art. 29 ZZPL
Right to rectification
You have the right to request the correction of inaccurate or the completion of incomplete personal data.
Art. 30 ZZPL
Right to erasure
In certain situations you have the right to request the deletion of your personal data ('right to be forgotten').
Art. 31 of the PDPL
Right to restriction
You may request restriction of the processing of your data while your objection or rectification request is being resolved.
Art. 36 PDPA
Right to data portability
You have the right to receive the data you provided to us in a structured, machine-readable format.
Art. 37 ZZPL
Right to object
You can object to processing based on legitimate interest, including direct marketing.
Art. 15 para. 3 ZZPL
Withdrawal of consent
Where the basis is consent, you may withdraw it at any time with no consequences for prior processing.
Art. 83 ZZPL
Right to lodge a complaint
You have the right to file a complaint with the Commissioner for Personal Data Protection — www.poverenik.rs.
International data transfers
Certain service providers (hosting, email, analytics) may be located outside the territory of the Republic of Serbia. In the event of data transfer outside Serbia, we apply one of the following safeguards in accordance with Art. 64–69 of the PDPL:
- Transfer to a country with an adequate level of protection (decision of the Government of the Republic of Serbia or the Commissioner)
- Standard contractual clauses approved by the competent authority
- Binding Corporate Rules
- Certification of the service provider under a recognized protection mechanism
Changes to the privacy policy
BiznisPortal.rs reserves the right to amend this Privacy Policy to align with changes in legislation, business practices, or the platform's technical features.
We will notify you of all material changes in one of the following ways:
- By publishing the amended version on this page, with a new effective date
- By sending email notifications to registered users (for material changes)
- By displaying a prominent notice on the portal
Continued use of the portal after the changes take effect will be considered acceptance of the amended Privacy Policy. We recommend checking this page from time to time.
Contact and complaints
For any questions, requests or objections regarding the processing of your personal data, contact the controller through the following channels:
Supervisory authority
Commissioner for Personal Data Protection
Bulevar kralja Aleksandra 15, 11000 Belgrade
You have the right to file a complaint with the Commissioner if you believe that the processing of your personal data was carried out contrary to the provisions of the PDPA (Art. 83 PDPA). We recommend that, before filing a complaint, you try to resolve the dispute by contacting us directly.