Privacy

Privacy Policy

1. Controller

2. What data we process

3. Legal bases under GDPR

4. Payments: Stripe first

Checkout launches through Stripe Payment Links. Stripe processes payment data as an independent controller or processor depending on the specific checkout integration, fraud controls, tax handling, and account setup. Stripe privacy notices apply when you use its checkout. PayPal may be added later only after equivalent privacy, refund, order-export, and legal-acceptance handling is configured.

Wise may be used for business banking, settlement, or account operations. It is not offered as a consumer checkout method unless a separate, written manual-payment arrangement is made. Payment and accounting records may be reconciled in the Altoria Accounting Platform.

5. Uploads, documents, and sensitive data

6. AI-assisted processing

AI tools may help summarize, structure, translate, or explain information. The output is educational/informational and must be verified by the user against original sources and qualified professionals where needed. We do not use AI to decide access to insurance, credit, employment, benefits, pricing, legal rights, tax liability, investment suitability, or any other matter with legal or similarly significant effects.

Before any live AI tool processes personal data or uploaded documents, the production build must name the AI provider, hosting region, data retention, DPA status, and whether data is used for model training. If that information is not ready, the intake should fail closed and route the request to manual review.

7. Cookies and analytics

Essential cookies may be used to operate the website, remember privacy choices, maintain security, or support checkout. Non-essential analytics, marketing, affiliate, remarketing, heatmap, or social-media pixels are off by default and may only load after opt-in. See the Cookie Policy.

8. Processors and recipients

9. Retention

10. International transfers

The production setup should prefer EU/EEA hosting and processors. If a provider transfers data outside the EEA, the provider must offer a lawful transfer mechanism such as EU Standard Contractual Clauses and appropriate safeguards. This must be checked for Stripe, email, hosting, AI, analytics, and banking providers before publication.

11. Your rights

You may request access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You may also lodge a complaint with the competent data protection authority.

Requests: info@altoria.hr.

12. Drafting references