Updated at 2022-02-01 General Terms

CityX Apps Ltd., Janka Draškovića Street 21B, 10430 Samobor, VAT Number: 44810033758 (hereinafter referred to as CityX or Data Controller), respects the privacy of every individual whose personal data it processes, and protects it as strictly confidential. CityX continuously implements appropriate organizational, technical, and administrative security measures to protect the personal data it processes from all foreseeable risks. The security of our Users' and clients' personal data is very important to us, so we would like to inform you below about which personal data and for what purpose CityX collects, how it protects them, as well as what your rights are as a data subject.

I. GENERAL INFORMATION

Data Controller and Legal Basis
CityX processes personal data in accordance with the provisions of EU Regulation 2016/679 of the European Parliament and Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation, hereinafter referred to as: GDPR), the Law on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018) and other applicable legal regulations governing the subject area. In the context of this Privacy Policy, natural and legal persons whose data is processed ("data subjects" as defined in the GDPR) are referred to as Users.

Principles of Personal Data Protection
CityX, during the processing of personal data, pays special attention to the principles of personal data processing:
legality, fairness, and transparency of processing: this means that processing should be in accordance with a specific legal basis, and the principles of fair and transparent processing require that the individual be informed about the processing procedure and its purposes, and that the Data Controller is obliged to provide the data subject with all additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context of personal data processing; purpose limitation: this means that data should be collected for specific, explicit, and lawful purposes and should not be further processed in a way that is not in accordance with those purposes; however, further processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes is possible; data minimization: this means that data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed; accuracy: this means that data must be accurate and up-to-date as needed; every reasonable measure must be taken to ensure that inaccurate personal data, considering the purposes for which they are processed, are deleted or corrected without delay; storage limitation: this means that data must be stored in a form that allows the identification of data subjects only for as long as necessary for the purposes for which personal data is processed; longer storage periods are possible only if personal data will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes with the implementation of appropriate protection measures prescribed by the Regulation; integrity and confidentiality: this means that data must be processed in a way that ensures an appropriate level of security, including protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage;

II. WHAT PERSONAL DATA OF USERS DO WE COLLECT?
CityX processes personal data of data subjects who access and use our website WWW.CITYX.HR, as well as individuals who use services available through our website and application (hereinafter collectively referred to as: Users). The personal data of Users being processed is, as a rule, collected from the Users themselves. We collect personal data:
1. By using our website
2. When registering to use all applications


1. Personal data of Users we collect when accessing and using our website and application:
When registering to use our services, we collect the following personal data of Users:
i) First name;
ii) Last name;
iii) Email address;
iv) Phone number;

What do we use the aforementioned personal data for (purpose)?
We use the aforementioned data in order to perform registration and/or identification of an individual User, and to be able to provide information related to our use of services.

III. LEGAL BASIS FOR PROCESSING PERSONAL DATA
Legal basis for processing User's personal data:
a) processing is necessary for the performance of a contract in which the User is a party or to take steps at the request of the User prior to entering into a contract;
Data collected on the basis of this ground is used to establish a contractual relationship with the User, or to perform obligations arising from the relevant contract.
b) processing is necessary for compliance with the controller's legal obligations;
Data collected on the basis of this ground is used to meet the legal obligations of the controller in issuing invoices for services provided.
At the same time, this basis will be used to process the User's personal data in order to comply with regulations on money laundering and financing of terrorism.
If CityX decides to carry out processing of personal data for marketing and promotional purposes, the same will be collected and processed only on the basis of this legal ground.


IV. DURATION OF PERSONAL DATA PROCESSING
Given the sensitive nature of the services that CityX provides, all data processed in accordance with legal grounds will be kept for the minimum legal retention periods set by the regulations:
a) based on the Accounting Act – 11 years
b) based on the Law on the Prevention of Money Laundering and Financing of Terrorism – 5 years/10 years

V. WITH WHOM WE SHARE THE USER'S PERSONAL DATA
User's personal data can be shared with the following types of recipients:
a) with data processors when providing our services in accordance with these Privacy Policies, and with whom we have a legal agreement guaranteeing the protection of the User's personal data in accordance with these Privacy Policies and the positive legal regulations that ensure the protection of personal data of natural persons;
b) with service providers and third-party partners who provide us with data processing services, such as, but not limited to, payment processing and other payment-related issues, financial advisory services, IT support, etc. All such parties are required to use personal data of the User in accordance with these Privacy Policies and positive legal regulations that ensure the protection of personal data of natural persons;
c) with any competent authority, regulatory body, government agency, judicial authority, court, arbitration court, or third party that we consider necessary and justified to disclose
(i) to meet obligations imposed by positive legal regulations;
(ii) for the establishment, exercise, or defense of the rights of the Controller;
(iii) for the protection of the vital interests of the Controller and/or the interests of any other person when legally justified
e) With any other person, such as clients and third parties, with your consent for such disclosure.

VI. HOW WE PROTECT THE USER'S PERSONAL DATA?
CityX actively implements technical, physical, and administrative security measures to provide a high level of protection for the User's personal data from loss, misuse, unauthorized access, disclosure, and alteration. Security measures include firewalls, data encryption, physical control of access to our data centers, and limiting access authorization to personal data.

VII. RIGHTS OF USERS AS TEST SUBJECTS
The rights of Users as test subjects in terms of the GDPR related to the processing of personal data are as follows:
Right of access – The User has the right to receive from CityX a confirmation whether personal data that relate to him/her are processed and, if such personal data are processed, access to personal data and the following information: the purpose of the processing, the categories of personal data in question, the recipients or categories of recipients of personal data, the period for which personal data will be stored, information on rights and sources of data if not collected from the User. If the User's personal data are transferred and processed outside the EU, the User has the right to information about appropriate protective measures. Where possible, the User may receive a copy of the personal data being processed.
Right to rectification – The User has the right to rectify inaccurate personal data that relate to him/her, and we are obliged to carry out the rectification without undue delay. Taking into account the purposes of processing, the User has the right to complete incomplete personal data, among others by providing additional statements.
Right to deletion (“right to be forgotten”) – The User has the right to delete personal data that relate to him/her without undue delay, if there is no legal reason for further processing of such data (if the data is no longer necessary in relation to the purposes for which they were processed and there is no legal obligation to store/retain personal data).
Right to restrict processing - The User has the right to restrict the processing of his/her personal data in the following situations: if he/she disputes the accuracy; if the processing is illegal, but he/she objects to deletion; if he/she requests them for the purpose of establishing, exercising or defending legal claims and CityX is not required for processing; if a complaint has been made regarding the processing of the User's personal data and awaits confirmation.
Right to data portability – The User has the right to receive data relating to him/her in a structured, commonly used and machine-readable format and to transfer them to another service provider, i.e. data processing controller, if the following conditions are met: the processing is based on the User's consent or contract and is carried out by automated means. When exercising his/her rights to data portability, the User has the right to direct transfer of data to another data controller if technically feasible.
Right to object - If the processing of the User's personal data is based on the achievement of CityX's legitimate interests, the User has the right to object at any time to such processing of personal data to the extent that the processing relates to his/her data.

Exercise of the rights of the User as a test subject:
For all questions and requests regarding personal data, please contact the CityX data protection officer at:
e-mail: katarina@cityx.hr
We will process requests and requests without unnecessary delay and in accordance with legal obligations and we will inform you of the measures we have taken.
If you believe that CityX is processing your data illegally and you cannot resolve it in cooperation with us, you have the right to file a complaint with the supervisory authority (Agency for Personal Data Protection – AZOP).

VIII. RIGHTS OF THE SUBJECT WHEN PERSONAL DATA IS NOT OBTAINED FROM THE SUBJECT
In cases of collection and processing of personal data referred to in point II.6, the controller may collect and process personal data of third parties - subjects that have been obtained from the User. In accordance with Art. 14 GDPR, the controller ensures all the rights of the subjects when the personal data of the subjects is obtained from the User, as well as when the User is the subject, and all the rights, obligations, deadlines, conditions and information contained in these Privacy Rules are fully applicable and available to third parties - subjects whose personal data has been obtained from the User. The obligation is on the User to warn and instruct the third party - subject whose personal data has been forwarded for processing by the Controller of the contents of these Privacy Rules and the rights contained in them.

IX. CHANGES AND AMENDMENTS TO THE PRIVACY POLICY
CityX may periodically and at its own discretion update, modify and supplement this Privacy Policy in response to changes in legal, technical or business development. When we update, modify or supplement our Privacy Policy, we will take appropriate measures to inform users, in accordance with the significance of the changes we make. The amended Privacy Rules come into effect on the date of publication.