Privacy Policy

1. Introduction

This Privacy Policy describes how Kodius d.o.o. (hereinafter: "Data Controller") collects, uses, stores, and protects personal data through the Kloki platform (hereinafter: "Platform"), in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Implementation Act on the General Data Protection Regulation (NN 42/2018).

2. Data Controller

Kodius d.o.o.
OIB: 27444943498
Oreškovićeva 1a, 10000 Zagreb, Croatia
info@kloki.app+385 1 2095 273

3. Categories of Data We Collect

  • Company data: Company name, tax ID (OIB), registered address, company contact details.
  • Employee personal data: First name, last name, email address, job title, department, start date, contact phone number.
  • Work time data: Records of arrivals and departures, overtime hours, night work, work on public holidays.
  • Absence data: Annual leave, sick leave, remote work, paid and unpaid leave.
  • Project data: Time entries per project (Work log), task descriptions, billability labels.
  • Shift data: Work schedules, planned and completed shifts.
  • Travel orders: Destinations, dates, mileage, daily allowances.
  • Technical data: IP address, browser and device type, cookies, Platform usage data.

4. Legal Basis for Processing

We process personal data based on the following legal grounds under Article 6(1) of the GDPR:
  • Performance of a contract (point b): Processing necessary for providing the Platform service — registration, account management, work time and absence tracking.
  • Legal obligation (point c): Processing necessary for compliance with labor regulations, the Labor Act, and tax regulations.
  • Legitimate interest (point f): Platform improvement, system security, abuse prevention, and usage analytics.
  • Consent (point a): For analytical cookies and marketing communications. Consent may be withdrawn at any time.

5. Purposes of Processing

We use data exclusively for:
  • Providing and maintaining Platform services.
  • Maintaining legally required work time records.
  • Subscription billing and invoicing.
  • Service-related communications (maintenance notices, terms changes, security alerts).
  • Usage analysis to improve functionality and user experience.
  • Technical support and troubleshooting.
  • Abuse prevention and Platform security protection.

6. Data Processors (Sub-processors)

We use the following third parties to provide our service:
Sub-processorPurposeData location
Amazon Web Services (AWS SES)Sending transactional emailsEU (Frankfurt)
Google LLC (Google Analytics)Website usage analyticsEU/US (with SCCs)
All other data (database, application server, chat system) is stored on the Data Controller's own servers located in a data center in Zagreb, Croatia.

7. Data Storage and Location

  • Primary location: All user data is stored on our own servers in Zagreb, Republic of Croatia.
  • Transfers outside the EU: Google Analytics may transfer data to the US. For such transfers, appropriate safeguards are in place (Standard Contractual Clauses — SCCs). Users may reject analytical cookies via the cookie banner.
  • Encryption: All data in transit is protected by TLS encryption. Data at rest is protected at the database level.

8. Data Retention Periods

  • Active account data: Retained while the subscription is active.
  • After subscription cancellation: Data is retained for 90 days to allow reactivation or export, after which it is permanently deleted.
  • Accounting data: Invoices and payment data are retained for 11 years in accordance with the Accounting Act.
  • Technical logs: Retained for up to 12 months for security and diagnostics purposes.
  • Consent-based data: Retained until consent is withdrawn.

9. Data Subject Rights

Under the GDPR, you have the following rights:
  • Right of access (Art. 15): You may request confirmation of whether we process your data and obtain a copy.
  • Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): You may request deletion of data when processing is no longer necessary, unless retention is legally required.
  • Right to restriction of processing (Art. 18): You may request restriction of processing in certain cases.
  • Right to data portability (Art. 20): You may request your data in a machine-readable format. Kloki enables data export in CSV and Excel formats.
  • Right to object (Art. 21): You may object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7): Consent for analytical cookies and marketing may be withdrawn at any time.
To exercise your rights, contact us at info@kloki.app. We will respond within 30 days. You also have the right to file a complaint with the Croatian Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, azop.hr.

10. Controller and Processor Relationship

When the User (company) uses the Platform to record data of their employees:
  • The User is the Data Controller for their employees' data.
  • Kodius d.o.o. is the Data Processor who processes this data solely according to the User's instructions and for the purpose of providing the service.
  • By accepting the Terms of Use, the User enters into a Data Processing Agreement (DPA) with Kodius d.o.o. that includes obligations under Article 28 of the GDPR.
  • Kodius d.o.o. undertakes not to process the User's employee data for its own purposes.

11. Security Measures

We implement the following technical and organizational security measures:
  • TLS encryption for all data in transit (HTTPS).
  • Encryption of data at rest at the database level.
  • Regular encrypted backups.
  • Restricted data access limited to authorized personnel on the principle of least privilege.
  • Access and security event monitoring (audit log).
  • Regular software updates and security patches.

12. Cookies

A detailed overview of the cookies we use is available in our Cookie Policy.

13. Changes to the Privacy Policy

We will notify Users of significant changes to this Privacy Policy via email at least 15 days before they take effect. The updated version will be published on this page with a new modification date. We recommend periodically reviewing this page.

14. Contact

For any questions regarding the protection of personal data:

Thank you for using Kloki!

Date of last change: April 17, 2026

We use cookies to give you the best experience on our website. By continuing to browse, you agree to our Privacy Policy and the use of cookies. Learn more.