Last updated: April 2026
Personal data is controlled by HODURAK (David Sabo PR, sole proprietor).
Under GDPR Article 37, we are not required to appoint a Data Protection Officer (DPO). All data protection inquiries are handled at support@birenko.com.
For users in the Republic of Serbia, this policy also complies with the Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti, "ZZPL", Official Gazette RS No. 87/2018). Where the ZZPL provides additional or different protections, those protections apply to data subjects in Serbia.
Name, email address, password (stored encrypted), profile photo (optional), language preference.
Tasks, documents, calendar entries, meeting reports, chat messages, and other content created by users.
IP address (audit log), browser type, device information, action logs (for security purposes), push notification tokens (for web and mobile push delivery), feature usage data (pages visited, response times; for internal service improvement, accessible only to system administrators).
The mobile application optionally supports biometric authentication (fingerprint/face recognition). Biometric data is processed and stored exclusively on the User's device using the Android Keystore system. This data is never transmitted to our servers.
The application may access the device camera for file uploads (capturing photos). The camera is only activated at the User's initiation, and captured photos are uploaded solely to the respective organization's storage.
Google Calendar (if enabled by the User), Sentry (error reporting).
When a person fills out a public form created by an organization (on the Birenko website or as an embedded widget on an external website), the following data is collected on behalf of the organization (which acts as the data controller for form submissions): the fields provided (name, email, phone, and other information depending on the form type), the IP address and browser user agent (for spam prevention). For ticket preorder forms, the submitted data is shared with the selected seller so they can contact the submitter.
When using an embedded widget, the external website may use its own cookies and trackers. The operator of the hosting website is responsible for those.
| Purpose | Legal Basis |
|---|---|
| Account management and authentication | Contractual necessity (GDPR Art. 6(1)(b)) |
| Core platform features (tasks, events, documents, etc.) | Contractual necessity (GDPR Art. 6(1)(b)) |
| Security measures and audit logging | Legitimate interest (GDPR Art. 6(1)(f)) |
| Error tracking (Sentry) | Legitimate interest (GDPR Art. 6(1)(f)) |
| AI features (Groq) | Consent (GDPR Art. 6(1)(a)) |
| Google Calendar sync | Consent (GDPR Art. 6(1)(a)) |
| Push notifications | Consent (GDPR Art. 6(1)(a)) |
| Newsletter | Consent (GDPR Art. 6(1)(a)) |
| Public forms and ticket preorder | Consent (GDPR Art. 6(1)(a)) |
Providing account data (name, email address, and password) is a contractual necessity required for us to deliver the service. Without this data, we cannot create or maintain the account. All other personal data, including biography, birthday, phone number, and profile photo, is voluntary. Not providing voluntary data may limit certain features but will not prevent basic platform use.
Birenko does not make automated decisions that produce legal effects or similarly significantly affect Data Subjects within the meaning of GDPR Article 22. AI features (powered by third-party LLM services) are assistive only: they generate suggestions that the User reviews and acts on at their own discretion. We reserve the right to use automated processing for security purposes, including spam detection, anomaly detection, and abuse prevention, based on our legitimate interest in platform security.
Where we rely on legitimate interest as a legal basis for processing, we conduct a balancing test to ensure our interests do not override the fundamental rights and freedoms of Data Subjects. Details of any such assessment may be requested by contacting support@birenko.com.
Birenko is a multi-tenant platform. Organization administrators may create user accounts by entering members' names and email addresses.
In this case:
By setting a password and using the platform, the User accepts this Privacy Policy.
| Provider | Purpose | Location |
|---|---|---|
| United Internet doo (unlimited.rs) | Platform hosting, data storage, and email delivery | Serbia |
| Sentry | Error tracking and performance monitoring | USA |
| Groq | AI features (opt-in) | USA |
| Google Calendar | Calendar sync (opt-in) | USA |
| Firebase Cloud Messaging (Google) | Mobile push notification delivery | USA |
We may engage new sub-processors or replace existing ones. We will provide at least 30 days' advance notice of material sub-processor changes by updating this page. If the User objects to a new sub-processor, they may terminate their use of the platform and request account deletion. Continued use of the platform after the notice period constitutes acceptance of the change.
Some of our sub-processors are located in the United States. Transfer safeguards are provided by the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs).
| Data | Retention Period |
|---|---|
| Active account data | Duration of service |
| Audit logs | 12 months |
| Deleted account data | 30 days (then permanently deleted) |
| Error logs | 90 days |
| Feature usage logs | 12 months |
| Public form submissions | As determined by the organization, up to deletion of the form |
Following deletion of an account or personal data, we may retain anonymized and aggregated data indefinitely for statistical analysis, service improvement, and reporting purposes. Anonymized data is data that cannot reasonably be linked back to any identified or identifiable individual, including through combination with other data sets. Such data is not considered personal data under GDPR (Recital 26) or ZZPL and falls outside the scope of data protection regulation.
Under the GDPR and ZZPL, Data Subjects have the following rights:
To exercise these rights, contact support@birenko.com. We will respond within one month.
Account deletion: The User may request deletion of their account and all associated personal data by contacting support@birenko.com. Upon receiving the request, the account will be deleted within 30 days, subject to any legally required retention periods described in this policy.
Data Subjects may lodge a complaint with:
Under Serbian law, unauthorized collection, processing, or use of personal data may constitute a criminal offense punishable by fine or imprisonment (Criminal Code of the Republic of Serbia). Birenko takes these obligations seriously and implements appropriate safeguards to ensure lawful processing.
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure. These include encryption technologies, access controls, and regular security reviews. In the event of a data breach, affected Data Subjects will be notified in accordance with applicable law.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, we will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Where the breach is likely to result in a high risk to an individual, we will also notify the affected Data Subject without undue delay, unless an exception under GDPR Article 34(3) applies (e.g., the data was encrypted, or subsequent measures have eliminated the risk).
The platform is not directed at children. The minimum age for digital consent is 16 under the GDPR and 15 under Serbian ZZPL (Article 16). We do not intentionally collect data from individuals below the applicable age threshold in their jurisdiction. Anyone who believes we have inadvertently collected data from a minor should contact us immediately at support@birenko.com.
Under GDPR Article 27, controllers established outside the European Union who offer services to EU data subjects may be required to designate a representative within the EU. We are currently assessing the need for an EU representative and will update this section accordingly. In the meantime, all data protection inquiries may be directed to support@birenko.com.
We may update this Privacy Policy from time to time. Non-material changes take effect immediately upon updating the "Last updated" date, without separate notice. For material changes (those that affect how personal data is processed or that affect Data Subject rights) we will provide 30 days' notice.