Our Privacy Policy
Protecting your privacy is one of our top priorities.
Factory d.o.o.
Version: 1.0
Governing law: Republic of Croatia / EU (GDPR)
Language note: This policy is available in Croatian and English. In the event of any conflict between the two versions, the Croatian text prevails.
This Privacy Policy describes how Factory d.o.o. (“Factory”, “we”, “us”) collects, uses, and protects personal data in three distinct contexts:
- Part A — Processing through our website (factory.dev), where Factory acts as data controller.
- Part B — Our Software (Microsoft Dynamics add-on products), where Factory acts as a software vendor. The Customer is the sole data controller for all data processed using the Software. Factory only becomes a data processor in specific scenarios involving access to the Customer’s environment (remote support, hosted services).
- Part C — Collection of anonymised telemetry from our Software, where Factory acts as data controller.
1. Data Controller
Factory d.o.o.
Poduzetnička zona II 18 (Poduzetnički inkubator) 33 000 Virovitica, Republic of Croatia
Phone: +385 33 638 271
Email: hello@factory.dev
OIB: 47726994562
2. Data Protection Officer
Martina Vašarević
Email: dpo@factory.dev
You may contact our Data Protection Officer directly at any time with questions or requests relating to the processing of your personal data.
3. Legal Framework
Personal data is processed in accordance with:
- Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
- Zakon o provedbi Opće uredbe o zaštiti podataka (NN 42/18) — Croatian Act implementing the GDPR
- Zakon o elektroničkim komunikacijama — for the use of cookies and electronic communications
4. Legal Bases
We process personal data only where a valid legal basis exists under Article 6 GDPR:
Legal basis | When applied |
Art. 6(1)(a) — Consent | Analytics cookies, marketing cookies, newsletter subscription |
Art. 6(1)(b) — Contract | Processing necessary to respond to pre-contractual enquiries or fulfil a contract |
Art. 6(1)(c) — Legal obligation | Compliance with Croatian tax, accounting, and other statutory obligations |
Art. 6(1)(f) — Legitimate interest | Website log files, responding to contact form enquiries, security measures |
Part A — Website Processing (factory.dev)
In this part, Factory d.o.o. acts as data controller.
A.1 Website Log Files
When you visit factory.dev for informational purposes only, our server automatically records the following data in server log files:
- Browser type and version
- Operating system
- Referrer URL (previously visited page)
- Pages accessed on our website
- Date and time of access
- IP address (anonymised)
- Internet service provider
This data is used to ensure the technical functioning of the website, to optimise content, and to provide information necessary for law enforcement in the event of a security incident. Log data is stored separately from any personally identifiable data you provide.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in maintaining a functional and secure website.
Retention: 30 days, then automatically deleted.
A.2 Cookies
Cookies are small text files stored on your device when you visit our website. We use the following categories of cookies.
A.2.1 Necessary cookies
These cookies are strictly required for the website to function and are placed without consent.
Cookie | Provider | Purpose | Expiry |
Cookide | factory.dev | Stores your cookie consent preferences | 1 year |
PHPSESSID / session | factory.dev | Session management | Session |
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in website operation.
A.2.2 Analytics cookies
These cookies are placed only after you have given your consent via our cookie banner.
Cookie | Provider | Purpose | Expiry |
_ga | Google Analytics | Distinguishes unique users | 2 years |
ga* | Google Analytics | Session state (GA4) | 2 years |
_gid | Google Analytics | Distinguishes users | 24 hours |
Google Analytics creates pseudonymised user profiles. IP addresses are anonymised (IP masking). Data is transmitted to Google servers in the United States.
Legal basis: Art. 6(1)(a) GDPR — consent.
Third-country transfer: Google LLC is certified under the EU-US Data Privacy Framework (adequacy decision, Art. 45 GDPR). A Data Processing Agreement is in place.
Opt-out: You may withdraw consent at any time via the cookie settings on our website, or install the Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout
A.2.3 Marketing cookies
These cookies are placed only after you have given your consent via our cookie banner.
Cookie | Provider | Purpose | Expiry |
_gcl_au | Google Ads | Conversion tracking | 90 days |
IDE | Google Ads | Remarketing | 1 year |
Legal basis: Art. 6(1)(a) GDPR — consent.
Third-country transfer: Google LLC — EU-US Data Privacy Framework adequacy decision applies.
Opt-out: Withdraw consent via cookie settings, or visit https://www.google.com/settings/ads
A.2.4 Managing cookie preferences
You can change or withdraw your cookie consent at any time via the cookie settings accessible from the footer of our website. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
A.3 Contact Form and Direct Enquiries
When you contact us via our website contact form or by email, we collect the information you provide (name, email address, company, and the content of your message).
This data is used exclusively to respond to your enquiry. It is not shared with third parties, except where required by law.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in responding to enquiries; additionally Art. 6(1)(b) GDPR where the enquiry relates to a prospective contract.
Retention: Data is deleted once your enquiry has been fully resolved and no statutory retention obligation applies, typically within 12 months.
A.4 Newsletter (MailChimp)
You may subscribe to our newsletter on factory.dev. We use a double opt-in procedure: after you submit your email address, a confirmation email is sent to verify that you hold the address and have authorised the subscription.
Data collected at subscription: email address, first name (if provided), IP address and timestamp of the opt-in confirmation.
This data is transmitted to and stored by our newsletter provider:
The Rocket Science Group, LLC d/b/a MailChimp
675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA
Our newsletters may contain tracking pixels that allow us to determine whether an email was opened and which links were clicked. This data is used in pseudonymised form to optimise our newsletter content.
Legal basis: Art. 6(1)(a) GDPR — consent.
Third-country transfer: A Data Processing Agreement based on EU Standard Contractual Clauses (EU Commission Decision 2021/914) has been concluded with MailChimp.
Unsubscribe: You may unsubscribe at any time via the unsubscribe link in any newsletter email or by contacting dpo@factory.dev. Unsubscribing is treated as withdrawal of consent.
Retention: Newsletter subscriber data is deleted within 30 days of unsubscription.
A.5 Career Applications (Talentlyft)
Candidates who apply for positions at Factory through our careers page submit application data via Talentlyft, a recruitment platform. Data collected includes: name, contact details, CV, cover letter, and any other information voluntarily provided.
Application data is used exclusively for evaluating your candidacy. If an employment contract is concluded, data is retained for the purpose of employment administration. If no contract is concluded, application data is deleted six months after notification of the rejection decision, unless statutory obligations or pending proceedings require longer retention.
Legal basis: Art. 6(1)(b) GDPR — processing necessary for steps taken at the request of the data subject prior to entering into a contract.
Retention: 6 months after rejection, or for the duration of the employment relationship.
A.6 Testimonials
Where we display testimonials, quotes, or case study references from clients, employees, or interns on our website, we obtain prior written consent from the individual concerned before publishing any personally identifiable information (name, role, company).
Legal basis: Art. 6(1)(a) GDPR — consent.
A.7 External Links
Our website may contain links to third-party websites. Factory is not responsible for the data protection practices or content of those websites. We recommend reviewing the privacy policy of each website you visit.
A.8 Third-Party Processors (Website)
Factory shares website data with the following processors, all bound by Data Processing Agreements:
Processor | Purpose | Location | Transfer mechanism |
Google LLC | Analytics (GA4), advertising (Ads) | USA | EU-US Data Privacy Framework |
The Rocket Science Group LLC (MailChimp) | Newsletter delivery and tracking | USA | Standard Contractual Clauses |
Talentlyft | Recruitment and applicant tracking | EU | Within EEA — no transfer mechanism required |
Part B — Software Product (Factory as Software Vendor)
In this part, Factory d.o.o. acts as a software vendor and licensor. The Customer is the sole data controller for all personal data processed using the Software.
B.1 Factory’s role — software vendor, not data processor
Factory develops and licenses Microsoft Dynamics and Pimcore add-on software. When a Customer installs and operates the Software in their own environment — whether on their own servers (On-Premises Deployment) or within their own Microsoft Tenant (Cloud Deployment) — Factory does not access, receive, or process the personal data that the Customer’s users enter into or store within the Software.
In this standard deployment model:
- The Customer is the sole data controller under Article 4(7) GDPR — responsible for determining what personal data is processed using the Software, for what purposes, on what legal basis, and for how long.
- Factory is a software vendor — Factory delivers code and does not process personal data on the Customer’s behalf. Factory has no access to the Customer’s servers, database, Microsoft Tenant, Pimcore instance, or the data held within the Software.
GDPR obligations for personal data processed through the Software — including providing a lawful basis, informing data subjects, handling data subject rights requests, and ensuring data security — rest entirely with the Customer.
B.2 When Factory may act as a data processor
Factory’s role changes to that of a data processor (Article 4(8) GDPR) only in specific circumstances where Factory staff gain access to a Customer’s environment or data:
Scenario | Factory’s role | DPA required? |
Standard code delivery — Customer-controlled On-Premises, Microsoft Tenant, or Pimcore deployment, no Factory access | Software vendor | No |
Remote technical support — Factory engineer accesses Customer environment to diagnose or fix an issue | Data processor for the duration of that activity | Yes |
Factory-hosted service — any Software component operated by Factory on Factory infrastructure that handles Customer data | Data processor | Yes |
Where Factory acts as a data processor, a Data Processing Agreement (DPA) compliant with Article 28 GDPR must be in place before any such access occurs. The DPA governs the scope, purpose, and duration of processing; security obligations; sub-processor rules; and the return or deletion of data.
To arrange a DPA or request remote support access, contact: dpo@factory.dev
B.3 Data subject rights — Software users
If you are an individual whose personal data has been entered into the Software by a Customer, your rights under GDPR (access, rectification, erasure, etc.) must be exercised directly with that Customer, who is your data controller. Factory has no visibility of or access to your data and cannot respond to such requests on the Customer’s behalf.
Part C — Software Telemetry (Factory as Data Controller)
In this part, Factory d.o.o. acts as data controller for anonymised usage data collected from the Software.
C.1 Anonymised Usage and Telemetry Data
Factory may collect anonymised and aggregated technical usage data from the Software to understand how the product is used, improve functionality, and prioritise development. This includes data such as: feature usage frequency, error rates, performance metrics, and session counts.
This data is anonymised and aggregated before collection — it cannot be used to identify any individual user or customer. No personal data (names, email addresses, customer records, or business data) is collected through telemetry.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in improving the quality and reliability of our Software products.
C.2 What is not collected
Factory does not collect through telemetry:
- Any personal data entered into the Software by users
- Customer business data (orders, invoices, contacts, financial records)
- User identities, email addresses, or login credentials
- Any data that can be attributed to a specific individual or company
C.3 Opt-out
Customers may disable telemetry collection by adjusting the Software settings as described in the Documentation, or by contacting dpo@factory.dev.
5. Data Rights
Under GDPR Chapter III and the Croatian Zakon o provedbi Opće uredbe o zaštiti podataka (NN 42/18), you have the following rights with respect to personal data that Factory processes as a data controller (Parts A and C above):
Right to access (Article 15 GDPR)
You have the right to obtain confirmation of whether we process personal data about you, and to receive a copy of that data along with information about the purposes, categories, recipients, retention periods, and the source of the data.
Right to rectification (Article 16 GDPR)
You have the right to request immediate correction of inaccurate personal data and completion of incomplete personal data.
Right to erasure (Article 17 GDPR)
You have the right to request deletion of your personal data where: it is no longer necessary for the purpose for which it was collected; you withdraw consent and no other legal basis applies; you object and we have no overriding legitimate grounds; or the data has been unlawfully processed.
Right to restriction of processing (Article 18 GDPR)
You have the right to request that we restrict processing of your data — meaning we may store it but not otherwise use it — while the accuracy of data is contested, an objection is pending, or processing is unlawful but you do not want the data erased.
Right to data portability (Article 20 GDPR)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller.
Right to object (Article 21 GDPR)
You have the right to object at any time to processing based on our legitimate interest (Art. 6(1)(f) GDPR), including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
You have an absolute right to object to the use of your data for direct marketing purposes at any time.
Right to withdraw consent (Article 7(3) GDPR)
Where processing is based on consent, you may withdraw your consent at any time with future effect. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to lodge a complaint (Article 77 GDPR)
You have the right to lodge a complaint with the Croatian data protection supervisory authority:
Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10 000 Zagreb, Republic of Croatia
Web: azop.hr
Email: azop@azop.hr
You may also lodge a complaint with the supervisory authority of your place of habitual residence or workplace.
To exercise any of the above rights, contact our Data Protection Officer at dpo@factory.dev. We will respond within 30 days of receipt of your request, as required by Article 12 GDPR.
6. Retention Periods
Data Category | Retention Period |
Website server log files | 30 days |
Contact form / email enquiries | 12 months after resolution |
Newsletter subscriber data | Until unsubscription + 30 days |
Job application data (rejected candidates) | 6 months after rejection notification |
Job application data (hired candidates) | Duration of employment + applicable statutory period |
Testimonial consent records | Duration of publication + 3 years |
Cookie consent records | 1 year from consent |
Invoice / contract data (legal obligation) | 11 years (Croatian accounting law) |
Data is deleted or anonymised once the applicable retention period expires, unless a longer period is required by law or is necessary for the establishment, exercise, or defence of legal claims.
7. Security
Factory implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Technical: HTTPS/TLS encryption for all data transmission, access controls, pseudonymisation where applicable, regular security assessments.
- Organisational: Data protection policies, staff training, contractual confidentiality obligations for all personnel with access to personal data, Data Processing Agreements with all third-party processors.
8. Third-Country Data Transfers
Some of our third-party processors are located in countries outside the European Economic Area (EEA). We ensure that any such transfers comply with Chapter V GDPR:
Processor | Country | Transfer mechanism |
Google LLC (Analytics, Ads) | USA | EU-US Data Privacy Framework (Art. 45 GDPR adequacy decision) |
MailChimp (The Rocket Science Group LLC) | USA | Standard Contractual Clauses — EU Commission Decision 2021/914 |
We do not transfer personal data to countries outside the EEA unless one of the mechanisms listed above, or another mechanism permitted under Chapter V GDPR, is in place.
9. Updates to This Policy
Factory may update this Privacy Policy from time to time to reflect changes in our data processing practices or applicable law. We will notify users of material changes by posting the updated policy on factory.dev and updating the version number and date at the top of this document.
Continued use of our website or Software after the effective date of a revised policy constitutes acceptance of the changes, to the extent permitted by applicable law.
10. Contact
For any questions about this Privacy Policy or to exercise your data subject rights:
Data Protection Officer
Martina Vašarević
dpo@factory.dev
Factory d.o.o.
Poduzetnička zona II 18 (Poduzetnički inkubator) 33 000 Virovitica, Republic of Croatia
Phone: +385 33 638 271
Email: hello@factory.dev