Privacy policy

1. WHAT IS THE PRIVACY POLICY?

This Privacy Policy refers to the data of contractual partners, job candidates, business partners or other persons (hereinafter: “data subjects”) with whom we have business cooperation and whose personal data we process in our business operations.

This Privacy Policy does not regulate the processing of personal data arising from the employment relationship, since such data is regulated by internal rules.

We believe that responsible handling of personal data supports business growth, builds trust and strong relationships. We are committed to respecting and protecting the privacy of all individuals whose personal data we process.

In this Privacy Policy we will use the term “personal data processing” when we talk about any activity related to personal data, such as the collection of personal data, their storage, sharing, destruction or even mere access to data without taking any other actions.

Transparency regarding your personal data we process is very important to us including: the reason, method and duration of processing, data protection and your rights. This Privacy Policy refers exactly to that. The Policy is divided into several parts for easier navigation. In addition to this Privacy Policy, we will also sometimes provide you with additional timely privacy information where appropriate. The Policy also provides the contact details of the Data Protection Officer, a person you can contact in order to exercise your rights.

2. ABOUT US

We process personal data as part of our business activities. Personal data include any information that can identify you, such as your name, phone number, IP address, information you provided while participating in one of our events, or a resume that you submitted with a job application.

When handling personal data, we act either as a Data Controller or as a Processor, depending on the situation. This distinction is crucial since it establishes the level of responsibility of the company, what the company should do in terms of data protection, and how it ensures that you exercise your right to privacy. The simplest explanation is that the Data Controller is the one who decides how and for what purpose your personal data will be used and he is ultimately responsible for handling them, while the Processor follows the instructions of the Data Controller on how to handle such data.

Our activities as the Processor:

Our contractual partners are mainly companies that use services from our portfolio for various needs in their business. When providing services, we act as a Processor on behalf of the contractual partner and we process relevant data exclusively for the purpose of providing our services to contractual partners. We do this within the defined limits, according to the instructions of the contractual partner and in accordance with the terms of use of the services, service agreement, data processing agreement or similar agreement concluded with the contractual partner.

• For example, if a contractual partner purchases online services from us, he can entrust us with administrative powers for the purpose of providing, managing and supporting these services. We process this information in accordance with the terms of the agreement on the processing of personal data that we conclude with the contractual partner. The contractual partner has the right to withdraw the assigned administrator powers at any time. In situations where the contractual partner grants us administrative powers, we act as a Processor on behalf of the contractual partner.

Our activities as the Data Controller:

This Privacy Policy describes the activities we undertake in the role of the Data Controller, not in the role of the Processor. We act as a Data Controller when we process personal data for our own needs and do not act on behalf of others.

• For example, we act as a Data Controller when we process contractual partners’ data necessary for invoicing our services. We also act as a Data Controller when sending marketing notifications or when processing the data of candidates who apply for our job vacancies.

3. WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?

The entity responsible for the processing of personal data as described in this Privacy Policy - the Data Controller - is Bonsai Ltd., Croatia, Zagreb, Koturaška cesta 47, company identification number (OIB): 81255473305, https://bonsai.tech/.

Bonsai Ltd. is part of the Span group. For the processing of personal data within the Span group, each company is responsible for the part of the data it processes. Depending on the specific relationship that applies to you, another Span Group company may be the Data Controller of your personal data. Each company of the Span Group is authorized to define its own policies and rules for the protection of personal data in accordance with the applicable regulations. You can find a list of all Span Group companies here.

If you have any questions regarding this Privacy Policy, you can contact our Data Protection Officer at dpo@span.eu or by mail to the address Bonsai Ltd., Koturaška cesta 47, 10000 Zagreb, with the indication “Data Protection Officer”.

4. HOW DO WE OBTAIN YOUR PERSONAL DATA?

Most of the personal data we process is provided to us directly by you, for example when you:

• Use our services,
• Visit our website,
• Participate in our trainings and educations,
• Communicate with us (in person, via online sites or via e-mail);
• Complete our surveys or online questionnaires,
• Respond to a job ad, or other education.

We also receive your personal information from other sources, such as in the following situations:

• If you are an employee or representative of one of our contractual partners, the contractual partner may provide us with certain information about you in order for you to use our services.
• If you visit our website, we collect certain information through cookies (such as your browser type, the pages you visited and the order of visits, as well as information about whether you are a new or returning visitor). For more information about how we collect data through cookies, please read our Cookie Policy.

5. WHICH PERSONAL DATA DO WE PROCESS, WHY AND ON WHAT BASIS, HOW DO WE USE THEM AND HOW LONG DO WE KEEP THEM?

5.1 For the purpose of concluding a contract, and to enable or ensure the use of services

What personal data do we process?

Bonsai processes data necessary for concluding contracts and successfully maintaining business relations with contractual partners, which includes:

• If you are personally (as an individual, i.e. a natural person) our contractual partner, we process: your name and surname, business data: address, e-mail address, phone number, company name, as well as data necessary for billing (name and surname, address, identification number (OIB) / VAT ID, IBAN / bank account number and other information in accordance with current regulations),
• Business contacts of representatives of the contractual partner and other individuals who act as a contact point (e.g. name and surname, business data: address, e-mail address, phone number, company name),
• Data from the resume/CV of the supplier, i.e. the supplier's representative (e.g. data on education, previous employment, length of service, experience, etc.), for example, when applying for public procurement,
• Data required for providing support to contractual partners (i.e. communications with customer support, including the content of customer support tickets).

How do we collect personal data?

• Directly from you (if you are our contractual partner) or
• Directly from you or through your company, if your company is our contractual partner.

Why do we process personal data, on what legal basis and how do we use them?

We process such data in order to:

• Sign and execute contracts with you or your company.
• Provide customer support.
• Share relevant information about our products and services, or receive relevant information about your products or services.
• Maintain and improve business relationships with you or your company.
• Exercise our rights and fulfil our obligations arising from these business relationships.

We process your data because it is necessary to perform a contract with you or your company or to take actions before entering into a contract.

How long do we keep personal data?

• Contact details of the representative of the contractual partner (which are not in the contracts, but in our internal storage systems) are kept for 3 (three) years after the end of our business relationship with the contractual partner.
• Personal data of contractual partners (including contact data in contracts) are stored in accordance with accounting regulations.

If required by applicable national regulations, when requested by competent authorities, or if we need to retain them to defend our legal interests, we may be required to keep these data for a period that differs from the above.

5.2 When you contact us with a question about our products and services and when we are looking for new business opportunities

What personal data do we process?

• We may process your name and surname, business contact information (e.g. e-mail address, phone number, company name).
• We will also process any other information you choose to share with us, depending on the nature of our communications.

How do we collect personal data?

• Directly from you when you provide us with your contact information (via e-mail or web form) requesting additional information.
• Indirectly through business partners. We only retain information that helps us reach potential business partners who may benefit from our products and services, or if we are interested in their products and services.

Why do we process personal data, on what legal basis and how do we use them?

We process such data in order to:

• Communicate with you and answer your questions.
• Find out if you or your company are interested in working with us, either by using our products and services or by providing your products or services to us.
• Provide adequate support, if there is a common interest in concluding a contract.

Such activities represent our legitimate interest in conducting our business. If you personally, as our potential contractual partner, are interested in concluding a contract with us, we process your data since this is necessary for the execution of the contract concluded with you or in order to take actions before concluding the contract.

How long do we keep personal data?

Personal data collected for the stated purposes are kept until you request deletion, unless we conclude a contract with you or your company (in which case the retention periods from the previous point apply).

5.3 When we send you e-mails or other marketing communications

What personal data do we process?

• We process your e-mail address and, in certain cases, your name and surname, phone number and company name.
• We also process simple statistics on e-mail openings and clicks.

How do we collect personal data?

• Directly from you, if you subscribe to receive our newsletter or other marketing communications via a web form available on our website.
• Directly from you or through your company as part of business-to-business (B2B) marketing if we already have a business relationship with your company.
• Simple statistics about e-mail openings and clicks are automatically generated when you interact with our e-mail messages.

Why do we process personal data, on what legal basis and how do we use them?

The purpose of processing these data is:

• Information about our products and services, news, webinars and upcoming events.
• Collecting statistics (e-mail openings and clicks) to improve our direct marketing initiatives.

If you subscribe to our marketing communications via e-mail, we rely on your consent. For business-to-business (B2B) marketing, we rely on our legitimate interest in maintaining and improving business relationships and informing our existing business partners about our products and services, news, webinars and upcoming events via e-mail or other forms of communication.

In any case, you may unsubscribe from communications or unsubscribe from our marketing communications at any time via the unsubscribe link provided in our marketing communications. When you unsubscribe from our marketing communications (that is, withdraw your consent or object to processing), we will stop sending you marketing material. However, we retain the so-called “unsubscribe list” containing your e-mail address to ensure that we do not contact you with unwanted content in the future. We store this information based on our legitimate interest in respecting the selection of recipients of our newsletter.

How long do we keep personal data?

• Your personal data are kept for our marketing activities during your business relationship with us or your company's relationship with us, unless you object, i.e. opt out.
• If you have subscribed directly, your personal data will be kept for our marketing activities until you withdraw your consent.
• If you unsubscribe, we will keep your e-mail address on the “unsubscribe list” to ensure that you do not receive further marketing communications.

5.4 When you register to participate, attend or speak at our webinar, conference or other events

What personal data do we process?

• We usually process your name and surname, business data: e-mail address, company name, position, phone number.
• We may also process photos and audiovisual materials from our live events.

How do we collect personal data?

• Directly from you when you register to attend our event.
• Sometimes your company will send your contact information because this is necessary for participation in our events.

Why do we process personal data, on what legal basis and how do we use them?

If you register for one of our events, we process your data in order to:

• Provide you with event details in advance, secure your seat (in case of live events), remind you of the event, communicate with you regarding all relevant information and send you an evaluation survey afterwards.

We process your data because it is necessary to execute or conclude a contract with you or your organization or to take actions before entering into a contract.

• We maintain a list of event attendees to invite you to future events and to inform you about our products and services that we think may be of interest to you.
• For the purpose of carrying out promotional and educational activities of the events we have organized, we can publish photos, audiovisual materials and texts on our internal and external channels.

The legal basis we rely on for the stated purposes is our legitimate interest in conducting our business. You can object to such processing and communications (in terms of invitations to future events as well as information about our products and services) at any time by using the unsubscribe link provided in all our communications, and we will stop sending them to you.

How long do we keep personal data?

• Personal data collected during registration for a webinar or another live event (name and surname, e-mail, phone number, company name) are kept until you request their deletion.
• Event photos will be used actively for 2 (two) years, after which they will be kept for archival purposes.

5.5 When we conduct user experience research

What personal data do we process?

• We process your personal data such as name and surname, e-mail address, company name and business role, as well as the information you have shared with us.

How do we collect personal data?

• We collect your name, surname and contact information (e-mail address) from our database, if you or your company are our contractual partner, in order to invite you to be part of our research.
• All information (e.g. your feedback about our products) is collected directly from you as part of research.

Why do we process personal data, on what legal basis and how do we use them?

We process data:

• To collect your feedback in order to improve our products and services.

When inviting you to be part of our research, we send you an e-mail with a login link. For this activity, we rely on our legitimate interest in improving our products and services. We will only contact you in connection with research related to a product or service that you already use or have used.

How long do we keep personal data?

• We keep your personal data (e.g. contact details and information you have shared with us) for the duration of the contract concluded with your organization.

5.6 When visiting our website

What personal data do we process?

When you visit our website, we may collect certain information through cookies, such as your browser type, the pages you visited and the order of visits, as well as information about whether you are a new or returning visitor.

How do we collect personal data?

• Directly from you when browsing our website by placing cookies on your browser.

Cookies are set either automatically (strictly necessary cookies) or only after you have agreed to them (functional, statistical and marketing cookies). Please review our Cookie Policy for more information.

Why do we process personal data, on what legal basis and how do we use them?

We process such data in order to:

• Maintain and improve our website and overall business.

In doing so, we rely either on our legitimate interest in ensuring the functioning of the website (for strictly necessary cookies) or upon your consent (for functional, statistical and marketing cookies). Please review our Cookie Policy for more information on how you can manage cookies.

How long do we keep personal data?

This depends on the types of cookies, which can be temporary (they are deleted after closing the browser or after the end of the session) or permanently (they remain on your device until you delete them or until your browser does so). Please review our Cookie Policy for more information on the retention periods of certain types of cookies.

5.7 When you apply for a job or internship with us or when you send us an open application

What personal data do we process?

When you apply for a job for an advertised position or internship with us, we process the following data:

• Your name and surname, contact details (e-mail and phone number), place of residence, as well as information about your education, previous work experience and any other information you choose to share with us in your CV or application when you express interest in joining our team.
• Results of psychological and professional tests.
• Information we collected from you during the interview.

When you send us an open application (for a position that has not yet been published), we process the following data:

• Your name and surname, contact details (e-mail and phone number), place of residence, as well as information about your education, previous work experience and any other information you choose to share with us in your CV or application when you express interest in joining our team.

How do we collect such data?

• Directly from you when you submit your CV or application.
• In some cases, you may be contacted by one of our employees who has you in his/her contact network or through business networks you use (e.g. LinkedIn), with an inquiry if you are interested in a position at Bonsai.
• We may collect additional information about you during the selection process. This information will be generated by you and by us. For example, you may complete an evaluation test or we may take notes from an interview.

Why do we process personal data, on what legal basis and how do we use them?

We process your personal data in order to:

• Find talented individuals to become part of our team, enabling you to apply for a job or internship with us.
• If we find your professional data on the websites of business networks you use (e.g. LinkedIn), and assess that you are a suitable candidate for one of our open positions, we may contact you, and in case you are interested, we will include you in the standard selection procedure.

In doing so, we rely on our legitimate interest in finding talented individuals.

• Enable you to submit an open application to receive updates on Bonsai job postings.

In doing so, we rely on your consent to process your personal data.

If you are selected as the most suitable candidate for a position or internship, you will be provided with an offer. If you accept it, we will collect additional information so that we can conclude and execute a contract with you.

Further collection and processing of your personal data will be carried out in order to conclude a work or execute a contract with you or to take necessary actions that precede the conclusion of a contract.

We process your personal data through the employment platform of our processor, Talentlyft (AdoptoTech Ltd.). Your personal data will be collected and stored on servers maintained by Talentlyft in data centers located in the European Union, and they will be processed by authorized members of the Bonsai recruitment team. Please find more details on Talentft’s privacy practices here.

Furthermore, we perform psychological testing of candidates through our processor Selekcija Ltd., which collects and stores personal data of candidates in data centers located in the European Union. Please find more details on Selection's privacy policy here.

How long do we keep personal data?

• If you applied for an advertised position or internship at Bonsai and were not selected as the most suitable candidate, we will delete your data after we close the specific competition, and no later than within 3 months after your application.
• If you have given us your consent to inform you about future business opportunities in Bonsai, your personal data will be deleted at the time you withdraw your consent, and no later than within 24 months from the time you gave us your consent.

If requested by competent authorities or if necessary to defend our legal interests, we may be required to retain this data for a period that differs from the above.

You have the right to withdraw your consent at any time. If you want to withdraw your consent or edit your profile, you can do so directly by accessing your profile or by contacting our Data Protection Officer at dpo@span.eu or by mail to the address Bonsai Ltd., Koturaška cesta 47, 10000 Zagreb, with the indication “Data Protection Officer”.

• Please keep in mind that as part of our recruitment process, we have several processors who are in charge of different parts of the selection process and are not connected to each other: the process part/technical part is processed by Talentlyft, and the test part is handled by Selection. Therefore, if you want to independently delete the profiles created with the specified processors, you must do so with each processor separately or contact us to delete both of your profiles.

Please find more information about your rights in section 9 below.

5.8 When you visit our offices or premises

What personal data do we process?

• We process your personal data, such as your first and last name, the name of the company you work for or represent, and your car registration number (if we provide you with a parking space).
• We also process recordings from CCTV cameras.

How do we collect them?

• Directly from you when you visit us at one of our locations.

Why do we process personal data, on what legal basis and how do we use them?

We process your personal data in order to:

• Manage access control to our offices and premises.
• Ensure the safety of our employees, visitors and property (CCTV surveillance at the entrances to our premises and additionally at the entrance to server rooms).

The processing of CCTV surveillance data, as well as processing related to access control, is carried out on the basis of our legitimate interest in the protection of our employees, visitors and property.

How long do we keep personal data?

• CCTV recordings are deleted no later than 60 (sixty) days after the recording date.

However, we may be required to retain this information for different periods of time in certain circumstances, if required by applicable regulations, if requested by competent authorities or if necessary to defend our legal interests.

6. HOW LONG DO WE PROCESS YOUR PERSONAL DATA?

We will keep the personal data for which you have given us your consent until you withdraw your consent, and at the latest until the deadline specified in the consent. If you want to withdraw your consent and delete your data, you can do so at any time by sending an e-mail to dpo@span.eu or by mail to the address Bonsai Ltd., Koturaška cesta 47, 10000 Zagreb, with the indication “Data Protection Officer”. Please note that withdrawal of consent does not affect the legality of processing based on consent before its withdrawal.

As for your personal data which we process on a basis other than consent, we will keep them as long as necessary to fulfil the purposes for which they were collected before we anonymize it so that we can no longer identify you, or we delete them.

Specific storage periods are specified in section 5 of this Privacy Policy. The specified storage periods are standard periods. In some cases, in order to comply with legal regulations or for the purpose of defending our legal interests, we may keep these data for longer than the periods specified in section 5 (e.g. in case of legal proceedings or at the request of a competent authority).

7. WITH WHOM WE MAY SHARE YOUR PERSONAL DATA?

As a rule, we do not share personal data with third parties except when this is absolutely necessary and only to the extent necessary, such as in the following cases:

• If we engage other persons to perform certain tasks, such as subcontractors, i.e. processors (for example, using software supplier Talentlyft to manage the job application process), who act solely on our behalf, whereby we ensure all data protection measures as if we were performing these tasks personally and we also ensure that the processing is governed by a written data processing agreement.
• In order to comply with our legal obligations, we may share your personal data with:
• Courts and other public law bodies (for example, ministries, agencies).
• Financial institutions (e.g. banks for transaction execution).
• Furthermore, we may share your personal data with auditors and other external consultants, if we are required to demonstrate compliance with relevant accounting, financial and tax legislation.
• If your personal data need to be forwarded to third parties for the purpose of creating an offer for concluding a contract.
• Other agencies, institutions, associations, insurance companies, partner companies with whom we have a contract on business cooperation based on which contractual partners can contract and use the products and services we provide.
• We may share your personal data within the Span group to the extent that is necessary, and in accordance with regulations on the protection of personal data.
• In the event of a change in our ownership structure in the future, we may transfer personal data to new affiliates or third parties for business purposes.
• Based on your consent.

When transferring your personal data, we strictly comply with the principle of processing restrictions with the transfer of the minimum amount of data necessary to fulfil the purpose, and by complying with all other relevant data protection principles.

8. HOW DO WE CONDUCT INTERNATIONAL TRANSFER OF PERSONAL DATA?

We try to primarily process personal data within the EU/EEA area.

If the above is not possible, we select companies in countries outside the EU/EEA for which the European Commission has made a decision confirming that they ensure an adequate level of personal data protection (the so-called Adequacy decision).

If our business operations require the transfer of personal data from the EU/EEA to the USA, we choose companies in the USA that are subject to the decision of the European Commission on the adequacy of the data protection framework between the EU and the USA (the so-called EU-US Data Privacy Framework).

If we have to transfer your personal data to third countries for which an adequacy decision has not been made, in such situations we always apply the appropriate protection measures and try to achieve the level of personal data protection guaranteed by the GDPR (e.g. by applying the so-called Standard Contractual Clauses).

Exceptionally, in special situations and if data transfers are not of a regular type, your personal data may be transferred to third countries for which a decision on adequacy or appropriate protection measures has not been made (for example with your consent after we have previously informed you of the risks of such transfer; or if the transfer is necessary for the conclusion or performance of a contract concluded with you or in your interest; or if the transfer is necessary for important reasons of public interest or legal requirements).

9. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?

Regarding the processing of your personal data, we would like to draw your attention to the following rights you can exercise:

• Right to be informed about the processing of your personal data - this is exactly the purpose of this Privacy Policy, that is, to inform you about how we collect and use your personal data.
• Right to access data - you have the right to receive a copy of the personal data that we process about you as well as all relevant information about the said processing (e.g. how and why we process them, how long do we keep them, who are potential recipients to whom we forward such data, etc.).
• Right to correct data - you have the right to ask us to correct your personal data that you consider incorrect and to complete your personal data that you consider incomplete.
• Right to deletion - in certain situations, you have the right to ask us to delete your personal data. Please keep in mind that the right to deletion is not an absolute right and does not apply, for example, in cases where processing is necessary to comply with legal obligations, or to exercise or defend legal claims, etc.
• Right to restriction of processing – in certain situations you have the right to ask us to restrict the processing of your personal data (e.g. if you dispute the accuracy of your personal data, or if you have objected to processing based on our legitimate interest until it is established whose interest is stronger).
• Right to data transfer – if we process your personal data by automated means based on your consent or on the basis of a contractual relationship with you, you have the right to transfer the personal data you have provided to us in a structured, commonly used and machine-readable format.
• Right to object - if we process your personal data based on a legitimate interest, you have the right to object based on your particular situation. In such a situation, we may no longer process personal data unless we demonstrate that there are legitimate reasons for the processing that override your rights and interests or to defend our legal claims.
• If personal data are processed for direct marketing purposes, you have the right to object to the processing of your personal data at any time via the unsubscribe link provided in our marketing communications.

You also have the right to withdraw your consent at any time, in which case we will no longer use your personal data collected based on your consent. Please note that withdrawal of consent does not affect the legality of processing based on consent before its withdrawal. You can withdraw your consent directly (e.g. by clicking on the “unsubscribe” link in our marketing communications, or on your profile on the platform of our processors Talentlyft or Selekcija) or by sending an e-mail to dpo@span.eu or by mail to the address Bonsai Ltd., Koturaška cesta 47, 10000 Zagreb, with the indication “Data Protection Officer”.

You have the right to request the fulfilment of the stated rights, and we shall respond to your request within one month. In justified situations, we can extend that deadline by an additional 2 months, of which we will inform you in due time.

All stated requests can be submitted free of charge, unless your request is clearly unfounded or excessive. In such situations, we reserve the right to charge a reasonable fee or refuse to comply with the request. You will be informed in a timely and clear manner about all relevant information related to your requests.

If you have questions about how we use your personal data or if you want to exercise a certain right or file a complaint regarding the processing of your personal data, you can contact our Data Protection Officer by sending an e-mail to or by mail to the address Bonsai Ltd., Koturaška cesta 47, 10000 Zagreb, with the indication “Data Protection Officer”.

You can also send your complaint to the supervisory authority of the EU member state where you have your usual residence, place of work or at the place of the alleged violation. If you wish to make a complaint or contact the relevant data protection authority for any other reason, you can find the contact details of the EEA data protection authorities at https://edpb.europa.eu/about-edpb/board/members_en.

Contact details of the competent supervisory body in the Republic of Croatia are: Croatian Personal Data Protection Agency (“AZOP”), Selska cesta 136, HR - 10000 Zagreb, phone: +385 (0)1 4609-000, e-mail: azop@azop.hr, website: http://www.azop.hr.

10. PERSONAL DATA PROTECTION

In order to protect the personal data that we process, we implement appropriate physical, technical and organizational protection measures, taking into account the nature, scope, context and purposes of processing, as well as risks of different levels of probability and severity for the rights and freedoms of data subjects.

We update and test our security technologies on an ongoing basis and continuously improve them. We use advanced tools to protect and prevent data leakage, permanently monitor critical systems, encrypt certain sensitive data and protect data from unauthorized access, modification, loss, theft or any other data breach and abuse.

Access to data is limited only to the data that are necessary for the performance of certain business tasks, and only to authorized persons who work directly on the provision or maintenance of the service as well as on improving the quality and billing of the service, in accordance with clearly defined roles and responsibilities. All employees are bound by data confidentiality agreements, and we hire only partners with whom we contract the appropriate protection measures.

We make sure that all our employees are educated in the field of privacy and security, starting from their first day.

11. AUTOMATED INDIVIDUAL DECISION MAKING AND PROFILE CREATION

We will not make any decisions based on the automated processing of data relating to you and we will not profile you.