Politika zasebnosti
Last Updated:
PRIVACY POLICY
Zyflow Application
Effective Date: 15. 5. 2026
Version: 1.0
Your privacy matters. This Privacy Policy explains what personal data HERKO d.o.o. collects when you use Zyflow, why we collect it, how we use it, and what rights you have under the General Data Protection Regulation (GDPR) and applicable Slovenian data protection law (ZVOP-2).
1. WHO WE ARE — DATA CONTROLLER
HERKO d.o.o.
Pševska cesta 10,
4000 Kranj
Republic of Slovenia
Tax number (Davčna številka): SI56613555
Registration number (Matična številka): 8830045000
Privacy contact: legal@zyflow.eu
General support: support@zyflow.eu
For questions about your data or to exercise your rights, contact us at the address above.
2. SCOPE OF THIS POLICY
This Privacy Policy applies to the Zyflow mobile application (iOS and Android) and the backend services that power it.
It does not apply to third-party websites or services linked from within the App.
3. WHAT PERSONAL DATA WE COLLECT AND WHY
We collect personal data only where we have a lawful basis to do so under GDPR Article 6. Below we describe each category, why we need it, and the legal basis that applies.
3.1 Account and Identity Data
What we collect: Email address; optional full name; optional phone number if you choose to add it to your profile.
How: When you create an account — via email, or through Sign in with Apple or Sign in with Google.
Why: To create and manage your account and provide you with the Service.
Lawful basis: Performance of contract (Article 6(1)(b)).
3.2 Location Data
What we collect: Geographic coordinates associated with:
Routes you plan and save
Route files you import
Locations you bookmark
Reports of missing or incorrect Points of Interest you submit
Location data from active navigation is processed on your device and is not stored on our servers unless you explicitly save a route.
Why: To provide core navigation, routing, and discovery features.
Lawful basis: Performance of contract (Article 6(1)(b)).
Important: Saved routes represent a record of movement history. We treat this as sensitive data — your routes are private and accessible only to you. Location access requires your permission through your device's operating system, which you can revoke at any time. Revoking it will disable core app features.
3.3 Community Contributions (POI Reports)
What we collect: When you report whether a Point of Interest is present and working, we store your contribution linked to your account, along with any optional notes and a timestamp.
Visibility: These contributions are visible to other users of the Service as community signals. Please do not include personal information in your notes.
Why: To maintain the accuracy of our Points of Interest database for all users.
Lawful basis: Legitimate interest (Article 6(1)(f)). Our legitimate interest is providing reliable, community-verified location data.
On account deletion: Your identity is removed from your contributions (anonymized), but the location data itself may be retained as part of the community dataset.
3.4 Missing Location Submissions
What we collect: If you report a charging station or other location that is missing from our database, we collect the location you reported, details you provided, your account identifier, your email address, and a timestamp.
Why: To investigate and potentially add the reported location to our database.
Lawful basis: Legitimate interest (Article 6(1)(f)).
Visibility: Visible to HERKO d.o.o. staff only during review. Approved submissions become part of our shared database; your identity is not displayed publicly.
3.5 Device and Notification Data
What we collect: If you enable push notifications, we store a device-level push token that allows us to deliver notifications to your device.
Why: To send you relevant in-app notifications (e.g. route alerts).
Lawful basis: Consent (Article 6(1)(a)). You grant permission through your device's operating system notification prompt. You may withdraw this at any time in your device settings.
3.6 Analytics Data
What we collect: We use a third-party analytics service to understand how users interact with Zyflow. This involves collecting a pseudonymous identifier, your email address (to associate usage with your account), screens and features you interact with, and general device and app version information.
Detailed behavioral tracking and automatic event capture are disabled. Only key interaction events are recorded manually.
Why: To understand usage patterns and improve the Service.
Lawful basis: Legitimate interest (Article 6(1)(f)).
Your right to object: You may object to analytics processing at any time by contacting us at legal@zyflow.eu.
3.7 Crash and Error Data
What we collect: We use a crash monitoring service that collects error reports when the App crashes or encounters a significant error. These reports may include your account identifier, technical information about the error, and device/OS details. This service is active in production only and processes a sample of sessions.
Why: To detect, diagnose, and fix bugs.
Lawful basis: Legitimate interest (Article 6(1)(f)).
3.8 Email Communications
We use an email service provider for two categories of communications:
Transactional emails: Notifications necessary for the operation of the Service (e.g. updates on reports you have submitted). Lawful basis: legitimate interest / performance of contract.
Marketing communications: News about features and updates. We will only send marketing emails with your prior explicit consent. You may opt out at any time via the unsubscribe link in any email or by contacting support@zyflow.eu.
3.9 Routing and Map Data Sent to Third Parties
When you plan a route or search for a location, certain data is transmitted to third-party services to fulfil your request:
Route calculation services receive the coordinates of your planned route (not your identity)
Location search services receive the text of your search query and a geographic region
Map tile services receive tile requests based on the area of the map you are viewing
Weather services receive an approximate location to return relevant weather data
All third parties receive your device's IP address as part of standard network communication. Where technically feasible, we proxy requests through our own servers to limit direct exposure of your IP to these services.
Lawful basis: Performance of contract (Article 6(1)(b)).
4. DATA WE DO NOT COLLECT
To be transparent about what Zyflow does not do:
We do not process payment information (the App is free)
We do not use advertising networks or sell your data to advertisers
We do not track your location continuously in the background
We do not collect health or biometric data
5. HOW WE SHARE YOUR DATA
We do not sell your personal data. We share data only as follows:
Service providers: We share data with third-party companies that process it on our behalf under written data processing agreements. These are listed in Section 6.
Community features: POI contribution data (presence/working status and notes) is visible to other authenticated users of the Service, as described in Section 3.3.
Legal requirements: We may disclose personal data if required by law, court order, or a competent authority. We will notify you where legally permitted.
Business transfers: In the event of a merger, acquisition, or sale of assets, your data may transfer as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
6. THIRD-PARTY DATA PROCESSORS
The following companies process personal data on our behalf. Each is bound by a data processing agreement and may only use your data for the purposes we specify.
Processor | Role | Location |
|---|---|---|
Cloud infrastructure provider | Secure hosting, database, authentication, file storage | European Union |
Analytics provider | Product analytics (EU-hosted) | European Union |
Error monitoring provider | Crash and error reporting | United States (SCCs) |
Email service provider | Transactional and marketing emails | European Union / varies |
Push notification service | Delivery of in-app notifications | United States |
Route calculation provider | Navigation routing (proxied) | European Union |
Geocoding provider | Location search and reverse geocoding | European Union |
Weather data provider | Weather information for route planning | European Union |
Map tile provider | Map display | Switzerland / EU |
Apple Inc. | Sign in with Apple | United States |
Google LLC | Sign in with Google | United States |
For transfers to processors located outside the EU/EEA, see Section 8.
7. DATA RETENTION
We keep your personal data for as long as necessary for the purposes described in this Policy, or as required by law.
Data | Retention |
|---|---|
Account data | Duration of your account, deleted within a reasonable period after deletion |
Saved routes | Until you delete them, or upon account deletion |
Bookmarked locations | Until you remove them, or upon account deletion |
Community contributions | Anonymized upon account deletion; location data retained as community dataset |
Location submission reports | Retained until resolved, then anonymized |
Push notification tokens | Deleted upon account deletion or permission revocation |
Analytics data | Retained per our analytics provider's configuration |
Crash reports | Retained per our error monitoring provider's configuration |
Legal and accounting records | 10 years (required by Slovenian law) |
8. INTERNATIONAL DATA TRANSFERS
Your personal data is primarily stored within the European Union. Some processors listed in Section 6 are located outside the EU/EEA (notably in the United States). For all such transfers, we ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs) as approved by the European Commission
The EU–US Data Privacy Framework, where the processor is certified
You may request details of the safeguards applicable to any specific transfer by contacting us at legal@zyflow.eu.
9. YOUR RIGHTS UNDER GDPR
You have the following rights regarding your personal data. Contact us at legal@zyflow.eu to exercise any of them.
Right of access (Art. 15): Obtain a copy of the personal data we hold about you.
Right to rectification (Art. 16): Have inaccurate or incomplete data corrected.
Right to erasure (Art. 17): Request deletion of your personal data where no longer necessary, where you withdraw consent, or where processing was unlawful.
Right to restriction (Art. 18): Ask us to restrict processing in certain circumstances.
Right to data portability (Art. 20): Receive your data in a structured, machine-readable format where processing is based on consent or contract.
Right to object (Art. 21): Object to processing based on legitimate interest, including analytics, crash monitoring, and community data processing.
Right to withdraw consent: Where we rely on consent (e.g. push notifications), you may withdraw it at any time without affecting previous processing.
Right not to be subject to automated decision-making (Art. 22): We do not make automated decisions with legal or significant effects about you.
We will respond to your request within 30 days. In complex cases we may extend this by 60 days and will notify you within the first 30 days. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.
10. RIGHT TO LODGE A COMPLAINT
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the supervisory authority in your country of residence or with the Slovenian authority:
Informacijski pooblaščenec (Information Commissioner of Slovenia) Zaloška cesta 59, 1000 Ljubljana, Slovenia Website: www.ip-rs.si Email: gp.ip@ip-rs.si Phone: +386 1 230 97 30
We would appreciate the opportunity to address your concern directly first — please contact us at legal@zyflow.eu before escalating.
11. SECURITY
We take appropriate technical and organisational measures to protect your personal data against unauthorized access, loss, or misuse. These include encryption of data in transit and at rest, access controls to limit who can access production data, and careful vetting of our third-party processors.
No method of transmission or storage is 100% secure. In the event of a data breach likely to result in high risk to your rights and freedoms, we will notify you and the Information Commissioner as required by GDPR Articles 33 and 34.
12. CHILDREN'S PRIVACY
Zyflow is not intended for persons under the age of 16. This minimum age is aligned with the digital consent age under GDPR Article 8 as implemented in Slovenia. We do not knowingly collect personal data from persons under 16. If you believe a person under 16 has provided us with their data, please contact us at legal@zyflow.eu and we will promptly delete it.
13. COOKIES AND SIMILAR TECHNOLOGIES
The Zyflow mobile application does not use browser cookies. It uses your device's local storage to maintain your login session. This is a standard mobile application practice and is not accessible to other applications or websites.
Third-party services integrated in the App may use device-level identifiers for analytics or crash monitoring purposes. Please refer to the privacy policies of those services.
A separate Cookie Policy is available at https://www.zyflow.eu/cookie-policy and applies to any future Zyflow web presence.
14. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the App and/or by email. Material changes take effect no sooner than 30 days after notification. We recommend reviewing this Policy periodically.
15. CONTACT
HERKO d.o.o.
Pševska cesta 10,
4000 Kranj,
Republic of Slovenia
Privacy enquiries: legal@zyflow.eu
General support: support@zyflow.eu
We acknowledge privacy enquiries within 5 business days and respond substantively within 30 days.
