Effective Date: April 2025.
Published: April 2025.
This Privacy Policy (“Policy”) provides information on how we handle your data when you use our website or our services. The data controller for the aforementioned processing is Harmony New Energy Auto Service Zagreb d.o.o., Savska cesta 43, 10000 Zagreb, OIB: 96066277885 (hereinafter referred to as we or Harmony New Energy Auto Service Zagreb).
Please read this Policy carefully to understand how we handle your data and to familiarize yourself with your rights regarding your personal data.
This Policy applies to the processing of personal data that we carry out in the course of our business where we act as a data controller, as defined by applicable data protection regulations, especially Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR).
The categories of personal data we collect depend on the subject and purpose of the processing. Depending on the nature of our relationship with you, we may process additional data. For example, if we provide a service based on a concluded contract, we will also process OIB data (for individuals or legal representatives), address, or other identifying data, as well as identification and contact details necessary for executing the contract.
We collect data directly from you when you use our website, contact us via web forms, or use our services as described below.
1) Test Drive Inquiry: If you contact us to arrange a test drive, we collect the data you provide in the contact form along with your request.
These data are:
We also process the same data when you contact us via email, postal mail, or any other method regarding a test drive.
If you reach out via the contact form, email, or otherwise regarding a test drive, the legal basis for processing is Article 6(1)(b) of the GDPR – processing necessary for the performance of a contract or to take steps prior to entering into a contract. Without this data, we cannot respond to your request or provide the service.
We retain this data for up to 18 months after the last communication, unless we enter into a business relationship afterward and process the data under a different purpose and legal basis.
2) Inquiry or Comment: Whether through the contact form, email, phone, or other means – if you contact us with a question, comment, or request for information about a specific vehicle model, we collect the data you provide in the form.
These data are:
If you contact us with an inquiry about our products or services, the legal basis for data processing is our legitimate interest under Article 6(1)(f) of the GDPR – to maintain communication related to our business. Without this data, we cannot respond to your inquiry or provide services.
We retain this data for up to 18 months after the last communication.
3) Contract Conclusion: In case of entering into a sales contract with you, we collect your identification data necessary to conclude the contract, address, contact details, contract information, delivery and payment data (including payment confirmations, method of payment, etc.), as well as the type of vehicle and technical details of the selected vehicle and other information related to our relationship. This is to comply with legal obligations, such as those arising from commercial, tax, or criminal law, anti-money laundering regulations, etc.
When a contract is concluded, we retain data related to the contract as required by mandatory regulations (e.g., accounting laws or anti-money laundering laws). According to the Accounting Act, we must retain contracts for 11 years from the last day of the business year in which they were recorded in the business books. In accordance with tax laws, invoices and all other documentation relevant for determining and paying taxes must be kept for 10 years.
4) Compliance with Regulatory Requirements: We also process your data to comply with binding legal regulations, for example, in the area of product monitoring and safety, or for the prevention of fraud and money laundering, prevention, suppression, and investigation of terrorism financing, asserting legal claims and defending against legal disputes, and generally in the area of commercial, accounting, tax, or criminal law, anti-money laundering regulations, etc. This includes the disclosure of personal data upon request of competent or supervisory authorities, including tax authorities. We retain your data for as long as prescribed by applicable law.
5) Newsletter Subscription: If you consent, we process your email address to inform you about our products, events, and services. The legal basis for this processing is your consent under Article 6(1)(a) of the GDPR, which you have previously given by opting in. If you no longer wish to receive promotional emails, you may unsubscribe at any time via the unsubscribe link. In such a case, the withdrawal of consent will not affect the legality of processing carried out before the withdrawal.
We will process your data for this purpose until your consent is withdrawn.
6) Cookies: We collect personal data through cookies and similar technologies. For more information on how we use cookies, please see the overview below.
We use cookies on our website – small text files stored on your device when you visit the website. By duration, cookies may be persistent or temporary (session cookies), depending on whether they remain stored on your device after closing the browser. Session cookies are deleted when you close your internet browser. By purpose, cookies may be necessary, functional, analytical, or marketing. Necessary cookies are essential for proper functioning and access to the content of our site. Functional cookies remember preferences and choices you made during site use. Depending on the source, cookies may be first-party (placed by the website you are visiting) or third-party cookies. Third-party cookies are set by external providers or other websites that may use their own cookies. Through such cookies, other websites may track your visit to our website. Based on our legitimate interest to provide the website, we use:
NAME | DURATION | DESCRIPTION |
---|---|---|
NECESSARY | ||
cookieyes-consent | 12 months | First-party cookie, records user consent for cookie use (CookieYes system). |
cmplz_* | 12 months | First-party cookie, used for managing cookies. |
FUNCTIONAL COOKIES | ||
webp_lossy_supported | 12 months | First-party cookie, stores consent settings for analytical cookies. |
wp-settings-* | 12 months | First-party cookie, stores user settings for the WordPress admin interface. |
wp-settings-time-* | 12 months | First-party cookie, stores user settings for the WordPress admin interface. |
wp-wpml_current_language | session | First-party cookie, associated with WPML plugin, stores language settings. |
wpml-* | session | First-party cookie, associated with WPML plugin, used for managing multilingual content. |
filebird | 12 months | First-party cookie, used for media management via the FileBird plugin. |
e_kit-* | 12 months | First-party cookie, used for page design and content management, linked to Elementor plugin. |
e_globals | 12 months | First-party cookie, used for page design and content management, linked to Elementor plugin. |
screentype | session | First-party cookie, used to detect device type for display optimization. |
loglevel | session | First-party cookie, used to define error log level in console. |
ANALYTICAL COOKIES | ||
_ga | 2 years | First-party cookie, part of Google Analytics – used to distinguish users by assigning a unique ID and analyzing visitor data. |
_gid | 24 hours | First-party cookie, part of Google Analytics – used to distinguish visitors and analyze site traffic. |
_gat_gtag_UA_* | 1 minute | First-party cookie, part of Google Analytics – stores unique visitor ID and limits requests to the site. |
pys_ | 7 days | First-party cookie, linked to PixelYourSite plugin for analytics and event tracking. |
last_pys* | 7 days | First-party cookie, linked to PixelYourSite plugin for managing analytics and event tracking tools. |
7) Access and Use of the Website: Your activities on the website, including your personal data, are logged in log files—special files used to store information about events and activities related to the IT system used to provide the website. Data collected in these log files are processed primarily for purposes related to providing the website. We process your personal data (including IP address, technical data on browser type, device type and mobile device identifier, browser data, and data collected through cookies or other similar technologies) for the purpose of delivering the website and its content, as well as for analytical and statistical purposes. The legal basis for this processing is our legitimate interest (Article 6(1)(f) GDPR), to deliver the website and analyze visitor activity and preferences, in order to improve the functionalities and services we provide.
8) Social Media Profiles: For the purposes of promotion, content publishing, and communication, we also use official profiles on social media. When interacting on social media, we collect and process your data to communicate with you (based on our legitimate interest), but we do not store or additionally process them. Authorized persons with access to our profiles can view such communication or posts.
Regarding the processing of personal data through our social media profiles, the social network may, in certain cases, be considered a joint controller with us. For our Facebook and Instagram profiles, we are joint controllers with Meta Platforms Ireland Limited. More information about this processing is available here. For processing via our LinkedIn profile, we are also joint controllers as detailed here. Please also read the relevant data privacy policies of the social media providers where you have an account, e.g., LinkedIn, Facebook, Instagram.
The duration of our data processing depends on the type of service provided and the purpose of processing. In general, data will be retained until the purposes for which they were collected are fulfilled, except where applicable regulations require us to retain personal data for longer. Data will not be used or stored longer than necessary for fulfilling the above-mentioned purposes, contract obligations, or as required by applicable laws. Once the relevant periods expire, personal data will be deleted.
We have implemented robust technical and organizational measures to protect your personal data in accordance with the current state of technology, particularly to protect personal data from loss, alteration, or access by unauthorized third parties. After receiving your personal data, we will use strict procedures and security features to prevent unauthorized access. However, transmitting information over the internet is not completely secure. While we will do our best to protect your personal data, we cannot always guarantee the security of data transmitted through our website. If a personal data security incident occurs, we will report it promptly and take corrective action in accordance with the requirements of applicable law and regulatory authorities.
Depending on the nature and purpose of the processing, we may disclose your personal data to our business partners, data processors acting on our behalf (e.g., IT service providers, such as website hosting providers, to the extent necessary for hosting the site), accounting service providers, etc.
If necessary for fulfilling the purpose (e.g., contract conclusion or execution), we may share your data with our business partners such as suppliers, service providers, subcontractors, or other organizations for the purpose of providing services to us or directly to you on our behalf. These third parties may include cloud service providers (e.g., email and hosting) or other service providers. We only share personal data necessary to perform their services and have appropriate agreements in place to ensure the protection of your data.
As noted earlier, we may also disclose your data to competent or supervisory authorities, including tax authorities, and in legal proceedings to protect our rights, property, or safety, as well as those of our customers, employees, or the public, and to prevent or investigate potential fraud or illegal activity.
When third parties access your personal data, we take necessary contractual, technical, and organizational measures to ensure safe processing of your data.
As a rule, we do not transfer your data to third countries, i.e., countries not considered to provide an adequate level of personal data protection.
If necessary—for example, if any of our essential service providers are located in so-called third countries outside the European Economic Area—we will ensure an adequate level of protection based on appropriate contractual and other mechanisms, such as the European Commission’s Standard Contractual Clauses, with additional technical measures (e.g., data encryption or other required steps) if needed.
In relation to our data processing, you have the following rights:
For any questions, further information, or requests related to the processing of personal data, feel free to contact us via: obrada.podataka@hexieauto.com
We will periodically update or modify this Policy to reflect changes in our business processes. The updated version will always be available on our website, with the date of the last update clearly indicated.