Legal
Privacy Policy
Effective from: 15 May 2026
VEGA SmartLab d.o.o. respects your privacy. This policy explains what personal data we process on the website www.vegaerp.com and in the application app.vegaerp.com, and what rights you have under the GDPR.
Controller Identity
⚠️ Important Notice
EU GDPR does not prescribe specific technical measures for verifying the identity of a website controller, nor does it require website visitors to identify themselves. Until regulations are supplemented, the decision of whether to trust the unprotected displayed identity of the controller rests with the individual. The controller cannot guarantee that consent was obtained from the person who purportedly agreed to the data processing conditions, as the individual does not identify themselves in a unique and verifiable manner during the confirmation process. Consequently, the controller does not assume responsibility for potential misuse of web forms by third parties. If an individual objects to processing on the grounds that they did not give consent, the controller will immediately stop processing and delete the data.
Processing Activities and Legal Bases
| Processing | Purpose | Legal Basis | Data | Retention Period |
|---|---|---|---|---|
| Website visit | Technical operation | Legitimate interest | IP address, visit time, browser type, OS | Session |
| Security logging | Security, abuse prevention | Legitimate interest | IP address, requests, errors | Up to 90 days |
| Functional cookies | Technical session operation | Legitimate interest | Session identifier | Session |
| Subscriber registration | Management of the subscription relationship | Contract Art. 6(1)(b) | First name, last name, email, company | Duration of subscription + 30 days |
Technology Audit of the Website — www.vegaerp.com
Independent tool Website Evidence Collector, 15 May 2026.
| Parameter | Value |
|---|---|
| Security status | SAFE |
| Dangerous / Suspicious providers | 0 / 93 |
| Safe providers | 58 / 93 |
| Cookies (first-party) | No cookies |
| Cookies (third-party) | No cookies |
| Local storage | No records |
| Tracking elements | No trackers |
| Third-party domains | No third-party domains |
✅ Website security verified — SAFE (VirusTotal, 15 May 2026: 0/93 dangerous).
Transfers of Personal Data to Third Countries
The website does not share personal data with third parties and does not transfer data to third countries outside the EEA.
Rights of the Individual
Under the GDPR you have the following rights:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure / 'right to be forgotten' (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection (Art. 21)
- Withdrawal of consent (Art. 7(3))

Address requests to: dpo@vegaerp.com.
Right to Lodge a Complaint with the Supervisory Authority
Automated Decision-Making and Profiling
The controller does not carry out automated decision-making or profiling within the meaning of Art. 22(1) and (4) GDPR.
Role of VEGA SmartLab as Data Processor
When providing the SaaS ERP service at app.vegaerp.com, VEGA SmartLab acts as a data processor (Art. 4(8) and Art. 28 GDPR). The subscriber is the data controller and determines the purpose and scope of processing.
Direction of obligation: from the Controller → to the Processor; the absence of a concluded Data Processing Agreement constitutes a breach of the Controller's obligations under Art. 28 GDPR.
Technology Audit of the Application — app.vegaerp.com
Independent tool Website Evidence Collector, 16 May 2026.
| Cookie | Domain | Duration | Purpose | Legal Basis |
|---|---|---|---|---|
| NEXT_LOCALE | app.vegaerp.com | Session | Stores interface language settings; functional cookie | Legitimate interest |
| (Third-party cookies) | — | — | No cookies | — |

| Key | Domain | Purpose | Legal Basis |
|---|---|---|---|
| vegaerp-crm-auth | app.vegaerp.com | Authentication token of the logged-in user. Technically required for the operation of the logged-in session. | Contract Art. 6(1)(b) |
Categories of Personal Data
| Category | Typical Data | Controller Determines |
|---|---|---|
| Employees (HR, payroll) | Name, national ID (EMŠO), tax ID, bank account, payslip, leave, sick leave | Purpose, retention period, access |
| Customers and contacts | Name, address, email, phone, order history | Purpose, retention period, access |
| Suppliers and contacts | Contact persons, addresses, banking details | Purpose, retention period, access |
| Accounting data | Data on invoices, payment orders and contracts containing personal data of natural persons | Purpose, retention period, access |
Infrastructure and Geographic Location of Data
✅ All data is located exclusively in the Republic of Slovenia.
The VEGA ERP system operates on VEGA SmartLab's own physical server infrastructure, hosted in the certified data centre of Pošta Slovenije (eIDAS, EU Regulation 910/2014, Tier 3 per Uptime Institute). Pošta Slovenije acts solely as a physical infrastructure provider and has no access to the data. VEGA SmartLab does not use sub-processors with access to personal data. Data is not transferred outside the EEA.
Privacy by Design — GDPR by Design (Art. 25)
- Audit Trail: records all changes with user, timestamp and content; immutable.
- Access Control (RBAC): roles and permissions; each user sees only assigned data.
- Portability (Art. 20): export of all data in CSV/Excel at any time.
- Deletion procedure upon termination: data available for export for 30 days, then permanently deleted.
- Transport encryption (HTTPS/TLS): all communication via TLS; HTTP is redirected to HTTPS.
- Anonymisation in AI processing (Anthropic Claude): full anonymisation before each processing; the AI provider never receives personal data.
Integrations with National Institutions
VEGA ERP is integrated with legally designated controllers (FURS, ZZZS and others). Data exchange takes place exclusively at the explicit request of the subscriber, on their behalf (Art. 6(1)(c) GDPR). FURS, ZZZS and others are independent controllers — they are not sub-processors. Responsibility for the accuracy of data lies with the subscriber.
Data Processing Agreement (Art. 28)
A draft DPA is available upon request at dpo@vegaerp.com. The subscriber may prepare their own DPA or accept the VEGA SmartLab proposal; we will decline an agreement that requires standards we cannot fulfil.
Statement of Achieved Processing Standards
| Standard | How It Is Ensured |
|---|---|
| Geographic restriction | All data is processed and stored exclusively in Slovenia (Tier 3, eIDAS). |
| No sub-processors with access | No third-party provider has access to personal data. |
| Employee confidentiality | Access is limited to authorised employees bound by a confidentiality obligation. |
| Support for individual rights | The system technically supports access, rectification, erasure, and portability. |
| Breach notification | VEGA SmartLab notifies the subscriber within 24 hours of discovering a breach. |
| Audit availability | Documentation of implemented measures is provided upon request. |
Retention Period after Termination of the Subscription
| Phase | Duration | Status |
|---|---|---|
| Export period | 30 days from termination | Data available for read and export only; write access disabled. |
| Extension | On written justified request | Request required before the 30-day period expires. |
| Permanent deletion | After the period expires | All data permanently and irreversibly deleted, including backups. |
VEGA SmartLab notifies the subscriber of deletion 7 days before the export period expires.