Privacy Policy

Last updated: January 3, 2025

This Privacy Policy describes how IVAN NEDELJKOVIĆ PR RAČUNARSKO PROGRAMIRANJE POINT MARS UB ("we," "our," or "us") collects, uses, and protects your information when you use our Sofai Freight mobile application and services.

By using the Sofai Freight application, you agree to the collection and use of information in accordance with this policy.

Data Controller and Processor Roles

Data Controller

We act as the data controller for:

  • Account and authentication data
  • Device and technical information
  • App usage data and service interactions

Data Processor

For Customer Database Content that we process to answer your queries, we act as a data processor on your documented instructions. This includes data from your databases that we access to generate business intelligence reports, including generated reports, visualizations, and analytics derived from Customer Database Content; we store and process these on your documented instructions.

Legal Bases for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: Account and authentication data to provide our services
  • Consent: Push notifications (you can withdraw consent anytime in device settings)
  • Legitimate Interest: Security monitoring, system logs, and service improvements
  • Legal Compliance: Where required by applicable laws and regulations

Information We Collect

Information You Provide

  • Natural language queries: Business intelligence questions you enter
  • Report names: Custom names you assign to saved reports

Account Information (Created by Us)

  • Username and authentication credentials
  • User account identifiers
  • Database connection credentials (provided by you during setup)

Technical and Device Information

  • Authentication tokens for secure app access
  • Push notification tokens (FCM tokens)
  • Device identifiers necessary for app functionality
  • IP addresses and connection information
  • App usage logs and diagnostic information
  • Timestamps of interactions and sessions
  • Crash reports and error logs

Generated Data We Store

  • Business intelligence reports and visualizations
  • Analytics and insights derived from your database queries
  • Charts, tables, and map data generated from your requests
  • Report metadata (creation dates, update times, access history)

How We Access Your Business Data

We connect to your databases using credentials you provide during account setup. We use this connection to process your queries and generate business intelligence reports.

What we store: We permanently store the generated reports, analytics, and insights that result from your queries, as well as any data necessary for app functionality and report generation.

Recipients and Sub-processors

We share your data with the following third-party service providers. We maintain DPAs with all sub-processors and will post material changes to this list at least 7 days before use:

Firebase Cloud Messaging (Google)

Data shared: Push notification tokens (FCM tokens)
Purpose: Sending push notifications about report updates
Privacy Policy: Google Privacy Policy

Mapbox

Data shared: Map tile requests, device telemetry (enabled by default)
Purpose: Providing mapping functionality and improving map services
Opt-out: Mapbox telemetry cannot currently be disabled within the app
Privacy Policy: Mapbox Privacy Policy

Amazon Web Services (AWS)

Data shared: All application data and generated reports
Purpose: Cloud hosting and data processing
Location: EU Central (Frankfurt) region
Privacy Policy: AWS Privacy Notice

International Data Transfers

Your data is primarily stored and processed in the European Union (AWS EU Central region - Frankfurt). However, some data may be transferred internationally through our third-party services:

  • Firebase (Google): May transfer data to the US and other countries
  • Mapbox: May transfer telemetry data to the US
  • Legal safeguards: We rely on EU Standard Contractual Clauses (SCCs) and adequacy decisions where applicable

Data Retention

We retain your data for the following periods:

  • Access logs and IP addresses: 12 months
  • Push notification tokens: Removed within 30 days of logout
  • Cached reports on device: Until logout or manual deletion
  • Generated reports on servers: Until account deletion or contract termination + 90 days
  • Authentication tokens: Until logout or expiration
  • Account data: Until account deletion request
  • Database connection credentials: Until you revoke or 30 days after account deletion, whichever comes first
  • Service analytics/logs used for reliability: 12 months
  • Backup copies: Up to 60 days after primary deletion

Your Rights

EEA and UK Users (GDPR Rights)

You have the following rights under GDPR:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a portable format
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: For processing based on consent

Complaints: You can lodge a complaint with a supervisory authority. For Serbia: Commissioner for Information of Public Importance and Personal Data Protection.

California Users (CCPA/CPRA Rights)

We do not "sell" or "share" personal information as defined by CPRA. California residents have the right to:

  • Know what personal information we collect and how it's used
  • Request deletion of personal information
  • Request correction of inaccurate personal information
  • Opt-out of sale/sharing (not applicable to us)

We do not use sensitive personal information for inferring characteristics about you. We will not discriminate for exercising CPRA rights. California requests: email info@sofai.rs or use Settings → Privacy → Request data.

How to Exercise Your Rights

To exercise any of these rights, contact us at: info@sofai.rs

We will respond within 30 days (or as required by applicable law) and may require identity verification before processing your request.

Data Security

  • All communications use HTTPS encryption
  • Data at rest is encrypted using industry-standard encryption (AES-256)
  • Authentication tokens are securely stored
  • Tenant-based access controls protect your data
  • Regular security monitoring and updates
  • We will notify you of data breaches where required by law

Data Deletion Process

To request account and data deletion:

  1. Email your deletion request to info@sofai.rs
  2. We will verify your identity and process the request within 30 days
  3. All personal data will be deleted except where retention is required by law
  4. Backup copies will be deleted within 60 days

Children's Privacy

Our service is not intended for children under 13 years old (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will:

  • Post the updated policy on this page
  • Send email notification to account administrators
  • Provide at least 7 days advance notice for material changes
  • Show in-app notifications where appropriate

Contact Us

For any questions about this Privacy Policy or to exercise your rights, contact us:

IVAN NEDELJKOVIĆ PR RAČUNARSKO PROGRAMIRANJE POINT MARS UB

Address: STUBLENICA BB, Ub, Serbia

Privacy Contact: info@sofai.rs

Data Protection Inquiries: info@sofai.rs