Privacy Policy

Effective from: 01.04.2026 | Last updated: 05.04.2026

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as the "GDPR Regulation") and the Slovak Personal Data Protection Act (Act No. 18/2018 Coll.) (hereinafter referred to as the "Personal Data Protection Act") impose an obligation on personal data controllers to provide data subjects with information about the purpose for which their personal data are intended, including cases where personal data are not obtained directly from the data subject.

2.1 Controller

DDN Consulting s.r.o. so sidlom Bodiky 222, Bodiky 930 31, ICO 55 879 128, zapisanej v OR SR Okresny sud Trnava, oddiel: Sro, vlozka cislo 55445/T

Contact email for GDPR matters: gdpr@easyai.sk

2.2 What Data We Collect

When ordering and using the service, we collect:

• Company identification data: name, ICO, DIC, registered office
• Contact details: name, email, phone number of the contact person
• Process data: information about business processes provided during the audit
• Technical data: IP address, browser type, cookies

The audit does NOT collect:

• Financial statements or accounting data
• Personal data of the company's customers
• Internal secrets and business strategies
• System access credentials (passwords, API keys)
• Employee data (salaries, personal information)

2.3 Purpose of Processing

• Service provision — conducting the audit and generating the report
• Invoicing and tax obligations
• Communication with the client regarding the service
• Improving service quality (anonymised data)

2.4 Legal Basis for Processing

• Art. 6(1)(b) GDPR Regulation — performance of a contract.
• Art. 6(1)(c) GDPR Regulation — legal obligation (invoicing, taxes)
• Art. 6(1)(f) GDPR Regulation — legitimate interest (service improvement)

2.5 Data Retention Period

• Audit process data: 90 days after report delivery, then automatically deleted
• Invoices and accounting documents: 10 years (statutory obligation)
• Contact details: until consent is withdrawn or until the legitimate interest expires

2.6 Rights of the Data Subject

As data subjects, you have the following rights:

— the right to be informed whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary for entering into a contract, whether the data subject is obliged to provide personal data, and the possible consequences of failing to provide such data.

— the right to obtain information about the source from which personal data originate, if they were not obtained from the data subject, or information about whether the data originate from publicly accessible sources.

— the right to obtain confirmation from the controller as to whether personal data relating to the data subject are being processed. Where the controller processes personal data, the data subject has the right to access such personal data and to obtain the following information:

• the purposes of processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data relating to the data subject, or restriction of processing, or the right to object to such processing;
• where the personal data were not obtained from the data subject, any available information as to their source.

— the right to request access to personal data relating to the data subject from the controller — the data subject has the right to be provided with a copy of the personal data held by the controller, as well as information on how the controller uses the personal data. In most cases, personal data will be provided to the data subject in written paper form, unless the data subject requests another method of provision. If the data subject requests that the information be provided by electronic means, the information shall be provided electronically where technically feasible.

— the right to rectification of personal data — the data subject has the right to have inaccurate personal data relating to them corrected by the controller without undue delay. The data subject has the right to have incomplete personal data completed. If the data subject believes that the personal data held by the controller are inaccurate, incomplete, or outdated, they should not hesitate to request that the controller amend, update, or complete such information.

— the right to erasure of personal data (right to be forgotten) — the data subject has the right to request the controller to erase personal data, for example where the personal data obtained by the controller are no longer necessary for the original purpose of processing. The data subject cannot effectively exercise their right to erasure where the processing is necessary for the establishment, exercise, or defence of the controller's legal claims, or where the personal data are still necessary for the purposes for which they were collected or otherwise processed.

— the right to restriction of processing of personal data — under certain circumstances, the data subject is entitled to request the controller to cease using their personal data. This applies, for example, in cases where the data subject believes that the personal data processed by the controller may be inaccurate or where they believe that the controller no longer needs to use the personal data.

— the right to object to the processing of personal data — the data subject has the right to object to the processing of data that is based on the legitimate interests of the controller. Where the data subject does not have a compelling legitimate reason for the processing and lodges an objection, the controller shall no longer process the personal data.

— the right to data portability — under certain circumstances, the data subject has the right to request the controller to transfer the personal data provided to them to another third party of their choice. However, the right to portability only applies to personal data that the controller obtained from the data subject on the basis of consent or on the basis of a contract to which the data subject is a party.

— the right to withdraw consent at any time — in cases where the controller processes personal data on the basis of the data subject's consent, the data subject has the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal; the data subject must be informed of this fact before providing consent. The data subject may withdraw consent in the same manner in which consent was given.

— the right to lodge a complaint — a data subject who claims to be directly affected in their rights (if they believe that the controller processes their personal data unfairly or unlawfully, or otherwise violates the protection of personal data) may file a motion to initiate proceedings or a complaint with the supervisory authority. The supervisory authority is: the Office for Personal Data Protection of the Slovak Republic (Urad na ochranu osobnych udajov SR), Namestie 1. maja 18, 811 06 Bratislava; if the motion is filed electronically, it must meet the requirements of administrative procedure law.

2.7 Processors and Third Parties

Data are NOT used for training AI models nor provided to third parties for marketing purposes.

2.8 Transfer of Data to Third Countries

The controller does not transfer personal data to third countries or to international organisations.