Privacy policy

  • Derya Group Consulting
  • Data Controller: Derya Group Consulting
  • Registered office: Nušićeva 7A, Belgrade
  • Company registration number: 21135399
  • Tax ID (VKN): 109163725
  • Website: deryagroupconsulting.com
  • Contact email: deryaconsulting@gmail.com
  • Last updated: 17 April 2026
  • Effective date: 29 April 2026

1. Introductory provisions

Derya Group Consulting (hereinafter: “Data Controller”, “we”, “us”, or “Derya Group”) is committed to protecting the privacy and personal data of all persons who use its services or visit the website deryagroupconsulting.com.

Through this Privacy Policy (hereinafter: “Policy”), the Data Controller provides clear and transparent information — in accordance with Article 23 of the Law on Personal Data Protection of the Republic of Serbia (Official Gazette of the Republic of Serbia, No. 87/2018) (“LPDP”) and the European Union General Data Protection Regulation 2016/679 (“GDPR”) — to the persons whose personal data are processed (hereinafter: “Person” or “You”) regarding all material aspects of the personal data processing carried out through the website, chatbot assistant, email, telephone, and other communication channels of the Data Controller.

By using the services of the Data Controller and communicating with it, you acknowledge that you have been informed of the contents of this Policy.

2. Definitions

Within the scope of this Policy, the following terms have the meanings set out below:

  • Personal data – any information relating to an identified or identifiable natural person (e.g., name, surname, email address, telephone number, IP address, session identifier, etc.);
  • Processing – any operation or set of operations performed on personal data (by automated or non-automated means; including collection, recording, storage, viewing, transmission, erasure, and similar operations);
  • Data Controller – Derya Group Consulting, which determines the purposes and means of processing personal data;
  • Data Processor – a natural or legal person who processes personal data on behalf of the Data Controller, based on a concluded contract;
  • Consent – any freely given, specific, informed, and unambiguous indication of the Person’s wishes by which they, through a statement or a clear affirmative action, signify agreement to the processing of personal data relating to them;
  • Commissioner – the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia.

3. Principles of personal data processing

The Data Controller processes personal data in accordance with the principles set out in Article 5 of the LPDP, which are as follows:

  • lawfulness, fairness, and transparency – processing is carried out in a lawful manner and in a form understandable to the Person;
  • purpose limitation – data are collected for specified, explicit, and legitimate purposes;
  • data minimisation – only adequate, relevant, and necessary personal data are collected;
  • accuracy – data are kept accurate and, where necessary, up to date;
  • storage limitation – data are retained for the period necessary to fulfil the purposes of processing;
  • integrity and confidentiality – data are processed with the application of appropriate technical, organisational, and administrative security measures.

4. Types of personal data we process

4.1. Data you provide to us directly

  • Identification and contact data: first name and surname, telephone number, email address;
  • Communication content: questions you submit to our chatbot assistant, as well as any data you voluntarily share regarding your business plans, residence status, or other needs;
  • Professional data: company name, job position, country of origin, information on planned investments, and other details voluntarily provided during the consultation process.

4.2. Data collected automatically

  • Technical data: unique identifier of the chat session, timestamps of communications, language selected in the user interface, browser type, approximate geographical location at country level;
  • Interaction data: the content of your queries, the service categories of interest to you, internal assessments carried out for the purpose of organising operations.

The Data Controller does not collect the following data through the chatbot assistant: national identification number (JMBG), identification document numbers, bank account numbers and payment card details, or health data. There is no need to share such data through the chatbot; should they be shared, they will be deleted immediately.

5. Processing purposes and legal basis

The Data Controller processes personal data for the following purposes and on the following legal bases:

Processing purpose | Legal basis
Responding to inquiries and providing the requested consulting services | Performance of a contract or taking steps at the request of the Person prior to entering into a contract – Article 12(1)(2) LPDP / GDPR Article 6(1)(b)
Contacting by telephone or email based on data left through the chatbot | The Person’s consent – Article 12(1)(1) LPDP / GDPR Article 6(1)(a)
Improving service quality, analysing chatbot operations, and understanding the most frequently asked topics | Legitimate interest of the Data Controller in improving services, with the use of anonymised data in that context – Article 12(1)(6) LPDP / GDPR Article 6(1)(f)
Fulfilment of statutory obligations (tax, accounting, and other obligations) | Compliance with the Data Controller’s legal obligations – Article 12(1)(3) LPDP / GDPR Article 6(1)(c)
Establishment, exercise, or defence of legal claims | Legitimate interest of the Data Controller – Article 12(1)(6) LPDP / GDPR Article 6(1)(f)

6. Data retention periods

Personal data are retained only for the period necessary to achieve the purpose of processing, that is, within the time frames prescribed by applicable regulations:

  • Inquiries from prospective clients who provided contact information but did not conclude a contract – up to 24 months from the last interaction, unless you request deletion earlier;
  • Client records – for the duration of the contractual relationship and for up to 10 years after its termination, in accordance with the tax and accounting regulations of the Republic of Serbia;
  • Anonymised analytics data – indefinitely, as the Person cannot be identified through such data;
  • Chatbot communication logs linked to a specific Person – up to 12 months from the last message, with the possibility of longer retention where necessary for the fulfilment of legal or accounting obligations.

Upon expiry of the specified periods, data are deleted or anonymised in a manner that makes it impossible to associate them with a specific Person.

7. Recipients of personal data

The Data Controller may transfer personal data only to the following categories of recipients:

  • Data Processors – service providers who process personal data on behalf of the Data Controller on the basis of concluded data processing agreements, namely:
      • Google LLC – email services (Gmail), document storage (Google Drive, Google Sheets), and natural language processing (Gemini) services. Data may be processed in the United States and other countries where Google operates;
      • n8n GmbH (Federal Republic of Germany) – workflow automation services through which inquiries are routed to the Data Controller’s team;
      • the hosting provider of the website and chatbot assistant;
  • Professional advisors – lawyers, certified accountants, and court-certified translators engaged for the purpose of providing specific services at your request;
  • Competent state authorities – such as the Serbian Business Registers Agency (APR), the Tax Administration, immigration authorities, and others, where necessary for the provision of requested services or for compliance with statutory obligations;
  • Law enforcement authorities and courts – only where there is a legal obligation to disclose data.

The Data Controller does not sell personal data and does not share them with third parties for their own marketing purposes.

8. Transfer of data to other countries

Because the Data Controller uses service providers headquartered outside the Republic of Serbia and the European Economic Area (in particular Google LLC, whose servers may be located in the United States), personal data may be transferred to other countries.

Transfers of data to other countries are carried out in accordance with Articles 63–69 of the LPDP and with the application of appropriate safeguards:

  • through the use of standard contractual clauses approved by the European Commission or the Commissioner;
  • on the basis of decisions recognising an adequate level of protection, issued by the Commissioner, where such decisions exist;
  • through the application of certification mechanisms and the compliance commitments of service providers (for example, Google’s GDPR compliance commitments).

Upon written request of the Person, the Data Controller will provide more detailed information about the safeguards applied during the transfer.

9. Rights of the Person whose personal data are processed

Under Articles 21, 26, 29, 30, 31, 36, and 37 of the LPDP and under the GDPR, you have the following rights:

  • Right to information and access – to obtain from the Data Controller information as to whether your data are being processed, to access the processed data and information about processing activities, and to request a copy of the data;
  • Right to rectification and completion – to request the correction of inaccurate data or the completion of incomplete data;
  • Right to erasure (“right to be forgotten”) – to request deletion of your data, within the limits prescribed by law;
  • Right to restriction of processing – to request the temporary suspension of processing in cases provided for by law;
  • Right to data portability – to receive your data in a structured, commonly used, and machine-readable format, or to request their transfer to another data controller;
  • Right to object – to object to processing based on the legitimate interest of the Data Controller, including processing for direct marketing purposes;
  • Right to withdraw consent – to withdraw previously given consent at any time; however, such withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal;
  • Right to lodge a complaint with the Commissioner – at the address: Bulevar kralja Aleksandra 15, 11000 Belgrade; office@poverenik.rs; www.poverenik.rs.

You may submit a request regarding the exercise of your rights in writing to deryaconsulting@gmail.com, marked “request for the exercise of rights relating to the processing of personal data.” The Data Controller will act upon the request without undue delay and in any event within 30 days of receipt of the request. Where the request is complex or where there are multiple requests, this period may be extended by up to 60 further days, and you will be informed of such extension.

10. Obligation to provide data and consequences of non-provision

Providing personal data is voluntary. However, certain data (for example, contact data) are necessary for us to respond to your inquiries and provide the services you request.

If such data are not provided, the Data Controller will not be able to respond to your inquiry or provide the requested service; in some cases, this may also prevent the conclusion of a contract.

As regards data whose processing is based on statutory obligations (for example, tax and accounting regulations), the provision of such data is a legal requirement.

11. Automated decision-making and profiling

The Data Controller does not carry out automated decision-making or profiling that produces legal effects concerning the Person, or that significantly affects the Person in a similar way, within the meaning of Article 38 of the LPDP.

The chatbot assistant performs a basic categorisation for the purpose of routing inquiries to the appropriate team member; however, final commercial decisions (offers, contracts, recommendations) are made by the authorised personnel of the Data Controller.

12. Data security measures

In order to ensure an appropriate level of security of personal data, the Data Controller applies appropriate technical, organisational, and administrative measures, in particular:

  • access control to the systems in which data are processed (user authentication and the assignment of access rights in accordance with the “least privilege” principle);
  • encryption of data during transmission (HTTPS / TLS protocol);
  • regular review and updating of team members’ access rights;
  • requiring all employees and engaged persons to comply with data confidentiality obligations;
  • concluding data processing agreements with all Data Processors, obliging them to apply the same or a higher level of protection.

Despite the measures taken, no method of data transmission over the internet or electronic storage method can guarantee absolute security. Where a personal data breach is likely to result in a high risk to the rights and freedoms of the Person, the Data Controller will notify the Commissioner and the affected Persons without undue delay, in accordance with Articles 52 and 53 of the LPDP.

13. Cookies and similar technologies

The Data Controller’s website and chatbot assistant use cookies and similar technologies for the purposes of providing functionality, remembering user settings, and measuring how the site is used.

The Data Controller uses the following categories of cookies:

  • Strictly necessary cookies – enable the essential functions of the site and the chatbot session; they do not require consent;
  • Functional cookies – remember your settings (for example, language selection);
  • Analytics cookies – used to measure visits to and use of the site;
  • Marketing cookies – may be used to monitor the effectiveness of advertising activities.

Analytics, functional, and marketing cookies are placed only on the basis of your prior consent, which you may give or refuse through the cookie banner shown on your first visit to the website. Consent may be withdrawn at any time through your browser settings or by reopening the banner.

14. Minors

The Data Controller’s services are intended only for adults (businesses, investors, and persons making business decisions). The Data Controller does not knowingly collect personal data from persons under 18 years of age.

If there is a reasonable suspicion that a minor has provided their data, we kindly ask you to notify us at deryaconsulting@gmail.com; in such a case, the data in question will be deleted without undue delay.

15. Changes to the Privacy Policy

The Data Controller reserves the right to amend and update this Policy, in particular in the event of changes in legislation or in its business practices. The updated version takes effect upon publication on the Data Controller’s website and upon the update of the “Last updated” date at the top of the document.

In the event of material changes, the Data Controller will inform you via your email address if available, or through a clear notice on its website.

16. Data Controller contact details

For any questions regarding this Policy, the exercise of your rights, or any other matters relating to the protection of personal data, you may contact us as follows:

Name: Derya Group Consulting

Registered office: Nušićeva 7A, Belgrade

Company registration number: 21135399

Tax ID (VKN): 109163725

Email: deryaconsulting@gmail.com

Website: deryagroupconsulting.com