The purpose of this Privacy and Cookie Policy is to inform users (hereinafter also referred to as: individual or you) of the website https://astra.si/ai/ (“website”) about the purposes and basis for the processing of personal data by the company Astra AI d.o.o., Resljeva cesta 1, 1000 Ljubljana, company number: 9614036000, email: info@astra.si (hereinafter: the company, we, or controller).

We process, store, and protect all personal data in accordance with applicable legislation governing the protection of personal data, particularly in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR) and the Personal Data Protection Act (Official Gazette of RS, No. 163/22, hereinafter: ZVOP-2). Please read our Privacy Policy in detail to understand how we protect your privacy.

By submitting your personal data, you declare that you have read our Privacy and Cookie Policy and are aware of the methods of processing and the legal basis for the processing of personal data. If you do not agree with the methods of processing, we ask you not to provide us with your personal data.

BASIC TERMS

The following are basic terms encountered when reading our Privacy and Cookie Policy:

Personal Data: Personal data is information that identifies an individual as a specific or identifiable person. An individual is identifiable when they can be directly or indirectly identified, particularly by reference to an identifier such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

Data Subject: A determined or identifiable natural person whose personal data is processed by the controller responsible for the processing.

Processing of Personal Data: Means any operation or set of operations which is performed on personal data, particularly collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. The processing can be manual or automated.

Restriction of Processing: Is the marking of stored personal data with the aim of limiting their processing in the future.

Profiling: Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Automated Decision-Making: Means a decision based solely on automated processing (including profiling) that produces legal effects concerning an individual or similarly significantly affects an individual.

Anonymization: Is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Data Controller: Is a natural or legal person or another entity of the public or private sector that alone or jointly with others determines the purposes and means of processing of data; or a person designated by law which also specifies the purposes and means of processing.

Data Processor: Is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

User of Personal Data: Is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as users; the processing of those data by those public authorities must comply with the applicable data protection rules according to the purposes of the processing.

Third Party: Is a natural or legal person, public authority, agency or body other than the data subject, controller, processor, or persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Individual’s Consent: The individual’s consent to whom the personal data relates is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

DATA CONTROLLER AND DATA PROTECTION OFFICER

The personal data controller is Astra AI d.o.o., Resljeva cesta 1, 1000 Ljubljana, company number: 9614036000, e-mail: info@astra.si. In our company, we have appointed a Data Protection Officer, contact: andrej@astra.si

PURPOSE OF PROCESSING AND BASIS FOR DATA PROCESSING

a.) Processing Based on Consent

We process personal data based on clear and unambiguous consent from the individuals concerned for the following purposes:

• completion of the contact form,
• participation in promotional activities published on the website,
• consent to use the telephone number and email address for sending information and offers about products and services,
• sending newsletters,
• protection of our products and services.

b.) Processing Based on Legitimate Interest:

If required by circumstances, we process personal data based on a legitimate interest for the purposes of:

• responding to your inquiries about products and/or services,
• measuring satisfaction with the purchase, via email or telephone communication,
• email communication based on your initiation of the online purchasing process,
• informing about new products and services (direct marketing), based on point (f) of Article 6(1) of the GDPR and Article 226 of the Electronic Communications Act (ZEKom-2),
website optimization,
• ensuring the security of IT systems,
• prevention of abuse and/or fraud.

c.) Processing Based on the Law

Based on the law and in accordance with relevant legislation, we process personal data:

• For example, in connection with our cooperation for lawful purposes (e.g., reasons of tax legislation).

DATA WE COLLECT

We collect the following types of data:

Voluntarily Provided Data

For the purposes of conducting business, responding to inquiries, participating in promotional offers, and processing your order of products/services, we collect the following personal data, which we obtain if you explicitly communicate them:

• Name and surname,
• email address,
• other data that you provide.

The provision of personal data is a condition for the use of our services or for ordering products, as without the necessary personal data we cannot execute the order.

Automatically Generated Data

We automatically collect data about your device or other log data when you use our website.

We collect anonymous data from each visitor for traffic monitoring and error resolution. This information helps us understand who uses our website, which serves to improve and market our website, especially our online products and services. We collect data such as IP address, web requests, data sent in response to such requests, browser type, browser language, timestamp of the request, and other anonymous statistical data involving the use of our website. This information by itself cannot be used to identify or contact you. We may combine automatically collected data with other, non-personal data. In this case, we will treat the combined data as personal data in accordance with this Privacy Policy and will use it for marketing purposes.

We are not responsible for the accuracy of the data that you enter.

DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES OR TO THIRD COUNTRIES

We do not engage in the sale of your personal data. We may share your personal data with third parties only as specified in this Privacy Policy.

We share personal data with third parties:

• With your consent, we may share your personal data with those third parties for whom you have given consent.
• With our service providers, business partners, and contractors who provide services on our behalf or whom we use to support our business, such as:
• our accounting service,
• providers for managing and generating invoices or offers,
• subprocessors.

• We may report any activities to law enforcement that we reasonably believe to be unlawful, or that we reasonably believe may aid a law enforcement investigation into unlawful activity. In addition, we reserve the right to disclose your personal data to law enforcement if we determine, in our sole discretion, that either you violate the rules of our Privacy and Cookie Policy or that we may protect the rights, property, or safety of us or another person by disclosing your personal data. We will disclose only those personal data that law enforcement legitimately requests for each specific case.

• We may disclose your personal data when required by law, regulations, or official orders to protect the safety of any person from death or serious bodily injury, to prevent fraud or abuse of products and/or services or users, or to protect our proprietary rights. We will disclose personal data to government officials or third parties based on court judgments or decisions of administrative bodies or other binding acts. We will disclose the personal data that the aforementioned authorities legitimately request for each specific case.

We disclose your personal data if necessary to fulfill our obligations to you and only to the minimum extent necessary.

The personal data collected are not transferred to third countries. Your data is processed only within the territory of the European Union. In the event that your personal data are transferred to third countries, you will be informed.

For the purposes of web analytics, we use Google Analytics 4 and PostHog. The data collected for this purpose are anonymized and may be stored outside the EU or in third countries.

CONSENT OF MINORS

We recognize the importance of safeguarding the privacy of children online and ensuring internet safety. While our services, including online tutoring, are available to children under the age of 15, it is mandatory that they obtain consent from a parent or guardian before using our services.

We do not knowingly collect or solicit personal data from children under 15 without parental consent. We are committed to using advanced technology and methods to verify that such consent has been granted by a holder of parental responsibility.

Additionally, we advise parents or guardians to regularly monitor their children’s online activities, including the use of our services.

We use all available technology and strive to verify that a holder of parental responsibility for a child has given or authorized consent.

AUTOMATED DECISION MAKING AND PROFILING

The personal data of individuals are not subject to automated decision-making, nor are they subject to profiling.

HOW WE PROTECT DATA

We appreciate that you trust us and share your personal data with us. We are committed to protecting them, so we take appropriate technical and organizational measures to ensure a high level of data protection (some of the measures we implement include: the use of firewalls and data encryption, control of physical access – securing premises and IT equipment, and control over access authorizations to information with a password system for authorization and user identification).

We limit access to personal data to our employees, service providers, and agents who need to know it in order to develop or improve our services.

Please understand that our website offers links to other websites that we do not own and/or control. Your use of these third-party services is entirely optional. We are not responsible for the content and/or practices of third parties.

MANAGING PERSONAL DATA AND OPT-OUT

You can update, remove, or opt out of your personal data at any time.

Updates: If you still wish to use our products and services and need to change your relevant personal data (name, email, postal address, phone number, etc.), please inform us at info@astra.si.

Deletion of personal data: If you want to completely remove your data from our records, send a deletion request to info@astra.si.

Opt-out: If you dislike receiving emails or other marketing materials, you can opt out at any time using the “unsubscribe” link in any marketing email you receive from us. We will be sad to see you go, but we respect your privacy.

The processing of requests sent to info@astra.si may take up to 10 days. After this period, the request will be addressed and, if it meets the conditions, it will be valid.

Once we receive your consent withdrawal, we will stop processing your personal data and delete them. We will inform you that your withdrawal has been considered.

INDIVIDUAL RIGHTS

In accordance with the provisions of the GDPR, the individual has the right of access to personal data, the right to rectification, the right to erasure (“right to be forgotten”), the right to data portability, the right to request restriction of processing of personal data, the right to object, and the right to lodge a complaint with the supervisory authority.

For exercising your rights or obtaining additional information, you can contact us at the email address: info@astra.si. A response to your request will be given within 10 days in accordance with the GDPR.

If there is a justified doubt concerning the identity of the individual submitting a request related to any of their rights, we may request the provision of additional information necessary to confirm the identity of the individual to whom the personal data pertains.

If the requests of the individual to whom the personal data pertain are manifestly unfounded or excessive, particularly because of their repetitive character, we may charge a reasonable fee, taking into account the administrative costs of providing information or communication or taking the requested action, or refuse to act on the request.

RIGHT OF ACCESS TO DATA

The individual to whom the personal data pertain has the right to obtain confirmation from us as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organizations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the individual, or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the individual, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.

Upon request, we provide a copy of the personal data undergoing processing. For any further copies requested by the individual, we may charge a reasonable fee based on administrative costs.

RIGHT TO RECTIFICATION

The individual has the right to have us correct inaccurate personal data concerning them without undue delay. Taking into account the purposes of the processing, the individual has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”)

The individual has the right to have personal data concerning them erased without undue delay where:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the individual withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
• the individual objects to the processing based on the controller’s legitimate interests, and there are no overriding legitimate grounds for the processing;
• the individual objects to processing for direct marketing purposes;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; when it concerns data collected from a child regarding information society services offered directly to them.

Where the personal data have been made public and are to be erased, we take reasonable steps, including technical measures, to inform other controllers processing the personal data that the individual has requested the erasure of any links to, or copy or replication of, those personal data.

RIGHT TO RESTRICTION OF PROCESSING

The individual has the right to obtain restriction of processing where one of the following applies:

• the accuracy of the personal data is contested by the individual, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
• we no longer need the personal data for the purposes of the processing, but they are required by the individual for the establishment, exercise, or defense of legal claims;
• the individual has objected to processing pending the verification whether the legitimate grounds of the controller override those of the individual.

RIGHT TO DATA PORTABILITY

The individual has the right to receive the personal data concerning them which they have provided to us, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance from us, where:

• the processing is based on consent or on a contract; and
• the processing is carried out by automated means.

RIGHT TO OBJECT

The individual whose personal data is being processed has the right, on grounds relating to their particular situation, to object at any time to the processing of personal data concerning them if it is based on the legitimate interests that we or a third party pursue. We shall no longer process personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual, or for the establishment, exercise, or defense of legal claims. When personal data is processed for direct marketing purposes, the individual has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If direct marketing is based on consent, the right to object can be exercised by withdrawing the given consent.

AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, if the decision:

• is not necessary for entering into, or the performance of, a contract between you and us,
• is not authorized by Union law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
• is not based on your explicit consent.

RIGHT TO LODGE A COMPLAINT REGARDING THE PROCESSING OF PERSONAL DATA

An individual can communicate a potential complaint concerning the processing of personal data via email to: info@astra.si or by mail to the address Astra AI d.o.o., Resljeva cesta 1, 1000 Ljubljana, registration number: 9614036000. In the event of a personal data breach, we will notify the competent supervisory authority unless it is unlikely that the breach poses a risk to the rights and freedoms of individuals. If there is suspicion that a criminal offense has been committed in relation to the breach, we will notify the police and/or the competent prosecutor’s office.

In the event of a breach that may result in a high risk to the rights and freedoms of individuals, we will notify the affected individuals immediately or, if not possible, without undue delay.

If an individual has exercised the right to access data and after receiving the decision believes that the personal data they received is not the data they requested, or they did not receive all the requested personal data, they can submit a reasoned complaint to the controller (Astra AI d.o.o., Resljeva cesta 1, 1000 Ljubljana, registration number: 9614036000) within 15 days before lodging a complaint with the Information Commissioner. We will make a decision on the complaint as a new request within five working days. If an individual believes that their rights or the regulations on the protection of personal data have been violated, they can complain to the competent national authority: The Information Commissioner of the Republic of Slovenia (Zaloška 59, 1000 Ljubljana, phone: 01 230 97 30, fax: 01 230 97 78, email: gp.ip@ip-rs.si).

RETENTION PERIOD OF PERSONAL DATA

We will store an individual’s personal data for as long as necessary to fulfill the purpose for which the personal data was collected and further processed.

Some data is obtained through the use of cookies and other similar technologies by analyzing your behavior on our website and response to email messages and from third parties whose cookies are loaded onto your device with your consent (providers of social media, etc.).

Data processed on the basis of legitimate interest or for the purpose of taking action upon your request before entering into a contract will be stored for a maximum of five years from the fulfillment of the purpose of our mutual communication or until the expiration of the limitation period for possible claims.

In cases where applicable sectoral legislation (e.g., tax law) stipulates mandatory periods for the retention of personal data, we will delete the personal data after the expiration of the period prescribed by law.

Compliance with Student Privacy Laws

We adhere to applicable federal student privacy laws, including the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA). We have implemented measures to ensure compliance with these laws. If you believe we have not complied with these laws, please contact us at info@astra.si.

California Privacy Rights

If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA), including the right to access, delete, and opt-out of the sale of your personal information. Since we do not sell your personal information, the right to opt-out of the sale does not apply. To exercise your right to access or delete your personal information, please contact us at info@astra.si.

EU/EEA and UK Data Subjects

If you are a data subject in the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK), you have certain rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the right to access, correct, delete, restrict the processing of, or object to the processing of your personal information. To exercise these rights, please contact us at info@astra.si.

Additionally, if you are an EU/EEA or UK data subject, you have the right to lodge a complaint with your local data protection authority.

LINKS TO OTHER WEBSITES

Our website may contain links to third-party websites, which we do not own or control. These sites have their own Privacy and Cookie Policies, which you must familiarize yourself with, as the controller assumes no responsibility for them.

COOKIES

Cookies are small text files that websites store on individuals’ devices when they access the internet. The storage of cookies is under the complete control of the individual, as they can restrict or disable the storage of cookies in the browser they use. Cookies perform many functions—they enable tracking of website visits, facilitate various campaigns and discounts, and store information about whether an individual is entitled to certain discounts or benefits, for example.

Cookies enable a convenient way to maintain fresh and relevant content in line with the interests and preferences of website visitors. Based on statistical data on website traffic, which is also enabled by cookies, we can assess the effectiveness of the design of our websites, as well as the appropriateness of the type and number of ads we offer on the website.

However, consent to install cookies is not required for necessary cookies. These enable the normal functioning of the website. Through these cookies, the basic use of the website is enabled. Without these cookies, the website does not function normally or at all, so they are installed even when an individual rejects the installation of cookies.

How do I change my cookie settings?

Currently, it is not possible to turn off cookie settings.

WHICH COOKIES DO WE USE?

CookieDurationPurpose
__ph_opt_in_out_phc_
F7dF44vCVzlEzc7rwrBRIQlwUEjjGZCQ81VWRbcGigC
persistentThis cookie is used to remember a user’s choice
about cookies on the website. This cookie is, by
default, set on pages where the cookie opt-in is present and is not set on all pages.
_fbp90 daysUsed by Facebook to deliver a series of advertisement products such as real-time bidding
from third-party advertisers.
localepersistentThis cookie is used to remember a user’s language selection.
__stripe_mid1 yearThis cookie is necessary for making credit card
transactions on the website. The service is provided
by Stripe.com, which allows online transactions
without storing any credit card information.
__stripe_sid30 minutesThis cookie is necessary for making credit card
transactions on the website. The service is provided
by Stripe.com, which allows online transactions
without storing any credit card information.
sb-api-auth-token-code-verifiersessionUsed for authentication via Supabase.
sb-api-auth-tokensessionUsed for authentication via Supabase.
pwa-never-show-againpersistentUsed to remember if the user has dismissed the PWA install prompt.
ph_#_window_id1 yearThis cookie is set by PostHog analytics software and is used to understand how visitors interact with our website.
ph_#_primary_window_exists1 yearThis cookie is set by PostHog analytics software and is used to understand how visitors interact with our website.
ph_current_project_token1 yearThis cookie is set by PostHog analytics software and is used to understand how visitors interact with our website.
ph_current_instance1 yearThis cookie is set by PostHog analytics software and is used to understand how visitors interact with our website.
ph_current_project_name1 yearThis cookie is set by PostHog analytics software and is used to understand how visitors interact with our website.
posthog_csrftoken1 yearThis cookie is set by PostHog analytics software and is used to understand how visitors interact with our website.
sentryReplaySessionpersistentThis cookie is set by Sentry and is used to analyze errors on the website.
lastExternalReferrerpersistentDetects how the user reached the website by registering their last URL-address.
lastExternalReferrerTimepersistentDetects how the user reached the website by registering their last URL-address.

MANAGING AND DELETING COOKIES

If you wish to change the way cookies are used in your browser, including blocking or deleting them, you can do so by making the appropriate changes to your browser settings. Most browsers allow you to accept or reject all cookies, accept only certain types of cookies, or warn you when a website wants to store a cookie. You can easily delete the cookies that have been stored by your browser. If you change or delete your browser’s cookie file, upgrade your browser or device, you may need to disable cookies again. The process for managing and deleting cookies varies from one browser to another.

CHANGES TO THE PRIVACY AND COOKIE POLICY

We reserve the right to update, change, or replace any part of our Privacy and Cookie Policy at our discretion by posting updates or changes to our website without prior notice. Any changes are effective from the date of the public posting of the revised Privacy and Cookie Policy on our website.

Published on: September 19, 2023