Privacy Policy

Last updated 15 June 2026

Introduction

This Privacy Policy explains how Office by Elevera collects, uses, shares and protects personal data when you visit our website or use the Office service. Office is a GDPR-first back-office platform for European teams, covering HR records, payroll preparation, compliance, absence, onboarding, performance and recruiting.

We have written this policy to be accurate and plain. It applies to our marketing site and to the Office application. Where this policy refers to the GDPR, it means Regulation (EU) 2016/679, together with the applicable national data protection law of Croatia.

Office acts as a controller for the data needed to run your account and as a processor for the employee and HR records that your organisation enters. The split between these two roles is explained in the section on our role as controller and processor below.

Who is responsible (the controller)

The provider of Office and the controller for account and website data is:

Elevera Studio (obrt za računalno programiranje, vl. Petar Markota), a Croatian sole-trader craft business (obrt).

  • Owner and responsible person: Petar Markota
  • Address: Ulica Stjepana Draganića 9, 10000 Zagreb, Croatia
  • Email: hello@eleverastudio.com
  • Phone: +385 99 833 4349
  • Croatian Crafts and Trades Register (Obrtni registar): MBO 99281139, OIB 42932294974, Obrtnica no. 21011610485, registered by Grad Zagreb (Gradski ured za gospodarstvo, ekološku održivost i strategijsko planiranje)
  • Activity: computer programming (NKD 62.10.9)

Elevera Studio is not registered for VAT and is not part of the Croatian VAT (PDV) system, so no VAT identification number is issued (in line with § 90 of the Croatian VAT Act and § 27a UStG). We have not appointed a separate Data Protection Officer; for any privacy matter please contact us using the details above.

Data we collect

We collect only the data we need to provide and operate Office. The categories of personal data are:

  • Account data: the names, email addresses and sign-in credentials of the administrators and users who set up and manage your organisation's account, plus their preferences and settings.
  • Employee and HR records: the personal data your organisation enters about its own people, such as contact details, contracts, roles, absence and leave, onboarding, performance and recruiting information. For this data Office is a processor and your organisation is the controller.
  • Billing data: subscription and payment details handled through our payment provider Stripe. We do not store full card numbers ourselves; Stripe processes the payment and returns only the information we need to manage your subscription.
  • Technical and usage data: information generated automatically when you use the service, such as IP address, device and browser type, log and security event records, and the basic usage data needed to keep the service running and secure.

We do not set analytics or marketing cookies and we do not buy personal data from third parties.

How we use your data

We use personal data for the following purposes:

  • To provide, operate and maintain the Office service and your account.
  • To authenticate users, keep accounts secure and prevent abuse or fraud.
  • To process subscriptions, invoices and payments through Stripe.
  • To provide support and to respond to your requests and questions.
  • To send essential service and transactional messages, such as sign-in, account and billing notifications.
  • To improve reliability and to diagnose and fix technical problems.
  • To comply with our legal and accounting obligations.

We do not use your data for advertising and we do not sell personal data. We do not carry out automated decision-making that produces legal or similarly significant effects.

Sharing and sub-processors

We do not sell personal data and we do not share it for advertising. We share data only with the service providers we rely on to run Office, and only as needed to deliver the service. These providers act as our sub-processors under data processing agreements:

  • Supabase: Postgres database, authentication and file storage, hosted in an EU region.
  • Vercel: web hosting and content delivery (CDN).
  • Stripe: subscription billing and payment processing.
  • Resend: transactional email delivery.

The current, complete list of sub-processors is maintained on our Sub-processors page. We may also disclose data where we are legally required to do so, or to protect our rights and the safety of users.

Where your data is stored (EU residency)

Office is built for European teams and your data is stored with EU data residency. Our database, authentication and file storage run in an EU region.

We do not make silent cross-border transfers of your personal data. Where any provider involves processing outside the EU or EEA, it takes place only under an appropriate safeguard recognised by the GDPR, such as the European Commission's Standard Contractual Clauses, and only where it is necessary to deliver the service.

How long we keep data

We keep personal data only for as long as it is needed for the purpose it was collected for, and then we delete or anonymise it.

  • Account and HR records are retained for the life of your account. When your organisation ends its account, we delete or return the data within a reasonable period, except where we must keep it to meet a legal obligation.
  • Billing and accounting records are kept for the statutory retention periods that apply to invoices and tax records.
  • Technical and security logs are kept for a limited period needed to operate and secure the service.

Where your organisation is the controller of employee and HR records, retention follows your organisation's instructions and the statutory windows that apply to those records.

Your rights

Under the GDPR you have the following rights in relation to your personal data:

  • Access: to obtain confirmation of whether we process your data and a copy of it.
  • Rectification: to have inaccurate or incomplete data corrected.
  • Erasure: to have your data deleted where the conditions are met.
  • Restriction: to limit how we process your data in certain circumstances.
  • Portability: to receive your data in a structured, commonly used, machine-readable format.
  • Objection: to object to processing based on our legitimate interests.
  • Withdraw consent: to withdraw consent at any time where processing relies on it.
  • Complain: to lodge a complaint with a supervisory authority.

To exercise any of these rights, contact us at hello@eleverastudio.com. If you believe we have not handled your data lawfully, you may complain to your local supervisory authority. In Croatia this is the Croatian Personal Data Protection Agency (AZOP). If your request concerns employee or HR records, your employer is the controller, so please direct it to them; we will support them as their processor.

Consumers in the EU may also use the European online dispute resolution platform at https://ec.europa.eu/consumers/odr/.

Cookies

We keep cookies to a minimum. Today we set only an essential sign-in session cookie, a cookie that remembers your language preference and the cookie that stores your cookie-consent choice itself. We do not set analytics or marketing cookies.

You can review the details and manage your choice in our consent panel. For the full description, see our Cookie Policy.

Security

We protect your data with measures appropriate to its sensitivity, including EU data residency, row-level isolation between organisations, least-privilege access, private document storage and an append-only audit trail for sensitive actions.

For a full description of how we protect your data, see our Security page. No system can be guaranteed perfectly secure, but we work to a high bar and review our controls regularly.

Our role: controller and processor

It is important to be clear about who controls which data, because it determines who you contact about your rights.

  • Office as controller: for account data (administrator names, emails and sign-in credentials), billing data and website and technical data, Office (Elevera Studio) decides why and how the data is processed, so it is the controller.
  • Office as processor: for the employee and HR records your organisation enters, your organisation decides why and how the data is processed and is the controller. Office processes that data only on your organisation's documented instructions, as its processor.

If you are an employee whose data was entered by your employer, your employer is the controller of that data. Please direct access, correction or deletion requests to your employer; we will assist them in meeting your request.

Changes to this policy

We may update this Privacy Policy from time to time, for example to reflect changes to the service, to our sub-processors or to the law. When we make a material change, we will update the date shown at the top of this page and, where appropriate, notify you.

We encourage you to review this page periodically. Your continued use of Office after an update means you accept the revised policy.

Contact us

If you have any question about this policy or about how we handle your personal data, please contact us:

  • Elevera Studio (obrt za računalno programiranje, vl. Petar Markota)
  • Ulica Stjepana Draganića 9, 10000 Zagreb, Croatia
  • Email: hello@eleverastudio.com
  • Phone: +385 99 833 4349

We will respond to genuine privacy requests as soon as we reasonably can and within the timescales required by the GDPR.