DDD Invoices, elektronsko fakturiranje, d.o.o.
Letališka cesta 32J
1000 Ljubljana, Slovenia
Company reg. no.: 9366288000
VAT ID no.: SI 61609820
website: https://dddinvoices.com/
Email: [email protected]
owned by DDD Invoices LTD, with a registered office at 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ, company number 15647926
(hereinafter jointly referred to as: DDD Invoices, we, us, our, or the company).
A data protection officer has been appointed and is available at [email protected].
This notice applies exclusively to personal data processing activities where DDD Invoices acts as a data controller, including in particular the registration and management of user accounts, billing and invoicing of services provided through the DDD Invoices Platform (hereinafter: the Platform), user authentication, communication with users, and compliance with legal obligations.
All other personal data processing activities carried out in the course of providing the Platform and its services, where DDD Invoices acts as a data processor on behalf of its customers, are governed by the Data Processing Agreement (DPA), which is concluded at the time of user account registration and is available at the following link: https://dddinvoices.com/data-processing.
Unless otherwise stated, capitalised terms used in this Privacy Policy (such as Personal Data, Processing, Controller, Processor, etc.) shall have the meaning ascribed to them under Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).
For the purposes of this Privacy Policy, the following definitions apply:
| PERSONAL DATA | TYPES OF DATA | CATEGORIES OF DATA SUBJECTS | DATA RETENTION TIMESCALES* | LEGAL BASIS FOR PROCESSING, PURPOSES OF PROCESSING AND TYPES OF PROCESSING OF PERSONAL DATA** |
|---|---|---|---|---|
| Account registration and management | Email address, first name, last name, phone number, account credentials, account status, communication preferences | Registered users, prospective users | Duration of the account and 2 years after account deletion | Processing necessary for the performance of a contract or steps prior to entering into a contract (Art. 6(1)(b) GDPR). Processing includes user identification, authentication, account access management, and support. |
| Provision and maintenance of the Service | Usage Data, IP address, device identifiers, browser type and version, operating system, access logs, timestamps | Users of the Service | Up to 24 months from collection, unless longer retention is required for security or legal purposes | Legitimate interest in ensuring functionality, security, and performance of the Service (Art. 6(1)(f) GDPR). Processing includes monitoring, diagnostics, security logging, and system optimisation. |
| Billing, payments and invoicing (DDD Invoices services) | Billing details, invoice metadata, transaction references, statistical financial data (non-content), company identifiers | Users (customers) | 10 years in accordance with accounting and tax legislation | Processing necessary for compliance with legal obligations (Art. 6(1)(c) GDPR) and performance of contract (Art. 6(1)(b) GDPR). Processing includes invoicing, payment tracking, accounting, and audits. |
| Customer support and communication | Email address, phone number, message content, support tickets, communication metadata | Users, prospective users | 2 years from the last communication | Processing necessary for contract performance or pre-contractual steps (Art. 6(1)(b) GDPR). Processing includes responding to inquiries, troubleshooting, and service communication. |
| Details of individuals opted-in to newsletters or commercial communication | Consent. | Data subjects: Individuals who have subscribed to receive our marketing messages. Data includes: email address, name (optional), subscription preferences. | Until consent is withdrawn. Individuals can opt-out via each email or by contacting the company. | On the basis of consent, the company may process the data solely for the purpose of sending commercial and informational content (e.g., storage in the email system, sending newsletters, tracking delivery, unsubscribing). |
| Marketing and service updates | Email address, usage metadata, service preferences | Users, prospective users | Until withdrawal of consent or 2 years after last interaction | Legitimate interest or consent, where required (Art. 6(1)(a) or (f) GDPR). Processing includes newsletters, feature announcements, and promotional communications. |
| Management of user requests and rights | Identification data, request content, communication logs | Users, data subjects | 5 years from request resolution | Compliance with legal obligations under data protection law (Art. 6(1)(c) GDPR). Processing includes handling access, erasure, objection, and other GDPR rights. |
| Communication channels (email, website chat tools) | Name and/or surname (if provided), e-mail, content of communication, call recordings (if applicable), call metadata (date, duration) | Individuals communicating with the company. | Call recordings – up to 6 months; other correspondence – up to 5 years from last contact. | Legitimate interest in ensuring service quality, accuracy of information and follow-up (Art. 6(1)(f) GDPR). Where conversations are recorded – consent (Art. 6(1)(a) GDPR). Processing includes recording, storage, review and deletion after retention period. |
| Website usage data and cookies | IP address, browser and operating-system details, page views, unique identifiers, cookie preferences (see Cookie Policy). | Website visitors | According to each cookie’s lifetime (see Cookie Policy). | Necessary cookies – legitimate interest (Art. 6(1)(f) GDPR); analytical/marketing cookies – consent (Art. 6(1)(a) GDPR) (see Cookie Policy). Data processed to ensure website operation, security, analytics and content personalisation. |
| Legal obligations and dispute resolution | Identification and contact details, relevant communications, contractual and procedural documents, etc. | Customers, partners, suppliers or other individuals involved in legal or administrative proceedings | Until completion of proceedings and, where necessary, up to 10 years thereafter. | Legal obligation and legitimate interest to assert or defend legal claims (Art. 6(1)(c), 6(1)(f) GDPR); processing of special-category or offence-related data where necessary for the establishment, exercise or defence of legal claims (Art. 9(2)(f) GDPR). |
| Survey on satisfaction of users of the company's services or products | Email address of the individual Any personal data that the individual includes in the survey | Personal data of the individual who agreed to complete and submit the questionnaire. | The company does not store email addresses and other personal data that may be obtained from the receipt of the survey questionnaire. | Based on the consent of the individual who had submitted the questionnaire, the company will process any personal data for the purpose of evaluating or taking into account the information provided in the questionnaire. |
*The Company reserves the right in certain cases based on its legitimate interests to keep certain data longer than the time limits set out above (e.g. in the case of an inspection procedure in connection with a product or service, where data on the client is officially requested or needed to protect the interests of the company), whereby in all such cases the company will limit the retention of data to those data which are necessary for the pursuit of such legitimate interest. The data subject may always request the erasure of the data by sending his or her request to the following official e-mail address: [email protected]
We may process personal data in order to carry out contracts that may have already been concluded between our company and our customers (e.g. to carry out contracts for the sale of goods).
A contractual legal basis for the processing of personal data also exists when we communicate with potential buyers before they conclude a contractual relationship (i.e. place their order) (as further described in the table above).
Where negotiation of a contract or the existence of a contract is stated in the table above as the legal basis for processing, we are not required to obtain your explicit consent when processing your personal data, as the legal basis for processing stems from the fact that you have entered into a contractual relationship with or from the fact that you are negotiating or communicating with us about the potential conclusion of a contract.
If in certain cases where the processing of personal data is based on a contractual relationship (or the negotiating of a contractual relationship) we have with you (or which you desire to enter into), you do not provide us with the required data, this shall in principle have no consequences for you. However, such situations may make our cooperation more difficult or even impossible (e.g. we cannot sell our products without processing your delivery details or the necessary data for issuing the invoice), whereby we shall try to duly notify you prior or after the occurrence of such situations.
The company also processes personal data in order to comply with its legal obligations particularly those governing taxes and accounting (e.g. records of issued and received invoices, etc.) (i.e. when possible legal requirements exist under which we might be required to forward personal data to a duly appointed public authority or third party citing relevant parts of the applicable and binding legislation and based on their explicit request).
The company may also process your personal data on the basis of your explicit consent, where this had been indicated in the table above. An example of this is the explicit consent of the visitor of the website, namely his voluntary declaration of will, with which he agrees to the processing of certain personal data for a certain purpose (e.g. marketing communication with people who are not yet our customers (see point 1.5. of this notice) (if we have obtained your explicit consent for this purpose in our branch office, on our website, etc.), whereby we process information on the person who gave their consent, namely their contact details (email address) for the purposes of sending customised advertising messages or "newsletters" (as described in the table above)). Receiving this kind of communication can be cancelled at any time by following the link contained in each email message, or by contacting us at [email protected].
An example of consent based processing can also be found in situations where our company might be showing visitors of its website its online ads (see point 1.5. of this notice). This is applicable when a visitor agreed with the installation of optional (advertising) cookies which are provided by our advertising partners (e.g. installation of the Google Analytics cookie, which makes it easier for us to advertise our products on other websites, etc.). The exact list of optional cookies which are provided by our advertising partners, the data that is processed, as well as their retention periods is available in our Cookie Policy.
Cooperating with us and using the services of our company are not, in principle, conditioned on your consent for the processing of personal data, insofar as this is not logically required for the performance of such services or required for cooperation (see section 1.1. of this chapter).
The company guarantees each individual the right to easily revoke his express consent at any time i.e. by contacting us at [email protected].
The withdrawal of consent does not affect the lawfulness of the processing that had been carried out on the basis of such consent until the moment of its withdrawal.
In the event that you do not give consent for the processing of personal data, give it in part or withdraw consent (as a whole or in part), we shall, where possible, cooperate with you only to the extent of your consent or in the ways permitted by applicable law.
Consent is voluntary and if you choose not to give it, or withdraw it later, this in no way interferes with your other rights that might arise from the business relationship you have with our company, or constitutes additional costs or aggravating circumstances for you.
Certain personal data may be processed for the purpose of securing our legitimate interests (e.g. for example, where the processing of your data would be necessary in order for us to secure our operations e.g. protect our business against potential fraud or required in inspection procedures that are carried out by duly appointed public authorities or litigious and other procedures, we shall process only those data that are strictly necessary to pursue these legitimate interests of our company).
The applicable legislation also allows us to process personal data for the purposes of sending marketing communications to existing customers* (e.g. we may send email messages to persons who have previously purchased our products), whereby we process the contact details of such persons (first name, last name, email address) for the purposes of sending customised advertising messages or "newsletters". Receiving this kind of communication can be cancelled at any time by following the link contained in each email, or by contacting us at [email protected].
The company may also process the personal data of an individual in cases where the processing is necessary in order to protect the vital interests of such individuals or other natural persons.
The period of retention of personal data depends on the legal basis and purpose of processing. Personal data is kept for as long as it is necessary to fulfil the purpose for which the data was collected, or as long as a regulation requires that we must keep it. Please see the table at the beginning of section 1 of this notice for more information.
Personal data shall be deleted, destroyed, blocked or anonymized after the purpose of processing has been fulfilled or consent has been withdrawn.
Your personal data is processed by individual employees of our company. Employees of the company process only those personal data that they need for their work, but they can also share them with each other if their work tasks and internal rules of the company allow them to do so. All employees are committed to confidentiality and the protection of personal data.
In certain cases prescribed by applicable law, the company must provide or report your personal data to the competent state authorities as well as to the authorities responsible for financial, tax or other control. In certain cases, the company is compelled to provide data to third parties if such an obligation to provide or disclose the data is imposed on the company by law or on the basis of a valid legal right of a third party.
In addition to employees of the company, employees of contractual processors of the company can also act as users of your personal data are, whereby they may only process personal data as confidential information on behalf of the company and within the scope and purposes that are laid down by the data processing agreement, which the company has entered into with any such processor. Contractual processors may only process personal data in the context of the company 's instructions since the company is acting as the controller of company personal data, and may not use the data to pursue any other self-interest.
The company cooperates with the following types of data processors:
The company shall not pass on your personal data to unauthorised third parties.
To obtain an accurate list of all contractual processors of the company, please send your request to [email protected].
If you agree to the installation of optional cookies (see Chapter 4. Cookies), we may share certain technical information and other information we record about visitors regarding their interaction with our website with our advertising partners:
In these cases, in addition to cookies, we may also use their tools (Google Analytics, Facebook Business Manager) and services (Google Display Network, Google Customer Match, Facebook Pixel, Facebook Lookalike Audiences, Facebook Custom Audiences) so that we may tailor our ads to your interests and the way you use social networks and other websites that also use the services of our advertising partners (e.g. Facebook, Google Search, Youtube, websites included in the »Google Display Network«, etc.). In these cases, we only share the personal information we collect through cookies and tracking pixel technologies with our advertising partners.
Also, our advertising partners may try to compare the information they receive from us with the information they already keep about you (e.g. in connection with your Facebook user profile or your Gmail email address) and consequently determine the optimal time and place (e.g. page, which you access) to display our ads. Our advertising partners also provide us with feedback on the reach and performance of our ad campaigns (i.e. aggregated data on ad clicks and purchases). If you do not want us to collect, share and process your data in the manner described above, you may not consent to the installation of cookies to your device when visiting our website, or you may delete cookies which have already been installed at any time. (see Chapter 4. Cookies). However, certain ads may still randomly appear to you while using social networks and other websites that use the services of our advertising partners.
If you agree to the installation of advertising cookies, we may also use the Google Customer Match service in order to share certain data (e.g. email addresses) with Alphabet Inc. as (SHA256) encrypted data. Google Inc. in this case shall not receive actual email address data since the data shall be encrypted before the transfer and then compared with data Alphabet Inc. may already have about a particular Google service user. The purpose of such transmission and comparison of data is to place certain individuals in groups based on their interests in order to better display our ads.
An accurate list of the data our partners collect for these purposes, the cookies and tracking pixels that make this possible, the advertising services which are also used in relation to this, as well as the storage time of the collected data and the procedure for removing an individual cookie can be found on our Cookie Policy.
Hosting, data storage and security
Our website and the personal data you provide to us through it (for example, when communicating via the contact form) are hosted and stored by our hosting providers on servers located exclusively within the European Union.
We secure our data through multiple technical and organizational measures. Our infrastructure is distributed across multiple secured data centers, with the majority of data stored on the infrastructure of Contabo and Dediserve. These providers implement their own security mechanisms and also apply recognized security standards, including ISO 27001, ISO 9001, or equivalent local certifications, as well as physical security measures. More information about these providers is available in their respective terms of service: Dediserve and Contabo
All data centers used for hosting and storage are located in the EU.
In addition, selected sensitive financial data fields (such as account balances within the Service) are encrypted. Access to production systems is strictly limited, and unauthorized employees of DDD Invoices do not have physical access to the production environment.
We may cooperate with service providers for sending electronic and other commercial messages, within which the email addresses or telephone numbers of those individuals who have explicitly agreed to such processing may be processed (see section 1.5.). To obtain information on our email marketing or newsletter service provider, please send your request to [email protected].
As a rule, the company does not export personal data to third countries (i.e. outside of the European Union, Iceland, Norway and Liechtenstein) and to international organisations. Exceptions to this are the occasional transfer of certain technical and personal data to the servers of the abovementioned processors, which are located in the USA (e.g. the automatic transfer of certain data collected by cookies and tracking pixels that are provided by Google Inc. or Facebook Inc. to their servers, the entry of an email addresses into our tools for sending commercial messages, etc.), whereby the contractual processors concerned are former members of the Privacy Shield program (https://www.privacyshield.gov/) who after the 12th of July 2020 respect and have put in place the required security measures (i.e. standard contractual clauses) regarding the receipt or transfer of data that are considered appropriate at the time that this document has been prepared (i.e. the post privacy shield invalidation requirements) or have duly undergone and achieved full self-certification in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (i.e. the new EU-USA data transfer framework as per the stated adequacy decision from the 10th of July 2023).
You can obtain more detailed information on user categories, contract processors and data transfers by sending us your request to: [email protected].
For a list of cookies and to manage your cookie settings, please visit our Cookie Policy.
In connection with this general information on the processing of personal data or regarding the processing of your personal data by our company and our contractual processors, you can contact us at any time and without hesitation via [email protected].
You can also contact us via the email mentioned above in order to send us your specific requests and requirements and for exercising your other rights, which relate to your personal data and applicable local legislation or the GDPR.
As a data subject, the GDPR grants you the following rights:
You have the right to obtain from the company as the controller of personal data confirmation, whether personal data are processed in relation to you and, where applicable, request access to the personal data concerned together with the information referred to in Article 15 (1) of the GDPR:
When personal data is transferred to a third country or international organisation, you, as the data subject, have the right to be informed of appropriate safeguards in accordance with Article 46 of the GDPR Regulation in respect of such a transfer.
As a controller of personal data, the company can also provide you with a copy of the personal data that are processed. For any further copies requested by you, the company may charge a reasonable fee based on administrative costs.
Where the data subject submits the request by electronic means, and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic form (i.e. excel spread sheet or other such form).
The data subject has the right to obtain that the company, as the controller of personal data, corrects inaccurate personal data concerning him without undue delay.
The data subject has the right to supplement incomplete personal data, including the submission of a supplementary statement, taking into account the purposes of the processing. Regarding the above-mentioned, an individual can contact the company via email at [email protected].
The data subject has the right to request that the company, as the controller of personal data, correct inaccurate personal data concerning him without undue delay. However, the company shall delete personal data without undue delay even when one of the following reasons apply: when, as a data subject, you dispute the accuracy of the data, for a period that allows the company to verify the accuracy of the personal data; where the processing is unlawful and you as a data subject oppose the erasure of personal data and instead request a restriction on their processing; when the company no longer needs personal data for the purposes of processing, but you, as the data subject, need said data to assert, enforce or defend legal claims; when you, as a data subject, lodge an objection to the processing and until it is verified that the legitimate interests of the company as the controller prevail over your interests (i.e. the interests of the data subject).
Pursuant to Article 17 (3) of the GDPR, in certain cases you do not have the right to have your personal data deleted by the company (e.g. when the company processes data for the purposes of asserting, enforcing or defending legal claims).
If, as an individual, you have consented to the processing of your personal data for one or more specific purposes (see point 1.3 of this general information on the processing of personal data), you have the right to revoke your consent (i.e. opt-out) at any time, without prejudice to the lawfulness of the processing of data carried out on the basis of consent until its revocation.
Your consent to the processing of personal data for the purposes described in this information is voluntary. Consent to data processing can be restricted or revoked at any time by contacting us at [email protected].
In the event of revocation of consent or partial consent, the company reserves the right, as far as possible, to cooperate with you only to the extent of the given consent or in the ways permitted by applicable law.
Your consent to the processing of personal data is always voluntary and if you choose not to provide it or cancel it later, this in no way interferes with your other rights, arising from the business relationship with the company or the GDPR regulation. In these cases you shall not incur any additional costs or expenses.
As a data subject, you have the right to have the company, as controller, restrict the processing of your personal data when one of the following cases applies: when, as a data subject, you dispute the accuracy of the data, for a period that allows the company to verify the accuracy of the personal data; where the processing is unlawful and you as a data subject oppose the erasure of personal data and instead request a restriction on their processing; when the company no longer needs personal data for the purposes of processing, but you, as the data subject, need said data to assert, enforce or defend legal claims; when you, as a data subject, lodge an objection to the processing and until it is verified that the legitimate interests of the company as the controller prevail over your interests (i.e. the interests of the data subject).
Where the processing of personal data has been restricted, such personal data, with the exception of their storage, shall be processed only with the consent of the data subject or to assert, enforce or defend legal claims or to protect the rights of another natural or legal persons.
Where the company, as the controller, achieves a processing restriction, it shall inform the data subject before lifting the processing restriction.
As an individual, you have the right to receive personal information about you that you have provided to the company in a structured, commonly used and machine-readable form, and you have the right to pass this information on to other controllers, without being hindered by the company, when processing is based on consent or a contract and processing is carried out with automated means.
As a data subject, in exercising the right of portability, you have the right to have personal data transferred directly from one controller (e.g. the company) to another where technically feasible.
As a data subject, you have the right, on grounds relating to your specific situation, to object to the processing of personal data concerning you where the processing is necessary for the performance of a task in the public interest or in the exercise of an official authority which has been granted to the company or where the processing is necessary for legitimate interests pursued by the company or a third party, except where such interests are outweighed by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular when the data subject is a child. The above also applies to the creation of profiles in such cases of processing.
In the event that you object, the company shall stop processing personal data unless it can prove that the legitimate interests for processing outweigh the interests, rights and freedoms of you as a data subject, or that the processing is necessary for the enforcement, implementation or defence of legal claims.
When personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data relating to them for the purposes of such marketing, including the creation of profiles insofar as such direct marketing is concerned.
Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for those purposes.
As part of using information society services, you, as a data subject, can exercise your right to object to processing by automated means technical specifications.
Where data are processed for scientific or historical-research purposes or for statistical purposes, you as the data subject have the right to object to the processing of data relating to you for reasons related to your particular situation, unless the processing is necessary for the performance of a task carried out by reasons of public interest.
If you believe that the processing of personal data carried out by the company in relation to you violates the rules on personal data protection, you, without prejudice to any other (administrative or other) remedy, have the right to lodge a complaint with the supervisory authority in the country in which you have your habitual residence, in which your place of work is located, or in which the violation allegedly occurred. In Slovenia the supervisory authority is the State Data Protection Inspectorate:
A list of other national supervisory authorities and their contact information can be found here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
The company carefully stores and protects personal data through organisational, technical and logical technical procedures and measures to protect data from accidental or intentional unauthorised access, destruction, alteration or loss, and unauthorised disclosure or other form of processing to which you have not expressly consented.
To this end, the company has also adopted appropriate internal processes and set up various measures (e.g. assigning, using and changing passwords, locking premises, offices, server and workstation locations, regularly updating software and upgrading security-critical components, physically protection of material containing personal data in specially designated places, training of employees, etc.). The company also demands these security commitments from its contractual processors.
If you visit the website and consent to the installation of analytical cookies on your device (see Chapter 4. Cookies), such cookies shall automatically process certain technical and personal data (e.g. the number of website visits, average time of each visit, the pages that were visited - for a detailed list, please see our Cookie Policy).
Performing advertising activities with the help of the tools and services of our advertising partners (see sections 1.5. and 3.4.1.) is also done in an automated way (i.e. without direct processing by our employees) and may result in the creation of user profiles on the part of our advertising partners, whereby they may collect, analyse and link certain economic, interest and behavioural indicator of our customers on our website and on other websites, so that the performance of our ads may be optimised and our marketing communications be more relevant (e.g. linking your visit of our website to the demographic information from your Facebook profile and your interest that you share on the social network for the purpose of optimising the performance of our ads, linking your visit of our website to your visits of other websites and the products you have purchased for the purpose of optimising the performance of our ads, linking the fact that you opened a marketing message and clicked on a link and made a purchase for the purposes of adjusting the offer in our next marketing message).
You may unsubscribe from the abovementioned automated processing of your personal data at any time by following the link contained in each email message, by deleting the relevant cookies (see our Cookie Policy) or by contacting us at [email protected].
The company does not accept orders from persons under the age of 18 or persons with limited or deprived legal capacity. All such persons must leave the website immediately before confirming the installation of cookies or performing other interactions with the website.
The purchase process was created following the principle of personal data minimization , whereby the company does not collect the age of its visitors or customers and any data relating to their legal capacity. As a result, the company does not have the means to economically and efficiently verify whether the use of the website, the execution of the purchase contract and the subsequent processing of the submitted personal data entail the processing of personal data of a person that is younger than 18 years of age or a person who does not have full legal capacity.
As a result, the company does not knowingly offer its products to persons under the age of 18 or persons with limited or deprived legal capacity and does not knowingly process any personal data related to them.
If the company subsequently finds out that it has processed the personal data of a person who is under the age of 18 or a person with limited or deprived legal capacity without the consent of his parent or guardian, the company shall do everything necessary to delete all provided personal data.
If the parents or guardian of the person under the age of 18 or a person with limited or deprived legal capacity find out that their child or the person in their care has used the online store of our website or has voluntarily provided his personal data to the company, they can inform the company about this and request the deletion of the relevant personal data at [email protected] .
You can contact us at the email address: [email protected] .
Version 2.0.
This notice had been published or last amended on the 29th of January, 2026.
DDD Invoices, elektronsko fakturiranje, d.o.o.
DDD Invoices is an enterprise-grade platform delivering a powerful infrastructure for creating, sending, receiving and storing electronic documents. DDD Invoices enables software providers like ERPs, SaaS, eCommerce, POS systems, accounting & invoicing softwares, billing services and others, to easily adhere to global invoicing compliance requirements and shorten their time-to-market.