Privacy policy (processing notice)
Notice version: 2026-05-19
This notice describes processing on the hosted Fascikle instance at fascikle.com. For the cloud service, GraMix d.o.o. acts as a processor hosting the application and technically processing data (accounts, documents, logs) on behalf of customer organisations. Your organisation remains responsible for document content and access decisions — data subject requests about documents should first go to that organisation's administrator. The operator identity may change; an updated version will be published on this page.
Roles in processing (Serbian DPA / GDPR)
- Your organisation (tenant) — typically the controller for document content, staff access, and internal retention decisions.
- GraMix d.o.o. — processor for the hosted Fascikle cloud: stores data on servers, provides login, OCR, audit, and e-signature features on the organisation's instructions, under the terms of use and this notice.
- You as a user — data subject for account data (email, profile). For archive documents, contact your organisation's administrator first.
What data we process
- Account: email, password hash (if used), optional display name and phone, Google account identifier (google_sub) if you use Google sign-in, registration date, accepted terms and privacy version.
- Organisation: name, member roles, invitations, access settings.
- Documents: metadata (title, folder, file path), file contents on disk, OCR text for search, versions and share links if used.
- E-signature (simple): signer name, signature image, consent text and checkbox, consent ID, timestamp, audit log entry — when your organisation sends a document for signature.
- Security and audit: activity log, IP address and time where the application records them for security.
- Internal messages within an organisation, if enabled.
- Server technical logs (access, errors) — standard for hosting; not used for profiling or advertising.
We do not sell personal data. We do not use Google Analytics, Meta pixel, or similar behavioural tracking on the site. The operator may keep internal aggregate visit statistics for public pages (page views and visitor counts, IP as a hash) solely to operate the service — not for ad profiling.
Purpose and legal basis
- Contract / use of the service — account, archive, search, sharing, OCR, messages, e-signature at the organisation's request.
- Legitimate interest — security (audit, abuse prevention), system maintenance, stability.
- Legal obligation — where law requires keeping certain records.
- Consent — for e-signature (signer confirms via checkbox); for marketing (we do not send any currently) we would use a separate opt-in.
OCR and text search are not “automated decision-making” with legal effect on you — they help the organisation find documents in the archive.
The service is not directed at children under 16 without parental consent.
Cookies
We set only cookies strictly necessary for the application to work. We do not use cookies for ads, profiling, or third-party visit analytics. Therefore we do not show an “Accept cookies” banner — there are no cookies that require consent before loading.
| Name | Purpose | Duration |
|---|---|---|
| FASCIKLESESSID | Sign-in and session (security) | Session; up to ~30 days if you enable “Remember me” |
| FASCIKLE_LANG | Chosen interface language (sr/en) | Up to 1 year |
You can delete cookies in your browser settings; that ends your signed-in session. Google sign-in is also subject to Google's policies (they may set their own cookies on their domains).
Recipients and subprocessors
We do not sell data. Only authorised staff of the operator (GraMix d.o.o.) access data for maintenance and support, as needed. Your organisation controls which team members see documents.
- Hosting (application server) — database and archive file storage.
- OCR server: for some PDFs and images, content is temporarily sent to a separate server for text recognition (HTTPS, shared secret). Files are not kept longer than needed for processing.
- Email (SMTP) — invitations, registration confirmation, signature and share notifications, per installation settings.
- Google — only if you choose “Sign in with Google” (authentication under Google OAuth policies).
If servers are located outside Serbia or the EU/EEA, appropriate contractual or technical safeguards (e.g. standard contractual clauses, risk assessment) are required — provided by the installation operator.
Security
We use HTTPS, sessions with HttpOnly and SameSite, password hashing, per-organisation (tenant) access control, and audit logging where enabled. You are responsible for password strength and device security. The cloud service operator provides automatic backups of the production installation (database and archive file storage) at least once every 24 hours, stored at a separate external location (infrastructure separate from the primary application server). Copies are retained for a limited number of days before rotation, per the operator's operational policy. Restore and extra copies for special regulatory needs are not part of the standard model unless otherwise agreed. Your organisation may also keep its own copies where law or business needs require.
Retention
Account and document data are kept while the account exists and while the organisation retains content in the archive, unless law requires longer retention (e.g. accounting records — the organisation's responsibility). After account or organisation deletion, data is removed per operator procedures and backups (backups may retain copies for a limited time before rotation).
Data subject rights
Under the Serbian Personal Data Protection Act (ZZPL) and the GDPR where applicable, you have the right to: access, rectification, erasure (“right to be forgotten”), restriction, objection, and data portability — within the limits of law and the organisation's legitimate interests (e.g. document retention duties).
- Archive documents — contact your organisation's administrator first.
- Account, language, profile — in the app: My account.
- Activity log — view within your organisation where enabled.
For requests regarding processing by the hosting operator, contact the address provided by your organisation's administrator or the support details published on the service website. A dedicated privacy email may be published in a later version of this notice.
Complaint to the supervisory authority
If you believe processing of your data is unlawful, you may lodge a complaint with: Commissioner for Information of Public Importance and Personal Data Protection (Serbia), Bulevar kralja Aleksandra 15, 11000 Belgrade — www.poverenik.rs. Please contact us first so we can try to resolve your request directly.
Changes to this notice
Updates are published on this page with a new version number. Material changes may require renewed acceptance on registration or sign-in. The version date is shown at the top of this page.
© 2026 Fascikle