Privacy Policy

Last Updated: December 29, 2025

1. Introduction & Scope

Heksagon Technologies ("Heksagon", "we", "us", "our") is committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR).  

This Privacy Policy explains how we collect, use, disclose, transfer, and safeguard your personal data when you:

- Visit our website www.heksagon.com

- Request product demos or services

- Subscribe to our newsletter

- Apply for employment

- Interact with us through any other means

By using our website or services, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are

Company Name: Heksagon Technologies Ltd.  

Registered Address: Nedeljka Cabrinovica 62, 11030, Belgrade, Serbia  

Website: www.heksagon.com  

General Enquiries: info@heksagon.com  

For any questions about how we handle your personal data or to exercise your privacy rights, please contact us at the email address above.

3. Personal Data We Collect

We collect personal data to provide you with our services, improve your experience, and comply with legal obligations. The table below outlines what we collect and why:

| Data Element | Mandatory | Purpose | Source |
| --- | --- | --- | --- |
| Full Name | Yes | Identity verification, communication | Directly from you |
| Email Address | Yes | Communication, account management | Directly from you |
| Job Title | Yes | Understanding your business needs | Directly from you |
| Company Name | Yes | Business context, marketing analytics | Directly from you |
| Phone Number | Yes | Direct communication, support | Directly from you |
| Postal Address | No | Service delivery, invoicing | Directly from you |
| IP Address | Automatic | Security, analytics, fraud prevention | Automatically collected |
| Browser Type | Automatic | Website optimization | Automatically collected |
| Device Information | Automatic | Technical support, compatibility | Automatically collected |
| Session Data | Automatic | User experience improvement | Automatically collected |
| Resume / CV | Conditional | Job application processing | Directly from you |
| Marketing Preferences | Optional | Targeted communications | Directly from you |

3.1 Special Categories of Data

We do not intentionally collect sensitive personal data (e.g., health information, racial/ethnic origin, religious beliefs, trade union membership) unless:

- Required by law (e.g., employment law compliance)

- You explicitly provide it for a specific purpose with your consent

4. How We Use Your Data

We process your personal data for the following purposes:

4.1 Service Delivery & Communication

- Respond to your enquiries and provide customer support

- Process demo requests and service quotations

- Manage your account and subscriptions

- Deliver products and services you've requested

4.2 Marketing & Business Development

- Send newsletters and promotional materials (with your consent)

- Conduct market research and customer surveys

- Analyze customer preferences and trends

- Improve our products and services

4.3 Website & Technical Operations

- Ensure website functionality and security

- Analyze website traffic and user behavior

- Prevent fraud and unauthorized access

- Conduct system testing and maintenance

4.4 Legal & Compliance

- Comply with legal and regulatory obligations

- Enforce our terms and conditions

- Protect our legal rights and interests

- Maintain business records for tax and accounting purposes

4.5 Recruitment

- Process job applications

- Assess candidate suitability

- Conduct background checks (where legally permitted)

- Maintain recruitment records

5. Legal Basis for Processing

Under GDPR, we must have a lawful basis to process your personal data. We rely on the following:

5.1 Consent

When you give us clear permission to process your data for specific purposes, such as:

- Subscribing to our newsletter

- Accepting cookies on our website

- Providing optional information

 

You can withdraw your consent at any time by contacting us or using the unsubscribe link in our emails.

5.2 Contractual Necessity

Processing is necessary to fulfill our contract with you or to take steps before entering into a contract, such as:

- Processing your service orders

- Providing technical support

- Delivering products or services you've purchased

5.3 Legal Obligation

We must process your data to comply with legal requirements, such as:

- Tax and accounting regulations

- Employment law requirements

- Anti-money laundering legislation

5.4 Legitimate Interests

We process data based on our legitimate business interests, provided these don't override your rights, such as:

- Improving our services and website performance

- Conducting business analytics and research

- Preventing fraud and ensuring security

- Direct marketing to existing customers (unless you opt out)

6. Cookies & Tracking Technologies

6.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide you with a better experience and understand how our website is used.

6.2 Types of Cookies We Use

Strictly Necessary Cookies

These cookies are essential for the website to function properly. They cannot be disabled.

- Session management

- Security features

- Load balancing

Performance Cookies

These cookies collect information about how you use our website to help us improve it.

- Page response times

- Error messages

- User navigation patterns

Example: Google Analytics

Functional Cookies

These cookies enable enhanced functionality and personalization.

- Language preferences

- Login status

- Form auto-fill

Marketing/Targeting Cookies

These cookies track your browsing activity to deliver relevant advertisements.

- LinkedIn Insight Tag

- Facebook Pixel

- Google Ads remarketing

We only use marketing cookies with your consent.

6.3 Third-Party Cookies

Our website uses the following third-party services that may set cookies:

| Service | Purpose | Privacy Policy |
| --- | --- | --- |
| Google Analytics | Website analytics | Google Privacy Policy |
| LinkedIn | Professional networking, advertising | LinkedIn Privacy Policy |
| CRM Software | CRM, Marketing Automation | Heksagon Privacy Policy |

6.4 Managing Cookies

You can control cookies through:

- Browser settings: Most browsers allow you to refuse or delete cookies

- Cookie consent banner: Adjust your preferences when you first visit our site

- Opt-out tools: Use third-party opt-out mechanisms (e.g., [Your Online Choices](http://www.youronlinechoices.com/))

 

Please note: Disabling cookies may affect your ability to use certain features of our website.

 

For more information about cookies, visit www.allaboutcookies.org

7. Data Sharing & International Transfers

7.1 Within Heksagon

We may share your data within our company group for administrative, technical, and business purposes.

7.2 Third-Party Service Providers

We share your data with trusted service providers who help us operate our business:

| Category | Examples | Purpose |
| --- | --- | --- |
| Cloud Hosting | AWS, Microsoft Azure | Data storage and processing |
| Email Services | Mailchimp, SendGrid | Marketing communications |
| CRM Systems | HubSpot, Salesforce | Customer relationship management |
| Analytics | Google Analytics | Website performance analysis |
| Payment Processors | Stripe, PayPal | Transaction processing |
| Recruitment Platforms | LinkedIn, Job Boards | Candidate sourcing |

All service providers are contractually bound to:

- Process data only on our instructions

- Implement appropriate security measures

- Maintain confidentiality

7.3 Legal Disclosures

We may disclose your data when required by law or to:

- Comply with legal processes (court orders, subpoenas)

- Protect our rights and property

- Prevent fraud or criminal activity

- Respond to government or regulatory requests

7.4 International Data Transfers

Your personal data may be transferred to and processed in countries outside Serbia and the European Economic Area (EEA), including:

- United States

- United Kingdom

- Singapore

- Other countries where our service providers operate

 

When we transfer data internationally, we ensure appropriate safeguards through:

 

For UK/EU transfers:

- EU Standard Contractual Clauses (SCCs) approved by the European Commission

- UK International Data Transfer Agreement (IDTA)

- Adequacy decisions (for countries recognized as providing adequate protection)

 

For other transfers:

- Contractual safeguards equivalent to GDPR requirements

- Additional security measures as appropriate

7.5 Business Transfers

If Heksagon is involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the new owner. We will notify you before your data becomes subject to a different privacy policy.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.

8.1 Retention Periods

| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Marketing & Enquiry Data | 3 years from last interaction | Business development, legitimate interest |
| Newsletter Subscribers | Until you unsubscribe + 30 days | Consent-based processing |
| Customer Account Data | Duration of relationship + 7 years | Contract performance, legal obligations |
| Job Applications | 6 months after recruitment process | Equality monitoring, legal compliance |
| Website Analytics | 26 months (anonymized after 14 months) | Service improvement |
| Financial Records | 7 years from transaction | Tax and accounting requirements |
| Legal/Compliance Records | As required by law | Legal obligation |

8.2 Data Deletion

After the retention period expires, we will:

- Securely delete or destroy personal data

- Anonymize data for statistical purposes (where applicable)

- Remove data from active systems and backups

 

You can request earlier deletion of your data by exercising your "right to erasure" (see Section 10).

9. Security Measures

We take data security seriously and implement industry-standard technical and organizational measures to protect your personal data from unauthorized access, loss, or misuse.

9.1 Technical Safeguards

- Encryption: SSL/TLS encryption for data in transit; AES-256 encryption for data at rest

- Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA)

- Firewalls: Network and application-level firewalls to prevent intrusions

- Secure Servers: Data hosted in secure, certified data centers (ISO 27001)

- Regular Backups: Encrypted backups with disaster recovery procedures

- Vulnerability Management: Regular security patching and updates

9.2 Organizational Safeguards

- Staff Training: Regular data protection and security awareness training

- Confidentiality Agreements: All employees and contractors sign NDAs

- Access Restrictions: Data access limited to authorized personnel only

- Incident Response Plan: Procedures for detecting and responding to data breaches

- Regular Audits: Internal and external security assessments

- Data Protection Impact Assessments (DPIAs): For high-risk processing activities

9.3 Your Responsibilities

While we implement robust security measures, you also play a role in protecting your data:

- Keep your passwords secure and confidential

- Use strong, unique passwords

- Log out of your account after use

- Report any suspected security incidents to us immediately at info@heksagon.com

 

Please note: No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Your Privacy Rights

Under GDPR and Serbian data protection laws, you have the following rights regarding your personal data:

10.1 Right of Access

You can request a copy of the personal data we hold about you, including:

- Categories of data processed

- Purposes of processing

- Recipients of your data

- Retention periods

- Your other rights

Response time: Within 1 month (extendable by 2 months for complex requests)

10.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

Example: Updating your email address or job title

10.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

- It's no longer needed for the original purpose

- You withdraw consent (where consent was the legal basis)

- You object to processing based on legitimate interests

- The data was unlawfully processed

- Legal obligations require deletion

 

Exceptions: We may refuse if we need the data for legal claims, compliance, or other lawful purposes.

10.4 Right to Restriction of Processing

You can request that we limit how we use your data when:

- You contest the accuracy of the data

- Processing is unlawful but you don't want deletion

- We no longer need the data, but you need it for legal claims

- You've objected to processing pending verification

10.5 Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and have it transmitted to another controller where:

- Processing is based on consent or contract

- Processing is carried out by automated means

10.6 Right to Object

You can object to processing based on:

- Legitimate interests: We must stop unless we demonstrate compelling legitimate grounds

- Direct marketing: We will stop immediately, no questions asked

- Automated decision-making: You can request human intervention

10.7 Right to Withdraw Consent

If processing is based on consent, you can withdraw it at any time. This won't affect the lawfulness of processing before withdrawal.

10.8 Right to Lodge a Complaint

If you believe we've violated your data protection rights, you can lodge a complaint with:

Serbian Supervisory Authority:  

Commissioner for Information of Public Importance and Personal Data Protection  

Address: Bulevar kralja Aleksandra 15, 11000 Belgrade, Serbia  

Phone: +381 11 3408 900  

Email: office@poverenik.rs  

Website: www.poverenik.rs/en

 

You also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work.

10.9 How to Exercise Your Rights

To exercise any of these rights:

1. Email: info@heksagon.com with subject line "Privacy Rights Request"

2. Mail: Heksagon Technologies Ltd., Nedeljka Cabrinovica 62, 11030 Belgrade, Serbia

What we need from you:

- Your full name and contact details

- Proof of identity (copy of ID or passport)

- Clear description of your request

- Any relevant reference numbers or dates

 

Our response time: Within 1 month (we'll inform you if we need more time)

 

Cost: Free of charge (unless requests are manifestly unfounded or excessive)

11. Data Breach Notification

11.1 Our Commitment

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

 

Within 72 hours:

- Notify the relevant supervisory authority (Commissioner for Information of Public Importance and Personal Data Protection)

 

Without undue delay:

- Notify affected individuals directly (via email or other appropriate means)

11.2 What We'll Tell You

Our breach notification will include:

- Nature of the breach (what happened)

- Categories and approximate number of individuals affected

- Categories and approximate number of records affected

- Likely consequences of the breach

- Measures we've taken or plan to take to address the breach

- Contact details of our Data Protection Officer

- Advice on steps you can take to protect yourself

11.3 Our Incident Response Process

We maintain a comprehensive incident response plan that includes:

- Early detection systems and monitoring

- Containment procedures to limit damage

- Investigation to determine cause and scope

- Notification procedures (internal and external)

- Recovery and remediation measures

- Post-incident review and lessons learned

 

If you suspect a data breach or security incident, please contact us immediately at: info@heksagon.com

12. Children's Privacy

12.1 Age Restriction

Our website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16.

12.2 Parental Notice

If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at info@heksagon.com, and we will:

- Verify the age of the individual

- Delete the data without undue delay

- Cease any further processing

12.3 Age Verification

When we have reason to believe a user may be under 16, we may request additional age verification before processing their data.

13. Third-Party Links

13.1 External Websites

Our website may contain links to third-party websites, plugins, and applications (e.g., LinkedIn, Twitter, YouTube). When you click on these links, you leave our website.

Important: We are not responsible for the privacy practices or content of these external sites. They have their own privacy policies, which we encourage you to review.

13.2 Social Media Features

Our website may include social media features such as:

- Share buttons (Facebook, LinkedIn, Twitter)

- Embedded content (YouTube videos)

- Social login options

These features may collect your IP address, track which pages you visit, and set cookies. They are governed by the privacy policies of the respective social media companies.

14. Policy Updates

14.1 Changes to This Policy

We may update this Privacy Policy from time to time to reflect:

- Changes in our data processing practices

- New legal requirements

- Technological developments

- Business changes

14.2 How We'll Notify You

For minor updates:

- We'll update the "Last Updated" date at the top of this page

- We encourage you to review this policy periodically

 

For significant changes affecting your rights:

- We'll send you an email notification (if we have your email address)

- We'll display a prominent notice on our website

- We'll seek new consent where required by law

14.3 Continued Use

By continuing to use our website or services after changes become effective, you accept the updated Privacy Policy.

14.4 Version History

You can request previous versions of this policy by contacting info@heksagon.com.

15. Contact Us

15.1 General Enquiries

Heksagon Technologies Ltd.  

Nedeljka Cabrinovica 62  

11030 Belgrade, Serbia  

Email: info@heksagon.com  

Website: www.heksagon.com

15.3 Response Time

We aim to respond to all enquiries within:

- General questions: 5 business days

- Data subject requests: 1 month (with possible 2-month extension for complex requests)

- Urgent security matters: 24-48 hours

15.4 Complaints & Escalation

If you're not satisfied with our response, you can:

1. Request escalation to our Chief Data Officer

2. Lodge a complaint with the Serbian supervisory authority (see Section 10.8)

3. Seek legal advice or pursue legal remedies

Additional Resources

- GDPR Full Text

- Serbian Data Protection Law

- Your Online Choices (Cookie Opt-Out)

- All About Cookies

---

This Privacy Policy was last reviewed and approved by our Data Protection Officer on December 29, 2025.

Document Version: 1.0  

Future versions will be numbered sequentially and archived for reference.

---

 

Thank you for trusting Heksagon with your personal data. We are committed to protecting your privacy and handling your data responsibly.