Privacy Policy

Last updated: 05.04.2026 · Version 3.0

Privacy Policy of SmartKartica

Version: 3.0
Effective Date: April 5, 2026
Last Updated: April 5, 2026

This Privacy Policy governs the collection, use, storage, transfer, disclosure, protection, and other processing of personal data when using SmartKartica, including the website https://smartkartica.rs/, related subdomains, admin panels, public registration forms, API, digital card issuance and delivery tools, Apple Wallet and Google Wallet scripts, payment and billing functions, communication modules, technical support, integrations, receipt and checkout processes, as well as other platform components.

We operate on the assumption that the protection of personal data is part of the service architecture. Data processing is conducted based on principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, confidentiality, integrity, and accountability. To the extent that Regulation (EU) 2016/679 (GDPR) is applicable to a particular operation, we adhere to the GDPR requirements. For operations subject to the laws of the Republic of Serbia, we adhere to the Personal Data Protection Law of the Republic of Serbia and other applicable regulations.

1. Data Controller and Contact Information

The data controller in the context of SmartKartica's activities is VMTech d.o.o. Beograd.

  • Full Name: VMTech d.o.o. Beograd
  • Registration Number (Matični broj): 22069152
  • Tax ID (PIB): 114779614
  • Registered Address: Topalovićeva 4, Zvezdara, 11050 Belgrade, Serbia
  • Contact Email: support@smartkartica.rs
  • Phone: +381 61 680 7039
  • Website: https://smartkartica.rs/

2. Scope of the Policy

This Policy applies to website visitors, prospective clients, registered users of the SmartKartica panel, representatives of client companies, end users of digital cards, individuals undergoing public registration and verification, and individuals whose data is received via API, webhook, billing, wallet scripts, check-out, and other integration contours.

3. When VMTech is a Controller and when a Processor

3.1. VMTech is a Controller concerning data and processes for which VMTech determines the purposes and essential means of processing. These cases include, inter alia: operation of the website and public pages; registration and maintenance of user accounts; billing, invoicing, recurring payments, financial and tax accounting; processing support requests; ensuring information security; audit, action logs, incident and dispute investigation; compliance with mandatory legal requirements; evidence of acceptance of legal documents; protection of rights and legitimate interests of VMTech.

3.2. Client companies of SmartKartica are typically independent controllers with respect to personal data of their end clients, loyalty program participants, buyers, digital cardholders, and other end users, as they determine program objectives, accrual and redemption rules, set of collected data, business logic, content of communications, template composition, segmentation criteria, notification texts, participation terms, and other key processing parameters.

3.3. Regarding such end-user data, VMTech usually acts as a Processor processing data on behalf of and in the interest of the respective client, providing infrastructure, interfaces, API, pass-content delivery, wallet integrations, billing, and service functions. The client is responsible for ensuring lawful basis, proper privacy notices, lawful data uploads, legality of message sending, and compliance with applicable norms.

3.4. Even if VMTech acts as a Processor for client end-user data, VMTech may be an independent controller of a limited amount of data and certain operations, if such processing is necessary for network and information security, fraud and abuse prevention, platform operability, backup, logging, incident investigation, legal compliance, tax, accounting, payment, or evidentiary regimes, protection of VMTech's rights, third parties, or other legitimate interests.

4. What Data May Be Processed

4.1. Contact and Identification Data. This may include name, surname, e-mail, phone number, company name, position, user role, billing and service contact data, and other information the user voluntarily provides during registration, service order, support inquiry, or platform functionality use.

4.2. Account and Security Data. We may process email address, password in hashed form, email verification details, confirmation tokens, password reset tokens, two-factor authentication data, backup codes, login attempts, blocks, access roles, interface language settings, account status, company ID, user ID, request ID, and other related technical data.

4.3. Data for Public Registration and Onboarding. Through public registration forms and loyalty program enrollments, name, email, phone number, chosen language, verification session data, confirmation code hashes, tracking ID of external SMS provider, number of attempts, IP address, user-agent, CAPTCHA tokens, idempotency keys, and other necessary data for card issuance and spam and abuse protection may be processed.

4.4. Data of Client Companies and Their Representatives. This may include information about the company, tariff, subscription plan, currency, subscription status, tax and registration data, invoice issuing details, billing address, permissions, account settings, localization settings, API keys, IP restrictions, and other service usage parameters.

4.5. Data of End Clients of Client Companies. Depending on the specific project configuration and client instructions, the system may receive or create name, surname, email, phone, client status, loyalty program parameters, custom field values, profile metadata, participation history, accrual history, discounts, cashback, levels, QR/bar code attributes, and other data the client decides to use in their program.

4.6. Data of Digital Cards, Pass Objects, and Wallet Integrations. We may process the card serial number, template data, dynamic field values, template version, localization settings, Google Wallet object ID and class ID, Apple pass type identifier, pass authentication token, push token, device ID, device fingerprint, pass installation, removal or retention status, callback event data, last sync information, and other data necessary for issuance, updating, and maintenance of digital cards.

4.7. Device Data and Technical Features. Depending on the scenario, IP address, user-agent, browser name and version, OS, locale, timestamps, technical identifiers, request logs, device fingerprint, device label, and other technical signals related to security, debugging, pass-content delivery, push notifications, and integration diagnostics may be processed.

4.8. Payment and Billing Data. We may process information about tariff, currency, amounts, invoices, invoicing and payment dates, transaction identifiers, payment session identifiers, merchant payment ID, gateway transaction ID, tokenized payment methods, masked card details, charge, refund, error status, as well as related fiscal and accounting data.

4.9. Data of Legal Consents and Acceptances. We may store information on document type, version, language, acceptance time, IP address, user-agent, and technical parameters necessary to confirm the fact and context of acceptance of terms, policies, recurring payment consent, and other legally significant actions.

4.10. Communication and Support Data. Content of inquiries, correspondence history, attachments, service notes, delivery information of letters and notifications, and information necessary for resolving issues, verifying authority, and customer support may be processed during correspondence and support.

4.11. Data in Check-Out, Cash, and Trade Scenarios. If the client uses relevant functionality, QR URL check, raw and normalized check data, vendor parameters, points of sale, purchase date and time, total amounts, item composition, deduplication statuses, vendor validity, accrual results, and associated technical metadata may be processed.

5. Data Not to be Uploaded to the Service without Separate Written Basis

  • full payment card details, CVV/CVC codes, complete bank accounts, and other authentication payment data;
  • government identifiers, passport data, social security numbers, and other sensitive government identifiers, unless they are necessary for a lawful and specifically agreed purpose;
  • medical data, health status information, medical insurance data;
  • biometric identifiers and data for unique biometric identification;
  • data on minors beyond the scope of clearly lawful and properly documented processing;
  • special categories of personal data within the meaning of GDPR and similar laws;
  • passwords, secrets, tokens, or account data of third-party systems, except when objectively necessary for client-integrated connections and processed in a secure environment;
  • other data creating disproportionate regulatory, platform, contractual, or reputational risk for VMTech, Apple, Google, payment providers, or the client itself.

6. Sources of Data Collection

We may receive data directly from users, from client companies, automatically through the use of the website, admin panel, API, wallet-flow, billing and integrations, and from external providers, including payment gateways, email and SMS providers, anti-bot systems, Apple, Google, webhook sources, and fiscal or trade integrations.

7. Processing Purposes and Legal Bases

Personal data may be processed for account creation and maintenance, contract fulfillment, client registration, email and telephone verification, digital card issuance and delivery, sending service messages, payment processing, ensuring security, auditing and logging, support provision, compliance with government obligations, localization, interface translation, and ensuring compatibility with Apple Wallet, Google Wallet, and other third-party platforms.

Depending on the scenario, legal bases for processing are: contract performance or pre-contractual measures; legal obligation compliance; legitimate interests of VMTech, clients, or third parties, provided such interests do not outweigh the data subject's rights and freedoms; consent of the data subject where legally required.

8. Use of External Providers and Data Sharing

We do not sell personal data. However, within the functioning of the platform, data may be shared strictly as necessary with client companies and their authorized users, email providers, SMS providers, anti-bot and security providers, payment and billing providers, electronic invoice and tax reporting systems, Apple, Google, infrastructure and integration providers, AI translation and text processing providers, as well as legal advisors, auditors, government authorities, and courts if required by law or to protect the rights and interests of VMTech.

9. Apple Wallet, Google Wallet, and Related Third-Party Platforms

SmartKartica integrates with Apple Wallet and Google Wallet for the issuance, updating, display, and delivery of digital cards. These platforms are not controlled by VMTech and operate according to their own rules, privacy policies, technical requirements, and brand guidelines.

If an end-user or client uses a pass in Apple Wallet or Google Wallet, a certain amount of data and technical identifiers may be processed by the respective platform as an independent controller within its ecosystem. We do not control subsequent processing by Apple or Google beyond our service.

SmartKartica clients must independently ensure that the content of their pass objects, loyalty programs, offers, notifications, linked websites, images, names, descriptions, use cases, and other materials comply with the requirements of Apple, Google, and other applicable platforms. We reserve the right to restrict, suspend, remove, or refuse to service content which, in our reasonable opinion, violates such requirements, creates a platform blocking risk, or may result in a legal violation.

10. International Data Transfers

Data may be processed in Serbia and other jurisdictions where our providers, partners, infrastructure, and integrations are located. If and to the extent that GDPR or similar requirements apply to the transfer, we use reasonably necessary and applicable legal protection mechanisms, including contractual and organizational guarantees, access restrictions, volume minimization, and other lawful mechanisms.

11. Data Retention Periods

We retain data no longer than necessary for achieving a legitimate processing purpose, contract performance, mandatory law compliance, rights and interests protection, dispute resolution, security maintenance, and evidential basis. Payment, accounting, tax, fiscal, and recurring payment-related data are stored for no less than the periods required by mandatory law, tax, and accounting regimes, as well as payment provider rules.

12. Anonymized and Aggregated Data

To the extent permitted by law, we may use anonymized, aggregated, or statistical data that no longer allows direct or indirect identification of a specific individual for analyzing platform usage, reliability improvement, capacity planning, product analytics, and service enhancement.

13. Automated Processes and Decisions

The platform uses automated processes necessary for technical functioning: contact verification, deduplication, anti-fraud checks, notification routing, issuance and update of pass objects, push synchronization, status checks, billing and recurring payment flows, webhook processing, bonus calculations, and other operations embedded in the service logic. If specific automated logic is set by the client itself, the client is responsible for the legality of such business logic as an operator.

14. Data Subject Rights

Depending on applicable law, a data subject may have the rights of access to data, rectification of inaccurate data, erasure, restriction of processing, data portability, withdrawal of consent, and objection to processing, as well as the right to file a complaint with a competent supervisory authority. For processing subject to Serbian law, data subjects may address the Commissioner for Information of Public Importance and Personal Data Protection: https://www.poverenik.rs/.

15. Personal Data Security

We apply reasonable technical and organizational security measures commensurate with the service nature and processing risks. Such measures may include role-based access control, password and certain token hashing, secure transmission channels, logging, integrity checks, request limits, anti-abuse mechanisms, data segregation by company, backup, monitoring, and other measures.

16. Children and Minors

The service is not intended for independent use by children without appropriate legal basis and control by the relevant data operator. Client companies must not use the platform for unlawful or improper processing of children’s and minors’ data.

17. Cookies and Similar Technologies

SmartKartica uses cookies, server-side session mechanisms, local storage settings, and other similar technologies for website operation, language selection, user preferences preservation, session protection, CSRF/anti-abuse functions, and other lawful technical purposes. Details are provided in a separate Cookie Policy.

18. Policy Changes

We reserve the right to update this Policy from time to time as necessary due to changes in service architecture, law, provider composition, Apple or Google requirements, payment contours, platform functionality, security practices, or for other reasonable reasons.

19. Final Provisions

This Policy should be interpreted in light of the factual architecture of SmartKartica, our contractual documents, platform technical capabilities, applicable law, and the role of the parties in specific processing. For privacy questions and the exercise of data subject rights, contact support@smartkartica.rs.

© 2025–2026 VMTech DOO Beograd. All rights reserved.