1. Who We Are
This Privacy Policy describes how Kvizum d.o.o. ("we", "us", "our"), a company registered in Slovenia, European Union, collects, uses, and protects personal data in connection with the SendBrake service ("Service") available at sendbrake.com.
Kvizum d.o.o. is the data controller for personal data processed through the Service. As a company registered in the EU, we are subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the applicable Slovenian data protection legislation.
We take your privacy seriously. SendBrake is a B2B tool — the personal data we handle relates primarily to your account and usage of the Service, not to your end customers' data beyond what is necessary to perform suppression actions.
2. What Data We Collect
We collect the following categories of personal data:
| Category | Data collected | Source |
|---|---|---|
| Account data | Name, email address, company name, password (hashed) | Provided by you on registration |
| Billing data | Billing name, address, payment method details (handled by Stripe — we do not store card numbers) | Provided by you on subscription |
| Integration credentials | API keys and OAuth tokens for connected booking tools and sequencers (stored encrypted) | Provided by you when setting up integrations |
| Suppression log data | Company email domains processed through the Service, suppression timestamps, sequencer names, status | Generated automatically by the Service |
| Usage data | Log data, IP addresses, browser type, pages visited, feature usage, error logs | Collected automatically |
| Communications | Emails and messages you send to our support team | Provided by you |
We do not intentionally collect special category data (e.g. health, racial or ethnic origin, political opinions) and ask that you do not submit such data to the Service.
3. How We Use Your Data
We use your personal data for the following purposes:
- Providing the Service: To process bookings, execute suppression actions, maintain your account, and deliver the functionality you have subscribed to.
- Billing and payments: To process subscription payments, manage your billing cycle, and issue invoices.
- Service communications: To send transactional emails (account confirmations, billing receipts, important service notices). You cannot opt out of these as they are necessary for the Service.
- Customer support: To respond to your enquiries, troubleshoot issues, and improve support quality.
- Security and fraud prevention: To detect and prevent unauthorised access, abuse, and fraudulent activity.
- Service improvement: To analyse aggregated usage patterns, fix bugs, and develop new features. We use anonymised or aggregated data where possible.
- Legal compliance: To comply with applicable legal obligations, including tax, accounting, and regulatory requirements.
We will not sell your personal data to third parties, nor use it for advertising purposes.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we rely on the following legal bases under the GDPR:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including account management, suppression actions, and billing.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service analytics, and improving the Service. We have assessed that our legitimate interests do not override your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): Compliance with applicable Slovenian and EU law, including tax and accounting obligations.
- Consent (Art. 6(1)(a)): For optional marketing communications (where applicable). You may withdraw consent at any time.
5. Data Sharing & Third Parties
We do not sell or rent your personal data. We share data only in the following circumstances:
- Payment processors: Stripe, Inc. processes payment data on our behalf. Stripe is certified to PCI DSS Level 1 and processes data under its own privacy policy.
- Cloud infrastructure: We use cloud hosting providers (such as Vercel and Supabase) to store and process data. These providers act as data processors under contractual data processing agreements.
- Third-party integrations: When you connect booking tools or email sequencers, we transmit only the minimum data necessary (email domains) to those third-party APIs to perform suppressions. You are responsible for ensuring your use of those third-party services complies with applicable law.
- Legal requirements: We may disclose data to comply with a legal obligation, court order, or to protect the rights, property, or safety of Kvizum d.o.o., our users, or the public.
- Business transfers: If Kvizum d.o.o. is acquired or merged, your data may be transferred as part of that transaction. We will notify you in advance and you will have the option to delete your account.
All third-party service providers are contractually required to maintain the confidentiality and security of your data and to use it only as directed by us.
6. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Account data: Retained for the duration of your account plus 30 days after deletion, to allow recovery if deletion was in error.
- Suppression logs: Retained for the duration of your subscription. You can export or request deletion of logs at any time.
- Billing records: Retained for 7 years after the last transaction to comply with Slovenian accounting and tax law.
- Support communications: Retained for 2 years from the date of the last communication.
- Usage and technical logs: Retained for 90 days for security and debugging purposes.
When retention periods expire, data is securely deleted or anonymised.
7. Your Rights
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at privacy@sendbrake.com. We will respond within 30 days. You also have the right to lodge a complaint with the Slovenian supervisory authority, the Information Commissioner of the Republic of Slovenia (www.ip-rs.si).
8. Cookies & Tracking
We use cookies and similar technologies to operate and improve the Service:
- Strictly necessary cookies: Required for authentication, session management, and security. These cannot be disabled.
- Functional cookies: Remember your preferences (such as billing cycle selection). These can be disabled but may affect functionality.
- Analytics cookies: Collect anonymised usage statistics to help us understand how the Service is used and where to improve it. We use privacy-respecting analytics tools that do not share data with advertising networks.
We do not use advertising or tracking cookies. A cookie consent notice is displayed on first visit where required by applicable law.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption of data in transit using TLS/HTTPS.
- Encryption of sensitive credentials (API keys, tokens) at rest.
- Access controls limiting data access to authorised personnel only.
- Regular security reviews and monitoring.
- Use of reputable, security-certified cloud infrastructure providers.
No method of data transmission or storage is 100% secure. If you become aware of any security incident related to your account, please notify us immediately at security@sendbrake.com.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Art. 33–34.
10. International Data Transfers
Kvizum d.o.o. is based in Slovenia, EU. Some of our service providers (such as Stripe and cloud hosting providers) are based outside the EEA, including in the United States.
When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where the recipient country has been determined to provide an adequate level of data protection.
You may request a copy of the relevant safeguards by contacting us at privacy@sendbrake.com.
11. Children's Privacy
SendBrake is a business tool intended solely for use by professionals and organisations. We do not knowingly collect personal data from individuals under the age of 16.
If we become aware that we have collected data from a child under 16, we will delete that data promptly. If you believe we have inadvertently collected data from a minor, please contact us at privacy@sendbrake.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or by displaying a prominent notice in the Service at least 14 days before the changes take effect.
The "Last updated" date at the top of this page indicates when this policy was most recently revised. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.
13. Contact Us & Data Protection
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
- Company: Kvizum d.o.o.
- Country: Slovenia, European Union
- Privacy enquiries: privacy@sendbrake.com
- Security concerns: security@sendbrake.com
- General support: support@sendbrake.com
- Website: www.sendbrake.com
You also have the right to lodge a complaint with the Slovenian data protection supervisory authority:
- Information Commissioner of the Republic of Slovenia
- Dunajska cesta 22, 1000 Ljubljana, Slovenia
- www.ip-rs.si
- gp.ip@ip-rs.si