PRIVACY POLICY OF YOUMIN DOO BELGRADE (STARI GRAD)
1. What is this Policy about?

1.1. This Privacy Policy (hereinafter – the Privacy Policy) of YOUMIN DOO BELGRADE (STARI GRAD) (Registration
number: 22053175, address: Republic of Serbia, Belgrade, Palmotićeva Street, No. 5) (hereinafter – We) defines
how We process and protect your personal data within the Platform (as defined below).

1.2. The provisions of this Policy apply to our processes on the Platform where we may act as a Controller of
personal data or as a Processor of your personal data. Our managers and employees strictly adhere to this Policy.

1.3. We process your personal data and ensure its security in accordance with the provisions of the legislation of
the Republic of Serbia, namely the Law on Personal Data Protection ("Official Gazette of the Republic of Serbia",
No. 87/2018) and EU Directive 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data, where the provisions of the
Directive are applicable to the processing of personal data on our Platform.

1.4. For any questions related to this Policy, as well as the processing and protection of your personal data, you
can contact us by email at: kvv@youmin.io.


2. Terms We Use

Controller – any natural or legal person, public authority, agency, or other body that, alone or jointly with
others, determines the purposes and means of processing personal data. In some processes, we are the
Controller.
Processor – a natural or legal person, public authority, agency, or other body that processes personal data
on behalf of and on the instructions of the Controller. In most personal data processing processes on the
Platform, we act as the Processor.
Personal Data – any information relating to a "data subject," i.e., an identified or identifiable natural
person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier, or
to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social
identity of that natural person.
Processing of Personal Data – any operation or set of operations performed on personal data, whether or
not by automated means, including collection, recording, organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure, or destruction.
Transfer of Personal Data – providing a third party with lawful access to your Personal Data.
Platform – software designed for monitoring and analyzing HR metrics, generating reports, and making
predictions based on employee and team data.
Client – a legal entity that has been granted access to the Platform based on an agreement concluded
with us.



3. How Do We Process Your Personal Data?

3.1. We collect and process your personal data based on agreements concluded with our Clients, who are the
controllers of personal data for their employees and other individuals whose data the Clients enter into the
Platform's databases.

3.2. If we transfer your personal data, we implement all necessary data security measures described in Section 8 of
this Policy. The list of third parties to whom we transfer your personal data is specified in Clause 9.1 of the Policy.

3.4. Below, we have provided information about the processing of personal data for each purpose of processing
your personal data.

3.5. For all operations with personal data on the Platform, we act as the processor of your personal data, while the
Clients are the controllers.

3.6. For the purposes specified in Clauses 4.4, 4.6, and 4.7 of this Policy, there is a technical capability for the
Client to fill in additional fields. Information that could be considered personal data of data subjects should not be
entered into these fields. We are not responsible for the Client's actions in entering data into the additional fields.



4. Processing of Your Personal Data Where We Act as a Processor

4.1. Purpose. User registration and authorization in the service.
List of Data Processed. We process general personal data:
• Email address
• Full name
• Phone number
• Job title
• Department
• Country
• Region
• Legal entity

Role in Data Processing: In this processing, we act as the processor of your personal data. The Clients act as the
controllers.

Data Deletion Criteria: After the termination of the data processing agreement or upon instruction from the
Client, as the controller of personal data.

Retention Period: Determined by the Client.

Categories of Data Subjects: Employees of the Client, contractors of the Client (sole proprietors), contractors of
the Client (individuals under civil law contracts).

4.2. Purpose. Service administration
List of Data Processed. We process general personal data:
• Email address
• Full name
• Phone number
• Job title
• Department
• Country
• Region
• Legal entity
• Employee identification number

Role in Data Processing: In this processing, we act as the processor of your personal data. The Clients act as the
controllers.

Data Deletion Criteria: After the termination of the data processing agreement or upon instruction from the
Client, as the controller of personal data.

Retention Period: Determined by the Client.

Categories of Data Subjects: Employees of the Client (system administrators).


4.3. Purpose. Contract management and document flow in the EOR service
List of Data Processed. We process general personal data:
• Details of the identity document
• Information contained in the employment contract or other contract with the data subject
• Full name
• Job title
• Salary information
• Information on the region of employment/residence
• Bank details/crypto wallet details
• Phone number
• Visa status

Role in Data Processing: In this processing, we act as the processor of your personal data. The Clients act as the
controllers.
Data Deletion Criteria: After the termination of the data processing agreement or upon instruction from the
Client, as the controller of personal data.
Retention Period: Determined by the Client.
Categories of Data Subjects: Employees of the Client, contractors of the Client (sole proprietors), contractors of
the Client (individuals under civil law contracts).

4.4. Purpose. Accounting and Payroll Processing
List. We process general personal data:
• Phone number
• Bank details, cryptocurrency wallet details
• Full name
• Country
• Region
• Legal entity
• Salary information (salary rate, salary currency, information on accruals and payments, including amounts before
and after taxation, accounting for bonuses, compensations, and taxes)

Role in data processing: In this processing, we act as a processor of your personal data. The controllers are the
Clients.
Data deletion criterion: After termination of the personal data processing agreement or as instructed by the Client,
as the controller of personal data.
Retention period: Determined by the Client.
Categories of data subjects: Client's employees, Client's contractors (sole proprietors), Client's contractors
(individuals under civil law contracts).

4.5. Purpose. Service Support and Consultations
List. We process general personal data:
• Email address
• Information about user inquiries (including date of inquiry, type of question, status, specialist to whom the
request was assigned, and response time)
• Full name
• Phone number

Role in data processing: In this processing, we act as a processor of your personal data. The controllers are the
Clients.
Data deletion criterion: After termination of the personal data processing agreement or as instructed by the Client,
as the controller of personal data.
Retention period: Determined by the Client.
Categories of data subjects: Client's employees, Client's contractors (sole proprietors), Client's contractors
(individuals under civil law contracts).


4.6. Purpose. Creating Dashboards and Reports for HR Analytics
List. We process general personal data:
• Full name
• Age
• Position
• Department/Unit
• Country
• Legal entity
• Payment currency
• Grade
• Salary rate
• Employment type
• Business unit
• P&L vertical
• Salary information (information on accruals and payments, including amounts before and after taxation,
accounting for bonuses, compensations, and taxes)
• Information about bonuses
• Information about benefits and compensations
• Information about taxes
• Information about social contributions
• Information about vacation pay
• Information about sick leave (date/period of absence from work due to illness)

Role in data processing: In this processing, we act as a processor of your personal data. The controllers are the
Clients.
Data deletion criterion: After termination of the personal data processing agreement or as instructed by the Client,
as the controller of personal data.
Retention period: Determined by the Client.
Categories of data subjects: Client's employees, Client's contractors (sole proprietors), Client's contractors
(individuals under civil law contracts).


4.7. Purpose. Data Analysis and Forecasting (HR Analytics)
List. We process general personal data:
• Full name
• Age
• Position
• Department/Unit
• Country
• Legal entity
• Payment currency
• Grade
• Salary rate
• Employment type
• Business unit
• P&L vertical
• Salary information (information on accruals and payments, including amounts before and after taxation,
accounting for bonuses, compensations, and taxes)
• Information about bonuses
• Information about benefits and compensations
• Information about taxes
• Information about social contributions
• Information about vacation pay
• Information about sick leave (date/period of absence from work due to illness)

Role in data processing: In this processing, we act as a processor of your personal data. The controllers are the
Clients.
Data deletion criterion: After termination of the personal data processing agreement or as instructed by the Client,
as the controller of personal data.
Retention period: Determined by the Client.
Categories of data subjects: Client's employees, Client's contractors (sole proprietors), Client's contractors
(individuals under civil law contracts).


4.8. Procedure for Exercising Your Rights When We Act as a Processor:
To exercise your rights, you may contact the controller of your personal data.
If you do not know who your controller is, you can submit a request to us:
● By email: kvv@youmin.io
● Or by sending a letter to the address: Republic of Serbia, Belgrade, Palmotićeva Street, 5.


4.9. The personal data controllers undertake to fulfill your rights specified in clause 6.2.1 of the Policy, and we
undertake to assist you in exercising these rights.



5. Processing of Your Personal Data Where We Act as the Controller

5.1. Representatives, Managers, Beneficiaries of Clients.
• Purpose. Preparation, conclusion, and execution of a civil law contract
List. We process general personal data:
• Full name
• Date of birth
• Information from an identity document
• Registration address
• Phone number
• Email address

Legal basis: Legitimate interest
Data deletion criterion: After termination of the contract between the Clients and us, the data is stored for 5 years
and then deleted.
Retention period: 5 years after termination of the contract.

5.2. Website Visitors
Purpose: Using third-party analytics services to analyze your behavior on our Resource and improve our services
and products based on this data
Duration. We process data for up to 2 years (depending on cookie types) or until you withdraw your consent.
List. We process general personal data: Cookies (marketing, analytical). In Section 9, we have described in detail
which specific Cookies we collect on our Resource.
Legal basis: Your consent to processing.



6. Procedure for Exercising Your Rights When We Act as the Controller

6.1. For any questions regarding the exercise of your rights, you may contact us:
● By email: kvv@youmin.io
● Or by sending a letter to the address: Republic of Serbia, Belgrade, Palmotićeva Street, 5.

6.2. We undertake to fulfill your rights to the extent defined by the provisions of applicable personal data
legislation.
6.2.1. According to current data protection legislation, under certain circumstances, you have rights regarding your
personal data. You have the right to:
(1) request access to and a copy of your personal data that we process, including the transfer of this data to
another controller (right to data portability);
(2) request the correction of inaccurate or the completion of incomplete personal data;
(3) request the deletion of personal data (right to be forgotten) under certain circumstances, as well as the
modification or restriction of processing;
(4) object to the processing of personal data based on legitimate interest or for direct marketing; and
(5) file a complaint with national data protection authorities regarding our processing of your personal data.
6.2.2. We will respond to the request without undue delay, but no later than 30 days from receipt, except where
the request is complex or voluminous—in which case the deadline may be extended by an additional 60 days with
notification. Processing your request is free of charge, except where the request is manifestly unfounded or
excessive (e.g., repetitive)—in which case we may charge a fee or refuse to act, providing a justification. We are
obligated to verify the identity of the data subject upon receiving a request to prevent unauthorized access and
protect data; for this purpose, we may request additional information from you confirming that the request comes
from the relevant data subject.

6.3. We do not make decisions solely based on automated processing of your personal data.

6.4. We do not process the personal data of minors.

6.5. If you wish to exercise any of these rights, you may send us a corresponding request using the contact details
provided in Section 6.1 of the Policy.



7. Regarding the Storage and Destruction of Your Personal Data

7.1. In those processes where we act as the controller, we retain your data only as long as necessary for
the purposes of processing. Afterward, we securely delete it.

7.2. When determining the retention period, we consider the volume and nature of the personal data,
how sensitive it is, and the potential risks to you in case of a data breach or misuse.

7.3. Unless otherwise required by applicable law and provided there are no other grounds for processing
the personal data, we destroy personal data in the following cases:
● The processing purpose has been achieved. For example, if your data was used to improve the quality of
our service and analyze your experience using the Platform, and such analysis has been completed.
● The retention period has expired, or you have withdrawn your consent (if consent was the legal basis
for processing). For example, if you ask us to delete marketing Cookies associated with you.
● The data was processed unlawfully. For example, if you registered by mistake.

7.4. We have implemented a secure procedure for destroying personal data.

7.5. In those processing activities where we act as the processor of your personal data, the retention
periods and destruction procedures are determined by the controllers. As processors, we strictly adhere
to their instructions regarding your personal data.




8. How do we ensure the security of personal data?

8.1. We implement reasonable and appropriate technical, legal, and organizational security measures to
protect your personal information from any unauthorized actions, including but not limited to access,
disclosure, alteration, or destruction leading to loss, theft, or misuse of your data.

8.2. Security assurance processes in our company are developed in accordance with the ISO/IEC
27001:2022 standard, and we make every effort to confirm our commitment to protecting your
information. We regularly review our security measures in light of new technologies and methods. Since
absolute security does not exist, we cannot guarantee absolute protection of your information, especially
against malicious actions by third parties where the cost of a successful attack far exceeds the value of the
data that could be compromised. Nevertheless, we make commercially reasonable efforts to ensure the
security of your information.

8.3. As part of our personal data protection policy, we adhere to the principles of Privacy by Design and
Privacy by Default, which means an embedded approach to data protection at all stages of processing. We
design our processes and systems in such a way that privacy is ensured from the outset, rather than
added as an afterthought.

8.4. The Privacy by Design principle requires that personal data protection is incorporated into the
development of all products, services, and processes from the very beginning. This means minimizing data
collection, limiting access to data, and consistently applying technical and organizational security
measures.

8.5. The Privacy by Default principle ensures that the most secure settings are applied by default when
processing personal data, without requiring additional actions from data subjects. By default, only the
data that is truly necessary to achieve the processing purposes is processed, and only to the minimum
extent required.

8.6. By applying these principles, we ensure comprehensive and effective protection of personal data,
comply with legal requirements, and uphold the rights of data subjects.



9. Data Transfers
9.1. We may engage third parties to process your personal data and transfer your personal data to them
in accordance with applicable law:

10. Use of Cookies and Other Web Analytics Tools

10.1. A cookie is a small file that is created and stored by the browser when visiting a website. Cookies are stored
on the user’s device and allow tracking the quality of the website’s performance and its usage characteristics.

10.2. We notify website users that visiting and using the website by default involves the generation and storage of
cookies. If technically feasible, website users may be offered the alternative of using the website without storing
cookies, in which case the full functionality of the website is not guaranteed.

10.3. We use the following types of cookies:
Strictly necessary cookies
These cookies are essential for the website to function and cannot be disabled in our systems. They are usually
set only in response to actions taken by visitors that amount to a request for services, such as setting privacy
preferences, logging in, or filling out forms.
Functional cookies
These cookies allow the Resource to remember the user's preferences and choices made on the website,
including geographic location, language, and enhanced content. These cookies also enable the display of
embedded content on the website.

10.4. How to manage cookies?
You can manage the cookies placed on your devices (tablet, smartphone, PC, etc.): delete cookies, set
permissions for them, and withdraw your consent to our use of cookies.



11. Final Provisions

11.1. In all other matters not regulated by this Policy, we are guided by the provisions of the applicable
legislation in force – the Personal Data Protection Law (“Official Gazette of the Republic of Serbia”, No.
87/2018) and EU Directive 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data.

11.2. We reserve the right to change this Policy. When changes are made, the updated version of the
Policy will be published on our website at: youmin.io

11.3. Date of publication of the Policy: December 17, 2025, Policy version: 1.0
© Youmin, 2024