Privacy Policy

Last updated: April 2026

1. Introduction & Controller

SmartIntro d.o.o. (OIB: 65142344288), Ul. Malešnica II 19, 10000 Zagreb, Croatia, is the controller of your personal data. This Privacy Policy explains what data we collect when you use the SmartIntro system (the SmartIntro application — a Progressive Web App (PWA) accessible on all platforms via a browser, the SmartIntro Home hub and the cloud service), the purposes of processing, and your rights under the EU General Data Protection Regulation (GDPR) and the Croatian Implementing Act (OG 42/2018).

2. Data We Collect

  • Account data: full name, email address, password (stored hashed), optional profile image.
  • Google account data: if you sign in with Google Sign-In, we receive your name, email and profile image URL from your Google account.
  • Device identifiers: a per-device UUID generated by the browser/app (stored locally), and FCM token for push notifications.
  • Premises data: home name, facility address, floor and section layout, component names.
  • Device states and events: states of lights, shutters, thermostats (measured and target temperature, humidity), sockets, locks, sensors (motion, smoke, flood, door/window), energy meters, live camera streams, lock/unlock history.
  • Automations: scenes, timers, schedulers and notification rules you define.
  • Activity data: login records, IP address on server communication, action timestamps.

3. Purposes of Processing

  • Providing core functionality (remote control, real-time state sync with the hub).
  • Sending push notifications about device status and security alerts.
  • Managing user accounts and access when an owner shares a home with residents.
  • Improving the service and debugging (technical diagnostics).
  • Complying with legal obligations (accounting, authority requests).

4. Legal Basis (GDPR Art. 6)

We rely on: performance of a contract (Art. 6(1)(b)) to provide the service; legitimate interest (Art. 6(1)(f)) for system security and abuse prevention; consent (Art. 6(1)(a)) for push notifications and optional communications; and legal obligation (Art. 6(1)(c)) for responses to authorities.

5. Third-Party Service Providers (Sub-Processors)

We use the following sub-processors:

  • Google Ireland Limited — Firebase Authentication, Firebase Realtime Database, Firebase Cloud Messaging, Firebase Storage, Google Cloud hosting.
  • Google LLC — Google Sign-In (for users signing in with a Google account).
  • Hosting provider for MySQL database and Redis sessions (within the EU).
We have a signed Data Processing Addendum with Google. We do not sell or rent personal data.

6. Storage & International Transfers

Data in Firebase services may be processed in Google regions including the EU and the US. For transfers outside the EEA, Standard Contractual Clauses (SCC) apply along with technical safeguards (encryption in transit and at rest). Local hosting infrastructure (MySQL, Redis) is located within the EU.

7. Data Retention

  • User account: for the lifetime of the active account + 30 days after deletion (recovery window).
  • Device states and event logs: rolling window of up to 90 days unless law requires longer retention.
  • Camera feeds: cameras stream live without permanent video storage on our servers. If local recording is enabled, video is stored exclusively on your hub.
  • Accounting data (for hardware purchases): 11 years (Croatian Accounting Act).
  • Security logs: 12 months.

8. Security Measures

We apply measures pursuant to GDPR Art. 32: TLS encryption in transit, password hashing with an appropriate algorithm, role-based access control (owner / resident), rate limiting, Helmet HTTP security headers, regular backups, and data minimization.

9. Your Rights (GDPR)

You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21) and withdrawal of consent. Send requests to contact@smartintro.hr; we respond within 30 days. You may also lodge a complaint with the Croatian Personal Data Protection Agency (AZOP, www.azop.hr).

10. Cameras & Video

SmartIntro lets you connect IP cameras that stream live inside your home. As a camera user, you are the controller of the video data and are responsible for: installing cameras only in locations compliant with applicable laws (public areas, third-party property or zones with a reasonable expectation of third-party privacy are not permitted); informing persons who may be recorded (signage, notices); and complying with the Croatian Implementing Act on video surveillance. SmartIntro does not store recordings on its servers but technically forwards the live stream between your hub and the app.

11. Children

The SmartIntro service is not intended for persons under 16. If we learn we collected personal data from a minor without parental or guardian consent, we will remove it without undue delay.

12. Cookies & Local Storage

  • Session cookie (connect.sid) — required for login, cleared on logout.
  • Preference cookie si-cookies — remembers that you accepted the cookie notice.
  • App localStorage — stores device ID (si-device-id), display preferences and theme.
  • Service Worker registered for FCM push notifications.

13. Data Breach Notification

In case of a breach likely to result in a high risk to your rights, we will notify you and AZOP within 72 hours of becoming aware, pursuant to GDPR Art. 33-34.

14. Changes

We reserve the right to modify this Policy. Material changes will be published on this page and through the app at least 30 days before taking effect.

15. Contact

SmartIntro d.o.o. Ul. Malešnica II 19, 10000 Zagreb, Croatia contact@smartintro.hr