GDPR — Data Protection
Last updated: 3. oĹľujka 2025.
Summary: As a user you have a range of rights under GDPR — from data access to deletion. Submit a request to info@phv-solutions.com and we will respond within 30 days.
1. Who We Are and What Is GDPR?
PharmaVision Solutions d.o.o. (operator of the CreaticoAI platform) is the controller of your personal data within the meaning of the General Data Protection Regulation (EU) 2016/679 (GDPR).
GDPR is a European Union regulation that protects the privacy and personal data of EU/EEA residents. It applies to all organizations that process such individuals' data, regardless of where the organization is located.
2. Your Rights as a Data Subject
Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation of whether we process your data and, if so, to receive a copy of that data along with information about the purpose, categories, recipients, and retention periods.
Right to Rectification (Art. 16 GDPR)
You have the right to request correction of inaccurate personal data concerning you. You can update profile data directly in account settings or by submitting a request.
Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)
You have the right to request deletion of personal data when:
- The data is no longer necessary for the purpose for which it was collected
- You withdraw the consent on which processing is based
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Note: some data must be retained by law (e.g., accounting records for 11 years).
Right to Restriction of Processing (Art. 18 GDPR)
In certain cases you may request that we temporarily restrict the processing of your data (e.g., while accuracy is being verified or an objection is pending).
Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, machine-readable format (JSON/CSV) and to transmit it to another controller. You can request a data export in Settings → Account → Export Data or via email.
Right to Object (Art. 21 GDPR)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. Upon receiving an objection we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Art. 7 GDPR)
Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. To unsubscribe from marketing: click "Unsubscribe" in any email or send a request to the address above.
3. How to Submit a Request
You can submit any of the above requests:
- By email: info@phv-solutions.com
- Via the app: Settings → Account → Privacy
We will respond within 30 days of receiving your request. In complex cases the deadline may be extended by an additional 60 days, with notification of the reasons for the delay. We may request identity verification to protect your data.
4. Legal Bases for Processing
- Performance of contract (Art. 6(1)(b)) — providing the CreaticoAI service
- Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, analytics
- Consent (Art. 6(1)(a)) — marketing communications
- Legal obligation (Art. 6(1)(c)) — tax and accounting regulations
5. Data Processors (Sub-processors)
We have entered into Data Processing Agreements (DPAs) with all providers to whom we transfer your personal data:
- Stripe, Inc. — payment processing
- Anthropic, PBC — AI content processing
- Cloudflare, Inc. — CDN and storage
- Vercel, Inc. — hosting
6. International Data Transfers
Transfers outside the EEA are conducted using EU Standard Contractual Clauses (SCCs), ensuring a level of protection equivalent to GDPR.
7. Right to Lodge a Complaint
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority. In Croatia this is:
- Croatian Personal Data Protection Agency (AZOP)
- Web: azop.hr
- Email: azop@azop.hr
- Tel: +385 1 4609 000
8. Data Breaches
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with our obligations under Art. 34 GDPR.