Privacy Policy
Last Updated: January 2026
This Privacy Policy describes how Rowporter, operated by BORIS JOVANETIĆ PR RAČUNARSKO PROGRAMIRANJE BOKA DEVELOPMENT (“Rowporter,” “we,” “us,” or “our”), collects, uses, discloses, and protects your personal information when you use our service.
By using Rowporter, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.
1. Definitions
- “Service” refers to the Rowporter website, API, embeddable widget, and all related services.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Customer” refers to businesses or individuals who register for a Rowporter account.
- “End User” refers to individuals who interact with the Rowporter widget embedded in a Customer's application.
- “Imported Data” refers to the data contained in CSV or Excel files processed through our Service.
- “Controller” means the entity that determines the purposes and means of processing Personal Data.
- “Processor” means the entity that processes Personal Data on behalf of the Controller.
2. Our Role in Data Processing
2.1 When We Act as a Controller
We act as a Data Controller for:
- Customer account information (email, name, organization)
- Billing and payment information
- Service usage analytics
- Support communications
- Cookie and tracking data on our website
2.2 When We Act as a Processor
We act as a Data Processor for:
- Imported Data processed through the Rowporter widget on behalf of our Customers
When processing Imported Data, our Customers are the Controllers, and we process data solely according to their instructions and the terms of our Data Processing Agreement.
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Email address
- Full name
- Organization name (optional)
- Password (stored in cryptographically hashed form using bcrypt)
3.2 Billing Information
When you subscribe to a paid plan, our payment processor (Paddle) collects:
- Payment method details (credit card, PayPal, etc.)
- Billing address
- Transaction history
Note: Rowporter does not store complete payment card details. All payment processing is handled by Paddle in accordance with PCI-DSS standards.
3.3 Usage Information
We automatically collect certain information when you use our Service:
- IP address
- Browser type and version
- Device information
- Pages visited and features used
- Import statistics (file names, row counts, timestamps)
- API usage metrics
- Webhook delivery status
3.4 Imported Data — Privacy by Design
Important: Rowporter is designed with privacy as a core principle:
| What Happens | Where It Happens | What We Store |
|---|---|---|
| File parsing (CSV/Excel) | Your browser (client-side) | Nothing |
| Data validation | Your browser (client-side) | Nothing |
| Column mapping | Your browser (client-side) | Mapping configuration only |
| Validated data transmission | Direct to your webhook endpoint | Nothing |
We never:
- Upload or store your raw CSV/Excel files on our servers
- Access the contents of your Imported Data
- Use Imported Data for any purpose other than delivering it to your designated webhook endpoint
We only store metadata:
- Import ID and timestamp
- Template ID and organization ID
- File name and row count
- Column mapping configuration
- Webhook delivery status (success/failure)
3.5 Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Maintain your session and authentication
- Remember your preferences
- Analyze how you use our Service
- Improve our Service
For details on managing cookies, see Section 11.
4. How We Use Your Information
We use collected information for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and maintain the Service | Performance of contract |
| Process payments and billing | Performance of contract |
| Send administrative communications | Performance of contract |
| Respond to support requests | Performance of contract |
| Monitor and analyze usage patterns | Legitimate interest |
| Detect and prevent fraud or abuse | Legitimate interest |
| Improve and develop the Service | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Enforce our Terms of Service | Legitimate interest |
We do not use your information to:
- Sell to third parties
- Send unsolicited marketing (unless you opt in)
- Train AI models on your Imported Data
- Profile you for advertising purposes
5. Information Sharing and Disclosure
We do not sell, trade, or rent your Personal Data. We may share information only in the following circumstances:
5.1 Service Providers (Subprocessors)
We use the following third-party service providers to operate our Service:
| Provider | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Paddle | Payment processing | UK/EU | paddle.com/legal/privacy |
| Vercel | Hosting and deployment | Global (US primary) | vercel.com/legal/privacy-policy |
| Prisma Data Platform | Database infrastructure | EU | prisma.io/legal/privacy |
| Upstash | Caching and rate limiting | EU/US | upstash.com/trust/privacy |
We maintain Data Processing Agreements with all subprocessors and ensure they provide adequate data protection safeguards.
Subprocessor Updates: We will notify you of any additions or changes to our subprocessors by updating this Privacy Policy. For customers with enterprise agreements requiring advance notice, we provide 30 days' notice before engaging new subprocessors.
5.2 Legal Requirements
We may disclose your information when required by law, such as:
- To comply with a subpoena, court order, or legal process
- To respond to lawful requests by public authorities
- To protect our rights, property, or safety
- To investigate potential violations of our Terms of Service
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your Personal Data may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website before your Personal Data becomes subject to a different privacy policy.
6. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We take the following measures to ensure adequate protection:
6.1 Transfers from the European Economic Area (EEA)
For transfers of Personal Data outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- EU-US Data Privacy Framework for certified US recipients
6.2 Your Consent
By using our Service, you acknowledge that your information may be transferred internationally and consent to such transfers, provided appropriate safeguards are in place.
7. Data Retention
We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy:
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account, plus 30 days |
| Import metadata | 90 days (for debugging and support) |
| Billing records | 7 years (as required by law) |
| Support communications | 2 years after resolution |
| Server logs | 30 days |
After the retention period, data is securely deleted or anonymized.
8. Your Privacy Rights
8.1 Rights Under GDPR (EEA Residents)
If you are located in the European Economic Area, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your Personal Data |
| Rectification | Request correction of inaccurate data |
| Erasure | Request deletion of your Personal Data (“right to be forgotten”) |
| Restriction | Request restriction of processing |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent at any time (where processing is based on consent) |
| Lodge Complaint | File a complaint with your local supervisory authority |
8.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights:
- Right to Know: Request disclosure of the categories and specific pieces of Personal Data we collect
- Right to Delete: Request deletion of your Personal Data
- Right to Correct: Request correction of inaccurate Personal Data
- Right to Opt-Out: Opt out of the sale or sharing of Personal Data
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
California Disclosure: We do not “sell” or “share” Personal Data as defined under CCPA/CPRA. We do not use sensitive personal information for purposes other than those permitted under CCPA/CPRA.
8.3 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: support@rowporter.com
- Subject Line: “Privacy Rights Request”
We will respond to your request within:
- GDPR: 30 days (extendable by 60 days for complex requests)
- CCPA: 45 days (extendable by 45 days for complex requests)
We may request verification of your identity before processing your request.
9. Data Security
We implement appropriate technical and organizational measures to protect your Personal Data:
9.1 Technical Measures
- Encryption in transit (TLS 1.2+)
- Encryption at rest for stored data
- Secure password hashing (bcrypt with salt)
- Regular security updates and patching
9.2 Organizational Measures
- Access controls based on principle of least privilege
- Employee confidentiality obligations
- Regular security training
- Incident response procedures
9.3 Infrastructure Security
- Hosting on reputable cloud providers with SOC 2 compliance
- Regular backups with encryption
- DDoS protection and rate limiting
- Monitoring and intrusion detection
9.4 Data Breach Notification
In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected individuals within 48 hours of discovery
- Document the breach and remediation steps
10. Data Processing Agreement (DPA)
For Customers who require a formal Data Processing Agreement for GDPR compliance, we offer a DPA that includes:
- Standard Contractual Clauses (Module 2: Controller-to-Processor)
- Technical and organizational security measures
- Subprocessor management provisions
- Data subject rights assistance
- Audit rights
To request a DPA, please contact support@rowporter.com.
11. Cookies and Tracking
11.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, basic functionality | Session |
| Functional | Preferences, language settings | 1 year |
| Analytics | Usage patterns, service improvement | 1 year |
11.2 Managing Cookies
You can control cookies through:
- Your browser settings (blocking or deleting cookies)
- Our cookie consent banner (where applicable)
Note that disabling essential cookies may affect the functionality of our Service.
11.3 Do Not Track
We currently do not respond to “Do Not Track” browser signals. However, we honor Global Privacy Control (GPC) signals where required by law.
12. Children's Privacy
Our Service is not intended for individuals under 18 years of age. We do not knowingly collect Personal Data from children under 18. If you become aware that a child has provided us with Personal Data, please contact us immediately, and we will take steps to delete such information.
13. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any Personal Data.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated Privacy Policy on this page
- Updating the “Last Updated” date
- Sending an email to your registered email address (for material changes)
Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Email: support@rowporter.com
Data Controller:
BORIS JOVANETIĆ PR RAČUNARSKO PROGRAMIRANJE BOKA DEVELOPMENT
PIB: 115136390
MB: 68126886
Republic of Serbia
For GDPR-related inquiries, please include “GDPR” in your subject line.
16. Supervisory Authority
If you are located in the European Economic Area and believe we have violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority. A list of supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en
This Privacy Policy is effective as of the “Last Updated” date above.