Privacy Policy

Introduction

This privacy policy explains how Dostavi.to ("we", "us", "our") collects, uses, and protects your personal data when you use our food ordering platform. We process your data in accordance with the Serbian Law on Personal Data Protection ("Sl. glasnik RS", br. 87/2018).

Data Controller

Dostavi.to is the data controller for the personal data processed through this platform. If you have questions about how your data is handled, contact us via the Contact page.

What Data We Collect

We collect and process the following categories of personal data:

• Account data — name, email address, and hashed password when you register. If you sign in via Google or GitHub, we receive your name, email, and profile picture from the provider.
• Order data — delivery address, phone number, order contents, special instructions, and payment method selection.
• Address data — saved delivery addresses including street, city, postal code, geographic coordinates, building type, floor, and door number.
• Restaurant owner data — restaurant name, description, location, contact details, delivery settings, and uploaded images (logo, banner, menu item photos).
• Usage data — pages visited, actions taken, and technical information (IP address, browser type) collected automatically through server logs.

Why We Process Your Data

We process your personal data for the following purposes and legal bases:

• To fulfill orders and manage your account — based on the performance of the contract between you and us (Article 12.1.2 of the Law).
• To improve our platform and prevent fraud — based on our legitimate interest (Article 12.1.6 of the Law).
• To comply with legal obligations, such as tax and accounting requirements — based on legal obligation (Article 12.1.3 of the Law).
• To send you marketing communications — only with your explicit consent (Article 12.1.1 of the Law), which you may withdraw at any time.

Who We Share Data With

We share your data with the following categories of recipients, solely for the purposes described above:

• Restaurant partners — receive your name, delivery address, phone number, and order details to fulfill your order.
• Service providers (data processors) — Vercel (hosting), Cloudinary (image storage), Resend (email delivery), Ably (real-time notifications), and Mapbox (geocoding and maps). Each operates under a data processing agreement.
• Authentication providers — Google and GitHub, only if you choose to sign in with them.

International Data Transfers

Some of our service providers are located outside Serbia (primarily in the US and UK). We ensure appropriate safeguards are in place for these transfers, including standard contractual clauses and the processors' compliance with applicable data protection frameworks.

How Long We Keep Your Data

• Account data — kept for as long as your account is active. Deleted within 30 days of account deletion.
• Order data — kept for 5 years after the order date to comply with tax and accounting obligations.
• Server logs — automatically deleted after 90 days.

Your Rights

Under the Law on Personal Data Protection, you have the right to:

• Access — request a copy of all personal data we hold about you.
• Rectification — request correction of inaccurate or incomplete data.
• Erasure — request deletion of your personal data when it is no longer necessary.
• Restriction — request that we limit how we use your data.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — for any processing based on consent, at any time.

To exercise any of these rights, contact us through the Contact page or use the account settings to update or delete your data. We will respond within 30 days.

Right to Complain

If you believe your data protection rights have been violated, you have the right to file a complaint with the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) at www.poverenik.rs.

Cookies

We use only essential cookies required for the platform to function (session management, language preference, theme preference). We do not use advertising or analytics cookies.

Children's Privacy

Our platform is not intended for users under 15 years of age. We do not knowingly collect personal data from children under 15. If you are under 15, please do not create an account.

Changes to This Policy

We may update this privacy policy from time to time. We will notify registered users of significant changes via email. The "last updated" date at the top of this page indicates when it was last revised.