Privacy Policy

Last updated: 14 January 2022


The privacy practice of collecting and processing of personal data provided by you to Dorofia d.o.o. (“Doroex”, “we”, “us” and “our”) is described hereby. The provisions of this Privacy Policy are subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“Regulation”) and the Law on the Implementation of the General Data Protection Regulation 2018 of 9 May 2018 (“Data Protection Law”).

Please read this Privacy Policy carefully to understand our policies and practices regarding your Personal data and how we will treat it. Contact Us details are provided at the end of the Privacy Policy for feedback or any privacy enquiries you may have.

References to “you” in this Privacy Policy are to the individual who is accessing or applying to use the Services (as defined below) either on your own account or on behalf of a legal entity. This includes, in relation to a client or prospective client of Doroex, any sole trader and any principals, including the managing and financial directors, any other directors and officers, shareholders, partners and beneficial owners of a client, as well as any member of staff accessing or using the Services on behalf of a client.

For the purposes of this Privacy Policy, “Personal data” means information about an identified or identifiable individual, excluding business contact information.

By providing data, or other information, to us or using our Services, you confirm that you understand and consent to the collection, use, disclosure, and processing of your Personal data and other information (or the Personal data or other information of any other individual you provide) in the manner as set forth in this Privacy Policy, and you understand that this Privacy Policy is legally binding when you use our Services. Check the Terms and Use for the meaning of defined words (those with capital letters) that are not defined in this Privacy Policy.

Please note that we provide services to both private individuals and legal entities and this Privacy Policy applies to both and should be read and interpreted accordingly.

We understand the importance of protection of your privacy and personal data and commit a lot of efforts to develop and maintain high standards of inner security measures and technologies to provide you with secure processing and storage of the data we collect from you; and keep your data safe against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Doroex is committed to protecting your privacy and will take all appropriate steps to ensure that your personal data is treated securely and will be collected, used, stored and disclosed in accordance with this Privacy Policy. This Privacy Policy (together with our Terms of Use applying to any specific services you may purchase or use) applies to (together these are all referred in this Privacy Policy as “Doroex Services” or “Our Services”):

  1. to the website/portal features and services provided to you when you visit our websites, portals or our web platform our clients may use on their websites;
  2. when you apply to use and/or use our products and services, as well as when you request changes to the services you are using;
  3. to your use of software including web platform, mobile and desktop applications provided by us; and to email, other electronic messages including SMS, telephone, web chat, website/portal and other communications between you and us.


When registering for an account via Doroex we collect and further process the following categories of data:

  1. Information requested during the registration of the account that identifies you, for example your name, date of birth, citizenship, etc.
  2. Financial information, including your income, source of income / funds, taxation residence information, etc.
  3. Your identity and residency verification documents, for example passport and/or ID card, utility bill, etc.
  4. Contact information, i.e. your phone number, e-mail address, etc.

We are obliged by applicable laws to maintain records of personal data for ten years after the termination of a client relationship, this term may be extended upon request by the local competent authority.

We collect and process the abovementioned data to fulfil our contractual obligations and legitimate interest before you, namely:

  1. provide services, including execution of requested transactions and related maintenance of the services you registered for and manage the account you hold;
  2. provide you with the information about your activities within the account;
  3. inform about any changes and updates to the services you are provided with;
  4. assess and mitigate risks related to anti-money laundering and terrorism financing regulations as well as transaction related risks;
  5. comply with applicable legislation;
  6. maintain actions in relation to legal claims;
  7. provide additional or supportive services, as well as perform Client surveys and statistical analysis;
  8. convey marketing activities;
  9. improve the performance and functionality of our services.

The above list may be extended depending on the development of the services.

The main lawful basis of Personal data processing for these purposes are:

  1. your consent to the personal data processing;
  2. conclusion and performance of the contract with you or your client;
  3. fulfilment of legal obligations under applicable legislation;
  4. our legitimate interests.


Your personal data may be received and processed:

(a) by Doroex within our inner systems of processing, which complies to technical and organizational measures in a manner that meets applicable requirements of Regulation and security standards; and/or

(b) by 3rd party service providers and processors who access and use the data only to the extent required to perform the obligations subcontracted to them by Doroex (hereinafter – “subprocessors”).

You don’t have to share information about yourself if you don’t want to. But if you don’t, you may not be able to use some (or any) of Our Services.

Those subprocessors perform tasks on our behalf and are contractually obligated not to disclose or use collected information for any other purposes, than storage, help in facilitation of technical aspects of our services or perform functions related to the administration of services (collection and analysis) or other indicated under contractual closes.

Client specifically agrees that Doroex may to its own discretion engage subprocessors, that comply with technical and organizational measures in a manner that meet applicable requirements of Regulation and security standards implied under this Privacy Policy.

If such subprocessors are outside of the European Union or European Economic Area, the processing of personal data is done or will be done in accordance with the applicable laws.

Subprocessors remain fully liable for all obligations subcontracted to, and all acts and omissions of, Doroex is not responsible if the information is disclosed as a result of a breach or security lapse at any such subprocessors, or for such subprocessors’ non-compliance with the foregoing requirements.


We do not disclose information which could identify you personally, to anyone except as described in this Privacy Policy, as permitted or required by law, and/or for the purposes described in this Privacy Policy, including:

  • members of management bodies, employees, representatives, authorised persons of Doroex;
  • internet/computer software services providers, companies specializing in IT and marketing services;
  • IT infrastructure services providers;
  • customer support services providers and helpdesk services providers;
  • public institutions, public officials, investigatory authorities, courts, prosecutor’s office, subjects of operational activities, orphans’ courts, notaries, law enforcement officials, judicial and investigatory authorities of other member states and foreign countries, tax authorities, arbitration courts, out-of-court dispute resolution bodies;
  • financial and payments market participants (global financial messaging infrastructures, correspondent banks, insurance companies, payment systems, payment service providers and technical and non-technical processors, agency companies, business partners of Doroex or clients, financial service intermediaries etc.);
  • companies that carry out KYC/AML database checks and fraud database checks;
  • Doroex’s cooperation partners, agents, suppliers and service providers, auditors, financial management and legal advisors;
  • Video surveillance/security services provider/s;
  • Other persons connected with the provision of our services.

Dorofia d.o.o. is using third-party partner Sum & Substance LTD for KYC checks. Sum & Substance will use your personal data only for internal compliance checks.

We may monitor or record telephone calls, emails, web chat or other communications with you for regulatory, security, quality assurance or training purposes. When visiting our offices, video surveillance, access control systems and/or other monitoring systems may be in operation for security reasons and for health and safety and office management purposes.

We may also share your details with people or companies if there’s a corporate restructure, merger, acquisition or takeover.


Usually, we do not transfer your Personal data to countries outside the European Economic Area (“EEA”). However, We, our service providers, and other parties with whom we may share your Personal data (as described above) may process your Personal data in territories that are outside the EEA, or otherwise outside of the territory in which you reside. These countries may have data protection standards that are different to (and, in some cases, lower than) those of the territory in which you reside.

We will take appropriate steps to protect your Personal data in accordance with this Privacy Policy and applicable data protection laws; including through the use of any appropriate safeguards required by law to ensure that any international data transfers are lawful. When we do this, we make sure that your Personal data is protected and that:

  • the European Commission says the country or organisation has adequate data protection, or
  • we’ve agreed to standard data protection clauses approved by the European Commission with the organisation.


We comply with its obligations under the applicable data protections laws by:

  • keeping personal data up to date;
  • storing and destroying it securely;
  • not collecting or retaining excessive amounts of data;
  • protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical and organizational measures are in place to protect personal data.

The transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal data, we cannot guarantee the security of your information transmitted to our site, unless you are communicating with us through a secure channel that we have provided. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.


If Doroex becomes aware of any breach of our security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to (excluding unsuccessful attempts or activities) personal data of Clients on systems managed or otherwise controlled by us we will notify you promptly and without undue delay and in compliance to the procedure prescribed under respective Regulation.

The notification will be sent to your e-mail address at the discretion of Doroex or by other direct communication channel available to Doroex and allowed by Client (for example, by phone). It is sole responsibility of the Client to provide us with the e-mail address and ensure that this e-mail address is valid and active.

None of Data Incidents notification from Doroex may not be and will not be construed as an acknowledgment of any fault or liability with respect to data incident by us.


Client agrees that without prejudice to our security measures and data incidents that it is Client’s responsibility to make appropriate use of our services to ensure a level of security appropriate to the risk in respect of your personal data and securing your authorization credentials, system and devices which you use to access to our services.

We are not obliged to protect your personal data that you choose to store or transfer outside Doroex and our subprocessors’ systems.


We store Personal data no longer than it is reasonably required for the purposes for which particular Personal data is processed. Personal data storage periods shall be determined based on applicable legal acts or our legitimate interests.

In order to establish how long we keep different categories of data, we consider why we hold it, how sensitive it is, how long the law says we need to keep it for, and what the risks are.

We reserve the right to erase specific information before the expiry of the set period if this is not prohibited by the applicable legal acts.


In some instances, our use of your Personal data may result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.

We may process of Personal data by automated means for the purposes of legislation relating to risk management and continuous and periodic monitoring of transactions in order to prevent fraud, money-laundering and terrorist financing events.

If you are using the Doroex Services in the EEA, when we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contacting us at the details below. Privacy laws continue to develop and if you think or are unsure as to whether such right may apply to you, please also contact us, so we can assess and advise.


Subject to applicable laws, you may have the right to access information we hold about you. Your right of access can be exercised in accordance with the relevant data protection legislation. If you have any questions in relation to our use of your Personal data, contact us.

Under certain conditions, you may have the right to require us to:

  • provide you with further details on the use we make of your Personal data;
  • provide you with a copy of the information that you have provided to us;
  • correct, or update your Personal data;
  • delete your Personal data that is no longer necessary, or no longer subject to a legal obligation to which we are subject to. We have legal obligations so it may not be possible to delete your Personal data at the time of request. Once the required time has passed then we will be able to comply with your request;
  • where processing is based on consent, to withdraw your consent so that we stop that particular processing;
  • object to its processing or temporarily restrict its processing while exercising your other rights. However, objection to any processing based on the legitimate interests ground may be possible unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights;
  • request to transfer certain of your Personal data to another service provider;
  • to opt-out of certain uses of your Personal data, including asking us to limit the sharing of your Personal data with affiliated and non-affiliated third parties.

Your exercise of these rights is subject to certain exemptions to safeguard the public interest, e.g., the prevention or detection of crime, and our interests, e.g., the maintenance of legal privilege. If you exercise any of these rights, we will check your entitlement and respond in most cases within a month.


We also use cookies and similar technologies for collecting technical information, which contains your unique identifiers. We automatically receive the web address of the site that you came from and the IP address of the computer or device that you are using to access the Doroex website. This information helps us to understand your preferences, improve website navigation, allows to develop and improve our services, and better manage our servers.

If you prefer to prohibit the usage of cookies, please use your browser settings. Most browsers give you an ability to manage your cookies or provide you with an “incognito mode” or similar features, which allows you to not record your visits and downloads in your browsing and download histories. In this mode any cookies created during this type of session are deleted after you close all “incognito” windows.

For more details, please check our Cookies Policy available on our website.


Please note that we may amend this Privacy Policy from time to time at our sole discretion. Therefore, please check this Privacy Policy for updates. If you continue to use and/or access the website following the posting of any changes, this automatically constitutes acceptance of those changes. In the event you disagree with any changes you shall immediately terminate the use of our website and/or services. If any significant updates with regard to the data processing terms are made here, we will notify you additionally within reasonable time period via e-mail provided by you.


By applying for an account with Doroex, you consent to the collection, processing and receipt of your personal data, as described in this Privacy Policy.


All comments, queries and requests relating to our use of your information are welcomed. You may submit your questions, requests and complaints to our data privacy department by email to, marked FAO Privacy or by post to Dorofia d.o.o., Ul. Ivana Meštrovića 3510360, Sesvete, Croatia.