Privacy Policy
Valuto d.o.o., headquartered in the Republic of Serbia, acts as the Data Controller within the meaning of the Law on Personal Data Protection and this Privacy Policy.
Valuto d.o.o. determines the purpose and means of processing data collected through the Valuto mobile and web application and is responsible for their security and lawful processing.
Valuto d.o.o. may engage Data Processors (e.g., hosting providers, cloud services, email delivery tools, or system maintenance providers), who process data technically on its behalf and solely under its instructions.
All processors with whom Valuto d.o.o. cooperates are contractually obliged to maintain data confidentiality and act in accordance with the Law on Personal Data Protection.
Recipients of the data may be Valuto itself (internally), engaged processors, as well as competent state authorities if there is a legal obligation to provide data (e.g., upon request of a court or law enforcement agencies).
📱 Note
This document represents the consolidated privacy policy for the Valuto mobile and web application.
Scope of Application
This document applies to the data of mobile application users (natural persons) and exchange offices (legal entities or entrepreneurs) utilizing the web application, which Valuto d.o.o. collects and processes for the purpose of providing services.
Personal data in relation to this Privacy Policy implies all data relating to an identified or identifiable natural person collected by Valuto during the use of the mobile or web application.
User Consent
Before accessing their user account, the mobile and web application user is enabled to read the Privacy Policy, which is available on the application's home page. Reading this document is not a condition for registration or use of the application.
By using the Valuto application, including accessing the account and interacting with the application's functionalities, the mobile and web application user confirms that they are familiar with the Privacy Policy and that they consent to it in its entirety.
The Privacy Policy forms an integral part of the Valuto application.
Legal Framework and Compliance
Valuto d.o.o. processes user data in accordance with:
- The Law on Personal Data Protection of the Republic of Serbia
- The General Data Protection Regulation (EU) 2016/679 (GDPR), where applicable
Valuto d.o.o. processes exclusively essential information necessary for the functioning of the application. All data is protected by advanced security protocols and is not shared with third parties without the user's explicit consent.
Protection of Minors
Our application is not intended for persons under the age of 15. Valuto d.o.o. does not knowingly collect data from minors.
If we become aware that we have inadvertently processed data of a minor user without the consent of a parent or guardian, such data will be immediately deleted.
Security Measures
Valuto d.o.o. implements technical and organizational data protection measures to prevent unauthorized access, loss, alteration, or disclosure of personal data.
Measures include:
- 🔐 Data encryption
- 🛡️ Access control
- 📚 Internal employee training
- 🔍 Regular system security checks
User Rights
The user has the following rights regarding the processing of their data:
Right to Access and Rectification
The user has the right to access, rectify, delete, and restrict the processing of their data within the application interface.
If the mobile or web application user, by inspecting their data in the application interface, becomes aware that the processed data is incorrect, incomplete, or outdated, they shall correct, supplement, or delete it independently within the mobile or web application interface.
Right to Object
In addition to the rights to access, rectification, deletion, and data portability, the user has the right to object to the processing of their data for marketing purposes at any time via the address: privacy@valuto.rs.
Right to Erasure (Right to be Forgotten)
Valuto d.o.o. shall delete collected personal data without delay and stop further processing thereof, if:
- Personal data is no longer necessary for the purpose for which it was collected
- The data subject has revoked consent for data processing
- The data subject has submitted an objection and requested deletion
- It turns out that the personal data has been unlawfully processed
- There is a legal obligation to delete the data
- The data relates to a minor who had not reached the age of 15 when consent was given
Right to Restriction of Processing
Valuto d.o.o. is obliged to restrict the processing of personal data (stop using, analyzing, deleting, modifying, sending, or sharing) if:
- The data subject contests the accuracy of the personal data
- The accuracy of the personal data is contested and cannot be determined
- Personal data must be stored for the purpose of collecting evidence
- The processing is unlawful, but the person opposes deletion
- The person has filed an objection to the processing in accordance with the Law
Mobile App Data
The data of mobile application users collected, processed, and stored in the application database by Valuto d.o.o. for the purpose of providing services are as follows:
- Transaction code
- Email and password of the registered mobile application user
- Email of the mobile application user accessing via Google account or Apple account
- Transaction type (currency purchase or sale)
- Data on the currency that is the subject of the transaction (currency name, amount, and exchange rate)
- The monetary amount that the exchange office needs to prepare
- Reservation status (completed/pending/expired/canceled)
- Date and time of the transaction
💾 Transaction History
For registered users of the Valuto mobile application, transaction history and favorite exchange offices are stored to improve user experience.
Technical Data
Valuto d.o.o. does not collect data on the user's IP address or device identifiers, while location data is collected temporarily and deleted from its database after the reservation ceases to be active.
However, servers and hosting providers used by the Valuto application may temporarily process technical data (such as IP addresses and access logs) to ensure system security and prevent abuse. Such data is not accessible to Valuto d.o.o. and is not used to identify users.
Personal Data Definition
Data of mobile application users, such as user email address, account password, and transaction data linkable to a specific user, are considered personal data if they can be linked to a specific natural person.
Valuto d.o.o. undertakes to act fully in accordance with the Law on Personal Data Protection of the Republic of Serbia regarding their collection.
Web App Data – Exchange Offices
Data of web application users – exchange offices, collected, processed, and stored during registration by Valuto d.o.o. for the purpose of providing services are as follows:
- Business name of the exchange office (for identity verification)
- TIN (PIB) and Registration Number (MB) of the exchange office (to verify registration with the NBS)
- Email and password for web application access
- Contact phone number
- Address: City, street, and number
- Working hours by days
🏢 Legal Entity Data
Data on legal entities (exchange offices) collected through the application are not considered personal data, unless the exchange office is registered as an entrepreneur (sole trader). In such cases, data is processed in accordance with this Policy.
Marketing Communication
Mobile App Users
Valuto d.o.o. may send promotional or informational messages to mobile application users via email, SMS, or push notifications solely with their prior and explicit consent.
Consent may be given during account registration or subsequently via account settings.
The user has the right to withdraw consent at any time — via the "Unsubscribe" option or by sending a request to privacy@valuto.rs.
✉️ Functional Notifications
Functional notifications necessary for the use of the application (e.g., registration confirmation, reservation notifications, or technical errors) are not considered promotional messages and are not subject to this restriction.
Business Users (Exchange Offices)
Valuto d.o.o. may send business exchange offices notifications, messages, and offers related to web application usage, system updates, new functionalities, or commercial packages based on legitimate interest.
Business users may opt-out via privacy@valuto.rs.
Data Processing and Protection
Rectification and Supplementation
If Valuto d.o.o. learns that processed data is incorrect, incomplete, or outdated, such data will not be transferred to third parties. Valuto d.o.o. will correct, supplement, or delete such data without delay.
Correction can also be requested by the data subject via privacy@valuto.rs.
Notification of Changes
Valuto d.o.o. will notify all recipients to whom personal data has been disclosed of any rectification, deletion, or restriction, unless impossible.
Rejection of Request
If competent authorities require data processing for specific purposes, and the user requests deletion, Valuto d.o.o. will inform the user in writing about the refusal and the reasons for it.
Third Parties and Partners
Valuto d.o.o. uses third-party services for hosting, maintaining, and improving the application. These partners may have temporary access to certain user data solely to the extent necessary to provide their services.
All partners are bound by confidentiality and data processing agreements in accordance with applicable laws.
Retention Period
Valuto d.o.o. retains user data for as long as necessary for the purposes for which it was collected, and for a maximum of 5 years from the user's last activity, unless otherwise provided by law.
After this period, data is deleted, anonymized, or archived.
Special Categories of Data
Valuto d.o.o. does not process personal data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for unique identification
- Health data
- Data concerning sex life or sexual orientation
🔴 Important
Valuto d.o.o. does not use automated decision-making or profiling that would produce legal effects for the user.
Records of Processing Activities
Valuto d.o.o. maintains internal records of the types and purposes of personal data processing in accordance with Article 47 of the Law on Personal Data Protection.
Data Breach Procedures
Valuto d.o.o. will document and notify the Commissioner for Personal Data Protection without delay, and no later than 72 hours after becoming aware of it, if a data breach occurs that may pose a risk to the rights and freedoms of natural persons.
Notification to Users
Valuto d.o.o. will inform the data subject about such a breach unless appropriate security measures (encryption) were applied, or subsequent measures ensured no high risk remains.
Legal Basis for Processing
- Contract Execution: Processing necessary to provide the service
- Legitimate Interest: Improving the application and business processes
- User Consent: For marketing and analytical activities
Exercising Rights
Request for a Copy
Users may request a copy of processed data via privacy@valuto.rs.
Right to Portability
Users may request data transfer to another controller.
Objection
Users may submit an objection via privacy@valuto.rs.
Complaint to Authority
Users have the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection via email: office@poverenik.rs.
Contact
Data Protection Contact at Valuto d.o.o.:
For all questions regarding personal data protection
Policy Changes
Valuto d.o.o. reserves the right to amend this Privacy Policy. All changes will be published on the official website.
The new version becomes effective on the day of publication.
Effective Date
This Privacy Policy is effective from December 6, 2025.