Privacy Policy of Sky.Flow Platform and Sciomagis

This document describes how Sciomagis d.o.o. (“Sciomagis”, “we”, “us”) collects, processes, and protects Personal Data in connection with the Sky.Flow platform (“the Platform”). It can be printed for reference using the print command in your browser.

Last updated: May 2026.


1. Owner and Data Controller


2. About the Platform

Sky.Flow is a business-to-business (B2B) document management and business process platform. The content stored and processed within the Platform — documents, invoices, purchase orders, workflow records, KPI data, and similar — is business data owned by the customer organization. It is not personal data of individual users.

Personal Data processed by the Platform is limited to what is necessary to operate user accounts, provide the service, and maintain security and audit trails.


3. Types of Personal Data Collected

3.1 Account Data

When a user account is created, the following data is collected:

  • Full name
  • Email address
  • Username
  • Password (stored in hashed form)
  • Organization membership

This data is necessary for the performance of the service agreement.

3.2 Security and Audit Log Data

To protect user accounts and detect unauthorized access, the Platform records the following data when users log in, log out, or when a login attempt fails:

  • IP address
  • Browser identifier (User-Agent)
  • Session identifier
  • Timestamp
  • Request path
  • Success or failure status and reason

This data is accessible to:

  • Organization administrators — for events within their own organization only
  • Sciomagis platform administrators — for all events, including system-level events

The legal basis for this processing is legitimate interest (Article 6(1)(f) GDPR) — specifically, the security of user accounts, detection of unauthorized access, and protection of the Platform.

Security log data is retained for 12 months and is automatically deleted thereafter.

3.3 Usage Data

The Platform may collect technical data generated during use, such as page requests and error logs. This data is used exclusively for service operation, maintenance, and troubleshooting.

3.4 Cookies

The Platform uses session cookies strictly necessary for authentication and maintaining the user session. No tracking cookies, analytics cookies, or third-party advertising cookies are used.


4. Legal Basis for Processing

| Data category | Legal basis | GDPR Article |
|---|---|---|
| Account data | Performance of contract | Art. 6(1)(b) |
| Business content | Performance of contract (data processor role) | Art. 6(1)(b) |
| Security logs | Legitimate interest (security) | Art. 6(1)(f) |
| Usage / system logs | Legitimate interest (service operation) | Art. 6(1)(f) |

5. Sciomagis as Data Controller and Data Processor

For Account Data and Security Logs, Sciomagis acts as the data controller — we determine the purpose and means of processing this data.

For Business Content stored within the Platform (documents, workflow records, KPIs, and similar), Sciomagis acts as a data processor on behalf of the customer organization, which is the data controller. Business content is processed solely as instructed by the customer organization and in accordance with the service agreement.

Customer organizations using the Platform are responsible for ensuring that any personal data they upload or process through the Platform complies with applicable data protection laws, including obtaining any necessary consents from data subjects.


6. Place of Processing and Infrastructure

The Platform infrastructure is hosted on Amazon Web Services (AWS) in the EU West (Ireland) region. All data — including user accounts, business content, and security logs — is stored and processed within the European Union.

Data is not transferred outside the European Economic Area (EEA), with the following exception:

Disaster recovery backups: For business continuity purposes, encrypted backups of business content (documents and files) may be stored in AWS US East (Virginia). These backups are encrypted at rest, accessible only to Sciomagis platform administrators, and covered by the EU-US Data Privacy Framework. User account data, security logs, and database records are not included in off-region backups and remain exclusively within the EU.

Third-party services used:

| Service | Provider | Purpose | Location |
|---|---|---|---|
| Cloud infrastructure | Amazon Web Services | Hosting, storage, compute | EU (Ireland) |
| Email delivery | Amazon SES | Transactional email (notifications) | EU (Ireland) |
| OCR processing | Amazon Textract | Document text extraction (optional) | EU (Ireland) |
| Disaster recovery | Amazon S3 | Encrypted backup of business content | US (Virginia) |

7. Data Retention

| Data category | Retention period |
|---|---|
| Account data | Duration of the service agreement; deleted upon account closure |
| Business content | As determined by the customer organization; deleted upon contract end |
| Security logs | 12 months, then automatically deleted |
| System / error logs | 90 days |

When an account is closed or a user requests deletion, personal data is masked or removed in accordance with the Sciomagis GDPR procedure. Business content retention and deletion is the responsibility of the customer organization.


8. Rights of Users

Under the GDPR, users have the following rights regarding their Personal Data:

  • Access — obtain confirmation of whether Personal Data is being processed and receive a copy of that data.
  • Rectification — request correction of inaccurate Personal Data.
  • Erasure — request deletion of Personal Data when it is no longer necessary, subject to legal retention obligations.
  • Restriction — request that processing be restricted under certain circumstances.
  • Data portability — receive Personal Data in a structured, commonly used, machine-readable format.
  • Objection — object to processing based on legitimate interest by providing grounds related to a particular situation.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint — file a complaint with the Croatian Personal Data Protection Agency (AZOP) or another competent supervisory authority.

To exercise any of these rights, contact us at: davorinanton.dumancic@sciomagis.com

Requests will be addressed within one month.


9. Security Measures

Sciomagis implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encrypted data transmission (HTTPS/TLS)
  • Hashed password storage
  • Role-based access control within the Platform
  • Organization-scoped data isolation (each organization’s data is accessible only to its authorized users)
  • Regular database backups with encrypted storage
  • Security event logging and monitoring

10. Changes to This Policy

Sciomagis reserves the right to update this privacy policy at any time. Users will be notified of material changes through the Platform or by email. The date of the last update is shown at the top of this document.

It is recommended to review this page periodically.


11. Contact

For any questions regarding this privacy policy or the processing of your Personal Data:

Sciomagis d.o.o. — Kolodvorska 34, 10410 Velika Gorica, Croatia — VAT: HR41324938444