Privacy Policy

Last updated: 18 March 2026.

VONDI GLOBAL D.O.O. BEOGRAD, with registered address at Patrisa Lumumbe 70, 11120 Beograd (Palilula), PIB: 115369231, MB: 22148117, processes your personal data in accordance with the Personal Data Protection Law (Official Gazette of RS, No. 87/2018). This privacy policy describes what data we collect, the purposes for which we use it, to whom we disclose it and what your rights are.

1. Who we are

Vondi is an online marketplace that enables buyers to find and purchase products from registered sellers. The data controller is VONDI GLOBAL D.O.O. BEOGRAD. For all questions regarding data processing, please contact us at: privacy@mail.vondi.rs.

2. What data we collect

• Registration data: first and last name, email address, password (stored in hashed form), phone number.
• Order data: delivery address, cart contents, order history, delivery status.
• Payment data: card type, last four digits, expiry date — we do not store full card data. Card payments are processed by AllSecure Exchange d.o.o. (PCI DSS Level 1). IPS QR payments are processed by PaySpot (Banca Intesa).
• Technical data: IP address, browser type and version, device data, session cookies, access time.
• Data you voluntarily provide: product reviews, messages to sellers, profile data.

3. Legal basis for processing

• Performance of a contract (Art. 12, para. 1, point 2 of the Law) — processing necessary to fulfil the purchase and delivery.
• Legal obligation (Art. 12, para. 1, point 3 of the Law) — fiscalization, accounting and tax documentation.
• Legitimate interest (Art. 12, para. 1, point 6 of the Law) — platform security, fraud prevention, service improvement.
• Consent (Art. 12, para. 1, point 1 of the Law) — sending marketing notifications (when you have given consent).

4. Who we share your data with

• Sellers on the Vondi platform — receive data necessary to prepare and dispatch the order (name, delivery address, contact phone).
• Courier service — Pošta Srbije / Post Express — data required for delivery.
• AllSecure Exchange d.o.o. — processing card payments (PCI DSS Level 1).
• PaySpot / Banca Intesa — processing IPS QR payments.
• Raiffeisen banka a.d. Beograd — company financial operations.
• Government authorities — when required by law (Tax Administration, courts, prosecutor's office).

We do not sell your data to third parties for commercial purposes.

5. Data security

We apply appropriate technical and organisational security measures:

• TLS encryption of traffic between your device and our servers
• AES-256 encryption of sensitive data in the database
• Bcrypt hashing for passwords
• PCI DSS compliance for card payments
• Regular security audits and penetration tests

6. Data retention periods

7. Your rights

Under the Law, you have the right to:

• Access — to know what data we process about you.
• Rectification — to request correction of inaccurate data.
• Erasure — to request deletion of your data (“right to be forgotten”), subject to legal limitations.
• Portability — to receive your data in a machine-readable format.
• Objection — to object to processing based on legitimate interest.
• Restriction of processing — in cases provided for by the Law.

You can submit a request to: privacy@mail.vondi.rs. We will respond within 30 days.

8. Right to lodge a complaint with the Commissioner

If you believe your data is being processed contrary to the Law, you have the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection:

• Address: Bulevar kralja Aleksandra 15, 11000 Beograd
• Phone: +381 11 3408 900
• Email: office@poverenik.rs

9. Changes to this privacy policy

We reserve the right to amend this policy. We will notify you of significant changes by email or via a notice on the platform. Continued use of the platform after changes are published constitutes acceptance of the updated policy.

10. Contact

For all questions regarding personal data protection: privacy@mail.vondi.rs