General business terms

This Privacy Policy regulates rights and obligations in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - hereinafter: “Regulation”), Act on the General Data Protection Regulation Implementation (OG 42/18) and other laws that regulate personal data protection with regard to the registration and use of the PLATFORM.
A legal person accessing the PLATFORM shall have the obligation to participate in the creation of necessary conditions pertaining to the personal data protection, to the highest possible extent, so that NEOSTAR, NEOSTAR’s affiliated companies and third persons appointed by NEOSTAR could appropriately use the data as authorized persons. If there is no permission for data processing based on law or any other legal rule, the Legal person accessing the PLATFORM is obliged to submit a declaration of consent for personal data processing to the respective persons and try to get their consent within the legally allowed framework. The Legal person accessing the PLATFORM is obliged to ensure possible forwarding of data within and outside of the EU in the declaration. The Legal person accessing the PLATFORM shall, upon NEOSTAR’s invitation submit the necessary personal data processing consents at any time, should NEOSTAR ask so. NEOSTAR shall have the right to store and keep personal and business data they have received from the Legal person accessing the PLATFORM even after the cessation of the business relationships which are subject of these General Terms and Conditions.
Personal data according to the Privacy policy (hereinafter: Privacy policy) are all data concerning an identified or identifiable natural person (hereinafter for the purpose of this Privacy Policy: “Data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing of Personal Information in accordance with the Privacy policy means any operation or set of operations which is performed upon Personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, structuring, restriction, or otherwise making available, alignment or combination, blocking or erasure, or destruction.
Personal data shall be processed pursuant to the guidelines contained in the applicable regulations/provisions of the Regulation, Act on the General Data Protection Regulation Implementation (OG 42/18) and other legal regulations in force that regulate data protection.
By providing and entering their personal data and confirming (clicking) that they accept the General Terms and Conditions and this Privacy policy, Data subject enters into a contractual relationship with NEOSTAR, thus, the processing of personal data collected in such a way is legal because actions are being taken at the request of the Data subject in order to realize the motor vehicle purchase and additional services as ordered by the Data subject.
If the Data subject does not provide mandatory information for a certain activity for which the PLATFORM requires information, they shall not be granted access to such activity because without these data, the activity on the PLATFORM shall not be executable. Withdrawal of consent shall disable the use of PLATFORM.
Data subjects are advised to read everything stated in the Privacy Policy in order to understand more easily which personal data NEOSTAR collects and processes, for which purpose, based on which legal grounds, with whom and why they they share them, what legal measures they undertake and what the rights of the Data subject are with regard to the access, rectification, erasure and complaint.
Controller:
NEOSTAR d.o.o., Zagrebačka 117, HR-10410 Velika Gorica, OIB: 24813383735,
Controller contact data:
+385 (0) 98 9802 081; e-mail: [email protected]
Data protection officer contact data: N/A (Data protection officer has not been appointed because there is no legal obligation to do so);
Processing purpose: NEOSTAR collects and processes personal data of the Data subject for the purpose of the contractual relationship i.e. the use of the PLATFORM, or to be more precise, for the purpose of conducting a secure check of the authenticity of the Data subjects who access the PLATFORM, realization of motor vehicle purchase contract and other accompanying activities, delivery of the motor vehicle to the Data subject, communication with the Data subject, possible legal procedures regarding the realization of the contract, and we partly apply automated processing procedures in order to constantly advance our processes in the best interest of our Data subjects, to make the offers more custom-made for Data Subjects and to adapt our scope of services as much as possible to the habits and needs of Data Subjects.
For the purposes of processing, NEOSTAR and/or the PLATFORM use certain tools which, among other things, enable marketing communication with the USERS.
Every marketing e-mail that NEOSTAR and/or the PLATFORM send to the USER shall contain a note explaining how to, easily and free of charge, refuse the use of data for marketing purposes collected by NEOSTAR and/or the PLATFORM/how to withdraw the consent for further use data for marketing purposes by NEOSTAR and/or the PLATFORM.
Through a link that shall be contained in every marketing email that NEOSTAR and/or the PLATFORM send to the USER, the USER will be able to access the [link] website and by selecting “Unsubscribe me from the mailing list” the USER may refuse the use of data for marketing purposes collected by NEOSTAR and/or PLATFORM/withdraw the consent to further use data for marketing purposes by NEOSTAR and/or the PLATFORM at any time.
Selecting the option “Unsubscribe me from the mailing list” shall disable all marketing communication, but shall not affect other activities that NEOSTAR and/or the PLATFORM undertake in connection with the USER (including but not limited to, USER data processing via marketing tools, but without sending marketing e-mails to the USER). All communication exchanged with the USER shall only be disabled if the USER as data subject generally withdraws their consent to process data. However, this may result in the inability to continue using the PLATFORM, if collected data are necessary for the implementation of a certain activity of NEOSTAR and/or the PLATFORM.
In addition to having the option “Unsubscribe me from the mailing list”, by accessing the website [link] the USER shall be able to opt for personalized marketing communication sent by NEOSTAR and/or the PLATFORM by choosing to receive the messages of a specific type/content only. However, by choosing the option “Unsubscribe me from the mailing list” found on the website” [link] and/or by opting for personalized marketing communication sent by NEOSTAR and/or the PLATFORM, and/or the option to choose to receive messages of a specific type/content, the USER shall be able to access only via the link contained in the e-mail sent by NEOSTAR/the PLATFORM to the USER, and not via the USER profile. This does not affect the right of the USER to generally withdraw their consent as a data subject as well as their right to unsubscribe and/or delete the profile from the PLATFORM.
Legal basis:
I. Specific regulation;

II. Contractual relationship;

III. Explicit and unambiguous Data subject’s consent;
In each of these three cases, for each specific database that the Controller sets up and/or activity that the Controller undertakes, legitimate interest of the Controller (e.g. legitimate interest can be reflected in the fact that some documents and personal data contained in them represent the proof of business activity and justification of the incurred business expense) shall be stated.
Collected data: name and surname, name of the legal person who owns the vehicle, OIB (PIN), IBAN, address, e-mail address, phone number, vehicle location, vehicle registration, VIN number, motor vehicle photographs. Special categories of personal data shall not be processed. We shall not collect data about children. If we come to understand that such data have been transferred to us without the consent of parents or guardians of underaged children (less than 18 years old), we shall immediately remove them. Minors (less than 18 years old) are not allowed to use the PLATFORM.
Apart from these data, NEOSTAR automatically collects data from the Data subjects device, which can include IP address and geo-location, and there are situations in which NEOSTAR automatically collects other types of data such as date and time of access to the PLATFORM, information about hardware, software or internet browser that Data subject uses as well as operating system and version of application and language properties.
NEOSTAR recommends to the user to take care of their password for the PLATFORM user account. We recommend you select a combination of characters that contain upper case and lower case letters and numbers and to use a password of at least six characters. We recommend that you change the password periodically (at least once a year).
Personal data recipients: The Controller does not normally forward nor give personal data to any unaffiliated third parties, and stores them safely on Controller’s server or an external server, subject to their own discretion, which can provide enough guarantee in terms of the implementation of technical and organisational measures so that personal data processing meets all the requirements set out in the Regulation and that it adequately ensures the protections of Data subjects’ rights.
In order to fulfill all their obligations, the Controller may forward Data subjects’ personal data to affiliated companies of the Controller so that they could appropriately use the data as authorized persons. The Controller can forward Data subjects’ data to third parties such as business partners, e.g. to on-line and/or offline authorization service providers. Furthermore, to the extent we need it, personal data may be forwarded to the legal persons who provide services to the Controller. These services might be: marketing help, credit card payment processing, providing services to the Data subjects (including legal, tax and financial advice) and sending messages on behalf of the Controller. The Controller shall limit personal data they deliver to the respective legal persons and they shall have access only to those data necessary for a particular purpose. Some personal data may be forwarded to the executive power of the Republic of Croatia at their request so that the Controller would meet legal or statutory obligations.
Controller’s Employees as well as employees of the aforementioned legal persons (as needed), out of which some can be in the USA and in other countries outside of the European Union, but whose job description justifiably requires access to these data in order to fulfill the purpose stated in this Privacy Policy, shall have access to the personal data. In accordance with the regular practice and work procedures when providing accounting services, personal data may be subsequently selected and revised by internal and external auditors of the Controller’s choice. Controller may transfer personal data within a group of connected persons i.e. may use third parties to store and process provided data in the USA or other countries that do not ensure equivalent level of personal data protection and applicability of personal data protection regulations that are in force in the Republic of Croatia, to the extent necessary for the aforementioned services of use, to meet legal requirements, to protect important public interest or process personal data. Controller shall undertake all reasonable steps in order to prevent the risk, with reasonable safeguards, from inappropriate or illicit access to personal data as well as to prevent their unauthorized use. With regard to that, in case personal data are sent to third countries, Controller shall enter into appropriate contractual relationship with the respective third parties (contracts with foreign Data subjects entail Standard Contractual Clauses in accordance with the Commission Decision C (2010) 593)) obliging them to safely store obtained data and not to use them for any other purposes, other than those stated in this form. (Commission Implementing Decision (EU) 2016/1250 as of July 12, 2016 confirmed that, for the purpose of Article 25, paragraph 2 of the Directive 95/46/EC, United States of America ensure appropriate level of personal data protection for the data transferred from the Union to organization in the United States of America within the EU-US Privacy Shield).
Storage period: Personal data shall be stored within a period which is needed to fulfill legitimate and lawful purpose, unless laws and regulations in force/provisions of the Regulation set out a different period.
In case consent is given, personal data shall be processed until consent is withdrawn. In case there is a request to erase the data, they shall be immediately erased unless set out differently in the regulations in force/provisions of the Regulation.
For example, on the grounds of accounting regulations, some data need to be stored at least 11 (eleven) years.
Data subjects’ rights: In accordance with the Regulation, among other things, Data subject has the right to transparency (Articles 12-14), right to access data (Article 15), right to have their data rectified (Article 16), right to have their data erased (“right to be forgotten”, Article 17), right to restriction of processing (Article 18), right to ask for a notification regarding rectification or erasure of personal data or restriction of processing (Article 19), right to data portability (Article 20), right to object (Article 21), right to object automated individual decision-making (including profiling, Article 22) and generally right to withdraw consent (Article 7) to the extent processing is based solely on Data subject’s consent.
Data subject’s withdrawal of their consent means they shall not be able to continue using the PLATFORM, if collected data are necessary for certain activities on the PLATFORM to be conducted.
Data subject’s withdrawal, if there are legal prerequisites for it, leads to anonymization of the registered PLATFORM USERS. Anonymization is the procedure of processing personal data which irreversibly prevents identification of a USER from processed data. As per definition, after correct anonymization it must not be possible to connect anonymized data with a particular person. Pursuant to the aforementioned, after data anonymization there is no way of retrieving the data in the same form as prior to anonymization.

Anonymization is possible:
- Through USER profile (valid for ORDINARY USERS, CONTRACTUAL USER and employees of CONTRACTUAL USERS). After anonymization, the application shall deregister USER.
The act of anonymization includes following activities:
- Selection of the particular USER
- Marking the USER as deleted
- Anonymization of the USER’s personal data using SHA256 hash method
o The following data are anonymized:
• E-mail address
• Name and surname
• OIB (PIN)
• IBAN
• Address
• Other personal data of the USER
- Creating a PDF document which records the act of the USER anonymization
o Document is displayed in order to be printed
o Document is permanently stored whereat the name of the file does not contain any personal data of the USER (Record on anonymization <timestamp>.PDF).
If the USER has ongoing activities on the PLATFORM (including transactions that are not finalized, published vehicles and similar), they are obliged to finish all of them independently before anonymization, within 15 (fifteen) working days at the latest, after which the process of anonymization shall be initiated. Whereas the USER is solely and exclusively responsible for any and all consequences that might arise if the ongoing activities are not finished prior to anonymization initiation. Upon anonymization, any and all rights of the USER that can cease to exist in accordance with law shall cease to exist, and the USER shall entirely waive any and all rights resulting from these General Terms and Conditions or related to them.
Data subject has the right to submit an objection to the supervisory authority - Personal Data Protection Agency.
If Data subject wishes to exercise any of their rights, they can address the Controller using the following contact data:
telephone: +385 (0) 98 9802 081; e-mail: [email protected]
Controller is obliged to provide information to Data subject within the deadline set out in the regulations/provisions of the Regulation in force. In case Data subject’s demands are unfounded or exaggerated, Controller has the right to charge a reasonable fee or refuse to take any action pursuant to the regulations/provisions of the Regulation in force.
Personal data protection safeguards: Controller shall undertake technical and organisational safeguards, which may include for example pseudoanonymization and/or anonymization, in order to enable efficient application of data protection principles such as: decreasing the amount of data and including safeguards in the processing to fulfill Regulation requirements and protect Data subjects’ rights.
NEOSTAR takes data protection seriously and undertakes different precautionary measures to keep data protected. Unfortunately, no data transmission via Internet or any other wireless measure is 100 % safe. Therefore, although NEOSTAR has reasonable safeguards to protect the data, it cannot guarantee protection of any information transmitted to and/or from the PLATFORM, and is not liable for any actions of any third parties that receive such information. NEOSTAR can decide to store personal data with service providers in the European Union (EU), and only under extraordinary circumstances outside of the EU. This shall be done only if there is a decision of the European Commission on appropriateness for this particular country and if safeguard and upholding of binding data protection regulations have been contracted.
Collected personal data are electronic and protected by SSL certificate which encrypts data thus ensuring that the communication between Data subject’s computer and the PLATFORM is conducted via secure protocol.
Controller’s expert and administrative staff processing personal data shall have in place all technical, human resource and organisational safeguards necessary to protect personal data from accidental loss or destruction, illicit access or amendment, illicit publication and any other misuse, and they establish obligations of the persons working on personal data processing.
By clicking the register button, Data subject accepts this Privacy Policy confirming that they read and understood it and agree with collection, processing and sharing of personal data in a way and to the extent set out in the Privacy Policy.
NEOSTAR may amend this Privacy Policy at any time by publishing the amended text of the Privacy Policy on the PLATFORM. Therefore, NEOSTAR invites Data subject to occasionally revise Privacy Policy which shall contain a remark about the amendments, if there will be any within a certain period of time.
If Data subject does not agree with this Privacy Policy, we advise Data subject to deregister and/or delete their profile from the Platform.

Cookies and other tracking technologies can be used on the PLATFORM in different ways e.g. To enable functioning of the PLATFORM and/or for marketing purposes.
Cookie is a small piece of data sent from a website and stored on the VISITOR’s computer (textual file stored on the VISITOR’s computer by the server which the VISITOR uses). Files originate when the browser on the VISITOR’s device uploads visited network destination, which then sends data to the browser and creates the textual file (cookie). The browser retrieves and sends the file to the servers of the network destination (place, website) when the user returns to it. Cookies are used to enable functioning of all internet site features and better USER experience. Cookie allows PLATFORM to “remember” VISITORS’ actions during their previous visits. Most browsers allow the use of cookies, but VISITOR can delete them or opt to have the storing disabled in the browser, at any time. The most frequent reasons to use cookies are: identification of VISITORS, remembering specific user preferences, help when entering information that had been entered during previous visits, collecting data for analyses and promotional campaigns. According to their functional division, cookies can be: necessary, functional and marketing.
Types of cookies
First party cookies
Cookies installed on the VISITOR’s device by an organization whose web site VISITOR is visiting are known as “first party” cookies.
Third party cookies
Cookies installed on the VISITOR’s device by an organization other than the one VISITOR is visiting are known as “third party” cookies. An example of “third party” cookies is cookie installed by a company specialized in web site analytics (such as Google Analytics) that provides the owner of the website with data about the number of people visiting it.
These cookies are not installed by the NEOSTAR platform and most often serve as help in interpreting the behavior of users and for marketing purposes. They are used to get statistical data about the number of visitors and the way PLATFORM’s internet sites are used. Data that are collected include: VISITOR’s IP address, browser data, language, operating system and other standard data that are collected and analyzed only in anonymous and mass form, unless these are VISITOR’s data. PLATFORM’s internet sites do not contain cookies that enable execution of a program or installing a virus on the VISITOR’s computer.
Persistent cookies
Persistent cookies remain stored on the VISITOR’s device after the browser had been closed. These cookies help web sites to store data to enable VISITOR their easier use. For example, web sites that require user name and password to be entered will remember VISITOR’s entry and they will appear on every subsequent visit.
Session cookies
Session cookies are removed from VISITOR’s device after having closed the web browser which VISITOR used to visit the web site. These cookies enable web sites to store temporary data that serve for its proper functioning.

Cookies management instructions for most used web browsers
If the VISITOR does not consent to their use, they can easily delete cookies (or prevent them) on their computer or mobile device in the settings section of the web browser in use. In the settings section of browsers such as Explorer, Safari, Firefox or Chrome, VISITOR can opt for the cookies they wish to accept and those they wish to decline.
A place where VISITOR can find settings depend on the type of their browser. Option “Help” in their web browser enables VISITOR to find the settings they need or they can find the information on www.allaboutcookies.org.
* * *
Since the purpose of cookies is to improve and enable internet sites of the PLATFORM and their processes, VISITOR should bear in mind that preventing or deleting cookies may disable functioning of these features or cause them to function and appear differently in their browser. If VISITOR selects the option not to accept certain types of cookies, they might not be able to use some functions of the PLATFORM.