Privacy Policy
GatesaFlow Website: gatesaflow.com Contact email: [email protected] Country: Republic of Kosovo
Last updated: 12 May 2026
1. Introduction
GatesaFlow ("we", "us", "the Company") provides a digital platform for bakery management. The privacy of visitors and users of our website is important to us. This Privacy Policy explains what personal data we collect, for what purpose, on what legal basis, how long we keep it, and what your rights are.
We process personal data in accordance with the Republic of Kosovo Law No. 06/L-082 on Personal Data Protection and the principles of the EU General Data Protection Regulation (GDPR) where applicable.
2. Data Controller
The controller of personal data collected through this website is:
GatesaFlow Email: [email protected] Website: gatesaflow.com
For any question, request, or complaint about the processing of your personal data, please contact us at the email above.
3. What data we collect
3.1 Data you provide to us
When you fill in the contact form or write to us directly, we may collect:
- First and last name
- Email address
- Phone number (if provided)
- Bakery or company name (if provided)
- The content of your message
3.2 Data collected automatically
When you visit our website, the following is collected automatically:
- IP address (shortened/anonymised where technically possible)
- Browser type and version
- Operating system
- Referring page (the URL you came from)
- Pages visited on our site and how long you stayed
- Date and time of visit
- Cookie and similar-technology identifiers
3.3 Data from social media
If our website loads content from social networks (e.g. embedded videos, posts, "share" buttons), the providers of those platforms (Meta/Facebook, Instagram, LinkedIn, YouTube) may collect data about you, including your IP address and your behaviour on our site. This may happen even if you do not click the content.
4. Purposes and legal basis for processing
| Purpose | Data processed | Legal basis |
|---|---|---|
| Responding to your contact-form messages | Name, email, phone, message content | Pre-contractual steps at your request (Art. 5.1(b), Law 06/L-082) |
| Technical operation of the website (essential cookies) | Session identifiers, language preference | Legitimate interest (Art. 5.1(f)) — site cannot function without them |
| Website usage analytics (Google Analytics) | Truncated IP, on-site behaviour, device | Your consent (Art. 5.1(a)) |
| Embedded content from social networks | IP, browser identifiers | Your consent (Art. 5.1(a)) |
| Marketing and retargeting (if activated) | Browser identifiers, on-site behaviour | Your consent (Art. 5.1(a)) |
| Compliance with legal obligations (e.g. authority requests) | Case-specific data | Legal obligation (Art. 5.1(c)) |
| Protection against fraud and site security | IP, technical logs | Legitimate interest (Art. 5.1(f)) |
Where the legal basis is consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
5. Retention periods
| Category | Retention |
|---|---|
| Contact-form messages | Up to 24 months from last communication, unless a commercial relationship is opened |
| Technical logs (server logs) | 12 months |
| Analytics data (Google Analytics) | Up to 14 months, per standard configuration |
| Essential cookies | Session-end or up to 12 months |
| Analytics cookies | Up to 24 months from last visit |
| Marketing cookies | Up to 13 months from being set |
After these periods, data is deleted or irreversibly anonymised.
6. Recipients and third parties
Your data may be shared with the following categories of recipients, only to the extent necessary:
- Hosting providers — for technical site operation
- Google Ireland Limited (Google Analytics) — for aggregated usage statistics
- Meta Platforms Ireland Limited (Facebook, Instagram) — if you load embedded content from those platforms
- YouTube / LinkedIn — for embedded videos or content where applicable
- Email and CRM providers — to manage your replies
- Public authorities — only when required by law
Some of these providers have offices or servers outside Kosovo and the EU (e.g. in the United States). In such cases, the transfer relies on the European Commission's Standard Contractual Clauses (SCCs) or other legally recognised mechanisms.
We do not sell your personal data.
7. Your rights
Under Law No. 06/L-082 and the GDPR, you have the right:
- To access — to know whether we process data about you and to receive a copy
- To rectification — to have inaccurate data corrected
- To erasure ("right to be forgotten") — to have data deleted when no longer needed
- To restriction — to restrict processing in certain circumstances
- To portability — to receive your data in a structured, transferable format
- To object — to processing based on legitimate interest or to direct marketing
- To withdraw consent — at any time, without consequence
- Not to be subject to automated decisions producing legal effects on you
- To lodge a complaint with the Information and Privacy Agency of Kosovo (AIP) — aip.rks-gov.net
To exercise these rights, write to [email protected]. We will respond within 30 days of receiving your request.
8. Data security
We take reasonable technical and organisational measures to protect your data from unauthorised access, loss, alteration, or disclosure: HTTPS encryption, access control, regular backups, and periodic security reviews.
9. Children
Our website is not directed at persons under 16, and we do not knowingly collect data from them. If we discover that we have collected a child's data without guardian consent, we will delete it immediately.
10. Changes to this policy
We may update this Policy from time to time. The latest version will always be published at gatesaflow.com with the update date. For material changes, we will notify you in a clearly visible way.
11. Contact
For any question about this policy or your rights:
Email: [email protected] Website: gatesaflow.com