Privacy Policy

Last updated: 24.06.2026

BID Grupa d.o.o. respects the privacy of its website visitors, business contacts, potential and existing clients, newsletter subscribers and job candidates.

This Privacy Policy explains what personal data we collect, from what sources we obtain it, for what purposes we use it, how long we keep it, to whom we may make it available and what rights the persons whose data we process have.

The Policy applies to the bid.hr and bid.agency websites, to the forms on them, to the communication related to these forms and to the related sales, marketing and recruitment activities of BID Grupa.

Data Controller

The Data Controller is:

BID Grupa d.o.o.

Trinajstići 74E

51215 Kastav, Croatia

OIB: 40985193097

Email for questions and requests related to the protection of personal data: privacy@bid.agency

In the remainder of this Policy, the terms “BID”, “we”, “us” and “our” refer to BID Grupa d.o.o.

What we consider to be personal data

Personal data is any information relating to a person whose identity is known or can be determined. These include, for example, name and surname, e-mail address, telephone number, IP address, job information, CV, content of a business query or an online identifier associated with a specific browser or device.

The processing of personal data includes any operation that is performed on data. This includes their collection, recording, organization, viewing, use, linking, forwarding, storage, restriction and deletion.

General principles of processing

We only collect data that we need for a clearly defined and legitimate purpose. We do not use them in a way that is incompatible with the purpose for which they were collected.

We strive to keep data accurate and up-to-date, limit access to data to persons who need it and keep it only for as long as required by the purpose of the processing or applicable regulations.

Depending on the individual processing, we process data based on consent, compliance with a legal obligation or the legitimate interest of BID Group.

Data collected via the contact form

When you send us a message via the contact form, we collect the data you enter in the form. This will generally be your name and surname, business e-mail address, website, type of facility, telephone number, company name, job title and content of the message. The web server and security systems may record the date and time of sending, IP address, technical data about the browser and data necessary to protect the form from unwanted and automated messages, along with the sent form. We use the data to read and understand the inquiry, respond to the sender, arrange a meeting, prepare an offer or carry out other actions requested by the person.

The form data is transferred to HubSpot CRM, where a contact record is opened or updated. This record may store the form data, the date of the contact, the content of the communication, notes related to the inquiry, scheduled meetings, and the status of a potential business relationship. Only authorized persons who need it for communication, sales, project management, or administration have access to such data. The processing is based on taking action at the request of the person before a possible contract can be concluded. When the inquiry does not directly relate to the conclusion of a contract, the processing is based on our legitimate interest to respond to business messages received and to keep a record of the communication.

If the inquiry does not develop into a business relationship, we generally retain the data for a maximum of two years from the last relevant communication. We may delete the data earlier if it becomes clear that further communication will not be necessary. If the communication develops into a contractual relationship, we continue to retain the data as part of the documentation related to the client and the contract.

Request for a Demo

Through the "Request our demo" form, we may collect first and last name, business email address, company name, website address, type of facility,.

We use the collected data to verify the request, contact the interested person, organize a demonstration, adapt the presentation to their business needs and, where applicable, prepare an offer. The data is stored in the HubSpot CRM. Within the CRM, we can record meetings held, the content of further communication, expressed interests, information provided, the status of inquiries and possible next steps.

The legal basis is to take action at the request of the person before a possible conclusion of a contract. The administrative record of the request and communication may be further based on our legitimate interest in the orderly management of business contacts.

If no business cooperation occurs after the demonstration, we generally retain the data for two years from the last relevant communication. If the person requests that we no longer contact them, we will stop using the data for further sales communication, except for the minimum record necessary to record and comply with that request.

Newsletter

When you subscribe to the newsletter, we collect your email address. When you subscribe, we record the content of the consent given, the date and time of subscription, and other technical data necessary to prove that consent has been given. Since the double opt-in procedure is used, we also record the confirmation sent by email. We store the data in HubSpot and use it to send newsletters, professional content, service notifications, events, news, and similar information. We send the newsletter based on consent. Subscription to the newsletter is not a condition for sending a business inquiry, downloading other content, or concluding a contract. Consent (newsletter) can be withdrawn at any time by clicking on the unsubscribe link in the received message or by sending a request to BID Group. Withdrawal of consent does not affect the legality of messages sent before unsubscribe.

We store the data of active subscribers until unsubscribe, withdrawal of consent, or termination of the newsletter program. After unsubscribe, we stop sending messages, but we may keep the email address on the internal list of unsubscribed recipients. This minimum record is kept so that the address is not included in the mailing again without a new legal basis. We may keep data on the consent given until the expiration of the deadlines in which it may be necessary to prove the lawfulness of the previous processing.

Job applications

When a person applies for a job through the "Careers" section, application form, email or other channel, we may collect first and last name, email address, open position, CV and/or motivation letter, which may contain information about education, previous experience, skills, knowledge, professional qualifications and availability to start work, and if the candidate provides them, we may also process links to portfolios or professional profiles, examples of previous work, recommendations, expectations related to the job and other information specified in the application. During the selection process, we may additionally record communication with the candidate, interview dates, notes of the interviewers, results of professional tasks or tests and assessment relevant to making a hiring decision.

We use the data exclusively for the purpose of receiving and reviewing the application, assessing whether the candidate meets the requirements of the position, organizing interviews and tests, communicating with the candidate, verifying information when justified and permitted, and making a decision on employment.

The processing is necessary to take action at the request of the candidate before the possible conclusion of an employment contract or other appropriate agreement. A certain part of the processing is based on the legitimate interest of the BID Group to conduct an orderly, objective and secure selection process. We do not use artificial intelligence tools in the selection process.

The data from the application may be technically received or recorded via HubSpot if the system is used to manage the form. The candidate's data must be organizationally separated from the general sales and marketing database and is not used to send newsletters or sales messages.

We generally retain the data of candidates who are not selected for six months after the end of the selection process. This period allows for the completion of communication and the protection of legal claims related to the selection process.

If we want to save the application for possible future positions, we will specifically inform the candidate about this and ask for his/her consent. Based on such consent, we may retain the data for a maximum of two years, unless a shorter period is specified in the consent notice. The candidate may withdraw consent at any time.

The data of the selected candidate that is necessary for the establishment of an employment relationship is transferred to the appropriate personnel documentation and stored in accordance with the rules applicable to employees.

Candidates are asked not to provide health data, data on religion, political beliefs, union membership, sexual orientation or other particularly sensitive data, as such data is not explicitly required for the recruitment process.

Business contact data and Apollo

BID uses Apollo as a platform for finding, verifying, supplementing and organizing professional contact data in a business or B2B environment.

Data available through Apollo may include first and last name, business email address, business phone number, employer name, job title, area of responsibility, company location, industry, size of organization and links to a publicly available professional profile. We do not obtain such data directly from the person, but from the business database provider, publicly available business sources or a combination of these sources. We may transfer the above data to HubSpot CRM, associate it with the company where the person works, and use it to assess whether there is a reasonable business connection between their professional function and the services of BID Group. Before sending a message, we assess whether the communication is relevant to the professional role of the recipient, whether the person can reasonably expect such business contact, and whether there is an easy way to refuse further communication. This processing may be based on the legitimate interest of the BID Group in developing its business and establishing relevant contacts with other business entities.

At the first communication, we provide the person with basic information about who processes their data, where the data was obtained and how they can object or request deletion.

The person may object to the use of their data for direct marketing at any time. After the objection, we will stop sending such messages. We may keep the e-mail address on an internal list of excluded contacts to ensure that the request is respected in the future.

We store the data of a contact with whom no business communication has been established for a maximum of twelve months from their entry or the last check for relevance. We store the data of a person who responded or with whom business communication has been developed for two years from the last meaningful contact, unless a contractual relationship or other reason for longer storage arises.

BID regularly reviews the contacts obtained through Apollo and deletes outdated, inaccurate or irrelevant data.

HubSpot CRM

We use HubSpot as a system for managing business contacts, forms, newsletters, leads, communications, and sales processes.

When a person fills out a form on the web, the data can be directly transferred to HubSpot. If the contact already exists, the new data and activities are associated with the existing record. Depending on how you use HubSpot and the consents you have given, the record may contain contact and professional data, the content of submitted forms, communication notes, scheduled meetings, business inquiry status, marketing consents, unsubscribes, and data about interactions with the website, phone, and email messages. Data about website visits, message openings, or clicks is not associated with a contact unless there is an appropriate legal basis for such tracking and, where required, prior consent.

We do not set a uniform data retention period for all contacts in HubSpot. The period related to the original purpose of processing applies. For example, candidate data is retained according to the deadlines for job applications, subscriber data until unsubscribed, and business inquiry data according to the deadline that applies to inquiries and customers.

We periodically review and delete or anonymize data in HubSpot when it is no longer needed.

Website Analytics

With the user's prior explicit consent, we use Google Analytics and certain HubSpot analytics features.

These technologies may collect data about the device and browser used, approximate location derived from the IP address, source of arrival, pages visited, duration of visit, interactions with content and forms, and identifiers that allow us to distinguish individual browsers or sessions.

We process the data to understand how the website is used, what content is useful, where visitors come from, whether there are technical difficulties, and how we can improve the structure, content, and results of the site.

Analytical technologies are activated only after the user accepts them in the cookie settings. The user can later withdraw consent via a link or cookie management tool available on the website.

The retention periods for analytical data depend on the settings of the individual tool. The specific cookie durations are specified in the Cookie Policy and the consent management tool.

LinkedIn, Meta and Google Ads

We may, now or in the future, use LinkedIn, Meta, and Google Ads technologies on the Website to measure the performance of campaigns, build audiences, limit the frequency with which ads are displayed, and display more relevant ads.

Such technologies may collect information about the website visit, content viewed, actions performed, source of arrival, device, browser, IP address and Internet identifiers. If the user is simultaneously logged into an account with a certain provider, the provider can associate the received data with his user account, in accordance with its own privacy policy.

Meta Pixel, LinkedIn Insight Tag, Google Ads tags, pixels and other marketing technologies are not activated before the user gives express consent for marketing cookies. This Policy may indicate their possible future use of advertising cookies.

Consent for marketing cookies can be withdrawn at any time via cookie settings.

Google Tag Manager

Google Tag Manager is used for the technical management of tags and scripts on the website.

Google Tag Manager itself is not a tool whose main purpose is behavioral analysis or advertising. However, Google Analytics, LinkedIn, Meta, Google Ads, HubSpot and other technologies can be loaded through it. That's why each tag managed via Google Tag Manager is activated according to the category it belongs to. The analytical tag is activated only after consent for analytics, and the marketing tag only after consent for marketing.

Technical and safety data

When you visit the website, our servers and security systems automatically record the IP address, date and time of the server request, requested IP address, technical server response, browser type, operating system and data on possible errors or suspicious activities. The above data is used for the proper operation of the site, detection of technical problems, prevention of misuse, protection of forms and systems, and investigation of security incidents. The processing is based on our legitimate interest in maintaining the security, availability and technical stability of the website. We keep standard technical records for up to 180 days. Records related to a security incident may be kept longer, as long as they are needed for investigation, remediation or protection of legal claims.

Business clients and contractual documentation

When a business relationship is established, we process the data of the owner, employees and representatives of the client or business partner. This may include name and surname, function, business contact details, authority, content of communication, project tasks, data on contracts, offers, purchase orders and invoices.

We process the data for the purpose of preparing an offer, concluding and executing contracts, project management, providing support, issuing invoices, keeping business records and resolving possible disputes. We generally keep contact and project data for the duration of the business relationship and after its termination for as long as may be necessary to protect legal claims. Accounting, tax and other documentation for which the law prescribes a special period is kept for the period prescribed by law.

Data recipients

Personal data is available to employees and associates of the BID Group only when they need it to perform their job. We may make the data available to providers of hosting, website maintenance, information security, CRM, e-mail communication, analytics, advertising, accounting and legal services. Among the providers that can be used are HubSpot, Google, LinkedIn, Meta and Apollo. The specific circle of recipients depends on which functionalities the user has activated, which consents they have given and which tools are actually included at the time of processing. When the provider processes data on our instructions, we regulate the relationship with it by means of an appropriate data processing agreement. We require the provider to process the data only for permitted purposes, to implement appropriate security measures and to ensure confidentiality.

We may provide the data to competent public authorities when we are obliged to do so by law or a valid official request.

We never sell personal data.

Data transfer outside the European Economic Area

Some of the providers we use are based or have infrastructure outside the European Economic Area, in particular in the United States. When data is transferred outside the European Economic Area, the transfer is based on an adequacy decision of the European Commission, standard contractual clauses or another mechanism permitted by the GDPR. Depending on the provider and the circumstances, additional contractual, technical and organizational protection measures apply.

Further information on the applicable transfer mechanism can be requested via our data protection address.

Automated decision-making and profiling

We may organize data from forms and CRMs according to expressed interest, company type, business query status or interactions with our content. Such organization may help us determine relevant content or priority of responses. We do not make decisions that produce legal or similarly significant effects on a person solely by automated means, unless we provide specific information about this in advance and ensure appropriate rights.

In the case of employment, the final decision is made by authorized persons, and not by an automated system.

Data security

We implement appropriate technical and organizational measures to protect data against unauthorized access, accidental loss, alteration, disclosure or destruction.

Measures include user authorization control, authentication, access restriction, backups, device and network protection, access logging, contractual confidentiality obligations and regular system updates.

No electronic system can be completely protected against all risks. In the event of an incident, we will act in accordance with applicable regulations and, where necessary, notify the competent authority and the affected persons.

Rights of the data subject

The person whose data we process may, depending on the circumstances, request access to their data, correction of inaccurate data, erasure, restriction of processing, data portability or object to processing based on legitimate interest.

Where processing is based on consent, the person may withdraw consent at any time.

An objection to the processing of data for direct marketing may be submitted at any time. After such an objection, we will no longer use the data for direct marketing.

To exercise your rights, you must send a request to privacy@bid.agency. We may request additional information necessary to verify the identity of the applicant, but we will not request more information than is necessary.

We will respond to reasonable requests without undue delay, as a rule, within one month. If the request is complex or a large number of requests are received, the deadline may be extended in accordance with the GDPR, of which we will inform the applicant. In the case of repeated requests or requests that significantly burden our business processes, we may also charge a processing fee.

Complaint to the supervisory authority

If you believe that your personal data is being processed in violation of the regulations, you have the right to file a complaint with:

The Personal Data Protection Agency - AZOP

Selska cesta 136

10000 Zagreb

Croatia

Before filing a complaint, you can contact us directly so that we can try to clarify and resolve the issue.

Obligation to provide data

You are not obliged to provide data just because you visit our website.

However, you must provide certain information if you want us to respond to your inquiry, organize a demonstration, subscribe to our newsletter or process your job application. Without the information marked as mandatory, we may not be able to perform the requested action.

Consent to analytical and marketing cookies is not a condition for using the basic and informative functions of the website.

Data of other persons

If you provide us with the data of another person, such as a contact colleague, a referral person or another company representative, you must ensure that you have an appropriate basis for doing so and that the person is familiar with the relevant parts of this Policy.

Minors

Our website and services are intended for business users and are not directed at children. We do not knowingly collect personal information from children through marketing and business forms. If we become aware that such information has been provided to us without an appropriate basis, we will take reasonable steps to delete it.

Changes to the Privacy Policy

We may change this Policy from time to time due to changes in our services, tools, business procedures or regulations.

The current version will always be published on the website, together with the date of the last update. If the change significantly affects the way we process data, we will take appropriate steps to notify the affected individuals.