PRIVACY POLICY
Protection of personal data in accordance with Regulation (EU) 2016/679 (GDPR)
Last updated: June 2026
CUPRES AI
brand of the company BLUE SAND d.o.o.
Rovinjska 4, 21000 Split, Republic of Croatia | OIB: 09275447629
info@cupres-ai.com
Article 1: Introduction and identity of the controller
The company BLUE SAND d.o.o., which operates on the market under the brand CUPRES AI, with its registered office at Rovinjska 4, 21000 Split, Republic of Croatia, OIB: 09275447629 (hereinafter: "Controller"), fully respects the right of natural persons to the protection of personal data.
This Privacy Policy has been developed in accordance with:
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR)
• Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/18, 144/21)
• Electronic Communications Act (Official Gazette 76/22) in the part relating to cookies
Data Protection Contact: info@cupres-ai.com
Article 2: Categories of personal data we process
Through the contact forms on the website cupresai.com, we collect exclusively:
• name and surname of the contact person
• business e-mail address
• name and basic information about the company
• business goals and a description of the project provided by the contact person
As part of the implementation and operation of AI agents for the Clients, the Controller may, depending on the specific configuration of the solution, process the personal data of the Client's end users on behalf of the Client. In such cases, BLUE SAND d.o.o. acts as a Data Processor within the meaning of Article 28 of the GDPR, and the Client remains the Controller responsible for the lawfulness of processing towards end users.
Such processing is governed by a separate Data Processing Agreement (DPA), which is an integral part of a specific service agreement.
Article 3: Purpose and legal basis of the processing
Personal data collected through the contact forms is processed exclusively for the following purposes and on the following legal bases:
• Response to the inquiry and conclusion of the contract (Art. 6 para. 1 (b) GDPR): processing is necessary to take action at the request of the data subject prior to entering into a contract
• Legitimate interest (Art. 6 para. 1 (f) GDPR): sending relevant business information to potential customers who have expressed an interest in services
• Fulfilment of legal obligations (Art. 6 para. 1 (c) GDPR): storage of data on business transactions in accordance with the tax and accounting regulations of the Republic of Croatia
Article 4: Recipients and data sharing
Personal data will not be sold, rented or given to third parties for commercial purposes.
To a limited extent, the following categories of recipients may receive data:
• Third-party platforms for the provision of the service: n8n GmbH (Germany), Voiceflow Inc. (Canada/USA), OpenAI LLC (USA), Google LLC (USA) and other technology partners engaged as subprocessors, with whom appropriate Data Processing Agreements (DPAs) have been concluded. A full list of active subcontractors is available upon request.
• Competent authorities: solely on the basis of a legal obligation (courts, tax administration, regulators).
Article 5: Transfer of personal data outside the EEA
Some of the third-party platforms we use (e.g. OpenAI, Anthropic, Voiceflow) are based outside the European Economic Area (EEA), predominantly in the United States.
The transfer of personal data to the USA and other third countries is carried out only with the application of appropriate safeguards:
• Standard Contractual Clauses (SCCs) adopted by the European Commission (EU Implementing Decision 2021/914)
• EU-US Data Privacy Framework — European Commission's decision on the adequacy of the level of protection adopted in 2023
• Additional technical protection measures (encryption, pseudonymisation) where appropriate.
The Client's business data is processed in isolated environments and is never used to train public AI models or for any purpose other than executing agreed automations.
Article 6: Period of storage of personal data
• Data from lead contact forms: up to 2 (two) years from the last contact, i.e. until unsubscribing from marketing communications.
• Data related to concluded contracts: 11 (eleven) years from the end of the business year in which the contractual relationship ended, in accordance with the Accounting Act (Official Gazette 78/15 and amendments).
• Data processed as part of the provision of services to the Client: in accordance with the instructions of the Client as the Controller, as defined in a special DPA, and no longer than 90 (ninety) days from the termination of the contractual relationship, after which they are securely deleted.
Article 7: Rights of data subjects
Any natural person whose personal data is being processed by the Controller has the following rights:
• Right of access (Art. 15 GDPR): to request confirmation of whether personal data is being processed and to obtain a copy of the data
• Right to rectification (Art. 16 GDPR): to request the rectification of inaccurate or incomplete personal data
• Right to erasure (Art. 17 GDPR — "right to be forgotten"): to request the deletion of personal data when there is no longer a legal basis for the processing
• Right to restriction of processing (Art. 18 GDPR): to request a temporary restriction of processing in prescribed cases
• Right to data portability (Art. 20 GDPR): to receive personal data in a machine-readable format and transmit it to another controller
• Right to object (Art. 21 GDPR): to object at any time to data processing based on a legitimate interest.
All these rights can be exercised by sending a request to the e-mail address: info@cupres-ai.com. The Controller will respond to the request within 30 (thirty) days of receipt, in accordance with Article 12 of the GDPR.
The data subject has the right to lodge a complaint with the supervisory authority — in the Republic of Croatia, this is the Personal Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb, www.azop.hr.
Article 8: Security of personal data
The Controller applies appropriate technical and organizational protection measures in accordance with Article 32 of the GDPR, including:
• encryption of data in transit (TLS/HTTPS protocol) and in storage
• access control and user privilege management (principle of least privilege)
• pseudonymization and data minimization where appropriate
• regular security assessments and monitoring of security incidents
• education of employees on personal data protection.
In the event of a personal data breach that may result in a risk to the rights and freedoms of natural persons, the Controller shall notify the AZOP within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.
Article 9: Cookies
The website cupresai.com only uses functional cookies that are necessary for the proper functioning of the site and the AI chat interface (Voiceflow). We do not use marketing or advertising cookies, or cookies that track users across third-party sites.
• Strictly necessary cookies: enable the basic functioning of the website and the AI chat interface. They cannot be switched off. They do not collect personal information.
• Voiceflow session cookies: temporary cookies that store the context of conversations within a single session. They are deleted when the browser is closed and do not track the user's activity on other sites.
Article 10: Automated decision-making and profiling
The Controller does not carry out automated decision-making that would have a legal or significant impact on the data subjects (profiling within the meaning of Article 22 of the GDPR) without prior consent or a specific legal basis.
AI agents deployed for Clients may perform automated processing of end-user data to provide a faster response; however, the final business decisions remain in the hands of the Client and its employees.
Article 11: Changes to the Privacy Policy
The Controller reserves the right to amend this Privacy Policy in order to comply with changes in legislation, business processes or technical solutions. All changes will be published on the website with an indication of the effective date.
This Privacy Policy was last updated and is effective June 1, 2026.
Article 12: Contact
BLUE SAND d.o.o. (CUPRES AI)
Rovinjska 4, 21000 Split, Republic of Croatia
OIB: 09275447629
E-mail: info@cupres-ai.com