Last updated: 10 May 2026 Effective date: 10 May 2026 Version: 1.0
This Privacy Policy explains how LLM Machine d.o.o. ("LLM Machine", "we", "us", or "our") collects, uses, discloses, and otherwise processes personal data, in accordance with Regulation (EU) 2016/679 (the GDPR), Croatian data-protection legislation, and other applicable European laws including the EU AI Act (Regulation (EU) 2024/1689), the NIS2 Directive (Directive (EU) 2022/2555) as transposed in Croatia, and the Data Act (Regulation (EU) 2023/2854).
We have written this Policy to be readable. The defined terms used here have the meanings given in Article 4 of the GDPR.
1. Who we are and our role
- Legal name: LLM Machine d.o.o.
- Registered seat: Republic of Croatia
- Website: llm-machines.com
- Privacy contact: privacy@llm-machines.com
- Security contact: security@llm-machines.com
We act in two distinct roles depending on the processing activity:
- Controller. When we collect personal data through our website, marketing channels, sales discussions, and recruitment, we determine the purposes and means of processing and act as the controller. This Policy describes that processing.
- Processor. When we process personal data on behalf of a Customer in the course of operating an Appliance or providing the managed Service, we act as the processor. That processing is governed by the Data Processing Agreement (DPA) signed with each Customer, not by this Policy. The Customer is the controller of its End User and business data.
If you are an End User of a Customer's Appliance and you have questions about how your employer or service provider uses the system, please contact your employer's privacy team. If you have questions about how we support that processing as a processor, the contact details above remain valid.
2. Categories of personal data we process
2.1 Website visitors
When you visit llm-machines.com we may process:
- technical data such as IP address, browser type and version, device type, operating system, time-zone, referrer URL, pages viewed, and time spent;
- cookie identifiers and similar tracking data — only those strictly necessary for the website to function are set without your consent; analytics or marketing cookies, if any, are set only after you opt in via our cookie banner;
- any information you submit through a contact form, demo request, or download request — typically name, business email, company name, role, and the message you write.
2.2 Prospects and sales contacts
If you contact us, attend a demo, or appear in a list of qualified prospects we maintain for outbound contact:
- business contact data (name, role, business email, business phone, employer, country);
- a record of our interactions with you (calls held, emails exchanged, materials shared, meeting notes);
- where information is gathered from public sources or third-party data providers, the source and the date of collection.
2.3 Customers and Customer personnel
When a Customer engages us, we process:
- contact and contractual data for the Customer's authorised representatives, IT contacts, administrators, and billing contacts;
- account credentials limited to those required for our administrators to operate the Service (we minimise this and prefer federated identity over local accounts);
- support correspondence, ticket history, and any operational data needed to investigate issues.
2.4 End User data processed on behalf of Customers (processor role)
In the course of operating the Appliance and providing the Service, we may technically have access to (but do not independently use) End User data including authentication identifiers, prompts, model outputs, retrieval-augmented generation content, telemetry, and audit logs. This processing is governed by the DPA. Default configuration places this data on the Customer's hardware and inside the Customer's perimeter; remote access for support requires Customer authorisation and is logged.
2.5 Recruitment
If you apply for a role with us, we process your CV, contact details, the contents of your application, interview notes, and references you provide.
2.6 Special-category data
We do not seek special-category data (Article 9 GDPR) and ask you not to provide it. If you do, we will delete it unless retention is strictly necessary and lawful.
3. Why we process personal data, and on what lawful basis
| Processing purpose | Categories of data | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Operating and securing the website | Technical / cookie data | Legitimate interests (Art. 6(1)(f)) — running and securing our site; strictly-necessary cookies do not require consent |
| Analytics, performance measurement, marketing cookies | Analytics / marketing identifiers | Consent (Art. 6(1)(a)), withdrawable at any time |
| Responding to enquiries, demo requests, and downloads | Form submissions, contact data | Pre-contractual steps at your request (Art. 6(1)(b)); legitimate interests in B2B communication (Art. 6(1)(f)) |
| Outbound B2B contact with prospects | Business contact data, public-source data | Legitimate interests (Art. 6(1)(f)), subject to balancing test and easy opt-out |
| Negotiating and performing customer contracts | Customer contact and contractual data | Contract performance (Art. 6(1)(b)) |
| Providing the Service and processing End User data | End User data (as processor) | Customer's lawful basis, instructed via the DPA |
| Invoicing, accounting, tax compliance | Customer contact, financial data | Legal obligation (Art. 6(1)(c)) |
| Security monitoring, incident response, audit logging | Technical and access data | Legitimate interests (Art. 6(1)(f)); legal obligation under NIS2 (Art. 6(1)(c)) |
| Recruitment | Application data | Pre-contractual steps (Art. 6(1)(b)); consent for retention beyond a closed application |
| Defending or asserting legal claims | All relevant data | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
We do not engage in profiling, scoring, or fully automated decision-making producing legal or similarly significant effects on you (Article 22 GDPR).
4. Sources of personal data
We obtain personal data:
- directly from you when you visit the website, fill in a form, contact us, attend a meeting, or sign a contract;
- from your employer, where you are introduced as a representative or End User of a Customer;
- from public sources (company websites, professional networking sites, public registers, business directories) where we conduct outbound B2B prospecting in line with our legitimate interests;
- from third-party data providers used for B2B prospect enrichment; where we use such providers we contractually require them to have a lawful basis for the data they share with us.
5. Recipients and disclosure
We disclose personal data only where necessary, and only to:
- Sub-processors acting on our instructions (see Section 6);
- our professional advisers (legal, tax, audit) bound by professional confidentiality;
- public authorities or courts where required by applicable law (including a notification under NIS2 Article 23 or a supervisory authority request under the GDPR);
- a successor entity in the event of a merger, acquisition, or restructuring, with prior notice to affected individuals where required.
We do not sell personal data and we do not share it with advertisers.
6. Sub-processors and a current list
We engage a small set of carefully selected sub-processors. A current list, including the name, function, and country of operation of each sub-processor, is published at llm-machines.com/trust/subprocessors. Customers are notified in writing of any addition or replacement of a sub-processor handling Customer data, with a reasonable period in which to object.
We bind every sub-processor by a written agreement containing data-protection terms no less protective than those in the DPA, in accordance with Article 28(4) of the GDPR.
7. International transfers
Our default position is that all personal data is processed inside the European Economic Area (EEA). We host all primary infrastructure in the EU and the data centre we operate for Hosted deployments is located in the Republic of Croatia.
Where, exceptionally, a transfer to a third country is necessary (for example, where a chosen support tool is operated outside the EEA), we ensure a lawful transfer mechanism under Articles 44–49 of the GDPR — typically the European Commission's Standard Contractual Clauses combined with a documented Transfer Impact Assessment and supplementary technical and organisational measures (encryption, key separation, access controls). The current list of any third-country transfers and the safeguards applied is summarised on the sub-processors page.
In line with Article 32 of the EU Data Act, we apply technical and organisational measures designed to prevent any unlawful third-country government access to non-personal data we hold.
8. Retention
We keep personal data only for as long as necessary for the purpose for which it was collected, plus any period required by applicable law. Indicative retention periods:
- Website server logs: up to 30 days for operational monitoring, longer for security incidents under investigation;
- Cookie data: as set out in the cookie banner; consent-based cookies expire on the schedule disclosed there;
- Contact-form and demo enquiries: 24 months from last interaction, then deletion or anonymisation;
- Prospect records: 24 months from last meaningful interaction; deleted or refreshed after that;
- Customer contact and contract data: for the duration of the engagement, plus the statutory limitation period for civil claims under Croatian law (currently five years from the cause of action), and longer where required by tax or accounting law (typically 11 years);
- Invoicing and accounting records: 11 years, in line with Croatian accounting and tax obligations;
- Security and access logs: at least 12 months, in line with NIS2 expectations;
- Recruitment data for unsuccessful candidates: 12 months, unless the candidate consents to retention in our talent pool;
- End User data processed on behalf of Customers: as instructed by the Customer in the DPA; deleted or returned on termination of the engagement.
9. Security
We take the security of personal data seriously. Our information-security programme is aligned with Article 32 of the GDPR and Article 21 of the NIS2 Directive (as transposed in Croatian law). Measures include, without limitation:
- encryption of personal data at rest and in transit using current, industry-standard algorithms;
- multi-factor authentication for all administrative access;
- least-privilege role-based access control, periodically reviewed;
- centralised logging with at least 12 months retention and tamper-evident storage;
- vulnerability management with documented patching SLAs;
- network segmentation and a documented secure software development lifecycle;
- an incident-response runbook with explicit clocks for GDPR personal-data-breach notification (without undue delay, and where feasible within 72 hours) and NIS2 incident reporting (early warning within 24 hours, full notification within 72 hours, final report within one month);
- supplier due diligence and contractual security obligations on every sub-processor;
- periodic security testing and tabletop exercises;
- security awareness training and AI literacy training under Article 4 of the EU AI Act for all staff who use or build AI systems.
We document our information-security management system following the structure of ISO/IEC 27001 and maintain a roadmap to formal certification.
10. AI processing transparency (EU AI Act)
LLM Machine designs and supplies AI infrastructure but does not train or operate the AI models running on Customer Appliances; the Customer chooses and configures the models from the curated catalogue or its own selection. Where we develop or fine-tune AI components ourselves, or where we operate any AI system that interacts with you (for example, an AI chatbot on our website), we will:
- inform you, in line with Article 50 of the AI Act, when you are interacting with an AI system;
- mark AI-generated content as such where required;
- not use prompts or content you submit to train shared models without your explicit, informed consent;
- maintain technical documentation, logs, and risk management consistent with the AI Act obligations applicable to the role we play.
We do not classify the operational platform itself as a "high-risk" AI system under Annex III of the AI Act in the abstract; the classification of any specific AI system deployed by a Customer on the Appliance is the Customer's responsibility, with our reasonable support.
11. Your rights
Subject to the conditions and exceptions in the GDPR, you have the right to:
- Access — obtain confirmation as to whether we process your personal data and a copy of it (Article 15);
- Rectification — have inaccurate data corrected and incomplete data completed (Article 16);
- Erasure — request deletion of your data where one of the grounds in Article 17 applies;
- Restriction — restrict processing in the circumstances of Article 18;
- Portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller (Article 20);
- Object — object to processing based on legitimate interests, including direct marketing (Article 21);
- Withdraw consent — at any time, without affecting the lawfulness of prior processing (Article 7(3));
- Not to be subject to automated decisions — we do not engage in such decision-making, but you may exercise this right under Article 22 if circumstances change;
- Lodge a complaint with the supervisory authority — the Croatian Personal Data Protection Agency (AZOP, azop.hr) or the supervisory authority of your habitual residence or place of work.
To exercise any of these rights, contact us at privacy@llm-machines.com. We will respond without undue delay and within one month at the latest, with a possible extension of two further months for complex requests, of which we will inform you within the first month.
We may need to verify your identity before responding. We will not discriminate against you for exercising any right.
12. Cookies and similar technologies
The website uses a small number of cookies and similar technologies. Strictly-necessary cookies are set by default; analytics and marketing cookies, if any, are set only with your consent through our cookie banner. You can change your preferences at any time via the "Cookie settings" link in the website footer. Browser-level controls (such as Do Not Track or Global Privacy Control signals) are honoured where technically supported.
13. Children
Our website and Service are directed at business users. We do not knowingly process personal data of children under the age of 16. If you believe we hold such data, contact us and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top of this Policy reflects the date of the most recent change. Material changes will be communicated to Customers in writing and prominently posted on the website. Where consent was the lawful basis for an existing processing activity, we will not extend that activity in a way materially inconsistent with the original consent without obtaining a fresh consent.
15. Contact
For any privacy-related question, request, or complaint:
- LLM Machine d.o.o.
- Email: privacy@llm-machines.com
- Website: llm-machines.com
You also have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) — azop.hr — or with the supervisory authority of your habitual residence or place of work in the EEA.
Related documents
- Terms and Conditions
- Data Processing Agreement (provided to Customers on request)
- Sub-processors list — llm-machines.com/trust/subprocessors
- Trust Center — llm-machines.com/trust
This Policy is intended for business-to-business use and reflects our commitment to operating as a sovereign, EU-governed AI infrastructure provider. It does not constitute legal advice and should be reviewed by qualified Croatian counsel before publication.