Privacy Policy
Last updated: March 2, 2026 · Version: 1.1 · Status: Final — Pending Legal Review
Bilko is operated by Basic Consulting AS (ALAI), a company registered in Norway.
1. Introduction and Data Controller
Bilko is a cloud-based accounting and invoicing platform for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. Bilko is developed and operated by Basic Consulting AS (trading as ALAI), a company registered in Norway.
| Field | Details |
|---|---|
| Entity name | Basic Consulting AS (ALAI) |
| Contact email | privacy@bilko.io |
| Website | https://bilko.io |
Data Protection Officer (DPO):
| Field | Details |
|---|---|
| DPO name | Alem Bašić |
| DPO contact | alem@alai.no |
| Phone | +47 40 47 42 51 |
| Company | ALAI Holding AS (org.nr 932 953 736) |
| Appointed | 2026-03-02 |
2. Scope and Applicability
This Privacy Policy applies to:
- All users of the Bilko platform accessible at app.bilko.io
- All organizations registered on Bilko, including their authorized users (owners, admins, accountants, viewers)
- All data processed by Bilko in connection with providing cloud accounting services in Serbia, Bosnia & Herzegovina, and Croatia
This policy applies to data subjects in three categories:
- Business owners and employees who register and use Bilko directly
- Clients and contacts whose data is entered into Bilko by our users (e.g., customers listed on invoices)
- Website visitors to bilko.io
3. Legal Framework
Bilko processes personal data in compliance with the following data protection laws:
| Jurisdiction | Applicable Law | Supervisory Authority |
|---|---|---|
| Serbia | Zakon o zaštiti podataka o ličnosti (ZZPL), Sl. glasnik RS 87/2018 — aligned with GDPR | Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti |
| Bosnia & Herzegovina | Zakon o zaštiti ličnih podataka (ZZLP BiH), Sl. glasnik BiH 49/2006 | Agencija za zaštitu ličnih podataka (AZLP) |
| Croatia | GDPR — Uredba (EU) 2016/679 (directly applicable as EU member state) | Agencija za zaštitu osobnih podataka (AZOP) |
4. Data We Collect
4.1 Account and Registration Data
When you register an organization on Bilko, we collect:
| Data Element | Purpose | Classification |
|---|---|---|
| Email address | Account authentication, notifications | L2 Internal |
| Full name | User identification within organization | L2 Internal |
| Password (bcrypt-hashed) | Authentication — never stored in plaintext | L2 Internal |
| Organization name | Multi-tenant account setup | L2 Internal |
| Country of operation | Jurisdiction-specific compliance rules (VAT rates, CoA) | L2 Internal |
| Base currency | Financial calculations | L2 Internal |
4.2 Financial and Tax Data
When you use Bilko to create invoices, track expenses, and manage accounting:
| Data Element | Jurisdiction | Classification | Encryption |
|---|---|---|---|
| PIB (Poreski identifikacioni broj) | RS | L4-B Restricted | Disk-level AES-256 |
| JMBG (Jedinstveni matični broj građana) | RS, BA | L4-A Restricted | AES-256-GCM field-level |
| OIB (Osobni identifikacijski broj) | HR | L4-A Restricted | AES-256-GCM field-level |
| JIB (Jedinstveni identifikacioni broj) | BA | L4-B Restricted | Disk-level AES-256 |
| IBAN / Bank account numbers | All | L4-B Restricted | Disk-level AES-256 + API masking |
| Invoice amounts (subtotal, VAT, total) | All | L3 Confidential | AES-256 at rest |
| Transaction records (debit/credit entries) | All | L3 Confidential | AES-256 at rest |
| Contact details (clients/vendors) | All | L2 Internal | Disk-level AES-256 at rest; TLS 1.3 in transit |
Note on JMBG processing: Bilko only collects JMBG when a user explicitly confirms that an invoice is being issued to a natural person (not a legal entity). This is a voluntary user action gated by a UI confirmation checkbox.
4.3 Technical and Operational Data
| Data Element | Retention | Purpose |
|---|---|---|
| IP address | 30 days | Security monitoring, fraud detection |
| Browser user-agent | 30 days | Security monitoring |
| Session tokens (JWT, refresh tokens) | 15 min (access) / 7 days (refresh) | Authentication |
| Audit log entries (LoggedAction table) | 10–11 years | Legal compliance, accounting law |
| API request logs | 30 days | Security and debugging |
4.4 Data Entered by Users About Third Parties
Bilko is an accounting tool. Our users enter data about their clients and vendors (third parties). Bilko acts as a data processor for this third-party data — the organization using Bilko is the data controller for their clients' data and is responsible for ensuring they have an appropriate legal basis for entering that data into Bilko.
5. Legal Basis for Processing
| Data Category | Legal Basis | GDPR Article | ZZPL Article | ZZLP BiH |
|---|---|---|---|---|
| Account email, full name | Performance of contract | Art. 6(1)(b) | Art. 12(1)(b) | Art. 7(1)(b) |
| Organization details | Performance of contract | Art. 6(1)(b) | Art. 12(1)(b) | Art. 7(1)(b) |
| Tax IDs (PIB, JIB) | Legal obligation — accounting and tax law | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
| JMBG, OIB | Legal obligation — accounting and tax law | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
| IBAN | Performance of contract | Art. 6(1)(b) | Art. 12(1)(b) | Art. 7(1)(b) |
| Invoice and transaction data | Legal obligation — accounting/tax retention | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
| IP address, session logs | Legitimate interest — platform security | Art. 6(1)(f) | Art. 12(1)(f) | Art. 7(1)(f) |
| Audit trail (LoggedAction) | Legal obligation — accounting law | Art. 6(1)(c) | Art. 12(1)(c) | Art. 7(1)(c) |
6. How We Use Your Data
We use the data we collect exclusively to:
- Provide the Bilko service — create and manage invoices, expenses, transactions, financial reports
- Ensure legal compliance — submit e-invoices to SEF (Serbia) and HR-FISK (Croatia), maintain accounting records per mandatory retention periods
- Secure the platform — authenticate users, prevent unauthorized access, detect and investigate fraud and security incidents
- Communicate with you — send invoice notifications, payment reminders, service announcements, and support responses
- Improve the service — analyze usage patterns (in aggregated, anonymized form) to improve features
We do not:
- Sell your data to third parties
- Use your financial data for advertising or profiling
- Process your data for any purpose beyond providing the accounting service and meeting legal obligations
7. Data Retention Periods
Data retention is governed by accounting and tax laws in each jurisdiction. We are legally required to retain certain financial records even if you delete your account.
| Data Category | Serbia (RS) | Bosnia & Herzegovina (BA) | Croatia (HR) |
|---|---|---|---|
| Financial statements and accounting records | 10 years | FBiH: 10 years; Republika Srpska entity: 11 years | 11 years |
| Invoice records | 10 years | 10–11 years | 11 years |
| Expense records | 10 years | 10–11 years | 11 years |
| Audit trail (LoggedAction) | 10 years | 10–11 years | 11 years |
| VAT/PDV records | 10 years | 10–11 years | 11 years |
| User account data (name, email) | Account lifetime + 30 days | Account lifetime + 30 days | Account lifetime + 30 days |
| IP addresses and session logs | 30 days | 30 days | 30 days |
| JWT refresh tokens | 7 days | 7 days | 7 days |
Important — Right to Erasure Limitation
Under accounting and tax law in all three jurisdictions, financial records (invoices, transactions, expense records) cannot be deleted during the mandatory retention period. If you close your Bilko account, your personal identifiers (name, email) can be anonymized, but the underlying financial transaction data must be retained for the legally required period.
9. Cross-Border Data Transfers
Bilko hosts all data on Railway's EU West infrastructure (Amsterdam/Frankfurt). Data transfer mechanisms per jurisdiction:
| From | To | Mechanism |
|---|---|---|
| Croatia (HR) | Railway EU West | No transfer mechanism needed — EU to EU transfer |
| Serbia (RS) | Railway EU West | Transfer out of Serbia is governed by the ZZPL rules on transfers to countries that provide an adequate level of protection (EU member states and other parties to Council of Europe Convention 108). Serbia itself has no EU adequacy decision; none is needed for data flowing into the EU. |
| Bosnia & Herzegovina (BA) | Railway EU West | Transfer out of BiH is governed by the ZZLP BiH rules on transfers abroad. BiH has no EU adequacy decision, so any flow of this data from the EU back to BiH, or to a non-EU processor, is covered by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). |
For Cloudflare and Sentry (US-based processors): Standard Contractual Clauses (SCC) apply, combined with a Transfer Impact Assessment.
10. Your Rights as a Data Subject
10.1 Rights Table
| Right | GDPR (Croatia) | ZZPL (Serbia) | ZZLP BiH | How to Exercise |
|---|---|---|---|---|
| Right of access | Art. 15 | Art. 26 | Art. 16 | Export via Bilko or email privacy@bilko.io |
| Right to rectification | Art. 16 | Art. 27 | Art. 17 | Edit in Bilko settings, or email privacy@bilko.io |
| Right to erasure | Art. 17 | Art. 28 | Art. 18 | Email privacy@bilko.io — subject to retention limitations |
| Right to data portability | Art. 20 | Art. 30 | N/A | JSON/CSV export via Bilko |
| Right to restriction | Art. 18 | Art. 29 | Art. 20 | Email privacy@bilko.io |
| Right to object | Art. 21 | Art. 31 | Art. 21 | Email privacy@bilko.io |
| Right re: automated decisions | Art. 22 | Art. 38 | Art. 24 | Bilko does not make automated decisions with legal effect |
10.2 Erasure Limitation (Financial Data)
The right to erasure does not apply to financial records that we are legally required to retain:
- In Serbia: Accounting records must be kept for 10 years (Zakon o računovodstvu Art. 26)
- In Bosnia & Herzegovina: Records must be kept for 10 years (FBiH) or 11 years (Republika Srpska), depending on the entity in which the business is registered
- In Croatia: Records must be kept for 11 years (Zakon o računovodstvu Art. 10)
10.3 Response Times
We will respond to data subject rights requests within 30 days (standard). This may be extended by 2 additional months for complex requests, with notification.
10.4 Right to Complain
| Jurisdiction | Authority | Website |
|---|---|---|
| Serbia | Poverenik za informacije | poverenik.rs |
| Bosnia & Herzegovina | AZLP | azlp.gov.ba |
| Croatia | AZOP | azop.hr |
11. Security Measures
Bilko implements the following technical and organizational security measures to protect your data:
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.3 (minimum TLS 1.2) for all connections via Cloudflare |
| Encryption at rest | AES-256 disk-level encryption on all Railway infrastructure |
| Field-level encryption | AES-256-GCM for JMBG (Serbia/BiH) and OIB (Croatia) |
| IBAN masking | Only last 4 digits shown in list views; full IBAN accessible only to authorized users |
| Password security | bcrypt with cost factor 12; breached-password check against the HaveIBeenPwned Pwned Passwords range API (k-anonymity: only the first five hex characters of the password's SHA-1 hash leave Bilko, never the password itself) |
| Authentication tokens | JWT RS256, 15-minute access token lifetime, 7-day refresh with rotation |
| Multi-tenancy isolation | Every database query is scoped to the requesting user's organization ID, so one organization cannot read or modify another organization's records through the application |
| Role-based access control | 4 roles (owner, admin, accountant, viewer) — users see only what their role permits |
| Rate limiting | 5 failed authentication attempts per 15 minutes triggers lockout |
| Immutable audit log | All data modifications are recorded in an append-only audit trail (the LoggedAction table) |
| Breach notification | 72-hour notification to supervisory authorities in the event of a personal data breach |
13. Children's Privacy
Bilko is a business accounting platform intended for use by business owners and accounting professionals. We do not knowingly collect data from children under 16 years of age. If you believe a child has registered on Bilko, please contact privacy@bilko.io.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes to our data practices or legal requirements. We will notify you of material changes by:
- Email to your registered account email address (at least 30 days before the change takes effect)
- Prominent notice on the Bilko platform
The date of the most recent revision is shown at the top of this document.
15. Contact and Data Protection Officer
For any privacy-related questions, requests, or complaints:
| Channel | Contact |
|---|---|
| Privacy inquiries | privacy@bilko.io |
| Data Protection Officer | Alem Bašić — alem@alai.no — +47 40 47 42 51 |
| DPO company | ALAI Holding AS (org.nr 932 953 736) |
16. Jurisdiction-Specific Notices
16.1 Serbia — Notice under ZZPL
Bilko processes personal data in accordance with the Zakon o zaštiti podataka o ličnosti (Sl. glasnik RS 87/2018 — ZZPL). Your rights under ZZPL Articles 26–38 are described in Section 10 of this policy.
The supervisory authority for data protection in Serbia is the Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti (poverenik.rs).
Tax identification data (PIB) is processed pursuant to the Zakon o poreskom postupku i poreskoj administraciji and Zakon o PDV. Accounting records are retained pursuant to Zakon o računovodstvu (Sl. glasnik RS 73/2019) — minimum 10 years.
E-invoice data is submitted to the SEF portal (efaktura.mfin.gov.rs) pursuant to the Zakon o elektronskom fakturisanju (Sl. glasnik RS 44/2021). This transmission constitutes a legal obligation — no separate consent is required.
16.2 Bosnia & Herzegovina — Obavještenje prema ZZLP BiH
Bilko processes personal data in accordance with the Zakon o zaštiti ličnih podataka (Sl. glasnik BiH 49/2006 — ZZLP BiH). The supervisory authority is the Agencija za zaštitu ličnih podataka (AZLP) (azlp.gov.ba).
BiH has no EU adequacy decision. Transfer of your data out of BiH to Railway (EU West) is governed by the ZZLP BiH rules on transfers abroad; any flow of that data from the EU to a non-EU processor is covered by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
Accounting records are retained pursuant to: FBiH — Zakon o računovodstvu i reviziji FBiH (minimum 10 years); Republika Srpska entity — Zakon o računovodstvu i reviziji Republike Srpske (minimum 11 years).
16.3 Croatia — Napomena prema GDPR-u
As an EU member state, Croatia is subject to the GDPR (Uredba (EU) 2016/679) directly. The supervisory authority is the Agencija za zaštitu osobnih podataka (AZOP) (azop.hr).
Accounting records are retained pursuant to the Zakon o računovodstvu (NN 78/15, 116/18, 42/20, 47/20, 114/22) and Opći porezni zakon — minimum 11 years.
E-invoice data (when HR-FISK integration is active) is transmitted to FINA pursuant to the Zakon o elektroničkom izdavanju računa u javnoj nabavi. This constitutes a legal obligation.