# Bilko Privacy Notice (with Document Archive Sub-Processors §8.1)

⚠️ **DRAFT** — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).

---

## Table of Contents

1. [Introduction and Data Controller](#bkmrk-1.-introduction-and-)
2. [Scope and Applicability](#2-scope-and-applicability)
3. [Legal Framework](#3-legal-framework)
4. [Data We Collect](#4-data-we-collect)
5. [Legal Basis for Processing](#5-legal-basis-for-processing)
6. [How We Use Your Data](#6-how-we-use-your-data)
7. [Data Retention Periods](#7-data-retention-periods)
8. [Data Sharing and Third-Party Processors](#bkmrk-8.-data-sharing-and-)
9. [Cross-Border Data Transfers](#9-cross-border-data-transfers)
10. [Your Rights as a Data Subject](#10-your-rights-as-a-data-subject)

---

## 1. Introduction and Data Controller

Bilko is a cloud-based accounting and invoicing platform for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. Bilko is developed and operated by **ALAI Holding AS** (org.nr 932 516 136), a company registered in Norway.

**Data Protection Officer (DPO):**

<table id="bkmrk-fielddetails-dpo-nam"><thead><tr><th>Field</th><th>Details</th></tr></thead><tbody><tr><td>DPO name</td><td>Alem Bašić</td></tr><tr><td>DPO contact</td><td>alem@alai.no</td></tr><tr><td>Phone</td><td>+47 40 47 42 51</td></tr><tr><td>Company</td><td>ALAI Holding AS (org.nr 932 516 136)</td></tr><tr><td>Role</td><td>Responsible for data protection compliance across all three jurisdictions</td></tr><tr><td>Appointed</td><td>2026-03-02</td></tr></tbody></table>

## 8. Data Sharing and Third-Party Processors

Bilko shares your data only with the following categories of third parties, all of whom are bound by Data Processing Agreements (DPAs):

### 8.1 Document Archive Sub-Processors

When you enable the **document archival feature** in Bilko, the following additional sub-processors are used:

<table id="bkmrk-sub-processor-purpos"><thead><tr><th>Sub-Processor</th><th>Purpose</th><th>Data Categories</th><th>Location</th><th>Safeguards</th></tr></thead><tbody><tr><td><strong>Cloudflare R2</strong> (Cloudflare, Inc., USA)</td><td>Temporary staging for archive pipeline</td><td>Contract PDFs, invoices, care plans, incident reports, onboarding documents</td><td>EU region (eu-west bucket)</td><td>Standard Contractual Clauses (SCCs)</td></tr><tr><td><strong>ALAI Azure VM Paperless-ngx</strong> (ALAI Holding AS, org.nr 932 516 136, Norway)</td><td>Long-term document archive at archive.alai.no</td><td>Same categories as above</td><td>EU/EEA (Microsoft Azure Sweden Central region)</td><td>ALAI DPA + Azure SCCs</td></tr></tbody></table>

**How document archival works:**

1. **Upload:** When you mark a document for archival in Bilko (contracts, invoices, care plans, incident reports, onboarding documents), Bilko's backend writes the document to a Cloudflare R2 staging bucket in the EU region.
2. **Transfer:** Every 5 minutes, a Cloud Run worker retrieves documents from R2 and uploads them to Paperless-ngx, a document management system hosted on ALAI's Azure VM (archive.alai.no) located in the Azure Sweden Central region (EU/EEA).
3. **Retention:** Documents are retained in the archive according to the following schedule: 
    - **Financial documents** (invoices, contracts): **7 years** (Serbian Zakon o računovodstvu, BiH accounting law, Croatian Zakon o računovodstvu)
    - **Care-related documents** (care plans, incident reports): **25 years** (UK NHS retention standard; pending Balkan legal review for care organizations)
4. **Deletion:** Documents are automatically deleted from Cloudflare R2 after successful upload to Paperless-ngx (typically within 5 minutes). Documents remain in Paperless-ngx for the retention period specified above.

**Your rights regarding sub-processors (GDPR Art. 28(4)):**

- You will receive **30 days' advance notice** via email before Bilko adds or replaces any sub-processor.
- You have the right to **object** to a new sub-processor within the notice period.
- If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.
- Contact **dpa@alai.no** to exercise this right.
- This disclosure complies with GDPR Article 28(4), Serbian ZZPL Art. 31(4), and BiH ZZLP equivalent provisions.

---

**Company:** ALAI Holding AS (org.nr 932 516 136)  
**Privacy Contact:** privacy@bilko.io | DPO: alem@alai.no | DPA: dpa@alai.no