Bilko Privacy Notice (with Document Archive Sub-Processors §8.1)

⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).

Table of Contents

1. Introduction and Data Controller
2. Scope and Applicability
3. Legal Framework
4. Data We Collect
5. Legal Basis for Processing
6. How We Use Your Data
7. Data Retention Periods
8. Data Sharing and Third-Party Processors
9. Cross-Border Data Transfers
10. Your Rights as a Data Subject

1. Introduction and Data Controller

Bilko is a cloud-based accounting and invoicing platform for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. Bilko is developed and operated by ALAI Holding AS (org.nr 932 516 136), a company registered in Norway.

Data Protection Officer (DPO):

| Field | Details |
|---|---|
| DPO name | Alem Bašić |
| DPO contact | alem@alai.no |
| Phone | +47 40 47 42 51 |
| Company | ALAI Holding AS (org.nr 932 516 136) |
| Role | Responsible for data protection compliance across all three jurisdictions |
| Appointed | 2026-03-02 |

8. Data Sharing and Third-Party Processors

Bilko shares your data only with the following categories of third parties, all of whom are bound by Data Processing Agreements (DPAs):

8.1 Document Archive Sub-Processors

When you enable the document archival feature in Bilko, the following additional sub-processors are used:

| Sub-Processor | Purpose | Data Categories | Location | Safeguards |
|---|---|---|---|---|
| Cloudflare R2 (Cloudflare, Inc., USA) | Temporary staging for archive pipeline | Contract PDFs, invoices, care plans, incident reports, onboarding documents | EU region (eu-west bucket) | Standard Contractual Clauses (SCCs) |
| ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway) | Long-term document archive at archive.alai.no | Same categories as above | EU/EEA (Microsoft Azure Sweden Central region) | ALAI DPA + Azure SCCs |

How document archival works:

- Upload: When you mark a document for archival in Bilko (contracts, invoices, care plans, incident reports, onboarding documents), Bilko's backend writes the document to a Cloudflare R2 staging bucket in the EU region.
- Transfer: Every 5 minutes, a Cloud Run worker retrieves documents from R2 and uploads them to Paperless-ngx, a document management system hosted on ALAI's Azure VM (archive.alai.no) located in the Azure Sweden Central region (EU/EEA).
- Retention: Documents are retained in the archive according to the following schedule:
  - Financial documents (invoices, contracts): 7 years (Serbian Zakon o računovodstvu, BiH accounting law, Croatian Zakon o računovodstvu)
  - Care-related documents (care plans, incident reports): 25 years (UK NHS retention standard; pending Balkan legal review for care organizations)
- Deletion: Documents are automatically deleted from Cloudflare R2 after successful upload to Paperless-ngx (typically within 5 minutes). Documents remain in Paperless-ngx for the retention period specified above.

Your rights regarding sub-processors (GDPR Art. 28(4)):

- You will receive 30 days' advance notice via email before Bilko adds or replaces any sub-processor.
- You have the right to object to a new sub-processor within the notice period.
- If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.
- Contact dpa@alai.no to exercise this right.

This disclosure complies with GDPR Article 28(4), Serbian ZZPL Art. 31(4), and BiH ZZLP equivalent provisions.

Company: ALAI Holding AS (org.nr 932 516 136)
Privacy Contact: privacy@bilko.io | DPO: alem@alai.no | DPA: dpa@alai.no