Bilko Privacy Notice (with Document Archive Sub-Processors §8.1)
⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).
Table of Contents
- Introduction and Data Controller
- Scope and Applicability
- Legal Framework
- Data We Collect
- Legal Basis for Processing
- How We Use Your Data
- Data Retention Periods
- Data Sharing and Third-Party Processors
- Cross-Border Data Transfers
- Your Rights as a Data Subject
1. Introduction and Data Controller
Bilko is a cloud-based accounting and invoicing platform for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. Bilko is developed and operated by ALAI Holding AS (org.nr 932 516 136), a company registered in Norway.
Data Protection Officer (DPO):
| Field | Details |
|---|---|
| DPO name | Alem Bašić |
| DPO contact | [email protected] |
| Phone | +47 40 47 42 51 |
| Company | ALAI Holding AS (org.nr 932 516 136) |
| Role | Responsible for data protection compliance across all three jurisdictions |
| Appointed | 2026-03-02 |
8. Data Sharing and Third-Party Processors
8.1 Document Archive Sub-Processors
When you enable the document archival feature in Bilko, the following additional sub-processors are used:
| Sub-Processor | Purpose | Data Categories | Location | Safeguards |
|---|---|---|---|---|
| Cloudflare R2 (Cloudflare, Inc., USA) | Temporary staging for archive pipeline | Contract PDFs, invoices, care plans, incident reports, onboarding documents | EU region (eu-west bucket) | Standard Contractual Clauses (SCCs) |
| ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway) | Long-term document archive at archive.alai.no | Same categories as above | EU/EEA (Microsoft Azure Sweden Central region) | ALAI DPA + Azure SCCs |
How document archival works:
- Upload: When you mark a document for archival in Bilko (contracts, invoices, care plans, incident reports, onboarding documents), Bilko's backend writes the document to a Cloudflare R2 staging bucket in the EU region.
- Transfer: Every 5 minutes, a Cloud Run worker retrieves documents from R2 and uploads them to Paperless-ngx, a document management system hosted on ALAI's Azure VM (archive.alai.no) located in the Azure Sweden Central region (EU/EEA).
- Retention: Documents are retained in the archive according to the following schedule:
  - Financial documents (invoices, contracts): 7 years (Serbian Zakon o računovodstvu, BiH accounting law, Croatian Zakon o računovodstvu)
  - Care-related documents (care plans, incident reports): 25 years (UK NHS retention standard; pending Balkan legal review for care organizations)
- Deletion: Documents are automatically deleted from Cloudflare R2 after successful upload to Paperless-ngx (typically within 5 minutes). Documents remain in Paperless-ngx for the retention period specified above.
Your rights regarding sub-processors (GDPR Art. 28(4)):
- You will receive 30 days' advance notice via email before Bilko adds or replaces any sub-processor.
- You have the right to object to a new sub-processor within the notice period.
- If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.
- Contact [email protected] to exercise this right.
- This disclosure complies with GDPR Article 28(4), Serbian ZZPL Art. 31(4), and BiH ZZLP equivalent provisions.
Company: ALAI Holding AS (org.nr 932 516 136)
Privacy Contact: [email protected] | DPO: [email protected] | DPA: [email protected]