1. Data Controller
Buzzlo d.o.o. za usluge ("onedown.ai", "we", "us") is the data controller responsible for processing your personal data when you use the onedown.ai platform.
| Registered office | Zagrebačka cesta 126, 10000 Zagreb, Croatia |
| OIB | 62127636877 |
| MBS | 081532265 |
| Registry court | Commercial Court in Zagreb (Trgovački sud u Zagrebu) |
| Contact | privacy@onedown.ai |
2. About the Service
onedown.ai is an invite-only, cloud-based inventory management platform built for the hospitality industry. The service includes:
- Mobile and web applications for real-time inventory counting
- Barcode scanning via on-device camera processing
- Bluetooth Low Energy (BLE) scale integration for weight-based counting
- Export capabilities to ERP systems (e.g. Remaris)
3. Roles & Responsibilities
Under GDPR, processing responsibilities are split as follows:
- Buzzlo d.o.o. as controller — for account credentials, platform logs, error reporting, and product analytics.
- Your organization (the tenant) as controller — for business inventory data, counting sessions, warehouse records, and product catalogs entered into the platform.
- Buzzlo d.o.o. as processor — when we host and process tenant inventory content on behalf of your organization.
If your organization has a Data Processing Agreement (DPA) requirement, contact us at legal@onedown.ai.
4. Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Email, name, hashed password | Authentication, user identification |
| Inventory & session | Counting sessions, item quantities, product data, export records | Core service functionality |
| Device & usage | Device type, OS version, app version, anonymized usage events | Compatibility, product improvement |
| Support | Emails and messages sent to our support channels | Customer support |
5. Device Permissions
- Camera — used exclusively for barcode scanning via ML Kit (Android) and VisionKit (iOS). Camera data is processed entirely on-device and is never transmitted to our servers.
- Bluetooth — used for connecting to BLE-enabled weighing scales (AiLink, MASSEC, and kitchen scales). Bluetooth data is used only for real-time weight readings during counting sessions and is not stored.
6. Legal Basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)) — processing necessary to provide the onedown.ai service under your organization's agreement.
- Legitimate interest (Art. 6(1)(f)) — security logging, error monitoring, and anonymized product analytics to maintain and improve the platform.
- Consent (Art. 6(1)(a)) — where required for optional features, obtained with clear opt-in mechanisms.
7. Subprocessors
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | Hosting, D1/R2 storage, CDN | EU |
| PostHog | Anonymized product analytics | EU cloud |
| Bugsink (Sentry-compatible) | Error monitoring & crash reporting | EU (self-hosted) |
| Amazon SES | Transactional email delivery | EU |
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.
8. Cookies
The onedown.ai web application at app.onedown.ai uses session cookies for authentication. These are strictly necessary cookies required for the application to function and do not track you across other websites.
The marketing site at onedown.ai uses anonymized analytics via PostHog. No advertising cookies or third-party trackers are used.
9. Data Retention
Your account data is retained for as long as your account remains active. Synchronization events are retained server-side for approximately 90 days for sync integrity, then pruned automatically.
Upon account deletion, all personal data and associated content are permanently deleted within 30 days.
10. Security
All data in transit is protected with TLS/HTTPS encryption. Authentication uses server-side session management with scrypt password hashing. All infrastructure is hosted within the European Union.
11. Your Rights
Under GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your account and all associated data.
- Portability — request your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
To exercise any of these rights, contact privacy@onedown.ai.
You may also lodge a complaint with the Croatian Personal Data Protection Agency (AZOP) at azop.hr.
12. Children & Changes
onedown.ai is a B2B platform not directed at anyone under 16, and we don't knowingly collect data from children.
We may update this policy over time. We'll flag material changes by email or in-app; continued use after that means you accept the update.