Privacy Policy
Table of Contents
1 Data Controller
The data controller responsible for the processing of your personal data in connection with the Armalog platform is:
Data Controller
Armanov d.o.o.
Dobrave 3, 1236 Trzin, Republic of Slovenia
Email: armalog@armalog.com
Platform: armalog.com
Armanov d.o.o. has not appointed a Data Protection Officer (DPO), as it does not meet the mandatory thresholds for DPO appointment under GDPR Article 37. All data protection enquiries should be directed to the contact email above. We endeavour to respond to all data-related requests within 30 days, in accordance with GDPR Article 12(3).
2 Scope & Applicability
This Privacy Policy applies to all personal data processed in connection with:
- The Armalog web platform available at armalog.com and any subdomains;
- The registration and maintenance of user accounts on the Platform;
- All content created by users on the Platform (firearm records, shooting logs, ammo data, maintenance records, uploaded media);
- Transactional system emails sent by the Platform to registered users;
- Communications between you and Armanov d.o.o. in connection with the Platform;
- Promotional communications sent by Armanov d.o.o. to Free Tier users who have provided their consent.
This Policy does not apply to third-party websites or services that may be linked from the Platform. The Platform is operated from the Republic of Slovenia and is subject to EU law, including the GDPR.
3 Data We Collect
We collect and process the following categories of personal data. This section reflects the complete scope of data that may appear in a personal data export requested under GDPR Article 15.
3.1 Account & Registration Data
| Data Element | Description | Required? |
|---|---|---|
| User ID | Internal numeric identifier assigned at registration | Automatic |
| Username (login name) | Unique login identifier chosen at registration | Yes |
| Display name / nickname | Name displayed within the Platform interface | Yes |
| Email address | Used for login, transactional emails, and (Free Tier) promotional emails | Yes |
| Password | Stored exclusively as a cryptographic hash — never in plain text | Yes |
| Account registration date | Timestamp recorded automatically at registration | Automatic |
| Currency preference | User-selected currency for displaying ammo cost data | Optional |
| Marketing consent status | Whether the user has consented to receive promotional emails (Free Tier) | Automatic |
| Profile picture | Optional profile image uploaded by the user; stored on Platform servers | Optional |
3.2 User-Generated Content
The following data is entered voluntarily by the user for the purpose of using the Platform's core features. All User Content is strictly private and not shared with other users.
| Data Category | Examples |
|---|---|
| Firearm records | Weapon name, type, caliber, purchase date, seller info, zero distance, maintenance rules |
| Shooting session logs | Date, rounds fired, location (freetext), notes, linked weapon, linked ammo |
| Ammo inventory data | Ammo type, caliber, manufacturer, purchase quantity, price paid, date |
| Maintenance records | Maintenance rules, service dates, notes, round counts at service |
| QR code tokens | Unique tokens linked to weapon records for rapid session logging |
| PIN hashes | Hashed PIN codes for optional QR code protection (never stored in plain text) |
3.3 Uploaded Media Files
When you upload images to the Platform — including weapon gallery photos and your profile picture — these files are stored on the Platform's servers and are accessible via a URL in the format armalog.com/wp-content/uploads/[year]/[month]/[filename]. These URLs are included in personal data exports. Uploaded media is associated with your account and is deleted upon account deletion.
Supported file types are JPEG, PNG, and WebP. Maximum file size per upload is 2 MB.
3.4 Session Tokens & Login Data
For security and authentication purposes, the Platform records and retains the following data for each active login session:
| Data Element | Purpose |
|---|---|
| Session token expiration date | Controls how long a login session remains valid (typically 14 days) |
| IP address (per session) | Security monitoring; identification of suspicious or unauthorised access |
| User Agent string (per session) | Browser and device type used for the session (e.g. Chrome on Android) |
| Last login timestamp | Date and time of the most recent login activity for this session token |
Multiple concurrent session tokens may be active if you log in from different devices or browsers. Session token data is visible in personal data exports as the "Session Tokens" section. Session tokens are deleted when they expire or when the user logs out.
3.5 Transactional Email Logs
The Platform logs all system-generated transactional emails for the purpose of delivery verification, debugging, and audit trail. The following data is recorded for each sent email:
| Data Element | Description |
|---|---|
| mail_id | Internal unique identifier for the logged email |
| Timestamp | Date and time the email was sent |
| Host / sending IP | IP address of the outgoing mail server |
| Receiver email address | The email address the message was sent to |
| Subject line | Email subject (e.g. "Account confirmation", "Password reset") |
| Message content | Full HTML content of the sent email |
| Headers | Email headers, including content type |
| Plugin version | Version of the email plugin used at the time of sending |
Transactional emails logged by the Platform include: account registration confirmation, email verification, password reset, maintenance alert notifications, and any other system-generated service communications. Promotional marketing emails are not logged in this system. Email logs are visible in personal data exports as the "Mails" section.
3.6 Technical & Usage Data
| Data Element | Purpose |
|---|---|
| IP address | Security, fraud prevention, server log analysis |
| Browser type and version | Technical compatibility and security monitoring |
| Device type | Platform optimisation |
| Pages visited and timestamps | Server logs for security and performance monitoring |
| REST API request logs | Security and debugging (retained for limited period) |
| QR scan timestamps | Recorded as part of session log audit trail |
3.7 Payment Data (Pro Tier)
If you subscribe to the Pro Tier, payment processing is handled exclusively by our third-party payment providers (Stripe and/or PayPal). We do not collect, store, or process your credit card number, bank account details, or any other financial account information on our servers. We receive only confirmation of payment and basic billing information (e.g., billing country, subscription status) from the payment provider.
3.8 Data We Do Not Collect
- Special categories of personal data as defined in GDPR Article 9 (health data, racial or ethnic origin, political opinions, etc.);
- Data from individuals under 18 years of age;
- Precise GPS location data (location fields in session logs are optional freetext entered by the user);
- Biometric data of any kind;
- Data from third-party social networks beyond what is provided during optional Google Sign-In authentication.
4 How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Account creation & management | Email, username, password hash, User ID | Contract (Art. 6(1)(b)) |
| Providing core Platform features | All user-generated content | Contract (Art. 6(1)(b)) |
| Sending transactional system emails | Email address, account data | Contract (Art. 6(1)(b)) |
| Logging transactional emails for delivery verification | Email log data (Section 3.5) | Legitimate interests (Art. 6(1)(f)) |
| Maintaining login sessions | Session tokens, IP, User Agent (Section 3.4) | Contract / Legitimate interests (Art. 6(1)(b)(f)) |
| Storing uploaded media | Image files and their URLs (Section 3.3) | Contract (Art. 6(1)(b)) |
| Sending promotional emails (Free Tier) | Email address, name | Consent (Art. 6(1)(a)) |
| Processing Pro Tier payments | Email, payment confirmation from provider | Contract (Art. 6(1)(b)) |
| Platform security & fraud prevention | IP address, session data, request logs | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | As required by applicable law | Legal obligation (Art. 6(1)(c)) |
| Service improvement & debugging | Anonymised technical/usage data, email logs | Legitimate interests (Art. 6(1)(f)) |
| Notifying users of material changes | Email address | Legal obligation / Contract (Art. 6(1)(b)(c)) |
We do not use your personal data for automated decision-making or profiling within the meaning of GDPR Article 22 that produces legal or similarly significant effects on you.
5 Legal Basis for Processing
- Contract (Article 6(1)(b)): Processing necessary for the performance of the contract — providing access to the Platform and its features following registration.
- Consent (Article 6(1)(a)): Where you have given explicit consent, including for sending promotional communications to Free Tier users. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with applicable law, including tax and accounting requirements and responses to binding legal orders.
- Legitimate interests (Article 6(1)(f)): Processing for platform security, fraud prevention, email delivery verification, session management, and service improvement, provided such interests are not overridden by your fundamental rights. You have the right to object to processing on this basis.
6 Marketing Communications
6.1 Free Tier Users
When you register for a Free Tier account, you explicitly consent to receiving occasional promotional communications from Armanov d.o.o. by email (maximum once per month). These may include product announcements, promotional offers, and Armalog feature updates. The legal basis is your consent (GDPR Article 6(1)(a)), documented and timestamped at the point of registration.
6.2 Withdrawing Consent & Upgrading
If you wish to stop receiving promotional communications, you may upgrade to the Pro Tier at any time from within your account settings. Upon upgrade, promotional communications will cease immediately. Downgrading back to the Free Tier reinstates the promotional email consent as a condition of free access.
6.3 Pro Tier Users
Pro Tier users do not receive promotional communications from Armanov as a condition of their subscription and will not be included in marketing sends.
6.4 Transactional Communications
Regardless of tier or marketing preferences, all users receive transactional system emails necessary for the operation of their account. These include: account registration confirmation, email verification, password reset, maintenance alert notifications, payment receipts, and material policy change notifications. These cannot be opted out of while your account remains active.
7 Data Sharing & Third Parties
We do not sell your personal data. We do not share your personal data with any third party for their own marketing purposes. We share data only in the following limited circumstances:
7.1 Service Providers (Data Processors)
| Provider | Role | Data Shared | Location |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting & infrastructure | All data stored on Platform servers, including user content, session data, email logs, and uploaded media | Germany (EU) |
| Stripe Inc. | Payment processing (Pro Tier) | Email, billing country, subscription data | USA (SCCs) |
| PayPal Holdings Inc. | Payment processing (Pro Tier) | Email, transaction data | USA (SCCs) |
| SMTP / email infrastructure | Transactional email delivery | Recipient email address, email content | EU |
7.2 Legal Requirements
We may disclose personal data if required by applicable law, court order, or binding instruction from a competent regulatory authority. We will, to the extent permitted by law, notify you of any such disclosure.
7.3 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the relevant third party under obligations no less protective than this Policy.
7.4 No Other Sharing
Your User Content — firearm records, session logs, ammo data, maintenance records, uploaded media, session tokens, and email logs — is never shared with any third party for any purpose other than hosting on Hetzner's infrastructure as described above.
8 International Transfers
The Platform is hosted on servers located within the European Economic Area (EEA) (Hetzner, Germany). Your data is primarily processed within the EEA.
Our payment processors (Stripe and PayPal) are based in the United States. Transfers to these providers are carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission. Both providers maintain comprehensive GDPR compliance programmes.
We do not transfer your personal data to any country outside the EEA unless an appropriate safeguard under GDPR Chapter V is in place.
9 Cookies & Tracking Technologies
9.1 Strictly Necessary Cookies Only
The Platform uses only cookies that are strictly necessary for its operation. These cookies do not track you across other websites, do not collect data for advertising or analytics, and cannot be disabled without significantly impairing Platform functionality.
9.2 Cookies Set by the Platform
| Cookie Name / Type | Purpose | Duration | Type |
|---|---|---|---|
| WordPress session cookie | Maintains your logged-in session on the Platform | Session / up to 14 days | Strictly necessary |
| WordPress auth cookie | Authenticates your identity to the Platform's backend | Session / up to 14 days | Strictly necessary |
| WordPress nonce / security token | Protects API requests against CSRF attacks | Session | Strictly necessary / security |
Because only strictly necessary cookies are used, your consent to cookies is not required under GDPR or the ePrivacy Directive. A cookie information notice is displayed on the Platform for transparency purposes.
9.3 Future Cookie Usage
Should we introduce any new cookies in the future — particularly analytics or preference cookies — we will update this Policy accordingly and obtain your prior consent where required by applicable law.
9.4 Browser Controls
You can control and delete cookies through your browser settings. Note that deleting or blocking session cookies will prevent you from logging into the Platform.
10 Data Retention
We retain your personal data only for as long as necessary for the purposes for which it was collected.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (email, credentials, username) | Duration of account + 30 days after deletion request | Service provision; grace period for accidental deletion |
| User Content (firearm records, logs, ammo, maintenance) | Duration of account + 30 days | Service provision; data portability |
| Uploaded media files | Duration of account + 30 days | Service provision |
| Session tokens | Until expiry (max 14 days) or logout | Authentication security |
| Session token records (in export) | Duration of account | Security audit trail |
| Transactional email logs | 12 months from date of sending | Delivery verification, debugging, service continuity |
| Marketing consent records | Duration of consent + 3 years after withdrawal | Legal compliance; proof of lawful consent |
| Payment / billing records (Pro Tier) | 7 years from transaction date | Slovenian accounting and tax law (ZGD-1, ZDDV-1) |
| Server access logs (IP, timestamps) | Up to 90 days | Security monitoring and fraud prevention |
| Support correspondence | 3 years from last communication | Legitimate interests; dispute resolution |
Upon expiry of the applicable retention period, data is securely deleted or anonymised in a manner that prevents re-identification.
11 Data Security
We implement appropriate technical and organisational security measures to protect your personal data. Our measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS;
- Password security: Passwords are stored exclusively as cryptographic hashes — never in plain text;
- PIN security: Optional QR PIN codes are stored as cryptographic hashes, never in plain text;
- Session security: Session tokens are uniquely generated per login, time-limited, and invalidated upon logout;
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis;
- Secure infrastructure: The Platform is hosted on Hetzner's infrastructure within Germany (EU), operating under strict data protection and security standards;
- Regular updates: We maintain regular software and security updates for the Platform infrastructure;
- User isolation: All user data is logically separated — each user can access only their own content.
11.1 Personal Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) within 72 hours of becoming aware, in accordance with GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with GDPR Article 34.
12 Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. To exercise any of them, contact us at armalog@armalog.com. We will respond within 30 days. We may request proof of identity before processing your request.
Obtain confirmation of whether we process your data and receive a copy, including a full personal data export. (GDPR Art. 15)
Have inaccurate data corrected and incomplete data completed. Most account data can be updated directly in your account settings. (GDPR Art. 16)
"Right to be forgotten." Request deletion of your personal data where it is no longer necessary or where you withdraw consent. Certain data may be retained for legal compliance. (GDPR Art. 17)
Request that we restrict processing of your data in certain circumstances, for example while accuracy is being verified. (GDPR Art. 18)
Receive your personal data in a structured, machine-readable format (CSV/PDF) via the Platform's export feature, or request a full data export by email. (GDPR Art. 20)
Object to processing based on legitimate interests (Art. 6(1)(f)). We will cease such processing unless we can demonstrate compelling legitimate grounds. (GDPR Art. 21)
Where processing is based on consent (e.g., promotional emails), withdraw consent at any time by upgrading to Pro. Withdrawal does not affect prior processing. (GDPR Art. 7(3))
Not to be subject to decisions based solely on automated processing producing legal effects. We do not engage in such processing. (GDPR Art. 22)
12.1 How to Request Account and Data Deletion
To request complete deletion of your account and all associated personal data, send an email to armalog@armalog.com from your registered email address with the subject line "Data Deletion Request". We will process your request within 30 days. Note that certain data (e.g., billing records) may be retained for the minimum period required by law as set out in Section 10.
12.2 Personal Data Export
In accordance with GDPR Article 15, you may request a full export of all personal data we hold about you. This export includes: account data, user-generated content, uploaded media file URLs, active session token records, and transactional email logs. To request your export, contact us at armalog@armalog.com with the subject line "Data Export Request".
12.3 Right to Lodge a Complaint
Slovenian Supervisory Authority
Informacijski pooblaščenec (Information Commissioner)
Dunajska cesta 22, 1000 Ljubljana, Republic of Slovenia
Website: www.ip-rs.si · Email: gp.ip@ip-rs.si · Tel: +386 1 230 9730
You may also lodge a complaint with the supervisory authority in your country of habitual residence or place of work within the European Union.
13 Children's Privacy
The Platform is not directed at individuals under the age of 18 years. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will take immediate steps to delete such data. If you believe your child under 18 has registered, contact us immediately at armalog@armalog.com.
14 Changes to This Policy
We reserve the right to update this Privacy Policy at any time. Changes will be published on this page with an updated version number and effective date. For material changes — particularly those affecting your rights, the categories of data collected, how we use your data, or our data sharing practices — we will notify registered users by email at least 30 days before the changes take effect.
Your continued use of the Platform after the effective date of any updated Policy constitutes acceptance of the updated Policy.
Version History
Version 1.1 — 14 April 2026: Updated to explicitly document session token data (Section 3.4), transactional email logs (Section 3.5), and uploaded media file storage (Section 3.3). Updated data retention table (Section 10) to include email log and session token retention periods. Added GDPR Art. 15 data export information (Section 12.2).
Version 1.0 — [initial publication date]: Initial Privacy Policy.
15 Contact & Complaints
For all questions, requests, or concerns regarding this Privacy Policy or our data processing practices, please contact us:
Data Controller — Armanov d.o.o.
Dobrave 3, 1236 Trzin, Republic of Slovenia
Email: armalog@armalog.com
Platform: armalog.com
We aim to respond to all data protection requests within 30 days of receipt. For complex requests, we may extend this by a further two months, notifying you within the initial 30-day period (GDPR Art. 12(3)).
This Privacy Policy (Version 1.1) is effective from 14 April 2026. Armanov d.o.o. reserves all rights not expressly granted herein.