This privacy policy explains how Auto Gas Gaga (hereinafter: "we", "our", "the workshop") collects, uses, stores, and protects your personal data when you use our website gaga.ba and related services.
We comply with the provisions of the Law on Personal Data Protection of Bosnia and Herzegovina ("Official Gazette of BiH" No. 49/06, 76/11, 89/11) and apply the principles of the EU General Data Protection Regulation (GDPR) as a best-practice standard.
1. Data Controller
The controller of your personal data is:
Auto Gas Gaga
Njegoševa 44
Banja Luka, Republika Srpska
Bosnia and Herzegovina
Phone: +387 65 701 308
Email: info@gaga.ba
For any questions regarding the protection of personal data, you may contact us at the address, phone number, or email listed above.
2. Data We Collect
We collect only the data necessary to provide our services. Data is grouped by collection source:
2.1 Appointment Booking Form
When you book an appointment through our website, we collect the following data: full name; phone number; email address (optional); vehicle make, model, and year; description of symptoms or faults; and preferred appointment date.
2.2 Inquiry Form
When you submit an inquiry, we collect: full name, phone number, vehicle data (make, model, fuel type), description of symptoms or questions, and free-text message.
2.3 Feedback Form
Through a one-time feedback token, we collect: your name, service rating, and text comment. This form is linked to a specific intervention on your vehicle.
2.4 Customer Portal (E-Service Book)
To access the customer portal at /knjizica, you use your phone number and a PIN code. The portal allows you to view your vehicles, scheduled appointments, and intervention history. Session data is stored in a signed cookie.
2.5 Basic Technical Data
Our hosting provider (Vercel) automatically logs your IP address and user-agent header in server logs. This data is used exclusively for security purposes and technical diagnostics, not for tracking your behavior on the site.
3. Purpose of Data Processing
We process your data for the following purposes:
Appointment management: scheduling, confirmation, and reminders for service appointments.
Customer communication: responding to inquiries, sending notifications about repair status and intervention completion.
Warranty services and history: maintaining a complete service history of your vehicle within the E-Service Book, tracking warranty periods on installed parts.
Feedback: collecting your ratings and comments to improve service quality.
We do not use your data for automated marketing, profiling, or sending promotional messages.
4. Legal Basis for Processing
We process your data on the following legal grounds:
Performance of a contract (Art. 6(1)(b) GDPR, Art. 5 of the BiH Law on Personal Data Protection): processing is necessary to provide the services you requested, including appointment booking, performing repairs, and maintaining the service book.
Legitimate interest (Art. 6(1)(f) GDPR): communication with you regarding the status of your vehicle, notifications about repair completion, and security logs.
Legal obligation: retention of business documentation in accordance with BiH tax and accounting regulations.
We do not seek consent for marketing activities because we do not conduct them. If we introduce marketing communication in the future, we will request your explicit consent.
5. Third-Party Data Sharing
We do not sell your data or provide it to third parties for advertising purposes. We share data only with technical service providers necessary for operating our website and communicating with you:
5.1 Vercel (Hosting Infrastructure)
Our website is hosted on the Vercel platform, which uses serverless infrastructure in the European Union. Vercel processes technical data (IP address, request headers) necessary for delivering the website.
5.2 Supabase (Database and Authentication)
Our database is hosted on the Supabase platform in the AWS eu-west-1 region (Ireland, European Union). All client data, vehicle data, appointments, and interventions are stored in this database.
5.3 Infobip (Business Messaging)
We use the Infobip platform to send notifications via WhatsApp Business and Viber Business channels. We share your phone number and message content with Infobip. Messages are sent exclusively regarding your appointments and services, never for promotional purposes.
5.4 Meta/WhatsApp and Rakuten/Viber (Delivery Networks)
Messages sent through Infobip are delivered via the WhatsApp network (owned by Meta) and the Viber network (owned by Rakuten). These platforms have access to your phone number and message content as part of delivery.
6. Data Transfers Outside Bosnia and Herzegovina
Our website hosting (Vercel) and database (Supabase) are located in the European Union, which provides an adequate level of personal data protection.
Notifications sent via WhatsApp and Viber pass through the international infrastructure of Meta and Rakuten. These companies apply Standard Contractual Clauses and appropriate technical safeguards for data transfers outside the EU.
For any data transfer outside BiH, we ensure that your data is always processed with appropriate safeguards in accordance with the BiH Law on Personal Data Protection and GDPR principles.
7. Data Retention Period
We retain data in accordance with its collection purpose:
Inquiries and feedback: retained indefinitely for the workshop's operational history, unless you request deletion.
Customer portal and intervention history: retained indefinitely as they form the basis of the E-Service Book. Complete service history is a core feature that our clients expect and rely on.
Notification logs (WhatsApp/Viber messages): retained for 2 years from the date of sending, after which they are automatically deleted.
Technical logs (Vercel server logs): retained for 30 days per Vercel's default settings.
8. Your Rights
In accordance with the BiH Law on Personal Data Protection and GDPR principles, you have the following rights:
Right of access: you may request information about what data we hold about you and how we use it.
Right to rectification: you may request correction of inaccurate or incomplete data.
Right to erasure: you may request deletion of your data, except where we are legally obligated to retain it.
Right to restriction of processing: you may request that we restrict the processing of your data in certain circumstances.
Right to object: you may object to the processing of your data based on legitimate interest.
Right to data portability: you may request a copy of your data in a structured, commonly used, and machine-readable format.
Right to withdraw consent: if you have given consent for processing, you may withdraw it at any time.
To exercise any of these rights, contact us at info@gaga.ba or call +387 65 701 308. We will respond to your request within 30 days.
If you believe we have violated your rights, you have the right to file a complaint with the Personal Data Protection Agency of Bosnia and Herzegovina (AZLP BiH), Dubrovačka 6, 71000 Sarajevo, www.azlp.ba.
10. Data Security
We apply appropriate technical and organizational measures to protect your data:
All communication with our website is conducted via HTTPS protocol (TLS encryption).
The database is protected by Supabase Row Level Security (RLS) policies that ensure each user can access only their own data.
PIN codes for the customer portal are stored in hashed form using the bcrypt algorithm. The original PIN is not stored anywhere in the system.
Administrative access is protected by Supabase authentication with signed session cookies.
Database access is restricted to authorized application servers; there is no public access.
11. Minors
Our website and services are not intended for persons under 16 years of age. We do not knowingly collect personal data of minors. If we learn that we have collected data of a minor without parental or guardian consent, we will take steps to delete it immediately.
12. Changes to This Privacy Policy
We reserve the right to update this privacy policy. In the event of significant changes, we will post a notice on our website. The date of the last update is noted at the top of this page.
We recommend that you periodically review this page to stay informed of any changes.
13. Data Protection Contact
For any questions, requests, or complaints regarding the protection of your personal data, you may contact us:
Auto Gas Gaga
Njegoševa 44
Banja Luka, Republika Srpska
Bosnia and Herzegovina
Phone: +387 65 701 308
Email: info@gaga.ba
We will make every effort to respond to your request as soon as possible, and within 30 days at the latest.