DEFCROS 2026 – Privacy Policy
General Data Protection Regulation (GDPR) (EU) 2016/679 Compliance
Version: 1.0 | Date: January 2026
Effective Date: January 6, 2026
1. Introduction and Commitment to Privacy
Sky Fort Systems d.o.o. (“We,” “Us,” “Our,” or “Organizer”) operates DEFCROS Public Safety & Defense Expo 2026 (“Event”). We are committed to protecting your privacy and ensuring you have a positive experience on our platforms and at our Event.
This Privacy Policy explains how we collect, use, process, and protect your personal data when you register for, participate in, or attend the Event. This Policy applies to all participants including Exhibitors, Sponsors, Delegations, and Business Visitors (collectively, “Participants” or “You”).
We comply fully with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws in Croatia and the European Union.
2. Identity of the Data Controller and Supervisory Authority
2.1 Data Controller
The data controller responsible for your personal data is:
Sky Fort Systems d.o.o.
Gospodarska zona 10
31000 Osijek
Croatia
OIB (Tax ID): 88167585767
Email: defcros@defcros.com
Phone: +385 98 871 949
2.2 Data Protection Officer
While not legally mandated, we have appointed an internal Data Protection Officer to oversee our privacy practices. For data protection inquiries, please contact: defcros@defcros.com
2.3 Supervisory Authority
You have the right to lodge a complaint with the competent supervisory authority:
Croatian Personal Data Protection Agency (Agencija za zaštitu podataka)
Selska cesta 130
10000 Zagreb
Croatia
Email: info@azop.hr
Website: www.azop.hr
3. What Personal Data We Collect
3.1 Categories of Personal Data
We collect the following categories of personal data, depending on your participant category and the services you receive:
| Category | Examples | Legal Basis |
|---|---|---|
| Identification Data | Full name, job title, company name | Contractual necessity |
| Contact Information | Email address, phone number, postal address | Contractual necessity & communication |
| Professional Information | Job function, industry, company size, professional affiliations | Contractual necessity & legitimate interest |
| Event Data | Badge information, session attendance, booth/sponsorship details | Contractual necessity & legitimate interest |
| Payment Information | Payment method (processed via Stripe; we do NOT retain full card details) | Contractual necessity |
| Communication Preferences | Opt-in/opt-out preferences for marketing, newsletters | Consent & legitimate interest |
| Technical Data | IP address, browser type, device type, cookie identifiers | Legitimate interest & legal obligation |
| Accessibility Needs | Any mobility or dietary requirements, accessibility accommodations | Contractual necessity & legal obligation |
3.2 Sensitive Data
We DO NOT intentionally collect sensitive personal data, such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
Exception: If you voluntarily disclose such information in a free-text field (e.g., “dietary requirements” including religious considerations), we will treat it as sensitive data and apply heightened protections.
4. How We Collect Your Data
4.1 Direct Collection
We collect data directly from you when you:
- Complete the registration form on www.defcros.com or via Fillout.com (forms platform)
- Submit a sponsorship agreement or delegation registration
- Create an exhibitor account
- Communicate with us via email, phone, or in-person
- Visit our Event and provide information onsite
- Scan your badge or participate in onsite lead capture
4.2 Indirect Collection
In limited circumstances, we may receive your personal data from:
- Your organization (if registering as part of a delegation or group)
- Exhibitors or Sponsors (if they nominate you for event information or tickets)
5. Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on the following lawful grounds:
5.1 Contractual Necessity (Article 6(1)(b))
We process data necessary to fulfill our contract with you, including:
- Event registration and confirmation
- Stand/booth allocation and logistics
- Payment processing
- Badge generation and onsite access
- Providing services or benefits associated with your participation
5.2 Legitimate Interest (Article 6(1)(f))
We process data for our legitimate business interests, including:
- Event organization & improvement: Analyzing attendance patterns, optimizing floor layouts, improving services
- Marketing & promotion: Sending event information, promotional materials, future event updates (subject to your consent and opt-out rights)
- Legal compliance: Maintaining records for audit, tax, and regulatory purposes
- Fraud prevention & security: Detecting unauthorized access or misuse of the Event
- Networking facilitation: Sharing attendee lists with Exhibitors, Sponsors, and Delegations (subject to opt-out rights)
These legitimate interests do not override your fundamental rights to privacy and data protection.
5.3 Consent (Article 6(1)(a))
We collect explicit, informed consent for:
- Email marketing: Receiving newsletters, promotional materials, and follow-up communications
- Data sharing: Sharing your information with Exhibitors, Sponsors, or third parties for networking purposes
- Cookies & tracking: Using non-essential cookies and analytics tools
- Photography/recording: Recording or photographing you at the Event for promotional purposes
Consent is freely given, specific, informed, and unambiguous. You may withdraw consent at any time by contacting us at defcros@defcros.com.
5.4 Legal Obligation (Article 6(1)(c))
We process data as required by:
- Croatian employment law
- EU tax and accounting regulations
- Event safety and security regulations
- Export control and sanctions compliance checks
6. Purposes of Processing
6.1 Core Event Purposes
We process your personal data for the following purposes:
- Event Registration & Confirmation
  - Process your registration, issue confirmation emails, and send event updates
  - Allocate stand space, sponsorship benefits, or delegate passes
- Event Organization & Logistics
  - Create badges and credentials
  - Manage onsite access and security
  - Coordinate meals, accommodations, or special services
  - Communicate about build-up, schedules, and procedural changes
- Payment Processing
  - Process exhibitor fees, sponsorship payments, and any charges
  - Issue invoices and financial records
  - Prevent fraud and unauthorized transactions
- Lead Generation & Networking (Exhibitors & Sponsors)
  - Capture business visitor information for exhibitor/sponsor follow-up
  - Create attendee lists for networking and business development
  - Facilitate introductions between complementary organizations
- Event Analytics & Improvement
  - Analyze attendance demographics, session popularity, and floor traffic
  - Gather feedback via surveys and post-event questionnaires
  - Optimize future Event planning, design, and services
- Safety, Security & Compliance
  - Maintain security and prevent unauthorized access
  - Conduct background checks or sanctions screening (where applicable for defense/public safety roles)
  - Comply with export control and trade compliance regulations
  - Respond to legal requests from law enforcement
6.2 Marketing & Communication Purposes
- Event Marketing & Promotion
  - Send promotional materials and event updates (prior to and after the Event)
  - Invite you to future DEFCROS editions
  - Share case studies or testimonials (with consent)
- Email Marketing
  - Send newsletters, product updates, and industry news (where you have opted in)
  - Communicate changes, announcements, or important notices
- Photography, Recording & Media
  - Photograph or record the Event for promotional, educational, or archival purposes
  - Use images/videos in marketing materials, social media, and press releases
  - Publish case studies or participant spotlights featuring your company
7. How Long We Retain Your Data
7.1 Data Retention Schedule
| Category of Data | Retention Period | Reason for Retention |
|---|---|---|
| Core Registration Data (name, email, org) | 3 years | Event archives, attendee history, future event planning |
| Payment & Financial Records | 7 years | Croatian tax law requirements (OIB law) |
| Event Logistics (badges, access logs) | 1 year | Legal/audit requirements, operational reference |
| Marketing Communications | Until opt-out | Your email preference and consent |
| Exhibitor/Sponsor Data | 5 years | Contractual records, rebooking/relationship management |
| Onsite Lead Capture (badge scan data) | 1 year | Exhibitor follow-up purposes; then deleted |
| Technical/Cookie Data | 12 months | Analytics & security purposes |
| Dietary/Accessibility Data | 1 year | Event service delivery; then deleted |
| Support Correspondence | 2 years | Dispute resolution, record-keeping |
7.2 Deletion Upon Request
If you request erasure (the “right to be forgotten”) per GDPR Article 17, we will delete your data within 30 days, except where retention is required by:
- Legal or contractual obligations (e.g., tax records, liability disputes)
- Legitimate, compelling business interests
- Credible allegations of fraud or misconduct
We will inform you if deletion is refused and explain the legal basis for retention.
8. Who We Share Your Data With
8.1 No Data Resale
We DO NOT SELL, rent, or resell participant data to third parties for their independent commercial use.
Your data is not a product and will not be shared with unrelated companies for their marketing or business purposes.
8.2 Data Sharing with Event Participants
We share attendee data with other Event participants for legitimate business purposes:
- Exhibitors & Sponsors:
  - Business Visitor names, titles, companies, and email addresses (attendee list shared)
  - Badge scan data (captured via exhibitor lead capture technology, if you are scanned)
  - Purpose: Enabling exhibitors/sponsors to follow up on leads and facilitate networking
  - Your Control: You may opt out of data sharing at registration or request a non-scannable badge
- Delegations:
  - Delegation member names, organizations, and titles included on delegation lists
  - Shared with Exhibitors, other Sponsors, and Business Visitors for networking
  - Your Control: Opt out via email to defcros@defcros.com at least 72 hours before the Event
8.3 Third-Party Service Providers (Data Processors)
We share your personal data with carefully selected third-party service providers that help us operate the Event. All third-party processors have signed Data Processing Agreements (DPAs) in compliance with GDPR Article 28.
These processors may only use your data on our instructions and are bound by strict confidentiality and security obligations.
8.3.1 List of Third-Party Processors
| Service Provider | Purpose | Data Shared | Location | GDPR Compliance |
|---|---|---|---|---|
| Google (Google Workspace, Google Analytics, Google Forms) | Email hosting, website analytics, form submissions | Name, email, IP address, analytics events | Multiple (EU & US) | Data Processing Agreement; Standard Contractual Clauses (SCC) for non-EU transfers |
| Stripe | Payment processing, invoicing | Name, email, payment method, transaction details | Multiple (EU & US) | Data Processing Agreement; PCI-DSS certified; SCC for non-EU transfers |
| Fillout.com | Online registration form platform | Name, email, job title, organization, contact details | US | Data Processing Agreement; SCC for US transfers |
| Airtable | Event database management, registration records | Name, email, organization, ticket info, dietary needs | US | Data Processing Agreement; SCC for US transfers |
| Make.com (formerly Integromat) | Workflow automation, data integration between platforms | Name, email, organization (as needed for integration) | Multiple (EU & US) | Data Processing Agreement; SCC for non-EU transfers |
| Zapier | Application integration, automated workflows | Limited data fields required for integrations (emails, names, organization) | US | Data Processing Agreement; SCC for non-EU transfers |
| Brevo (formerly Sendinblue) | Email marketing, newsletter distribution | Name, email, communication preferences | Multiple (EU & US) | Data Processing Agreement; EU processor; GDPR compliant |
| ProtonMail | Encrypted email communication | Name, email address, communication content | Switzerland | Data Processing Agreement; Swiss-EU data transfer adequacy; end-to-end encryption |
8.3.2 Sub-Processors
These third-party processors may use sub-processors (i.e., processors of processors) to deliver their services. Examples include:
- Stripe: Third-party fraud detection services, banking partners, payment networks
- Google: Cloud infrastructure providers, analytics sub-processors
- Airtable & Zapier: Cloud hosting providers, integration partners
We require all sub-processors to maintain the same GDPR compliance standards. For a current list of sub-processors, contact defcros@defcros.com.
8.4 Legal Compliance & Law Enforcement
We may disclose your personal data to:
- Government authorities or law enforcement agencies if required by law, court order, or regulatory investigation
- Croatian public health authorities (in the event of a health emergency requiring contact tracing)
- Tax authorities for compliance with accounting and tax laws
We will inform you of any such disclosure, except where legally prohibited.
8.5 Business Transfers
If Sky Fort Systems d.o.o. is acquired, merged, or sold, your personal data may be transferred as part of the transaction. We will notify you of any material change in data handling practices.
9. International Data Transfers
9.1 Transfers Outside the EEA
Some of our third-party service providers are located in countries outside the European Economic Area (EEA), including the United States and Switzerland.
For transfers to the US (Stripe, Google, Fillout.com, Airtable, Make.com, Zapier): These processors rely on Standard Contractual Clauses (SCCs) between the EU data controller/processor and the US processor, as established by the GDPR and EU Commission adequacy decisions. SCCs ensure your data receives adequate protections even if the third country’s laws differ from the GDPR.
For transfers to Switzerland (ProtonMail): Switzerland has been granted an adequacy decision by the EU Commission, meaning Swiss data protection laws are deemed equivalent to GDPR.
9.2 Your Rights Regarding International Transfers
You have the right to:
- Request information about the safeguards used in international transfers
- Request a copy of the applicable Standard Contractual Clauses
- Object to transfers where you reasonably believe your rights are not protected
Contact defcros@defcros.com for transfer documentation.
10. Cookies and Tracking Technologies
10.1 What Are Cookies?
Cookies are small text files placed on your device by websites you visit. They allow us to remember your preferences, recognize you on return visits, and understand how you use our website.
10.2 Types of Cookies We Use
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Essential/Necessary | Enable core website functionality (authentication, security, load balancing) | No (legal obligation) |
| Analytical | Track website usage, page views, referral sources, user behavior via Google Analytics | Yes (legitimate interest; opt-out available) |
| Functional | Remember preferences, language settings, registration data | Yes (legitimate interest) |
| Marketing/Advertising | Track you across websites for targeted advertising on third-party platforms | Yes (explicit consent required) |
10.3 How to Manage Cookies
- Browser Settings: Most browsers allow you to refuse cookies or alert you when cookies are being set. Consult your browser’s “Help” section for instructions.
- Opt-Out Links: You may opt out of specific analytics services:
  - Google Analytics: https://tools.google.com/dlpage/gaoptout
  - Brevo: Unsubscribe link in every email
- Cookie Consent Banner: When you first visit our website, a consent banner allows you to accept or reject non-essential cookies.
10.4 Third-Party Analytics
We use Google Analytics to understand website visitor behavior, identify popular content, and improve our website. Google Analytics does not personally identify you but tracks aggregated usage data via cookies and similar technologies.
For more information, see Google’s Privacy Policy.
11. Your Rights Under the GDPR
11.1 Your Data Protection Rights
You have the following rights under the GDPR:
Right of Access (Article 15)
You have the right to request a copy of your personal data and information about how we process it.
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17)
You can request deletion of your personal data under certain circumstances (the “right to be forgotten”). Exceptions apply where retention is legally required.
Right to Restrict Processing (Article 18)
You can request that we limit how we use your data while a dispute is resolved.
Right to Data Portability (Article 20)
You can request your data in a structured, commonly used, machine-readable format (e.g., CSV) to transfer it to another organization.
Right to Object (Article 21)
You can object to processing based on legitimate interest or direct marketing. Upon your objection, we will cease that processing unless we have compelling legal grounds.
Right to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that significantly affects you. We do not use fully automated decision-making processes.
Right to Withdraw Consent (Article 7)
Where processing is based on consent (e.g., marketing emails), you can withdraw consent at any time. Withdrawal does not affect processing that occurred before withdrawal.
11.2 How to Exercise Your Rights
To exercise any of the above rights, please submit a written request to:
Subject Line: “Data Subject Request – [Your Right, e.g., Access, Deletion, Portability]”
Include:
- Your full name
- Email address
- Specific request and the right(s) you are exercising
- Supporting information if applicable
Response Timeframe: We will respond within 30 calendar days of receiving your complete request. Complex requests may be extended by 60 additional days with notice.
No Fee: Requests are typically provided free of charge. We may charge a reasonable fee or refuse manifestly unfounded or repetitive requests.
12. Security Measures
12.1 Data Security Practices
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
Technical Safeguards
- Encryption in Transit: All data transmission to/from our website and payment processors uses SSL/TLS encryption (HTTPS)
- Encryption at Rest: Sensitive data (passwords, payment details) is encrypted in our databases
- Access Controls: Only authorized personnel can access personal data; access is role-based and logged
- Firewalls & Intrusion Detection: Network security to prevent unauthorized access
- Regular Security Audits: Third-party security assessments of critical systems
Organizational Safeguards
- Data Protection by Design: Privacy considered in all new systems and processes
- Confidentiality Agreements: All staff sign binding confidentiality/NDA agreements
- Data Minimization: We collect only data necessary for stated purposes
- Access Logging: All data access is recorded and monitored for suspicious activity
- Incident Response Plan: Procedures in place to respond to data breaches (see Section 13)
12.2 Limitations
While we apply industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security against sophisticated cyberattacks, insider threats, or unforeseen vulnerabilities. You use our services at your own risk, though we take all reasonable precautions.
13. Data Breach Notification
13.1 Notification Procedure
If we discover a data breach affecting your personal data, we will:
- Notify you promptly without undue delay (typically within 72 hours of discovering the breach)
- Notify the Croatian Data Protection Agency if the breach poses a high risk to your rights and freedoms
- Provide clear information about:
  - What data was affected
  - What happened and when
  - What you should do to protect yourself
  - Our contact information for further inquiries
13.2 Exceptions
We may not notify you if:
- The data was encrypted and the decryption key was not compromised
- We have reasonable assurance the breach was not discovered by unauthorized persons
- Notification would compromise a law enforcement investigation
14. Changes to This Privacy Policy
14.1 Updates & Amendments
We may update this Privacy Policy at any time to reflect changes in our data practices, legal requirements, or other factors. Changes will be effective upon posting to www.defcros.com.
14.2 Significant Changes
If we make material changes that reduce your privacy rights or expand data processing in ways not previously disclosed, we will:
- Provide at least 30 days’ notice before changes take effect
- Send email notification to registered participants (where contact information is available)
- Post a clear notice on our website
Your continued participation in the Event or use of our website after changes are posted constitutes acceptance of the updated Privacy Policy.
15. Children & Minors
15.1 Age Restriction
Our Event and related services are not directed to children under 16 years of age. We do not knowingly collect personal data from individuals under 16.
If we become aware that we have collected data from a child under 16 without verifiable parental consent, we will delete that data immediately.
15.2 Parental Consent
If you are between 16 and 18 years old, you may participate with explicit parental/guardian consent. A parent or guardian should review this Privacy Policy and confirm understanding before your registration is finalized.
16. Contact Information & Requests
16.1 Data Protection Inquiries
For questions, requests, or concerns regarding this Privacy Policy or our data practices:
Sky Fort Systems d.o.o. – Data Protection Team
Email: defcros@defcros.com
Phone: +385 98 871 949
Mailing Address:
Gospodarska zona 10
31000 Osijek
Croatia
Response Time: We aim to respond within 5 business days.
16.2 Supervisory Authority
If you believe we have violated your data protection rights, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency:
Croatian Personal Data Protection Agency (Agencija za zaštitu podataka)
Selska cesta 130
10000 Zagreb
Croatia
Email: info@azop.hr
Website: www.azop.hr
Phone: +385 1 4609 000
17. Additional Information for Specific Participant Categories
17.1 Exhibitors
As an Exhibitor, we collect additional data related to stand allocation, build-up schedules, and exhibitor personnel. Your data may be shared with:
- Co-exhibitors and contractors building/managing your stand
- Security and venue management for access control
- Sponsors (if you have opted in for networking)
Your rights: You may request a copy of your exhibitor record, including all stored communications and logistics details.
17.2 Sponsors
As a Sponsor, we collect data related to sponsorship package, promotional activities, and branding. Your logo and organization name may be used in Event marketing materials as part of the sponsorship agreement.
Your rights: You may request removal of your branding from future marketing materials by notifying us in writing.
17.3 Delegations
As a Delegation member, your data is included on a group list shared with Exhibitors and Sponsors for networking purposes. You may opt out of this sharing by contacting us at least 72 hours before the Event.
Your rights: You can request that your name be removed from delegation lists sent to third parties.
17.4 Business Visitors
As a Business Visitor, your data may be captured via badge scanning at Exhibitor booths. You may request a non-scannable badge at registration if you do not wish to be tracked by exhibitors.
Your rights: You may request an opt-out list at any time; exhibitors must honor your request not to be contacted.
18. Compliance & Legal Framework
18.1 Applicable Laws
This Privacy Policy is governed by and interpreted in accordance with:
- GDPR (EU) 2016/679 – General Data Protection Regulation
- Croatian Law on Personal Data Protection (OZ, 2018)
- Croatian Act on Electronic Communications (if applicable)
- PECR (UK) – Privacy and Electronic Communications Regulations (if you are a UK resident)
18.2 Data Protection Impact Assessment (DPIA)
For large-scale or sensitive data processing activities, we conduct Data Protection Impact Assessments to identify and mitigate privacy risks. A summary of our DPIA is available upon request.
19. Glossary of Key Terms
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person (e.g., name, email, IP address) |
| Processing | Any operation performed on personal data, including collection, storage, use, deletion |
| Data Controller | The entity (usually Sky Fort Systems) that determines the purposes and means of data processing |
| Data Processor | A third party (e.g., Stripe, Google) that processes data on the controller’s instructions |
| Data Subject | You – the individual whose personal data is processed |
| Consent | Freely given, specific, informed, and unambiguous agreement to processing |
| Legitimate Interest | A lawful basis for processing data where the organization’s interests are balanced against your rights |
| Right to Be Forgotten | Your right to request erasure of personal data (subject to exceptions) |
| Data Portability | Your right to receive your data in a machine-readable format |
| Breach | Unauthorized disclosure, loss, or access to personal data |
20. Document Version & History
| Version | Date | Changes |
|---|---|---|
| 1.0 | January 6, 2026 | Initial Privacy Policy for DEFCROS 2026 |
21. Acknowledgment & Acceptance
By registering for or participating in DEFCROS 2026, you acknowledge that:
- You have read and understood this Privacy Policy
- You consent to the collection, processing, and use of your personal data as described herein
- You understand your rights under the GDPR and how to exercise them
- You agree to the data sharing arrangements outlined in Section 8
This Privacy Policy is effective as of January 6, 2026.
For questions or to exercise your rights, contact defcros@defcros.com
Last Updated: January 6, 2026