Security and GDPR
Your data, your venue, your right.
A concise summary of how Patrono protects data, which subprocessors we use, and what rights you have under GDPR. No legal jargon, just concrete answers.
How we protect data
Four things that actually matter.
Data inside the EU
We host Patrono on infrastructure inside the European Union, with databases and the application layer in regions that do not cross EU borders. GDPR is not an extra obligation; it is the default framework we operate in.
Encryption in transit and at rest
All data between the browser and Patrono runs over TLS 1.3. Databases and backups are encrypted at rest (AES-256). Passwords are stored using the bcrypt algorithm, never in plain text.
Role-based access
Staff see only what their role requires. A waiter does not see food cost, a shift manager does not see contracts, the bookkeeper does not see schedules. An audit log records every change to key data.
Backup and recovery
Daily automated backups with 30-day retention, weekly snapshots with 12-month retention. In an incident the RTO is under 4 hours. Point-in-time recovery for critical tables.
Data and retention
What we store, what we do not, for how long.
What we store
Venue data (name, VAT number, address), staff data (name, contact, role, shift types), revenue data from your connected POS, items and recipes, HACCP records, and documents you upload yourself.
What we DO NOT store
Patrono does not store card numbers, guest tax IDs, health files of staff, or any data that does not flow through your legitimate business process.
Retention
Business data is kept for the duration of the subscription plus 90 days. After that, data is deleted or exported as you choose. Records about former staff are kept under retention periods set by Croatian labor law.
Subprocessors
Who else touches your data.
Vendors with which we share parts of the infrastructure: hosting, database and email. All inside the EU.
| Name | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application and static asset hosting | EU (Frankfurt) |
| Managed Postgres provider | Primary database, encrypted at rest | EU |
| Resend | Transactional email (support, notifications, password reset) | EU |
| CAUTUS SISTEMI d.o.o. | Development and support (Zagreb, Croatia) | HR |
Your rights
What you can request as a user.
GDPR rights apply to all your data in Patrono. Send an email and we respond within 30 days, usually much sooner.
- Right to access the data we store about your venue or staff
- Right to correct inaccurate data
- Right to delete data no longer needed for the contract
- Right to data portability in machine-readable formats (CSV, JSON)
- Right to object to processing and to withdraw consent for optional processing
- Right to file a complaint with the Croatian Personal Data Protection Agency (AZOP)
Questions about security or privacy?
Write to podrska@getpatrono.com. We respond within 24 hours on business days.