Privacy policy
Last updated: 06/07/2026
This policy explains how White Rook DOO, the operator of Elegant Render, processes personal data when you visit the site, request an estimate, place an order, use the portal, or contact us.
1. Controller
The controller is Društvo za grafički dizajn, proizvodnju, trgovinu i usluge, White Rook DOO Kovačica, JNA 25, 26210 Kovačica, Serbia. You can contact us at kontakt@elegantrender.rs.
White Rook DOO is established outside the European Union. Appointment of an EU representative under GDPR article 27 is pending and must be completed before public launch. The appointed representative will be added to the imprint.
2. Data we process
- Identity and contact data, such as name, email, phone, company, and country.
- Account and portal data, such as login details, project messages, order status, and support history.
- Billing and payment data, such as buyer type, invoice details, PayPal transaction references, and payment status.
- Project files and instructions, such as plans, photos, references, room notes, and uploaded deliverables.
- Technical data, such as IP address, device, browser, logs, consent choices, and security events.
- Analytics and marketing data, where you have given consent.
3. Purposes and legal bases
- To provide estimates, create orders, deliver files, and manage revision rounds - contract performance or pre-contract steps.
- To process payments, invoices, refunds, accounting, and tax records - contract performance and legal obligations.
- To secure accounts, prevent abuse, diagnose errors, and preserve service integrity - legitimate interests.
- To respond to support, complaints, and legal requests - contract performance, legitimate interests, and legal obligations.
- To measure analytics, advertising performance, and session replay - consent where required.
- To send service emails about orders, payments, files, and account access - contract performance or legitimate interests.
4. Processors and recipients
We use service providers for hosting, database and storage, email, analytics, payments, error monitoring, security, AI processing, and customer relationship management. These providers process data under contract or under their own legal obligations where they act as independent controllers, such as payment providers.
Current categories include Vercel, Supabase, Auth.js-related authentication infrastructure, Resend, PayPal, PostHog, Google Analytics and Google Tag Manager, Sentry, OpenAI or other AI providers used for AI Studio, antivirus/file scanning providers, and Bitrix24.
5. International transfers
Serbia does not currently have a European Commission adequacy decision. Because we are established in Serbia and use international providers, personal data can be transferred outside the European Economic Area.
Where GDPR transfer rules apply, we rely on appropriate safeguards such as Standard Contractual Clauses, provider data processing terms, EU-region hosting where available, transfer impact assessments, encryption in transit, access controls, and data minimisation.
6. Retention
We keep personal data only as long as needed for the purpose for which it was collected, including order delivery, accounting, tax, dispute handling, security, and legal obligations. Project files may be retained for support, revision, and audit purposes, then deleted or archived according to operational retention rules.
7. Your GDPR rights
Depending on the situation, you may have the right to access, rectify, erase, restrict, object to processing, receive a copy of your data, withdraw consent, and lodge a complaint with a data protection authority.
To exercise your rights, contact kontakt@elegantrender.rs. We may need to verify your identity before acting on a request.
8. Cookies and consent
Optional analytics, marketing, and session recording technologies are controlled through consent choices. Details are in the cookie policy.
9. Security
We use technical and organisational measures such as access control, encrypted transport, role-based permissions, logging, file scanning, and incident response procedures. No online system can be guaranteed perfectly secure, but we design the service to reduce risk and limit access to people and processors who need it.

