Privacy Policy
1. General Provisions
1.1. Data Controller
The controller of personal data is:
INDIVIDUUM DOO (hereinafter — the "Company")
Address: Kraljevačka 68, 11010, Belgrade (Voždovac), Serbia
Registration No.: 21782050
Tax ID (PIB): 112981959
Email: help@kiki.express
1.2. Purpose of the Policy
This Privacy Policy (hereinafter — the "Policy") describes what personal data the Company collects when you use its mobile application and website (hereinafter — the "Service"), and how the Company processes, stores, and protects that data.
1.3. Acceptance of the Policy
Use of the Service constitutes the User's agreement with the terms of this Policy. When registering, the User confirms that they have reviewed the Policy by checking the corresponding box.
If the User does not agree with the terms of the Policy, the User must cease using the Service.
1.4. Governing Law
The processing of personal data is carried out in accordance with:
The Personal Data Protection Act of the Republic of Serbia (Zakon o zaštiti podataka o ličnosti, "ZZPL")
The General Data Protection Regulation of the European Union (GDPR) — for the processing of data of EU residents
2. What Data We Collect
2.1. Data Provided by the User at Registration
First and last name (or business name of a legal entity)
Mobile phone number
Email address
Password (stored in encrypted form; the Company does not have access to the plaintext)
For legal entities — company details (name, Registration No., Tax ID, address)
2.2. Data Provided When Placing an Order
Pickup address for the Shipment
Delivery address for the Shipment
Recipient's name and contact phone number
Description, weight, and category of the Shipment
Declared value of the Shipment (where applicable)
Instructions for the Courier
2.3. Payment Data
For payments by bank card:
Bank card data is processed directly by the payment provider in accordance with PCI DSS standards
The Company does not store full bank card data
The Company receives a card token and payment status from the payment provider
For cash payments:
Payment data is not transmitted through the Service
2.4. Technical Data
When the App is used, the following data is collected automatically:
IP address of the device
Device type, model, operating system, and OS version
App version
Device identifier (Advertising ID, where consent has been given)
App usage logs (login times, actions, errors)
Push token for sending notifications
2.5. Geolocation
With the User's consent, the App accesses the device's geolocation to:
Determine the User's current location
Provide address suggestions
Calculate delivery distance and price
The User may withdraw consent for geolocation use in their device settings. Without access to geolocation, some App features may be unavailable.
2.6. Communications with Customer Support
The content of the User's communications with customer support and the Company's responses are retained for the purpose of:
Ensuring service quality
Analyzing common issues
Resolving disputes
2.7. Marketing Data
With the User's consent, the Company processes:
Order history for personalizing offers
Engagement with marketing communications (email opens, link clicks)
Preferences regarding types of services
3. Purposes and Legal Bases for Processing
3.1. Performance of a Contract
Purpose: providing delivery services, processing Orders, settlements with Users, customer support
Data: registration data, Order data, payment data, support communications
Legal basis: Article 6(1)(b) GDPR — performance of a contract with the data subject
Compliant with ZZPL.
3.2. Compliance with Legal Obligations
Purpose: complying with tax and accounting laws, responding to requests from competent authorities
Data: financial information regarding Orders and payments
Legal basis: Article 6(1)(c) GDPR — compliance with a legal obligation
Retention period: in accordance with the requirements of applicable law (for financial records — no less than 10 years)
3.3. Legitimate Interests of the Company
Purpose: ensuring Service security, preventing fraud, analyzing and improving the Service, defending the Company's rights in disputes
Data: technical data, usage logs, support communications
Legal basis: Article 6(1)(f) GDPR — legitimate interests of the controller
Balancing of interests: the Company's interest in protecting against fraud and improving the Service does not override the fundamental rights of Users
3.4. Consent
Purpose: marketing communications, background use of geolocation, behavioral analytics
Data: contact data for communications, geolocation, marketing data
Legal basis: Article 6(1)(a) GDPR — consent of the data subject
Withdrawal of consent: at any time through the App settings or by submitting a request to customer support
4. Sharing of Data with Third Parties
4.1. Couriers
The following information necessary for fulfilling an Order is shared with Couriers:
Sender's name and contact phone number
Pickup address
Recipient's name and contact phone number
Delivery address
Description of the Shipment
Delivery instructions
Couriers are required to maintain the confidentiality of the data they receive and to process it solely for the purpose of fulfilling the Order.
4.2. Payment Providers
For card payments, data is transmitted to the payment provider for payment processing. The payment provider processes data in accordance with its own privacy policy and PCI DSS standards.
4.3. Technology Providers
The Company uses the following providers to support the Service:
Google Firebase (Google Ireland Limited) — data hosting, authentication, analytics, push notifications. Data is stored on servers in the EU and the United States
Yandex — mapping services, geocoding (through the APIs provided)
Email providers — sending transactional and marketing emails
SMS providers — sending SMS notifications and OTP codes
Data processing agreements have been entered into with these providers, ensuring an appropriate level of protection.
4.4. Government Authorities
Data may be shared with government authorities of the Republic of Serbia in cases provided for by law, including:
In response to a court order or other requests from competent authorities
With tax authorities — with respect to financial information
With law enforcement — in cases relating to the investigation of offenses
4.5. Transfers of Data Outside Serbia and the EU
When the Service is used, some data may be stored on servers outside the Republic of Serbia and the EU (in particular, on Google's infrastructure in the United States). Such transfers are carried out on the basis of:
European Commission adequacy decisions
Standard Contractual Clauses (SCCs)
Other protective mechanisms provided for under the GDPR and the ZZPL
5. Data Retention Periods
Category of Data - Retention Period
Active account data - While the account is active
Data after account deletion - Anonymization within 30 days
Order history - 10 years (required by tax and accounting law)
Financial records - 10 years
Customer support communications - 3 years from the closing of the request
Marketing consents - Until consent is withdrawn
Technical logs - 90 days
Push tokens - Until the account is deleted or notification consent is withdrawn by disabling the feature in the app
6. Rights of Data Subjects
In accordance with applicable law, the User has the following rights:
6.1. Right to Information
The User has the right to receive information about the processing of their personal data, including through this Policy and upon request to customer support.
6.2. Right of Access
The User has the right to request a copy of all of their personal data processed by the Company. Requests may be submitted through customer support or by email. A response will be provided within 30 days.
6.3. Right to Rectification
The User has the right to request the correction of inaccurate or incomplete data. The User can correct basic data themselves through the App settings.
6.4. Right to Erasure ("Right to Be Forgotten")
The User has the right to request the deletion of their personal data in the following cases:
The data is no longer needed for the purposes of processing
The User has withdrawn consent
The data was processed unlawfully
Deletion is available through the App or upon request to customer support. The right to erasure does not apply to data that the Company is required by law to retain (financial records and similar).
6.5. Right to Restriction of Processing
The User has the right to request restriction of the processing of their data in the cases provided for by law.
6.6. Right to Data Portability
The User has the right to receive their data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
6.7. Right to Object
The User has the right to object to the processing of their data, including for direct marketing purposes. Upon objection to marketing, processing for that purpose ceases immediately.
6.8. Right to Withdraw Consent
The User has the right to withdraw any previously given consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
6.9. Right to Lodge a Complaint
The User has the right to lodge a complaint with the supervisory authority:
Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti (Commissioner for Information of Public Importance and Personal Data Protection)
Address: Bulevar kralja Aleksandra 15, 11000 Belgrade
Email: office@poverenik.rs
Website: www.poverenik.rs
6.10. Exercising Your Rights
To exercise any of the rights listed above, the User may contact the Company:
Through customer support in the App
By email: help@kiki.express
The Company responds to requests within 30 days of receipt. In complex cases, this period may be extended by 60 days, with notice to the User.
Rights may be exercised free of charge. In the case of manifestly unfounded or excessive requests, the Company reserves the right to charge a reasonable fee or refuse to act on the request.
7. Cookies and Similar Technologies
7.1. What Cookies Are
Cookies are small text files stored on the User's device when using a website. The mobile App uses similar technologies (local storage, device identifiers).
7.2. Which Cookies Are Used
Essential cookies — necessary for the operation of the Service (authentication, saving preferences)
Analytics cookies — used to analyze how the Service is used (Firebase Analytics)
Marketing cookies — used to personalize advertising (with consent)
7.3. Managing Cookies
The User can manage the use of cookies through their browser settings or App settings. Disabling essential cookies may make it impossible to use the Service.
8. Data Security
The Company implements organizational and technical measures to protect personal data, including:
Encryption of data in transit (TLS/SSL)
Encryption of sensitive data at rest
Access controls for employees and partners
Regular security audits
Data backups
Monitoring of suspicious activity
8.1. Data Breach Notification
In the event of a personal data breach, the Company will:
Notify the Commissioner for Personal Data Protection (Poverenik) within 72 hours of becoming aware of the breach
Notify affected Users in cases of high risk to their rights and freedoms
9. Minors
The Service is not intended for use by individuals under 18 years of age. The Company does not knowingly collect personal data from individuals under 18.
If the Company becomes aware of an account belonging to a minor, that account will be deleted and the data anonymized.
Parents (legal guardians) who discover that their child has provided personal data to the Company may contact the Company to request deletion of the data.
10. Changes to the Policy
The Company reserves the right to modify this Policy. Users will be notified of material changes through:
The App
Email
The website
Notification will be provided no less than 14 calendar days prior to the changes taking effect.
Continued use of the Service after notification constitutes acceptance of the updated version.
11. Contact Information
For any questions regarding the processing of personal data, please contact us by email at: help@kiki.express
Published on May 20, 2026. Version 2.1.2.