PRIVACY POLICY

This Privacy Policy is designed to ensure the protection of personal data processed by PHARMACY INSTITUTION "NORAPHARM", in accordance with the Law on Personal Data Protection ("Official Gazette of RS", No. 87/2018). It applies to customers, website visitors, and users of the "RORI" mobile application.

Last updated: March 20, 2026

1. DATA CONTROLLER INFORMATION

Data Controller: PHARMACY INSTITUTION "NORAPHARM"

Registered address: Belgrade – Kaluđerica, Grocka, Vojvode Stepe Stepanovića 9/lok 1

Registration number: 17907484

Tax ID: 110138757

Data Protection Officer: Marija Mladenović

Contact: 063-8952-662 | marija.mladenovic@norapharm.rs

2. GENERAL PRINCIPLES

We process only the data that is necessary, for clearly defined purposes, in a lawful and transparent manner. Data is stored securely and is not shared with third parties without a legal basis.

3. DATA COLLECTED AND PURPOSE OF PROCESSING

3a. Customer / User Account

During registration, we collect the following data:

• First and last name
• Email address
• Phone number
• Residential address and delivery address
• Year of birth – solely for the purpose of age verification, to prevent the purchase of certain products by minors

For legal entities: company name, registration number, registered address, delivery address, contact phone.

Legal basis: Performance of contract (Article 12, Paragraph 1, Item 2 of the LPDP).

Retention period: During the existence of the account; upon account deletion, data is permanently removed within 30 days.

3b. Purchase Agreement

Data is collected for order processing and delivery: first name, last name, address, phone, email, billing information.

Retention period: 3 years from the conclusion of the agreement, in accordance with legal obligations.

3c. Therapy Reservation

First and last name, phone, email address – for the purpose of reserving and collecting therapy.

Retention period: 3 years.

3d. Ask a Pharmacist – Online Consultation

By entering this section and sending a message to the pharmacist, the user is considered to be informed of the following processing conditions:

• Data that the user voluntarily provides (gender, age, weight, health condition, symptoms, etc.) is processed solely for the purpose of pharmaceutical counseling and recommending appropriate therapy
• Data is not used for any other purpose and is not shared with third parties
• All data from the conversation is permanently deleted 48 hours after the conversation ends
• Processing is carried out based on voluntary consent given by the user upon entering the section and sending a message

Note for app users: A visible notice about these conditions is displayed before the start of each conversation with the pharmacist.

3e. Geolocation

Geolocation data is collected exclusively during active delivery, based on prior consent given by the user in device settings. Outside of that period, geolocation is neither collected nor stored.

4. DATA PROCESSORS (THIRD PARTIES)

Your data may be accessible to the following processors, with whom we have concluded data processing agreements:

4a. Infrastructure and Hosting

Digital Ocean LLC – hosting services

• Server location: Frankfurt, Germany (EU)
• Data Processing Agreement has been concluded

4b. Email Communication

Mailjet SAS (Sinch Group) – sending transactional and marketing emails

• Headquarters: France (EU)
• Data processed: email address, name
• Data Processing Agreement has been concluded

4c. Analytics

Google Analytics 4 (Google LLC) – analysis of app and website usage

• Company headquarters: USA; processing via Google EU infrastructure
• Data processed: pseudonymized user behavior data, visit statistics
• IP addresses are pseudonymized (truncated) before processing
• Users can decline analytics cookies via the consent banner on the website

Amplitude Inc. – mobile app and website analytics

• Data processing location: EU
• Data processed: pseudonymized user behavior data, events, sessions
• Data is not used for direct advertising purposes

Legal basis for analytics: Legitimate interest of the controller (Article 12, Paragraph 1, Item 6 of the LPDP) – improving app and website functionality, usage analysis, and fraud prevention.

4d. Marketing and Advertising

Meta Platforms Ireland Ltd. (Facebook/Instagram) – marketing SDK and conversion tracking

• On iOS devices: use of Meta SDK is subject to App Tracking Transparency (ATT) prompt
• On Android devices: listed in the Data Safety section of Google Play Store
• On the website: Meta Pixel is activated only after the user's consent to marketing cookies

4e. Phone Number Verification

Twilio Inc. – sending SMS messages for phone number verification during registration

• Headquarters: USA; processing via Twilio infrastructure
• Data processed: user's phone number
• Purpose: sending a one-time verification code (OTP) via SMS
• The phone number is forwarded to Twilio solely for the purpose of delivering the verification SMS message
• Data Processing Agreement has been concluded

4f. Delivery Address Entry

Google Maps Platform (Google LLC) – address autocomplete and geocoding

• Company headquarters: USA; processing via Google EU infrastructure
• Data processed: delivery address entered by the user (search text, selected address, geographic coordinates)

4g. Message Translation in the App

Anthropic PBC (Claude API) – automatic translation of messages into Serbian within the app's chat functionality

• Headquarters: USA
• Data processed: exclusively the message text (message body); personal identification data is not forwarded
• Anthropic does not use forwarded data for training its models (Zero Data Retention)

5. INTERNATIONAL DATA TRANSFERS

Certain data processors listed in Section 4 are headquartered in the United States of America (Google LLC, Meta Platforms Inc., Twilio Inc., Anthropic PBC). In such cases, your data may be transferred outside the territory of the European Union.

For all international data transfers, we apply appropriate safeguards in accordance with Article 65 of the LPDP, including:

• Standard Contractual Clauses (SCC) adopted by the European Commission
• EU–U.S. Data Privacy Framework (DPF) – for certified processors
• Technical and organizational security measures (encryption, access control, data retention policies)

More information about applicable safeguards can be obtained upon request by contacting the Data Protection Officer.

6. COOKIES – WEBSITE

On the Rori.app website, we use the following cookie categories:

• Essential cookies – always active, necessary for the functioning of the website
• Analytics cookies (Google Analytics) – activated only with your consent
• Marketing cookies (Meta Pixel) – activated only with your consent

Upon your first visit to the website, a consent banner is displayed that allows you to accept or decline non-essential cookies. You can change your decision at any time.

7. DATA SECURITY

We have implemented appropriate technical and organizational protection measures:

• Communication with servers is protected by SSL/TLS encryption (HTTPS)
• Access to data is limited to employees who need it for their work
• Servers are located in the EU (Frankfurt), with EU security rules applied
• Financial transactions are processed through PCI-DSS compliant partners

8. DATA RETENTION PERIOD

Data is retained for as long as necessary for the purpose for which it was collected:

• User account – during the existence of the account + 30 days after deletion
• Purchase agreement – 3 years
• Therapy reservation – 3 years
• Ask a Pharmacist – 48 hours after the end of the conversation
• Marketing consent – until consent is withdrawn
• Geolocation – exclusively during active delivery, not stored permanently

9. RIGHTS OF DATA SUBJECTS

In accordance with the LPDP, you have the following rights:

• Right of access – you may request information about which data we process
• Right to rectification – you may request correction of inaccurate data
• Right to erasure ("right to be forgotten") – you may request deletion of data
• Right to restriction of processing – you may request temporary suspension of processing
• Right to data portability – you may obtain a copy of data in electronic form
• Right to object – particularly in the case of direct marketing
• Right to withdraw consent – at any time, without any consequences for you

You can submit requests to: 063-8952-662 or via email at marija.mladenovic@norapharm.rs.

If you believe your rights have been violated, you may file a complaint with the Commissioner for Information of Public Importance and Personal Data Protection (www.poverenik.rs).

10. CHANGES TO THE PRIVACY POLICY

We reserve the right to amend this Privacy Policy. All changes will be published on this page with an indication of the date of the last amendment. We recommend that you periodically check the current version.

11. CONTACT

Pharmacy Institution "NORAPHARM"

Vojvode Stepe Stepanovića 9/lok 1, Belgrade – Kaluđerica

Tel: 063-8952-662

Data Protection Officer: Marija Mladenović

This Privacy Policy is effective as of March 20, 2026.

© 2026 4bees. All Rights Reserved.