GDPR Compliance

Last updated: February 2026

1. Our Commitment to GDPR

Rounded Square d.o.o. (registration number: 9572660000, VAT: SI31966837), with its registered office at Zgornje Hoče 6C, 2311 Hoče, Slovenia, is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). The GDPR standardizes data protection law across all EU/EEA member states and imposes strict rules on controlling and processing personally identifiable information. We take our obligations seriously and have implemented comprehensive measures to ensure full compliance.

2. Data Processing Principles

We process personal data in accordance with the core principles set out in Article 5 of the GDPR:

  • Lawfulness, fairness and transparency: We process data lawfully, fairly, and in a transparent manner. We always inform data subjects about the processing of their personal data.
  • Purpose limitation: We collect data for specified, explicit, and legitimate purposes and do not further process it in a manner that is incompatible with those purposes.
  • Data minimization: We ensure that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy: We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Inaccurate data is erased or rectified without delay.
  • Storage limitation: We keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.
  • Integrity and confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
  • Accountability: We are responsible for, and are able to demonstrate compliance with, all of the above principles.

3. Lawful Bases for Processing

We only process personal data where we have a lawful basis to do so under Article 6 of the GDPR. The lawful bases we rely on include:

  • Consent (Article 6(1)(a)): The data subject has given clear consent for us to process their personal data for a specific purpose.
  • Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
  • Legal obligation (Article 6(1)(c)): Processing is necessary for compliance with a legal obligation to which we are subject.
  • Legitimate interests (Article 6(1)(f)): Processing is necessary for the purposes of our legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

4. Your Rights Under GDPR

If you are a resident of the European Economic Area (EEA), you have the following rights under the GDPR:

  • Right of access (Article 15): You have the right to obtain confirmation as to whether personal data concerning you is being processed, and to request a copy of that data.
  • Right to rectification (Article 16): You have the right to request the correction of inaccurate personal data and to have incomplete data completed.
  • Right to erasure (Article 17): You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing ("right to be forgotten").
  • Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data under certain circumstances.
  • Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Rights related to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.

To exercise any of these rights, please contact us at info@roundedsq.com. We will respond to your request within 30 days. If we need more time, we will inform you of the reason and extension period (up to two additional months).

5. Technical and Organizational Measures

We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit (TLS/SSL) and at rest where appropriate.
  • Access controls ensuring that only authorized personnel can access personal data on a need-to-know basis.
  • Regular security assessments and penetration testing of our systems.
  • Employee training on data protection and security awareness.
  • Incident response procedures for prompt detection, reporting, and investigation of data breaches.
  • Regular review and updating of our security practices.

6. Data Breach Notification

In the event of a personal data breach, we will notify the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) within 72 hours of becoming aware of the breach, where feasible, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also inform those individuals without undue delay, providing clear information about the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach.

7. Data Protection Impact Assessments

Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, we carry out a Data Protection Impact Assessment (DPIA) prior to processing. This assessment evaluates the necessity, proportionality, and compliance measures of the processing, as well as the risks to data subjects and the measures to mitigate those risks.

8. International Data Transfers

Where we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards may include:

  • Transfers to countries recognized by the European Commission as providing an adequate level of data protection.
  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Binding Corporate Rules where applicable.

9. Data Processing Agreements

Where we engage third-party processors to process personal data on our behalf, we enter into Data Processing Agreements (DPAs) in accordance with Article 28 of the GDPR. These agreements ensure that processors provide sufficient guarantees to implement appropriate technical and organizational measures and comply with GDPR requirements.

10. Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. For Slovenia, the supervisory authority is:

  • Informacijski pooblaščenec (Information Commissioner)
  • Dunajska cesta 22, 1000 Ljubljana, Slovenia
  • Phone: +386 1 230 97 30
  • Website: www.ip-rs.si

11. Changes to This Statement

We may update this GDPR Compliance statement from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.

12. Contact Us

If you have any questions about this GDPR Compliance statement, or if you would like to exercise your rights, please contact us:

  • Rounded Square d.o.o.
  • Zgornje Hoče 6C, 2311 Hoče, Slovenia
  • Email: info@roundedsq.com
  • Registration Number: 9572660000
  • VAT: SI31966837