Terms of privacy and data processing​

Ambacia handles your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and other applicable laws.

Ambacia follows basic GDPR principles when handling your personal data. We only collect data that is strictly necessary and relevant for each situation, we handle it fairly and legally, and we always make sure it’s kept safe from unauthorized access. We keep your data only as long as necessary for the stated purpose, and if personal data becomes inaccurate, we make sure to quickly correct or remove it, ensuring the accuracy of your data.

Data controller

Ambacia IT Connect d.o.o. with registered seat in Zagreb, Ulica Charlesa Darwina 6F, PIN: 65365985145 (hereinafter: Ambacia IT Connect), together with its affiliated companies:

  • a) AMBACIA d.o.o. with registered seat in Zagreb, Ulica Charlesa Darwina 8, PIN: 85634586995 (hereinafter: Ambacia d.o.o.);
  • b) Ambidextre d.o.o. with registered seat in Zagreb, Ulica Charlesa Darwina 6F, PIN: 20320070461 (hereinafter: Ambidextre),


provides various services related to employment, including but not limited to recruitment, staffing, employment mediation, employment agency services, services to connect IT teams or companies with potential clients to collaborate on various projects or providing various IT services independently (hereinafter: Services).

For the purposes of this Privacy Policy, Ambacia IT Connect, Ambacia d.o.o. and Ambidextre are considered Ambacia’s entities.

When providing recruitment services as described below under point a) of Purposes, which services are primarily regulated by this Privacy Policy, Ambacia IT Connect, acts as a data controller.

When providing services connected to the „Luminary IT“ services, each Ambacia’s entity on various occasions and for the Purposes stated within this Privacy Policy under point b) below, can be considered a data controller or data processor and, sometimes, jointly with another Ambacia’s entity or entities, a joint controller.

For all inquiries and complaints regarding the security and privacy of your personal data, and as well as to ascertain the specific role of an Ambacia’s entity in your particular case, please reach out to us via email at: [email protected].

Legal basis for the processing

Generally, we might process your personal data based on 3 legal bases:
  • a) Legitimate interest (e.g., when we contact you via social media);
  • b) Consent (e.g., when you agree that we contact you if employment opportunity occurs);
  • c) Legal obligation (e.g., when we receive a legitimate request for information from the competent authority).

The purposes of the processing, time period of storing data

Ambacia collects and uses your data for the following purposes (hereinafter: Purposes):

a) Conducting the recruitment process and connecting you with potential employers

Ambacia acts as a recruiter so, it is within our legitimate interest to ensure that we acquire appropriate, talented candidates to provide to our clients.

Generally, we source individuals online, on professional social networking platforms, to find suitable candidates for a specific position. In this case we do not collect more data than what is strictly necessary and relevant for such position.

We always use our sources lawfully.

When you make contact with us directly through our web site, phone, email or any of our social network, or when you apply for our job posting, you are consenting to Ambacia acting as an agent for you in your pursuit of an employment position with a third party until you either opt-out (which you can do at any stage) or we decide to cease in promoting you to potential employers.

When you provide us with your personal data information for employment purposes, whether on your own initiative or ours, we will exclusively use it for the specific position you are currently applying for. Such data will only be retained throughout the job application process.

Alternatively, you have the option to give us your consent to keep your data for two years after the closure of the relevant job contest. In that case, if a position matching your profile and qualifications arises during this period, we will get in touch with you.

You have the option, at any time, to withdraw your consent at [email protected].

The withdrawal of your consent does not affect the lawfulness of processing based on consent before your withdrawal.
Also, your satisfaction is our top priority. To consistently deliver the highest quality of Services to you, our clients and all future users of our Services, we highly value your feedback. It is within our legitimate interest to ask for your feedback regarding your satisfaction with the Services provided and the working conditions at the employer to whom we have referred you.

For that purpose (getting your feedback), we process only your first name, last name, e-mail address, mobile/phone number. We will process the respective data only for as long as necessary to fulfill the purpose of processing. We will contact you within a reasonable time frame and only as necessary for the purpose of obtaining your feedback.

b) Provision of the „Luminary IT“ services

Once we establish contact with you, whether we reached out to you or vice versa, as per agreement, we can discuss a collaboration that goes beyond recruitment in terms of connecting you with future employers or clients. This collaboration may involve working with various of our clients, business partners, including ourselves (Ambacia’s entities), on different legal bases.

For the above purposes, Ambacia may collect:

  • Identification and contact information such as: name, surname, date of birth, photograph e-mail address, mobile/phone number, residential address;
  • Professional data: data related to your previous employment and education, including all data from CV, your references;
  • Social network hyperlinks, communication platforms usernames.


We also collect other, Internet browser data, which is regulated in a separate cookie policy.

Only with your explicit consent can we collect special category data. This includes both health  data and data on criminal records. Employers sometimes request such data, as they are part  of special job requirements. Such data will only be retained throughout the job application  process.

Where we store your data and who do we share your data with

Within Ambacia, access to your personal data is limited to essential information only and is shared internally with our employees as necessary.
For the successful execution of our Services, we share your data with your potential employers – our clients and sometimes with Ambacia’s entities as stated in this Privacy Policy. To offer the best Services, we partner with carefully selected companies and digital service providers and use their tools and services.

Companies we cooperate with have their servers within the EU, so if we store your data using such tools and services, it is always within EU.

We may be legally obliged to disclose your personal data within the legal process, or court order from governmental authorities, for the purposes of law enforcement, national security, anti-terrorism, or other issues that are related to public security.

You may request a full list of the parties to whom we disclose your data by contacting us at [email protected].

Third country data transfers

We strive to process most of your data within the EU. However, in the future, we may use some third-party tools from providers outside the EU. In line with GDPR, personal data can be transferred to a third country or international organization if they guarantee sufficient protection. However, some countries lack adequacy decisions. In these situations, in accordance with GDPR we transfer your data with extra safeguards in place.

For more information, please contact us at [email protected].

Your rights under GDPR

  1. Right to be informed (GDPR Article 13 and 14) – within this Privacy Policy and also on your request, you can obtain identity information on Ambacia’s entities, contact data, the purposes of the processing and the legal basis for the processing of data, recipients, transfers to third countries, storage period, ability to withdraw consent, etc;
  2. Right of access (GDPR Article 15) – you have a right to ask us if and which of your personal are being processed, where, why, for how long and who are they shared with;
  3. Right to rectification (GDPR Article 16) – you have a right to correct and supplement incomplete personal data;
  4. Right to erasure or right to be forgotten with additional stipulations, among others if personal data has been made public (GDPR Article 17) – you can ask us to delete your personal data if they are no longer necessary in relation to the purpose of the processing, in case you have withdrawn your consent to the processing, etc;
  5. Right to restriction of processing (GDPR Article 18) – in certain situations you have the right to request that the processing be limited with the exception of storage and some other types of processing;
  6. Right to data portability (GDPR Article 20) – means you have the right to receive your personal data previously provided to us in a structured form and in a commonly used and machine-readable format and transmit it to another controller if the processing is carried out by automated means and is based on the consent or contract;
  7. Right to object (GDPR Article 21) – in certain circumstances, depending on the purposes for processing and legal basis for processing, you can object to the processing of your personal data;
  8. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on you (GDPR Article 22) – (this is just a legal possibility – we won’t be deciding on your rights based on automated processing).


At any time, you have the right to lodge a complaint with a supervisory body. The supervisory body in the Republic of Croatia is Croatian Personal Data Protection Agency, Zagreb, Selska cesta 136, e-mail: [email protected].

If data was collected based on your consent, you can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

For more information and for executing your rights, please contact us at [email protected].

If you do not provide personal data to Ambacia, we will not be able to connect you with your potential employers and provide you with the opportunity for employment. Furthermore, we will not be able to establish any other collaboration.

Name and Surname