1. Introduction
Virtual Era Ltd. ("Virtual Era", "we", "our", "us") is committed to protecting the privacy of our clients, partners, website visitors, candidates, suppliers, and other individuals whose personal data we process in the course of our operations across the Republic of Kosova, Albania, North Macedonia, Montenegro, and any other jurisdiction in which we operate or to which we direct our services.
This Privacy Policy explains how we collect, use, disclose, and protect personal data. It is anchored to Kosovo Law No. 06/L-082 on Personal Data Protection ("the Law"), Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"), Regulation (EU) No 910/2014 on electronic identification and trust services ("eIDAS"), and Directive (EU) 2022/2555 on measures for a high common level of cybersecurity ("NIS2"), together with the equivalent national implementations of these instruments in our other operating markets.
2. Who we are
Virtual Era Ltd. is a limited-liability company incorporated in the Republic of Kosova under Company No. 810522351, with registered headquarters at Rr. Agim Ramadani, Hy. C3, Nr. 2, 10000 Prishtina, Republic of Kosova.
For the purposes of Article 4(7) GDPR and the equivalent provisions of Kosovo Law No. 06/L-082, Virtual Era acts as a data controller in respect of personal data we collect in our own business activities (e.g. enquiries via our website, recruitment, sales, marketing, partner relationships). For client engagements where we process personal data on behalf of a client, we act as a data processor; the scope of that processing is governed by the Data Processing Agreement ("DPA") executed with the client.
Our Data Protection Officer (DPO) can be contacted at dpo@virtualera.net or by post at the registered headquarters above, marked for the attention of the DPO.
3. What personal data we collect
We collect and process the following categories of personal data:
- Identification and contact data — name, work email address, work telephone, employer, job title, country of residence or business.
- Professional data — for recruitment candidates: CV, employment history, education, references, professional certifications, work-permit status (where lawfully required).
- Engagement data — meeting notes, support tickets, training attendance, communications history, contracts and related correspondence.
- Technical and usage data — IP address, device and browser identifiers, log data, cookie identifiers (see our Cookie Policy for detail).
- Client-instructed data — where we process data on behalf of a client under a DPA, the categories are defined in the DPA's processing schedule.
We do not knowingly collect personal data from minors. Our services are directed at organisations and the professionals who represent them.
4. Legal bases for processing
We rely on the following lawful bases under Article 6(1) GDPR and the corresponding provisions of Kosovo Law No. 06/L-082:
- Contract performance (Article 6(1)(b)) — to deliver services to clients, manage engagements, and perform our employment and supplier contracts.
- Legitimate interests (Article 6(1)(f)) — for prospect outreach to identified business contacts, recruitment activity, partner relationship management, fraud prevention, network and information security, and the establishment, exercise, or defence of legal claims. Where we rely on legitimate interests, we conduct a documented balancing test and respect data subject objections.
- Consent (Article 6(1)(a)) — for marketing communications to individuals (where applicable), for certain cookies, and for any processing involving special categories of data under Article 9(2)(a). Consent is freely given, specific, informed, and withdrawable at any time without affecting the lawfulness of processing before withdrawal.
- Legal obligation (Article 6(1)(c)) — to comply with tax, accounting, anti-money-laundering, employment, and other statutory or regulatory obligations in our operating jurisdictions.
5. How we use personal data
Personal data is used to:
- Deliver the services our clients have engaged us to provide.
- Respond to enquiries and manage business relationships with clients, prospective clients, partners, and suppliers.
- Recruit new staff and process employment-related information.
- Send transactional communications, and (where consented or otherwise lawful) commercial communications about our services, events, and content.
- Maintain the security, integrity, and resilience of our information systems — including in accordance with Article 21 NIS2 and Article 32 GDPR.
- Comply with our legal, regulatory, and corporate-governance obligations.
We do not sell personal data to third parties under any circumstances.
6. Disclosure to third parties
We disclose personal data only where necessary and only to the following categories of recipient:
- Sub-processors — vetted providers of cloud, communications, security, professional services, and similar functions, each bound by written contracts compliant with Article 28 GDPR. A current sub-processors register is available on request to dpo@virtualera.net.
- Professional advisers — legal counsel, auditors, tax advisers, insurers, each bound by professional confidentiality.
- Public authorities — where we are required by law to disclose personal data to law-enforcement, regulators, tax authorities, or courts in our operating jurisdictions.
- Authorised business partners — vendors and partners with whom we collaborate to deliver client engagements, where the disclosure is explicitly authorised by the data subject or by the underlying contract.
7. International transfers
Where personal data is transferred outside the European Economic Area or outside the territories afforded an equivalent level of protection by the European Commission, we rely on the transfer mechanisms permitted under Chapter V GDPR and the equivalent provisions of Kosovo Law No. 06/L-082. These include:
- European Commission adequacy decisions (where applicable);
- Standard Contractual Clauses adopted by the European Commission, combined with documented transfer-impact assessments;
- Binding Corporate Rules where the recipient is part of a group with approved BCRs;
- Specific derogations under Article 49 GDPR, used only on an exceptional basis.
8. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, plus any period required by applicable law. Indicative retention periods:
- Sales and CRM contact data: up to thirty-six (36) months from last meaningful interaction, after which the record is anonymised or deleted.
- Recruitment data for unsuccessful candidates: up to twelve (12) months unless the candidate consents to retention in our talent pool.
- Client engagement records and DPAs: for the duration of the engagement plus the statutory limitation period thereafter.
- Financial and accounting records: as required by tax law in each operating market — typically a minimum of ten (10) years in Kosova.
- Security and audit logs: typically twelve (12) months, longer where required for active investigation.
Specific retention periods can be obtained on request from our DPO.
9. Your rights
Under GDPR and the equivalent provisions of Kosovo Law No. 06/L-082, you have the following rights in respect of your personal data:
- Right of access (Article 15) — to obtain confirmation of whether we process your personal data and, if so, a copy.
- Right to rectification (Article 16) — to have inaccurate data corrected and incomplete data completed.
- Right to erasure (Article 17) — subject to the lawful grounds for retention.
- Right to restrict processing (Article 18).
- Right to data portability (Article 20) — for data processed on the basis of consent or contract by automated means.
- Right to object (Article 21) — including an unconditional right to object to direct marketing.
- Right not to be subject to automated decision-making (Article 22). Virtual Era does not currently make decisions producing legal or similarly significant effects on individuals solely on the basis of automated processing.
- Right to withdraw consent at any time, where processing is based on consent.
- Right to lodge a complaint with the competent supervisory authority — in Kosova, the Information and Privacy Agency (IPA), and in each EU member state the national data protection authority.
To exercise any of these rights, contact our DPO at dpo@virtualera.net. We will respond within one month of receiving a verifiable request, with one further extension of up to two months where the request is complex (Article 12 GDPR).
10. Security
We implement administrative, technical, and physical security measures appropriate to the risk presented by our processing activities, consistent with Article 32 GDPR and Article 21 NIS2. Measures include:
- Access control on a least-privilege and need-to-know basis.
- Encryption of personal data in transit (TLS 1.2 and above) and at rest.
- Network segmentation, firewalls, and continuous endpoint monitoring.
- Regular vulnerability assessment, penetration testing, and security review.
- Documented incident-response and business-continuity procedures.
- Staff training on data protection and information security at induction and annually thereafter.
- Supplier and sub-processor due diligence and contractual security obligations.
In the unlikely event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach (Article 33 GDPR; comparable provisions of Kosovo Law No. 06/L-082) and, where the breach is likely to result in a high risk, communicate the breach to affected individuals without undue delay (Article 34 GDPR).
11. Trust services and electronic identification (eIDAS)
Where Virtual Era processes personal data in connection with the issuance or verification of qualified electronic signatures, qualified electronic seals, qualified time stamps, qualified electronic registered delivery services, or other trust services as defined under eIDAS, such processing is conducted in accordance with the additional requirements of eIDAS and any national implementing legislation. Use of trust services in client engagements is documented in the applicable engagement contract.
12. Cookies and similar technologies
Our use of cookies and similar technologies is described in detail in our Cookie Policy, which forms part of this Privacy Policy.
13. Children
Our services are not directed at children below the age of sixteen (16) years and we do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact our DPO.
14. Changes to this policy
We may amend this Privacy Policy from time to time to reflect changes in our processing activities or in applicable law. The "Last updated" date at the top of this policy indicates when it was last revised. Material changes will be communicated to data subjects through prominent notice on our website and, where appropriate, by direct communication.
15. Contact
For any question about this Privacy Policy or about our processing of personal data, please contact:
- Data Protection Officer: dpo@virtualera.net
- Legal team: legal@virtualera.net
- Postal: Virtual Era Ltd., Attn: Data Protection Officer, Rr. Agim Ramadani, Hy. C3, Nr. 2, 10000 Prishtina, Republic of Kosova.