Privacy Policy

Last updated: 2026-02-19

Data Controller

Vaclav Dovnar, an individual cybersecurity consultant based in Serbia.

All data protection requests (access, rectification, erasure, and other rights under GDPR) must be submitted exclusively through the privacy request form at the bottom of this page. This ensures proper processing, tracking, and timely response within the 30-day period required by law.

For business inquiries unrelated to data protection, use the contact form on the main page.

What Data We Collect and Why

Contact Form

When you submit our contact form, we collect the following information:

  • Name, email address, Telegram handle, company website, role, message, and selected project interests — to respond to your inquiry and discuss potential consulting services
  • Hashed IP address (SHA-256, non-reversible), browser type, country, and submission timestamp — to protect against abuse and spam

We retain inquiry data for 12 months from submission. If we enter into a business relationship, data is retained for the duration of that relationship plus any legally required period. Anti-abuse metadata (IP hash, user agent, Cloudflare Ray ID) is deleted after 90 days. You may request deletion at any time.

Website Analytics

We use Umami (umami.is), a privacy-focused analytics platform, to understand how visitors use our website. Umami collects:

  • Page views, referrer URL, browser type, operating system, device type, country, and screen size

Umami does not collect IP addresses, does not use cookies, does not assign personal identifiers, and does not track visitors across websites. All data is aggregated and anonymized. No cookie consent banner is required.

No Marketing, No Data Sales

We do not use your data for marketing purposes. We do not send newsletters, promotional emails, or follow-up campaigns unless you explicitly request them. We do not sell, rent, or trade your personal data to third parties. Your data is used solely to respond to your inquiry and, if applicable, to provide consulting services.

Who Receives Your Data

We share your data with the following service providers who help us operate this website and respond to your inquiries:

Provider | Purpose | Country | Safeguards
Cloudflare, Inc. | Website hosting, content delivery, form processing, and data storage (Cloudflare D1 with EU jurisdiction) | United States | EU Standard Contractual Clauses (SCCs), EU-US Data Privacy Framework
Umami Software, Inc. | Privacy-focused website analytics (no personal data collected) | United States | No personal data is collected or transferred — all analytics are fully anonymized
Telegram Messenger Inc. | Internal controller notification — a summary of the inquiry (name, contact method, project type) is forwarded to the controller's private channel to enable timely response. No technical metadata (IP, user agent, CF-Ray) is transmitted. | United Arab Emirates / United Kingdom | Data is transmitted to a private channel accessible only to the controller. Telegram acts as a communication tool, not as a data processor. Telegram privacy policy: telegram.org/privacy

Sharing Data to Provide Services

If we enter into a consulting engagement, we may share relevant data with trusted third parties strictly as necessary to deliver the agreed services — for example, with subcontractors, auditors, or certification bodies involved in your project. In such cases, we will inform you in advance, ensure appropriate data protection agreements are in place, and share only the minimum data necessary. We never share your data for purposes unrelated to the services you requested.

International Data Transfers

Your data may be processed outside the European Economic Area (EEA) by our infrastructure providers. For transfers to the United States, we rely on EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework. Our analytics provider (Umami) does not collect personal data, so no personal data transfer occurs for analytics purposes. Form submission data is stored in Cloudflare D1 with EU jurisdiction enabled, ensuring data residency within the European Union.

Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of your data
  • Right to rectification — correct inaccurate data
  • Right to erasure — request deletion of your data ('right to be forgotten')
  • Right to restrict processing — limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interest

To exercise any of these rights, submit a request through the dedicated privacy form below. Do not use the general contact form — privacy requests submitted through other channels may not be processed within the required timeframe.

You also have the right to lodge a complaint with a supervisory authority. The relevant authority is the Commissioner for Information of Public Importance and Personal Data Protection of the Republic of Serbia (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) — poverenik.rs

Cookies and Tracking

This website does not use cookies. We do not use Google Analytics, Facebook Pixel, advertising scripts, or any other tracking technologies that follow you across the internet. Our analytics tool (Umami) is completely cookie-free and collects no personally identifiable information. Because no cookies or personal tracking are used, no cookie consent banner is needed.

Automated Decision-Making

We do not use automated decision-making or profiling as defined in Article 22 GDPR. All decisions regarding your data are made by the site operator personally.

Source of Data

We collect personal data only directly from you through our website forms. We do not obtain your data from third parties.

Age Restriction

Our services are directed at business professionals and are not intended for individuals under 16 years of age. We do not knowingly collect data from minors.

Records of Processing Activities

We maintain Records of Processing Activities (ROPA) in accordance with Article 30 GDPR, documenting all processing operations, their purposes, legal bases, and safeguards.

Data Security

We implement appropriate technical and organizational measures to protect your data, including: encrypted transmission (HTTPS/TLS for all connections), hashed IP storage (SHA-256 with salt, non-reversible), anti-bot protection (token-based verification), rate limiting (to prevent abuse), and access controls on data storage. For detailed information about our security measures, see our Security page.

Changes to This Policy

We may update this policy from time to time. The latest version is always available at this URL with the 'Last updated' date shown at the top. For material changes, we will note the changes on this page.

Exercise Your Privacy Rights

Use the form below to submit a data protection request. We will confirm receipt and respond within 30 days.

This form collects only the minimum data necessary to process your privacy request (Article 5(1)(c) GDPR). Your request is stored until fulfilled and deleted within 30 days of completion.