Privacy Policy
Last updated: March 18, 2026
This Privacy Policy explains how I collect, use, store and protect your personal data when you visit this website or use the contact form. It applies to all pages under mjovancevic.com and its language subpaths (/en/, /hr/).
1. Who is responsible for your data?
2. What data I collect and why
2.1 Contact form
When you submit the contact form, I collect:
| Data | Purpose | Legal basis |
|---|---|---|
| Full name | To address you in my response | Art. 6(1)(b) GDPR — pre-contractual steps |
| Email address | To reply to your message | Art. 6(1)(b) GDPR |
| Phone number (optional) | To contact you if you prefer a call | Art. 6(1)(a) GDPR — consent |
| Subject & message | To understand and respond to your inquiry | Art. 6(1)(b) GDPR |
I do not use your contact data for marketing, newsletters, or any purpose other than responding to your inquiry.
2.2 Analytics & website usage
I use Google Analytics 4 (GA4) and Google Tag Manager (GTM) to understand how visitors use this website. This may include pages visited, time spent, browser/device type, approximate geographic location (country/city), referral source, and interactions with page elements.
Legal basis: Art. 6(1)(a) GDPR — your consent, given via the cookie consent banner. No analytics data is collected until consent is given. You may withdraw consent at any time via the cookie settings link in the footer.
Google LLC processes analytics data. Transfers to the USA are covered by Standard Contractual Clauses. See Google's Privacy Policy.
2.3 Cookies
Strictly necessary (no consent required)
| Cookie | Purpose | Duration |
|---|---|---|
| mj_admin | Admin panel authentication session | 8 hours |
Analytics cookies (consent required)
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique users | 2 years |
| _ga_* | Google Analytics | Session state | 2 years |
| _gid | Google Analytics | Distinguishes users | 24 hours |
| _gat | Google Analytics | Throttles request rate | 1 minute |
GTM may load additional third-party tags. Any such tags will be listed here as activated.
3. How long I keep your data
| Data type | Retention period |
|---|---|
| Contact form submissions | 12 months from submission, then permanently deleted |
| Analytics data | 14 months (configured in Google Analytics) |
| Admin session cookies | 8 hours |
4. Who I share your data with
I do not sell, rent or trade your personal data. I share data only with these processors to operate the website:
Vercel Inc. — Hosting.
Processes server logs and request metadata. USA, transfers via SCCs.
Privacy policyNeon Inc. — Database.
Stores contact form submissions (name, email, subject, message, hashed IP). AWS us-east-1, transfers via SCCs.
Privacy policyResend Inc. — Email delivery.
Sends me a notification when you submit the contact form. Your email is used as reply-to only. USA, transfers via SCCs.
Privacy policyGoogle LLC — Analytics & tag management.
Anonymised usage data, cookies (consent only). USA, transfers via SCCs.
Privacy policy
5. Your rights under GDPR
You have the following rights under Regulation (EU) 2016/679:
- →
Access (Art. 15) — request a copy of your data
- →
Rectification (Art. 16) — request correction of inaccurate data
- →
Erasure (Art. 17) — request deletion of your data
- →
Restriction (Art. 18) — request limits on how your data is used
- →
Portability (Art. 20) — request your data in a machine-readable format
- →
Object (Art. 21) — object to processing based on legitimate interests
- →
Withdraw consent (Art. 7(3)) — withdraw analytics consent at any time
To exercise any right, email: info@mjovancevic.com — I will respond within 30 days.
You also have the right to lodge a complaint with the Croatian supervisory authority:
Agencija za zaštitu osobnih podataka (AZOP)
Martićeva ulica 14, 10 000 Zagreb
https://azop.hr | azop@azop.hr | +385 1 4609 000
6. Data security
- [✓]
All data in transit is encrypted via HTTPS/TLS
- [✓]
IP addresses in the contact form database are cryptographically hashed (one-way, non-reversible)
- [✓]
Database access is restricted and authenticated
- [✓]
Admin access is password-protected with time-limited sessions
- [✓]
All third-party processors are evaluated for GDPR compliance
7. International data transfers
Vercel, Neon, Resend and Google are US-based. All transfers are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR.
8. Children's privacy
This website is not directed at children under 16. If you believe a minor has submitted data through this site, contact info@mjovancevic.com and I will delete it immediately.
9. Changes to this policy
The "Last updated" date at the top reflects the most recent version. Material changes will be noted on the website.