GDPR Privacy Notice

Last Updated: April 6, 2026

This General Data Protection Regulation (GDPR) Privacy Notice ("Notice") supplements the information contained in our general Privacy Policy and applies solely to visitors, users, and others who reside in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland. We adopt this Notice to comply with the GDPR, and any terms defined in the GDPR have the same meaning when used in this Notice.

1. Data Controller and Contact Details

For the purposes of the GDPR, the Data Controller responsible for your personal data is:

While we are not legally required to appoint a formal Data Protection Officer (DPO) under Article 37 of the GDPR, we take data protection seriously and ensure that all processing activities comply fully with applicable data protection law. Any data protection inquiries can be directed to the contact details above.

2. Data Minimization Principle (Article 5)

We adhere strictly to the principle of data minimization as required under Article 5(1)(c) of the GDPR. This means we only collect and process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We regularly review the data we hold and delete or anonymize any data that is no longer necessary for its original purpose.

3. Legal Basis for Processing Personal Data (Article 6)

We will only process your personal data when we have a legal basis to do so. The legal bases we rely on are:

  • Consent (Article 6(1)(a)): You have given clear and informed consent for us to process your personal data for a specific purpose, such as subscribing to our newsletter or accepting non-essential cookies. You may withdraw consent at any time.
  • Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract, such as providing consulting services.
  • Legal Obligation (Article 6(1)(c)): Processing is necessary for compliance with a legal obligation to which we are subject, such as retaining financial records for tax and accounting purposes.
  • Legitimate Interests (Article 6(1)(f)): Processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your fundamental rights and freedoms. Examples include website security, fraud prevention, and improving our services. We always conduct a balancing test before relying on this basis.

4. Summary of Processing Activities (Article 30)

In accordance with our obligation to maintain a Record of Processing Activities (RoPA) under Article 30 of the GDPR, the following is a summary of our key processing activities:

  • Website Visitors: Data types include IP address, browser type, pages visited, and time spent on site. Legal basis: Legitimate Interests (analytics and security) and Consent (for non-essential cookies). Purpose: to understand how our website is used and to improve user experience.
  • Newsletter Subscribers: Data types include name and email address. Legal basis: Consent. Purpose: to send marketing communications, updates, and educational content about our services.
  • Clients / Consulting: Data types include name, contact details, professional information, and project-related data. Legal basis: Contract and Legal Obligation. Purpose: to deliver contracted services, manage client relationships, and comply with applicable legal and financial obligations.
  • Affiliates / Partners: Data types include name, contact details, and performance data. Legal basis: Contract and Legitimate Interests. Purpose: to manage partnership agreements, track referrals, and process affiliate commissions.

5. Third-Party Data Processors (Article 28)

We use trusted third-party service providers (Data Processors) to help us operate our business. All processors are bound by Data Processing Agreements (DPAs) and are contractually required to process your data only on our instructions and in compliance with the GDPR. Our key processors include:

  • Google Ireland Limited — providing analytics (Google Analytics), advertising (Google Ads), and workspace services (Gmail, Google Workspace). Privacy Policy: policies.google.com/privacy
  • Meta Platforms Ireland Limited — providing social media advertising and the Meta Pixel for conversion tracking. Privacy Policy: facebook.com/privacy/policy
  • LinkedIn Ireland Unlimited Company — providing professional networking and LinkedIn advertising services. Privacy Policy: linkedin.com/legal/privacy-policy
  • Stripe Inc. — providing payment processing services for client invoices and transactions. Privacy Policy: stripe.com/privacy
  • Make (Celonis) — providing workflow automation and integration services used to connect our business tools and automate internal processes. Privacy Policy: make.com/en/privacy-notice

6. Data Retention Schedule (Article 5)

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The following retention periods apply:

  • Website Analytics Data: 14 months — aligned with Google Analytics default retention settings and sufficient to identify trends across seasonal cycles.
  • Newsletter / Marketing Data: Until you unsubscribe — we retain subscriber data for as long as you remain on our mailing list. You may unsubscribe at any time via the link in any email.
  • Client / Consulting Records: Duration of the service relationship plus 5 years — retained to manage ongoing or future engagements and to satisfy potential legal claims within the applicable limitation period.
  • Financial / Payment Records: 10 years — retained to comply with tax law, accounting regulations, and financial reporting obligations applicable in Slovenia and other relevant jurisdictions.
  • Affiliate / Partner Data: Duration of the partnership plus 5 years — retained to manage the partnership relationship and to handle any post-termination disputes or commission queries.

Once the applicable retention period has expired, your personal data is securely deleted or anonymized so that it can no longer be associated with you.

7. Special Categories of Data (Article 9)

We do not intentionally collect or process any "Special Categories" of personal data as defined under Article 9 of the GDPR. This includes, but is not limited to, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. If we ever become aware that such data has been inadvertently submitted, we will delete it promptly and without undue delay.

8. Children's Data (Article 8)

Our services are not intended for or directed at children. We do not knowingly collect personal data from children under the age of 16. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at info@sinisadagary.com and we will take steps to delete such information from our systems without undue delay.

9. Automated Decision-Making and Profiling (Article 22)

We use third-party analytics and advertising tools that may engage in a degree of automated processing, including the creation of interest-based profiles for advertising purposes. However, we do not use automated decision-making that produces legal effects or similarly significantly affects you as an individual, as described in Article 22 of the GDPR. No purely automated decisions are made about you based on your personal data. You have the right to object to profiling for direct marketing purposes at any time by contacting us at info@sinisadagary.com.

10. Your Rights Under the GDPR

If you are a resident of the EEA, the United Kingdom, or Switzerland, you have the following data protection rights under applicable law:

  • Right to Access (Article 15): You have the right to request a copy of the personal data we hold about you and to obtain information about how we process it.
  • Right to Rectification (Article 16): You have the right to request that we correct any inaccurate or incomplete personal data we hold about you without undue delay.
  • Right to Erasure / "Right to be Forgotten" (Article 17): You have the right to request that we delete your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.
  • Right to Restrict Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while the accuracy of your data is being contested.
  • Right to Object to Processing (Article 21): You have the right to object to the processing of your personal data where we are relying on legitimate interests as our legal basis, or where we are processing your data for direct marketing purposes.
  • Right to Data Portability (Article 20): Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to Withdraw Consent (Article 7(3)): Where we are relying on your consent as the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of any processing carried out prior to withdrawal.

To exercise any of these rights, please contact us at info@sinisadagary.com. We will respond to your request within one month of receipt. In complex or numerous cases, we may extend this period by a further two months, in which case we will notify you within the first month and provide reasons for the extension.

11. Data Breach Notification (Articles 33–34)

We have implemented appropriate technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. In the event that a personal data breach occurs, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, where it is feasible to do so and where the breach is likely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to your rights and freedoms, we will also communicate the breach to you directly without undue delay, unless one of the exemptions set out in Article 34(3) of the GDPR applies.

12. International Data Transfers (Cross-Border Data Flows)

Your personal data may be transferred to and processed in countries outside the EEA and the United Kingdom, including the United States, where some of our third-party service providers are based. In such cases, we ensure that appropriate safeguards are in place to protect your data in accordance with the GDPR. The legal mechanisms we rely on include:

  • EU-U.S. Data Privacy Framework: Where applicable, we rely on the adequacy decision for the EU-U.S. Data Privacy Framework adopted by the European Commission, which permits the transfer of personal data to certified U.S. organizations.
  • Standard Contractual Clauses (SCCs): Where the EU-U.S. Data Privacy Framework does not apply, we use the Standard Contractual Clauses approved by the European Commission as the legal mechanism for data transfers to third countries.
  • UK Adequacy Regulations / Swiss FDPIC: For transfers from the United Kingdom, we rely on the UK's own adequacy regulations and approved transfer mechanisms. For transfers from Switzerland, we rely on the guidance of the Swiss Federal Data Protection and Information Commissioner (FDPIC).

13. Complaints to Supervisory Authorities

You have the right to lodge a complaint with a Data Protection Authority (DPA) if you believe that our processing of your personal data infringes the GDPR or applicable national data protection law. The relevant supervisory authorities are:

  • For users in Slovenia: Information Commissioner (Informacijski pooblaščenec) — www.ip-rs.si
  • For users in Serbia: Commissioner for Information of Public Importance and Personal Data Protection — www.poverenik.rs
  • For other EEA users: Please contact your local national data protection authority. A full list of EEA supervisory authorities is available on the European Data Protection Board website at edpb.europa.eu.

We would, however, appreciate the opportunity to address your concerns directly before you approach a supervisory authority. Please do not hesitate to contact us first at info@sinisadagary.com.