Privacy policy

Effective: 4 June 2026

This policy explains how WIDGET collects, uses and protects your data when you visit our website or contact us. We comply with the General Data Protection Regulation (GDPR) and the Croatian act implementing it.

Who we are (Data Controller)

Your personal data is controlled by:

  • WIDGET, sole proprietorship for IT services, owner Eduard Ravnić
  • Registered seat: Dršćevka 7, 52000 Pazin, Croatia
  • OIB (tax ID): 81377241097
  • Obrt registration number (MBO): 98821083
  • Registered with: Upravni odjel za gospodarstvo, izdvojeno mjesto rada Pazin
  • Legal status: paušalni obrt (flat-rate craft business), outside the VAT system
  • Privacy contact: [email protected]

What we collect and the legal basis

We collect data in two ways, each on the matching GDPR legal basis:

  • Website visits: page viewed, anonymised IP address, country (via Cloudflare headers), browser type, referrer and session ID. Legal basis: legitimate interest in the security and stability of the site.
  • Contact form: name and email and - if you provide them - company name, phone and your message. Legal basis: taking steps at your request prior to entering a contract, or your consent.

Why we use it

  • Answering enquiries: to reply to your message and, where relevant, discuss your project.
  • Traffic analytics: which pages work and where visitors come from, based on anonymous aggregate statistics (consent only).
  • Security and stability: basic traffic logs to protect and correctly operate the site.

Cookies and analytics

Essential cookies store your cookie choice and are required for the site to work; they do not require consent.

Analytics cookies (Google Analytics 4) are only set after your explicit consent via the cookie bar at the bottom of the page; measurement is anonymised (IP anonymisation) and stores no name or email. You can change your choice anytime via "Cookie settings" in the footer.

Who we share with (sub-processors)

We do not sell your data. We share it only with technical service providers who process it on our behalf, under DPA / Standard Contractual Clauses where applicable:

  • Hetzner Online GmbH (Germany / Finland): server and database hosting.
  • Cloudflare, Inc. (USA): DNS, CDN, web application firewall and bot protection (relying on the EU-U.S. Data Privacy Framework).
  • Sendinblue SAS / Brevo (France): notification and transactional email delivery.
  • Google Ireland Ltd. (Ireland): Google Analytics 4, only with your consent, anonymised statistics.

How long we keep it

  • Enquiry messages: up to 2 years, or until you request deletion.
  • Analytics logs: 14 months (GA4 default retention).
  • Email delivery logs: 12 months.

Your rights

Under GDPR you have the right to:

  • Request access to your data and correction of inaccurate data.
  • Request deletion ("right to be forgotten").
  • Request restriction of processing of your data.
  • Request data portability in a structured format.
  • Object to processing.
  • Withdraw consent for analytics at any time.
  • File a complaint with the Croatian Data Protection Agency (AZOP), Selska cesta 136, 10000 Zagreb.

Contact

For any question or request related to this policy, write to [email protected]. We reply within one business day.