Privacy Policy
1. Who is the data controller
The data controller for personal data processed through Siterka is the Siterka team, reachable at admin.siterka@gmail.com. The controller decides why and how your personal data is processed, in line with the Serbian Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti, "ZZPL") and, where applicable, the EU General Data Protection Regulation ("GDPR").
If you have questions about this policy, would like to exercise your rights, or wish to lodge a complaint, please use the contact details in the final section. We aim to respond to all data-protection requests within thirty (30) days.
2. What personal data we collect
When you register an account we collect the email address and chosen display name you provide, plus a hashed password. When you build a profile you may add identifying information such as your first and last name, city, role, languages, photographs, and a free-text bio. Caregivers may publish a rate, availability, and trust signals; parents may publish details about the care they are seeking.
When you use the platform we collect message contents (subject to administrator review before relay), bookmarks, ratings, blog posts, and any uploads. We log technical metadata such as IP address, user-agent string, timestamp, and the URLs you visit in order to operate the service, prevent abuse, and diagnose problems. We use a strictly necessary session cookie to keep you logged in and a preference cookie to remember your chosen language and theme.
We do not collect special categories of personal data (such as health, religion, political opinion, or biometric data) from you in the ordinary course of operation. If you choose to disclose such information voluntarily — for example in a free-text bio — please do so with care, as the data will be visible according to the visibility settings of the surface where you posted it.
3. Lawful basis for processing
We rely on the following lawful bases under ZZPL Art. 12 and GDPR Art. 6: (a) performance of a contract with you — to provide the account, listings, messaging, and subscription features you have requested; (b) our legitimate interests — to keep the platform safe, prevent fraud, moderate user content, and improve the product, balanced against your rights; and (c) your consent — for any optional features that go beyond core service operation.
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Withdrawing consent for non-core features may mean we can no longer provide those features; core service operation does not depend on consent.
4. Service providers (processors)
We rely on a small set of carefully chosen service providers to operate the platform. These providers process personal data only on our instructions and under written agreements that meet the requirements of Art. 45 ZZPL / Art. 28 GDPR. The current list is: DigitalOcean (hosting and database in the European Union), Cloudflare (DNS and edge network), Resend (transactional email delivery — verification, password reset, and notifications), and — only when you opt in via the cookie consent banner — Google LLC operating Google Analytics 4 in the United States and Ireland (page-view counts and aggregate usage statistics with IP-anonymisation enabled).
We do not sell, rent, or trade your personal data to third parties for advertising. We do not embed third-party advertising trackers. Google Analytics processes data only after you opt in via the consent banner; if you decline or have not yet chosen, the GA4 script is not loaded at all. If we ever introduce a new processor that involves a meaningful change in how your data is handled, we will update this list and, where required, give you advance notice.
5. How long we keep your data
We keep your account data for as long as your account is active. If you self-suspend, your data remains on file but is hidden from the public; if you delete your account, your profile and posts are removed and your account record is erased except where law or legitimate interest requires retention. Encrypted database backups are kept for up to thirty (30) days for disaster recovery and then overwritten.
Messages are retained for as long as both participants keep their accounts; if either party deletes their account, message contents become inaccessible to that party while a copy may be retained for the other party's records. Aggregated and anonymised analytics may be kept indefinitely as they no longer identify you.
6. Your rights
You have the following rights under ZZPL and GDPR: access to your data; rectification of inaccurate data; erasure (the "right to be forgotten"); restriction of processing; portability of data you have provided to us in a structured, machine-readable format; objection to processing based on legitimate interest; and the right not to be subject to a decision based solely on automated processing that produces legal effects.
Most of these rights can be exercised directly from your profile settings: edit data, self-suspend, or hard-delete your account. For requests that are not self-serve — such as a structured data export or a question about a specific processing activity — please email admin.siterka@gmail.com from the address registered on your account so we can verify your identity.
We will respond to verified requests within thirty (30) days. We may extend this period by a further sixty (60) days for complex requests, in which case we will notify you of the extension and the reasons within the original window. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
7. Children
Siterka is intended for adults. We do not knowingly collect personal data from children under 18, and we do not allow children to register accounts. If you believe a child has registered, please contact admin.siterka@gmail.com and we will delete the account and any associated personal data without undue delay.
8. International transfers
Our primary infrastructure is hosted in the European Union (DigitalOcean, region FRA1). Where personal data is transferred outside Serbia or the EU — for instance to email-delivery providers — we rely on appropriate safeguards under ZZPL Art. 64–65 and GDPR Chapter V, including Standard Contractual Clauses where required. You can request a copy of the safeguards in place for a specific transfer by emailing us.
9. Security
We protect your data using a layered set of technical and organisational measures: TLS 1.2+ for data in transit, encrypted database storage at rest, hashed passwords, server-side authorization checks at every endpoint, principle-of-least-privilege access for the small team that operates the service, and audit logging for moderation actions. We keep our infrastructure patched and we monitor for unusual activity.
No system is perfectly secure. You can help by choosing a strong, unique password, keeping your devices up to date, and not sharing your account credentials with anyone. If you notice suspicious activity on your account, change your password immediately and contact us at admin.siterka@gmail.com.
10. Personal data breaches
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two (72) hours where required, and inform affected users without undue delay. The notification will describe the nature of the breach, the categories of data affected, the likely consequences, and the measures we are taking in response.
11. Complaints
If you believe we have not handled your personal data in line with applicable law, you have the right to lodge a complaint with the Serbian supervisory authority — the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) — at poverenik.rs.
Where you reside in another EU/EEA country you may also lodge a complaint with your local supervisory authority. We would, however, appreciate the chance to address your concern first — please email admin.siterka@gmail.com.
12. Changes to this policy
We may update this policy as the product changes or as the legal landscape evolves. The current version, with the date of last update, will always be at /privacy. For material changes that affect your rights we will give you reasonable advance notice by email or an in-product banner.
13. Contact
For all privacy-related questions or requests, please email admin.siterka@gmail.com. For urgent security concerns, use the same address: admin.siterka@gmail.com.