GDPR aligned

Privacy Policy

How this site collects, uses, and protects your personal data — written in plain language and aligned with the EU General Data Protection Regulation (GDPR).

Last updated: May 22, 2026

What we collect

Only what you give us — name, email, and message via the contact form. Plus minimal technical data for security.

Who it goes to

A small set of trusted processors: Resend for email, Vercel for hosting, and Google reCAPTCHA for spam protection.

Your rights

Access, correct, delete, port, or restrict your data — and withdraw consent or complain to a supervisory authority at any time.

01

Introduction

This Privacy Policy explains how personal data is processed when you visit renekrajnc.com (the "Site"). The Site is a personal portfolio operated by an individual based in the European Union. We respect your privacy and only process the personal data that is strictly necessary to operate the Site, respond to your enquiries, and keep the Site secure. By using the Site you acknowledge that you have read this Policy. If you do not agree with it, please do not use the Site.

02

Who is responsible (Data Controller)

The data controller responsible for your personal data under the GDPR is Rene Krajnc, based in Maribor, Slovenia. For any privacy-related question, request, or complaint you can contact us at info@renekrajnc.com. We will respond to verified requests without undue delay and at the latest within 30 days, in line with Article 12(3) GDPR.

03

Personal data we collect

We collect only the data needed to operate the Site and respond to you. Specifically:

  • Contact form data: the name, email address, and message you submit through the contact form.
  • Communication content: any further correspondence you send to us by email.
  • Technical data: IP address, user agent, referrer, and timestamps recorded in server access and security logs by our hosting provider.
  • Anti-abuse signals: a reCAPTCHA token and the score Google returns, used to block automated form submissions.
  • Preference data: your selected theme (light or dark), stored locally in your browser; this never leaves your device.

05

Cookies and similar technologies

The Site uses a minimal number of cookies and local storage entries. We do not use advertising cookies, cross-site tracking, or behavioural profiling.

  • Strictly necessary: a 'theme' value stored in your browser's localStorage so the Site remembers your light/dark choice. No consent is required for this because it is strictly necessary to deliver the service you requested.
  • Functional / security (consent-based): when you accept cookies, we load Google reCAPTCHA v3 on the contact page. reCAPTCHA may set cookies on Google domains and collect technical data to distinguish humans from bots.
  • Consent management: a small 'cookie-consent-v1' entry is stored in your browser's localStorage to remember your choice between Accept and Reject. You can change your choice at any time via the 'Cookie preferences' link in the footer.

06

Service providers and recipients

We never sell personal data. We only share it with a small set of trusted service providers acting as data processors on our behalf, each bound by an appropriate data processing agreement:

  • Resend (Resend, Inc., USA) — transactional email delivery for contact form messages. See Resend's privacy policy.
  • Google reCAPTCHA (Google Ireland Ltd / Google LLC, USA) — bot and abuse protection on the contact form, only loaded after you accept cookies. See Google's privacy policy.
  • Vercel (Vercel Inc., USA) — hosting, content delivery, and server logging. See Vercel's privacy policy.

07

International data transfers

Some of the processors listed above are based in the United States. Where personal data is transferred outside the European Economic Area, the transfer is protected by appropriate safeguards under Chapter V GDPR — typically the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. You can request a copy of the safeguards in place by contacting us at info@renekrajnc.com.

08

How long we keep your data

We keep personal data only for as long as it is needed for the purpose it was collected for, or as required by law:

  • Contact form messages and related email correspondence: up to 12 months after our last exchange, unless an ongoing business relationship or a legal obligation requires longer retention.
  • Server access and security logs: up to 30 days, after which they are deleted or anonymised by our hosting provider.
  • reCAPTCHA assessments: retained by Google for the periods described in their privacy policy; we do not store the raw token after verification.
  • Cookie consent record: stored locally in your browser until you clear it or change your choice.

09

Your rights under the GDPR

Subject to the conditions in the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — obtain confirmation of whether we process your data and a copy of it.
  • Right to rectification (Art. 16) — have inaccurate or incomplete data corrected.
  • Right to erasure (Art. 17) — request deletion of your data where the legal grounds for processing no longer apply.
  • Right to restriction (Art. 18) — restrict processing in defined situations, for example while you contest accuracy.
  • Right to data portability (Art. 20) — receive data you provided to us in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests, including direct outreach.
  • Right to withdraw consent (Art. 7(3)) — withdraw any consent you have given at any time, without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — file a complaint with a supervisory authority, in particular the Slovenian Information Commissioner (Informacijski pooblaščenec) or the authority in your EU country of residence.

10

How we protect your data

We use industry-standard measures to keep your data safe in transit and at rest:

  • All traffic to the Site is encrypted in transit via TLS (HTTPS).
  • Strict Content Security Policy, HSTS, and other security headers are configured at the framework level.
  • Secrets such as API keys are stored in environment variables on the hosting platform and never exposed to the browser.
  • Google reCAPTCHA v3 protects the contact form against automated abuse.
  • We do not collect payment data, special-category data, or government identifiers through the Site.

11

Children's privacy

The Site is intended for a general professional audience and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data through the Site, please contact us at info@renekrajnc.com and we will delete it without undue delay.

12

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, third-party services, or legal requirements. The current version is always available on this page and the Last updated date at the top of the page is the authoritative version marker. Material changes will be highlighted on the Site before they take effect.

13

Contact us

If you have any question about this Privacy Policy, want to exercise a data subject right, or would like to raise a concern, please reach out at info@renekrajnc.com or via the contact page. We aim to respond to all verified requests within 30 days, in line with Article 12(3) GDPR.