1. Controller
The controller of your personal data is Mykhailo Koblychenko s.p., Dimičeva ulica 9, 1000 Ljubljana, Slovenija, tax number SI40790215, registration number 7522967000. Contact: media4estate@gmail.com.
We process personal data in accordance with Regulation (EU) 2016/679 («GDPR») and the Slovenian Personal Data Protection Act (ZVOP-2, Ur. l. 163/22).
2. What we process and why
| Purpose | Data | Lawful basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| User account & login | Name, email, hashed password, language preference | 6(1)(b) — performance of the contract (service use) | Until account deletion; then deleted immediately |
| Idea submissions & AI analysis | Idea title, description, problem, solution, target audience, attachments | 6(1)(b) — contract | Until account deletion or user-initiated removal |
| Sign in with Google | Google user ID, email, name (provided by Google) | 6(1)(b) — contract; 6(1)(a) — consent at the OAuth screen | Same as account |
| Transactional emails (review notifications, password reset) | Email address, message body | 6(1)(b) — contract | Email delivery logs ~30 days at processor |
| Security & abuse prevention (rate-limiting, server logs) | IP address, user-agent, request timestamps | 6(1)(f) — legitimate interest in service security | Server logs: max 30 days; rate-limit counters: minutes |
| Cookie consent record | Your consent choice and timestamp | 6(1)(c) — legal obligation (proof of consent) | 12 months, then re-prompt |
3. Recipients and subprocessors
We share personal data only with the following processors, each under a written data-processing agreement:
| Processor | Purpose | Country | Transfer basis |
|---|---|---|---|
| Anthropic, PBC (Claude API) | AI analysis of submitted ideas | USA | SCCs (Art. 46 GDPR, Decision (EU) 2021/914, Module 2) per Anthropic Commercial Terms / DPA. Not DPF-certified. |
| Resend, Inc. | Sending transactional email | USA | EU–US Data Privacy Framework adequacy (Art. 45 GDPR, decision of 10 Jul 2023); SCC fallback. |
| Google Ireland Ltd. / Google LLC (Sign in with Google) | Federated authentication | Ireland / USA | Controller-to-controller; for US elements: DPF adequacy (Art. 45) + SCC fallback. |
| Hosting provider (Next.js application + MySQL database) | Service hosting and database storage | EU/EEA region (configured) | Processed within EU/EEA. If a non-EEA region is used, SCCs apply. |
We do not currently use Google Analytics, Meta Pixel, Sentry, runtime Google Fonts, or third-party advertising networks. If we introduce any of these in future, this policy will be updated and (where applicable) added to the consent banner before they are loaded.
4. International transfers
Some processors are located in the United States. Transfers rely on: (a) the EU Commission's adequacy decision for the EU–US Data Privacy Framework of 10 July 2023 where the recipient is DPF-certified, or (b) Standard Contractual Clauses pursuant to Art. 46 GDPR and Commission Implementing Decision (EU) 2021/914, Module 2 (controller-to-processor). We do not rely on Art. 49(1)(b) for routine or systematic transfers.
5. Your rights (GDPR Art. 15–22)
- Access (Art. 15) — receive a copy of your data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — delete your account and personal data.
- Restriction (Art. 18) — freeze processing.
- Data portability (Art. 20) — receive your data in a machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interest.
- Not be subject to automated decision-making with legal effect (Art. 22) — AI analysis is informational and is not a solely-automated decision with legal effect.
- Withdraw consent at any time (where consent is the basis), without affecting prior lawful processing.
- Lodge a complaint with Informacijski pooblaščenec Republike Slovenije (IP-RS) or another competent supervisory authority.
To exercise any right, write to media4estate@gmail.com. We respond within 1 month (Art. 12(3)), extendable by up to 2 further months for complex requests. Free of charge.
6. Security
- Passwords stored using bcrypt (cost ≥10).
- Session cookies: HttpOnly, Secure (in production), SameSite=Lax.
- Rate-limiting on authentication endpoints.
- HTTPS in production; no PII is written to runtime logs deliberately.
- Access to the production database is restricted to the controller.
7. Children
The service is intended for users aged 18 and over. We do not knowingly collect personal data from children under 16. If we learn that a child has provided personal data without verified parental consent, we will delete it.
8. Automated decision-making
The AI analysis produced for each idea is a content output intended to assist the user. It does not, by itself, produce legal effects on the user and is not used to take solely-automated decisions about the user within the meaning of Art. 22 GDPR.
9. Data breaches
In case of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the supervisory authority within 72 hours of becoming aware (Art. 33 GDPR) and, where the risk is high, the affected users without undue delay (Art. 34).
10. DPO
A Data Protection Officer is not required under Art. 37 GDPR for a small business that does not carry out large-scale systematic monitoring or large-scale special-category processing. The contact for all data-protection enquiries is media4estate@gmail.com.
11. Changes to this policy
We will keep this policy up to date. Material changes will be communicated by updating the «Last updated» date at the top of this page and, where appropriate, by email or a banner on the service.