napravi.site
The napravi.site platform processes personal data in accordance with GDPR (EU Regulation 2016/679) and the Personal Data Protection Act of the Republic of Serbia (Official Gazette of RS No. 87/2018). For us, privacy is a fundamental right, not an accompanying obligation.
| Role | Who | For which data | Responsibility |
|---|---|---|---|
| Controller | napravi.site Operator | Tenant account data, subscription data, logs | Full GDPR responsibility |
| Processor | napravi.site Operator | Data of end users of the Tenant's sites | Processing per the Tenant's instructions |
| Controller | Tenant (platform user) | Data of their own end users/customers | Full GDPR responsibility toward end users |
Platform users (Tenants) who collect their customers' data are themselves responsible for GDPR compliance. Tenants who require a formal DPA document can contact us at privacy@napravi.site.
| Legal basis | GDPR article | Applied to |
|---|---|---|
| Performance of a contract | Art. 6(1)(b) | Registration, account management, billing, service provision |
| Legitimate interest | Art. 6(1)(f) | Security, fraud prevention, server logs, support |
| Legal obligation | Art. 6(1)(c) | Accounting records, requests from public authorities |
| Consent | Art. 6(1)(a) | Marketing emails, newsletter (withdrawal always possible) |
| Activity | Data categories | Recipients | Retention period |
|---|---|---|---|
| User account management | Identification, contact | Internal systems | Duration of the account + 30 days |
| Subscription processing | Financial, Stripe ID | Stripe | 10 years |
| Provision of CMS functions | User content | Cloudinary, database | Duration of the account |
| Security logs | IP, session, timestamp | Server log system | 90 days |
| SMS notifications | Phone number, text | BulkGate | 30 days (log) |
| AI content translations | Text content | OpenAI API | Not stored permanently |
| Provider | Country | Protection mechanism |
|---|---|---|
| Stripe, Inc. | USA | Standard Contractual Clauses (SCCs) |
| Cloudinary Ltd. | USA/EU | SCCs + EU Data Center option |
| OpenAI, Inc. | USA | Standard Contractual Clauses (SCCs) |
| Meta (Instagram) | USA | SCCs (for EU users) |
| LinkedIn Corp. | USA | SCCs (for EU users) |
We use the latest SCCs adopted by the European Commission (Decision 2021/914) for all data transfers outside the EU.
Appointing a DPO is currently not legally required given the scale of processing. The Operator has nevertheless designated a data protection contact:
If the platform exceeds the thresholds under GDPR Art. 37(1), the Operator will appoint a DPO without delay and publish the DPO's contact details.
A copy of all personal data we hold about you, with information on the purpose and basis of processing.
Correction of inaccurate or incomplete data in the shortest possible time.
The "right to be forgotten": when the data is no longer needed or consent has been withdrawn.
Temporary suspension of processing while an objection or accuracy check is being resolved.
Your data in a structured, machine-readable format (JSON/CSV).
Objection to processing based on legitimate interest, always without having to give reasons.
The right not to be subject to decisions based solely on automated processing.
Withdrawal of consent at any time, without affecting prior lawful processing.
The Operator may refuse a request if it is: manifestly unfounded, repetitive, or would endanger the rights of third parties. We will inform you of a refusal with reasons and refer you to your right to lodge a complaint.
| Timeframe | Action | Who |
|---|---|---|
| 0-24 hours | Identification, containment, and assessment of the breach | Operator's technical team |
| 24-72 hours | Report to the Commissioner of RS (if a risk exists) | Operator (legal obligation) |
| 72 hours | Notification of affected data subjects (if high risk) | Operator → Users |
| After remediation | Breach report, corrective measures, audit | Operator |
Contact us immediately at security@napravi.site or privacy@napravi.site.
The napravi.site platform does not collect, process, or require special categories of data: racial/ethnic origin, political opinions, religious beliefs, genetic/biometric data, health data, data on sexual orientation.
Tenants are expressly prohibited from collecting special categories of data through the platform without explicit consent and an appropriate legal basis under GDPR Art. 9(2).
The platform does not carry out automated decision-making that would produce legal effects (GDPR Art. 22). The only automated processing:
📧 privacy@napravi.site, deadline: 48h (confirmation) / 30 days (resolution)
| Supervisory authority | Jurisdiction | Contact |
|---|---|---|
| Commissioner for Information of Public Importance and Personal Data Protection of RS | Republic of Serbia | poverenik.rs |
| DPA of the competent EU member state | EU/EEA | edpb.europa.eu/about-edpb/board/members |
Contact the data protection team with any questions or requests.
napravi.site processes personal data in compliance with GDPR (EU Regulation 2016/679) and the Serbian Personal Data Protection Act (Official Gazette RS No. 87/2018). Privacy is a fundamental right for us, not a compliance afterthought.
| Role | Who | For Which Data | Responsibility |
|---|---|---|---|
| Controller | napravi.site Operator | Tenant account data, subscriptions, logs | Full GDPR responsibility |
| Processor | napravi.site Operator | End-user data of Tenant sites | Processing per Tenant instructions |
| Controller | Tenant (platform user) | Their own end-users' / customers' data | Full GDPR responsibility toward end users |
Platform users (Tenants) who collect personal data from their own customers are independently responsible for GDPR compliance. Tenants requiring a formal Data Processing Agreement (DPA) document may contact us at privacy@napravi.site.
| Legal Basis | GDPR Article | Applied To |
|---|---|---|
| Performance of contract | Art. 6(1)(b) | Registration, account management, billing, service provision |
| Legitimate interests | Art. 6(1)(f) | Security, fraud prevention, server logs, support |
| Legal obligation | Art. 6(1)(c) | Accounting records, law enforcement requests |
| Consent | Art. 6(1)(a) | Marketing emails, newsletter (always revocable) |
| Processing Activity | Data Categories | Recipients | Retention |
|---|---|---|---|
| User account management | Identity, contact | Internal systems | Account lifetime + 30 days |
| Subscription processing | Financial, Stripe ID | Stripe | 10 years (legal obligation) |
| CMS service provision | User content | Cloudinary, database | Account lifetime |
| Security logs | IP, session, timestamp | Server log system | 90 days |
| SMS notifications | Phone number, text | BulkGate | 30 days (log) |
| AI content translations | Text content | OpenAI API | Not persistently stored |
| Provider | Country | Transfer Mechanism |
|---|---|---|
| Stripe, Inc. | USA | Standard Contractual Clauses (SCCs) |
| Cloudinary Ltd. | USA/EU | SCCs + EU Data Center option |
| OpenAI, Inc. | USA | Standard Contractual Clauses (SCCs) |
| Meta (Instagram) | USA | SCCs (for EU users) |
| LinkedIn Corp. | USA | SCCs (for EU users) |
We use the latest SCCs adopted by the European Commission (Decision 2021/914) for all data transfers to the USA and other third countries without an adequate level of protection.
Pursuant to GDPR Art. 37, a formal DPO appointment is currently not legally required given the scale of processing. However, the Operator has designated a Data Protection Contact:
If the platform scales to meet the thresholds under GDPR Art. 37(1)(b) or (c), the Operator will appoint a DPO without delay and publish their contact details.
Obtain a copy of all personal data we process about you, along with information on purpose and legal basis.
Request correction of inaccurate or incomplete personal data without undue delay.
"Right to be forgotten" — when data is no longer necessary or consent has been withdrawn.
Request temporary suspension of processing while a dispute or accuracy check is resolved.
Receive your data in a structured, machine-readable format (JSON/CSV) for transfer to another controller.
Object to processing based on legitimate interest or for direct marketing — always without justification.
Right not to be subject to decisions based solely on automated processing that produce legal effects.
Revoke consent at any time without affecting the lawfulness of processing before withdrawal.
The Operator may refuse a request if it is: manifestly unfounded, repetitive, or would infringe the rights and freedoms of third parties. You will be informed of refusals with reasoning and your right to lodge a complaint.
| Timeframe | Action | Responsible Party |
|---|---|---|
| 0-24 hours | Identification, containment, and breach assessment | Operator technical team |
| 24-72 hours | Report to Serbian DPA (if risk exists) | Operator (legal obligation) |
| 72 hours | Notification of affected data subjects (if high risk) | Operator → Users |
| Post-remediation | Breach report, corrective measures, audit | Operator |
Contact us immediately at security@napravi.site or privacy@napravi.site.
napravi.site does not collect, process, or request special categories of personal data as defined in GDPR Art. 9: racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, or data concerning sexual orientation.
Tenants are strictly prohibited from collecting special categories of data through the platform without explicit consent and an appropriate legal basis under GDPR Art. 9(2).
The platform does not perform automated decision-making that produces legal or similarly significant effects (GDPR Art. 22). The only automated processing in use:
📧 privacy@napravi.site — Response: 48h (confirmation) / 30 days (resolution)
| Supervisory Authority | Jurisdiction | Contact |
|---|---|---|
| Commissioner for Information of Public Importance and Personal Data Protection | Republic of Serbia | poverenik.rs |
| Competent EU Member State DPA | EU/EEA (your country of residence) | edpb.europa.eu/about-edpb/board/members |
You may file a complaint with a supervisory authority at any time, without first contacting the Operator, although direct communication is recommended as a first step.
Contact our data protection team for any questions or requests.