Privacy policy
Your privacy matters to us. Here we explain what personal data we collect, how we use it, and what your obligations and rights are.
This document was prepared in good faith but is not a substitute for a legal review. Before publication and before collecting any real data, we recommend that a lawyer or a data protection specialist review and adapt this text in line with the Serbian Personal Data Protection Act and the GDPR.
1. Data controller
The controller of your personal data within the meaning of the Personal Data Protection Act ("Official Gazette of the RS", No. 87/2018) and the General Data Protection Regulation (GDPR) is Udruženje za retke bolesti VHL Srbije.
For any questions regarding the processing of your personal data, you can contact us by email at udruzenje.vhlsrbija@gmail.com.
2. What data we collect
We collect only the data that is necessary for the operation of the site and for achieving the specific purpose for which you provided it:
- Contact form: first and last name, email address, message content. We use them solely to reply to you.
- Membership application: first and last name, contact details and, optionally, additional information you choose to share (e.g. patient status, family member).
- Technical data: aggregated visit statistics (number of visits, general location, device type), anonymised, without tracking individual users.
3. Legal basis for processing
We base the processing of your data on the following legal grounds:
- Your consent (Article 12 of the Act / Article 6.1.a GDPR), for optional data you choose to share (e.g. details in a membership application).
- The association's legitimate interest (Article 12 of the Act / Article 6.1.f GDPR), to respond to your enquiry and for basic communication.
- Legal obligation, where processing is necessary to fulfil the association's legal obligations.
4. Special categories of data (health data)
If, in contacting us, you mention a health condition (your own or a family member's), that constitutes a special category of data and stricter protection rules apply. We never share such data without your explicit consent and do not publish it without prior written consent.
5. With whom we share data
We do not sell your personal data. We share it only with a limited number of service providers who help us run the site (hosting, email delivery), and only to the extent necessary:
- Vercel (site hosting) - USA/EU, subject to standard data transfer clauses.
- Sanity.io (CMS) - EU, GDPR-compliant.
- Resend or a similar email service - for delivering replies to your enquiries (once the email integration is activated).
6. How long we keep data
- Contact messages: up to 2 years from the last communication, after which they are deleted.
- Membership: for the duration of membership and for an additional period of up to 5 years after it ends, in line with legal obligations.
7. Your rights
In accordance with the Act and the GDPR, you have all of the following rights with respect to your personal data:
- Right of access - find out what data we hold about you
- Right to rectification - have inaccurate data corrected
- Right to erasure ("the right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to certain processing
- Right to withdraw consent at any time
- Right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection (poverenik.rs)
8. Data security
We apply reasonable technical and organisational protection measures: HTTPS across the entire site, controlled access for administrators, regular backups and software updates. Nevertheless, no system on the internet is 100% secure; in the event of an incident we will act in accordance with the statutory deadlines and notify you and the competent authorities where required.
9. Cookies
For details about the cookies the site uses, see the separate Cookie policy.
10. Changes to this policy
We may update this policy from time to time. The date of the last update is shown at the top of the page. Material changes will be announced through a news post on the site.