Privacy policy

Last updated: 25 May 2026

1. Data controller

The dogodki.today portal is managed by BOREO – Regional Hub for NGOs of the Notranjska-Karst Region. Contact for personal data protection questions: dogodkinvo@mcp.si.

2. What data is processed

  • E-mail address (for event notifications)
  • Phone number (optional; for SMS notifications)
  • Name (optional; for personalizing notifications)
  • Location (optional; for "near me" notifications — explicitly shared by the user)
  • Subscription preferences (which categories/organizers you follow, how often)
  • Push subscription endpoint (for browser push notifications)
  • Session token (cookie "narocnik_token", to identify the logged-in user)

3. Legal basis

For all the data listed above, the legal basis is the individual's consent (GDPR Art. 6(1)(a)). You give your consent by actively clicking (email confirmation via magic-link or phone via SMS PIN). You can withdraw your consent at any time via the "Unsubscribe" link in any message, or on the /moje page.

4. Purpose of processing

We use your data exclusively to send notifications about events that match your preferences (category, organizer, location, time before the event). We do not share your data with third parties for marketing or analytics purposes.

5. Third parties

  • Google Maps — on some pages we display Google Maps. The script is only loaded after your consent (by clicking "Load map"). Google may set cookies and collect IP addresses. More: policies.google.com/privacy
  • Push providers (Google FCM, Apple APNs, Mozilla autopush) — for browser push notifications. Notification content is encrypted (VAPID); the provider only sees metadata (endpoint, ID).
  • SMS and e-mail — We send SMS via our own modem (smstools3), and emails via PHPMailer with a DKIM signature from our own server. No third-party providers.

6. Your rights

  • Right of access: you can see all your data and subscriptions on /moje.
  • Right to rectification: changes on /moje (name, phone, location, preferences).
  • Right to erasure ("right to be forgotten"): the "Delete me" button on /moje or the "Delete all my data" link in any email/SMS.
  • Right to restriction of processing: uncheck notification channels or schedules on /moje.
  • Right to object: every email/SMS contains an "Unsubscribe" link.

7. Data retention period

We retain your data until you cancel your subscription. Upon cancellation, the data is immediately deleted. Unconfirmed subscribers are deleted after 7 days; inactive subscribers (more than 5 years without activity) receive a warning and are then deleted.

8. Security

  • TLS (HTTPS) for all transfers between your browser and the server
  • PINs and tokens are cryptographically signed (HMAC) or hashed (bcrypt)
  • Cookies: HttpOnly, Secure, SameSite=Lax
  • CSRF protection for all actions

9. Complaint

If you believe we are violating your rights, you can file a complaint with the Information Commissioner of the Republic of Slovenia (Dunajska 22, 1000 Ljubljana).

10. Contact

For any questions regarding personal data protection: dogodkinvo@mcp.si.