Privacy Policy

Who we are

This site (webnestify.org) is operated by Webnestify Education, o. z., a registered civic association (občianske združenie) based in Slovakia. For any question about personal data, write to [email protected].

Address for postal correspondence: Karpatské námestie 7770/10A, 831 06 Bratislava – Rača, Slovakia.

Summary

We run this site with a strong privacy-first posture:

• No advertising cookies, no cross-site trackers, no behavioural profiling.
• Analytics is a self-hosted instance of Plausible — cookieless and anonymised.
• Fonts, images, and scripts are served from our own domain — no Google Fonts, no CDN fingerprinting.
• The only cookies set are strictly necessary security cookies from our CDN (Cloudflare).

What data we process, and why

Analytics — Plausible Analytics (self-hosted)

We run our own instance of Plausible Analytics at pa.webnestify.org, hosted on Hetzner servers in Germany (EU). Plausible does not use cookies, does not track individuals, and does not share data with third parties. It processes anonymised, aggregated traffic data only: page paths, referrers, country-level geolocation, device type, and browser family. IP addresses are hashed with a daily rotating salt and are not retained.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — we need aggregate traffic data to understand which pages help visitors and to improve the site.

Contact form — Web3Forms

When you submit a contact form, we use Web3Forms as a processor to forward your submission to our inbox. The data you send (your name, email address, message, and any other fields you fill in) passes through Web3Forms' servers briefly and is then delivered to [email protected].

Web3Forms retains form submissions for up to 90 days for delivery reliability and abuse prevention. We keep contact correspondence in our inbox for up to 24 months unless the conversation is still active.

Legal basis: consent by action (Art. 6(1)(a)) — you choose to send us a message — and preparation of a potential agreement (Art. 6(1)(b)) when you ask us about a talk, workshop, or partnership.

Bot protection — Cloudflare Turnstile

Some forms use Cloudflare Turnstile to verify that the submission comes from a human and not an automated script. Turnstile does this by collecting limited, privacy-preserving browser signals (timing, canvas rendering, environment checks) and sending them to Cloudflare for scoring. Turnstile does not set tracking cookies and does not identify individual users across sites.

Legal basis: legitimate interest (Art. 6(1)(f)) — we need to keep our forms usable against spam and abuse.

Hosting and CDN — Cloudflare

This site is hosted on Cloudflare Pages and served through Cloudflare's global CDN. Cloudflare's edge servers process each request, including your IP address and the page you are requesting, in order to deliver the page and to protect the site from attacks. Cloudflare may set the following strictly necessary cookies for security:

• __cf_bm — bot management, ~30 minutes lifetime.
• cf_clearance — set only after a visitor passes a security challenge.

These cookies fall under the strictly-necessary exemption in Article 5(3) of the ePrivacy Directive and therefore do not require consent. See the Cloudflare Privacy Policy and the Cloudflare Cookie Policy for details.

Newsletter (planned)

We plan to offer an opt-in email newsletter, using a self-hosted instance of Listmonk running on our own EU infrastructure. Subscription will be double opt-in: you enter your email, we send you a confirmation link, and only after you click it do we add you to the list. You can unsubscribe at any time with a single click from the footer of any newsletter email.

Data we would store: your email address, your optional name, the topics you subscribed to, and the timestamp of your consent and confirmation. Email delivery is handled by Postmark (Wildbit, LLC, USA, with EU Standard Contractual Clauses), which receives the message and your email address only for the moment needed to transmit the email, and retains delivery metadata for debugging.

Legal basis: consent (Art. 6(1)(a)).

Server logs

Cloudflare keeps short-term edge logs (typically a few hours) containing IP addresses, timestamps, request paths, and user-agents. These logs are used to mitigate attacks and to debug infrastructure issues. We do not use them for analytics or profiling.

Cookies used on this site

The only cookies this site can set are strictly necessary security cookies from Cloudflare:

• __cf_bm — Cloudflare Bot Management — 30 minutes.
• cf_clearance — Cloudflare challenge clearance — up to 30 days, only after an interactive challenge.

We do not use analytics cookies, advertising cookies, A/B testing cookies, or any third-party tracking pixels.

Who we share data with (processors)

We work with a small number of service providers who process personal data on our behalf. Each is bound by a Data Processing Agreement.

• Cloudflare, Inc. (US, with EU Standard Contractual Clauses) — hosting, CDN, Turnstile bot protection. DPA.
• Web3Forms — contact-form relay. See their privacy policy.
• Hetzner Online GmbH (Germany, EU) — infrastructure hosting for our Plausible instance and any self-hosted services. DPA.
• Postmark / Wildbit, LLC (US, with EU Standard Contractual Clauses) — transactional and newsletter email delivery (once the newsletter launches). EU privacy.

We never sell personal data. We never share data with advertising networks.

Where data is stored

Analytics and self-hosted services are stored on Hetzner servers in Germany. Static site assets are served from Cloudflare's global edge — when you visit from the EU, Cloudflare normally serves you from an EU point of presence. Form submissions pass briefly through Web3Forms' infrastructure; check their current privacy policy for specifics.

How long we keep data

• Plausible analytics — aggregated, anonymised, kept indefinitely (no individual data).
• Contact form submissions in Web3Forms — up to 90 days.
• Contact correspondence in our inbox — up to 24 months unless still active.
• Cloudflare edge logs — a few hours.
• Newsletter subscriptions (once launched) — until you unsubscribe, or you ask us to delete the record.

Your rights

Under the GDPR you have the right to:

• Access the personal data we hold about you (Art. 15).
• Ask us to correct inaccurate data (Art. 16).
• Ask us to erase your data (Art. 17).
• Ask us to restrict or object to processing (Art. 18, 21).
• Receive your data in a portable format (Art. 20).
• Withdraw consent at any time, where consent is the legal basis.

To exercise any of these rights, email [email protected]. We reply within 30 days.

If you believe we have mishandled your data, you have the right to lodge a complaint with the Slovak Office for Personal Data Protection (Úrad na ochranu osobných údajov SR), dataprotection.gov.sk.

Changes to this policy

When we change how we handle data — for example when we launch the newsletter, or add a new processor — we update this page and bump the "last updated" date at the top.