Privacy Policy
This Privacy Policy explains how Dejan Vujić (“Controller”, “we”, “us”, or “our”) collects, uses, stores, and protects personal data when you visit this website and use its public AI features, including the Digital Twin chat and Digital Storyteller summary.
Last updated: 2026-05-15
Who operates this site?
This website is operated from the Republic of Serbia by Dejan Vujić. Where applicable, we aim to comply with the Serbian Law on Personal Data Protection and, for users in the European Union / European Economic Area, the principles and standards of the GDPR.
Who is the controller?
The controller of personal data processed through this website is Dejan Vujić.
For privacy-related questions, requests, or complaints, contact: [email protected].
What data we process
Depending on how you use the website, we may process the following categories of data:
- messages, prompts, and any text you submit through the public AI chat;
- voice input converted to text by your browser's Web Speech API, where you choose to use the optional microphone feature — the audio is processed entirely on your device by the browser and only the resulting text transcript is sent to the server;
- limited conversation history sent with your request for continuity of the chat experience;
- AI-generated outputs returned by the system;
- technical and request metadata, such as request ID, session ID, endpoint, latency, model name, token usage, and status or error information;
- security and anti-abuse data, such as a hashed version of your IP address, origin, referrer information where available, and user-agent data;
- consent records, including whether required privacy, AI processing, and necessary storage confirmations were accepted, the consent version, and acceptance timestamp;
- site interaction event logs relating to key actions such as clicks on resume, email, LinkedIn, GitHub, CTA buttons, and consent actions;
- session data stored in a strictly necessary website session cookie;
- browser-side sessionStorage data used to preserve chat continuity and storyteller output in the active tab;
- browser cache data stored by the optional service worker for offline support — this includes static assets only (CSS, JS) and never includes personal data or conversation content;
- your email address, if you voluntarily use the "Export chat by email" feature — used solely to deliver the one-time transcript and not retained by us after delivery;
- Content Security Policy (CSP) violation reports, which may include URL fragments and browser environment data, automatically submitted to the server when your browser detects a policy violation;
- human-verification data related to Google reCAPTCHA, where enabled.
We do not intentionally request special categories of personal data (such as health data, biometric data, political opinions, religious beliefs, or other sensitive information) through the public AI features. Please do not submit sensitive, confidential, proprietary, or third-party personal data.
Sources of personal data
We collect personal data:
- directly from you, when you type a message, click a tracked action, provide consent, use the microphone for voice input, or request a chat export by email;
- automatically from your browser or device, when requests are made to the website, or when the browser sends CSP violation reports;
- from security and infrastructure providers used to protect and operate the service.
Why we process personal data
We process personal data for the following purposes:
- to provide the Digital Twin and Digital Storyteller functionality you explicitly request;
- to maintain session continuity and keep the AI features working in the active browser session;
- to record and demonstrate required user consent choices for privacy, AI processing, and necessary storage;
- to secure the service, prevent abuse, enforce rate limits, and detect malicious traffic;
- to log technical and interaction events, diagnose failures, monitor performance, and improve service integrity and reliability;
- to keep limited records necessary for audit, incident response, rights handling, and service protection;
- to comply with applicable legal obligations and respond to lawful requests.
Legal bases for processing
Where GDPR or equivalent Serbian rules apply, the legal basis may differ depending on the activity:
- Performance of a requested service - for processing strictly necessary to return the AI response you requested through the public interface.
- Legitimate interests - for service security, fraud and abuse prevention, rate limiting, infrastructure protection, technical logging, service diagnostics, and maintaining core site operation.
- Consent - where we rely on your explicit confirmation for AI-feature access, required disclosures, or any future optional processing that legally requires consent.
- Legal obligation - where retention, disclosure, or other processing is required by law or necessary to establish, exercise, or defend legal claims.
The fact that we ask for confirmation before unlocking AI features does not mean every related processing activity relies exclusively on consent as a legal basis. Some operational and security processing may still rely on legitimate interests or legal obligation where applicable.
AI processing and third-party provider disclosure
This website uses the Anthropic Claude API to generate responses for the Digital Twin and Digital Storyteller features. The currently configured model is claude-haiku-4-5-20251001.
When you use these features, the content you submit may be transmitted to Anthropic for processing so the requested output can be generated.
AI-generated responses may be inaccurate, incomplete, or inappropriate in some cases. The AI features are informational only and are not intended as legal, medical, financial, employment, or other regulated advice.
Consent and how it works
Before using the AI features, users are asked to confirm three required statements: agreement to this Privacy Policy, acknowledgment of AI-provider processing, and acknowledgment of strictly necessary cookie/session storage use.
If you do not provide those confirmations, you can still browse the website, but the AI features remain unavailable.
If you previously accepted and want to withdraw that consent record, you may use the withdrawal option below. Withdrawal does not retroactively invalidate processing already carried out before the withdrawal, but it will prevent further use of the AI features until new consent is provided.
Security, logging, and anti-abuse measures
To protect the website and its AI endpoints, we use technical and organizational measures such as origin checks, request validation, security headers, rate limiting, session controls, logging, output sanitization, infrastructure monitoring, and human-verification controls.
For security reasons, we may keep a hashed form of the client IP address rather than the plain IP address in certain internal records.
Google reCAPTCHA
This website uses Google reCAPTCHA v3 to protect AI features from spam, bots, and automated abuse. reCAPTCHA operates invisibly in the background and assigns a risk score to each request based on behavioral signals. By using the AI features, your interactions are subject to the Google Privacy Policy and Terms of Service.
Cloudflare Web Analytics
This website uses Cloudflare Web Analytics to measure page performance, traffic volume, and basic visit patterns. This helps us understand how the site is used and improve reliability and content quality.
Cookies and browser storage
This website does not use advertising cookies. It uses Cloudflare Web Analytics to measure visits and performance, and it uses strictly necessary storage technologies to operate the AI features and preserve session continuity.
- Session cookie - used to maintain basic session continuity, including AI session state and consent state; not used for advertising or profiling; may persist for up to 30 days unless cleared earlier.
- Session storage - used in the active browser tab to keep the current chat transcript and storyteller output available during the active session; expires automatically after approximately 30 minutes of inactivity or earlier if cleared.
- Consent state - stored server-side in session state and reflected in the active browser session so the site knows whether AI-feature access should remain unlocked.
- Cloudflare Web Analytics - used to measure pageviews, performance, and high-level usage patterns for this website.
| Storage item | Purpose | Retention |
|---|---|---|
| Session cookie | Keeps consent state, AI session continuity, and server-side session integrity working across requests. | Up to 30 days or earlier if the session is cleared. |
| sessionStorage chat cache | Preserves the visible chat transcript, follow-up continuity, and Digital Storyteller output inside the active browser tab. | Approximately 30 minutes of inactivity in the active tab, or earlier if the tab/browser storage is cleared. |
| Consent session state | Allows the site to know whether AI features should remain unlocked in the current browser session. | For the life of the active session unless withdrawn or expired sooner. |
| Google reCAPTCHA token | Verifies that protected AI requests appear to come from a human user rather than automated abuse traffic. Token is generated per request and scored server-side. | Short-lived, request-scoped token; not stored server-side. |
Data recipients
Personal data may be disclosed or made available only where necessary to:
- Anthropic, as the AI service provider used to generate responses;
- Google reCAPTCHA, for bot and abuse protection where enabled;
- Cloudflare, for Web Analytics where enabled;
- hosting, infrastructure, database, logging, or security service providers involved in operating the website;
- professional advisers, competent authorities, or counterparties, where disclosure is legally required or necessary to protect rights and claims.
International transfers
Some service providers used to operate the website or AI features may process data outside Serbia and/or outside the EEA. Where such transfers occur, we aim to rely on an applicable legal transfer mechanism and appropriate safeguards required under applicable law, such as contractual safeguards, adequacy mechanisms, or another valid transfer basis.
Data retention
We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy.
- AI interaction records, technical logs, audit events, event tracking logs, and related metadata are generally retained for up to 30 days, unless a shorter or longer period is required for security, incident handling, rights handling, or compliance reasons.
- Consent records are retained at least for the duration necessary to demonstrate that consent was recorded and to operate the service securely, and may also be subject to the same general retention window for audit events.
- Session-related data is retained for the life of the session or until the session expires.
- Browser-side sessionStorage remains only in the active browser session and is removed when the browser tab/session ends, the storage expires, or you clear it.
- Data may be deleted, anonymized, or aggregated earlier where it is no longer needed.
Your rights
Subject to applicable law and depending on your jurisdiction, you may have the right to:
- request access to your personal data;
- request correction of inaccurate data;
- request deletion of your data;
- request restriction of processing;
- object to processing based on legitimate interests;
- request data portability, where applicable;
- withdraw consent, where processing is based on consent;
- lodge a complaint with a competent supervisory authority.
To exercise your rights, contact [email protected] and clearly describe your request. We may request additional information reasonably necessary to verify your identity before acting on the request. Where applicable law sets a response period, we aim to respond within that legal timeframe.
In addition, you can exercise your right to erasure for your current session directly within the application. This will immediately delete all messages, AI transaction logs, events, and feedback associated with your active session from our database.
Complaints to supervisory authorities
If you believe your personal data has been processed unlawfully, you may lodge a complaint with the competent supervisory authority.
In Serbia, the competent authority is the Commissioner for Information of Public Importance and Personal Data Protection. Information is available at poverenik.rs. If you are located in the EU/EEA, you may also have the right to contact the supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement.
Children
This website is not intended for children. We do not knowingly collect personal data from children through the public AI features. If you believe that a child has submitted personal data through this website, contact us so that we can review and delete the data where appropriate.
Automated decision-making
The AI features on this website generate informational outputs, but they are not intended to make decisions that produce legal effects or similarly significant effects about individuals.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. The updated version will be published on this page with a revised “Last updated” date. Where changes materially affect disclosures or consent behavior, the consent version may also change.
Contact
For any privacy request, complaint, or question regarding this Privacy Policy, contact: [email protected].