Privacy Policy and Cookie Policy

Introduction
Your privacy is important to us. This policy explains how we collect, use, and protect personal data in accordance with the GDPR and the regulations of the Republic of Croatia. "We," "us," and "the portal" refer to Karlobag.eu.

1) Data Controller
CroDodo, vl. Domagoj Skledar, Vilima Korajca 5, 10000 Zagreb, Croatia, EU
Privacy contact: karlobag.eu@gmail.com
Server: EU (Germany – Hetzner Online GmbH).

2) What data we collect
Data you provide to us yourself (e.g., contact form, story tip) and technical data collected automatically when using the site (IP address, cookie identifiers, device/browser information, server logs).

3) Purposes and legal bases
– Responding to inquiries and editorial communication: legitimate interest (Art. 6(1)(f)).
– Traffic analysis and service improvement: consent (non-essential cookies).
– System security and abuse prevention: legitimate interest; logs and protective measures.
– Fulfillment of legal obligations: Art. 6(1)(c) where applicable (e.g., requests from authorities).
We do not make decisions with legal effect solely based on automated processing without human supervision.

4) Recipients and transfers
Hosting: Hetzner Online GmbH (EU/DE).
E-mail: Google Ireland Limited (possible transfers to Google LLC USA with SCC/DPF, when applicable).
Analytics/Ads: Google Analytics 4, Google AdSense (active only with consent).
Statistics: Statcounter (pseudonymized analytics according to their documentation).
Content sharing: ShareThis and/or social media buttons (cookies after your interaction and/or consent).
We do not sell or rent data to third parties.

5) Retention periods
Inquiries: up to 12 months from the last communication (unless a legal claim requires longer).
Server logs: typically 30–90 days.
Analytics (GA4): up to 14 months (EU IP processing is limited/anonymized).
Cookies: according to type and purpose (see below).

6) Your rights
Access, rectification, erasure, restriction of processing, portability, objection, and the right to object to decisions based solely on automated processing. Request: karlobag.eu@gmail.com. Complaint: AZOP, Ulica Metela Ožegovića 16, 10000 Zagreb, azop@azop.hr.

7) Exercising your rights
Send an e-mail with the subject "GDPR request" and a description; for data protection purposes, we may request reasonable identity verification. We generally respond within 30 days (with the possibility of a legal extension).

8) Security
HTTPS, access controls, backups, logging, and other protective measures.

9) Children and minors
For consent-based services, consent can be given by a person aged 16+; younger individuals require consent from a parent/guardian (Republic of Croatia).

10) Protection of journalistic sources
We protect the anonymity of sources, except in legally prescribed exceptions.

11) Data processors and third parties
Hetzner Online GmbH (hosting), Google Ireland Limited (e-mail), Google Analytics 4 (analytics), Google AdSense (ads), Statcounter (statistics), ShareThis (sharing), Facebook SDK (social plug-ins).

Audience Measurement (EMFA)
For statistics, we use Google Analytics 4 and Statcounter; non-essential cookies and personalized ads are activated only after your consent in the "Privacy Settings."

12) Changes to this policy
We update the policy from time to time; changes are published here with a new effective date.

Cookie Policy
A) What are cookies and similar technologies
"Cookies" are small files on your device; we also include local storage, pixels, SDKs. For anything not strictly necessary, we ask for prior consent (banner/"Privacy Settings").
B) Categories
– Strictly necessary: session, security (essential for site operation).
– Analytical: statistics (GA4) – active only after consent.
– Marketing: personalized ads and measurement (AdSense) – with consent.
– Social media and sharing: ShareThis and/or social plug-ins – with interaction and/or consent.
C) Google Analytics 4 (EU focus)
For EU traffic, IP data is used solely for coarse geolocation and is then discarded; processing takes place on EU servers before any further processing. We use GA4 only after consent; retention up to 14 months.
D) Managing consent
You can change/withdraw your consent at any time – open settings. You can also manage cookies through your browser (Chrome, Firefox, Edge, Safari).
E) Summary of cookies used on Karlobag.eu
Necessary (first-party: karlobag.eu)
ASP.NET_SessionId — duration: session — purpose: maintain user session — provider: Karlobag.eu
__RequestVerificationToken — duration: session — purpose: CSRF protection — provider: Karlobag.eu (if active)
Analytical (Google Analytics 4)
_ga — 2 years — distinguish users — Google Analytics 4
_ga_30SBP6PLXE — 2 years — maintain session state — Google Analytics 4
_gid — 24 hours — distinguish users — Google Analytics 4
Marketing / advertising (Google AdSense)
__gads — 13 months — measure ad interaction — Google AdSense
__gpi — 13 months — profiling and measurement — Google AdSense
IDE — up to 13 months — advertising cookie (third-party *.doubleclick.net) — Google
Sharing and social networks
stid — 12 months — identifier — ShareThis
_stidv — 12 months — additional identifier — ShareThis
st_samesite — 12 months — protection parameter — ShareThis
__sharethis_cookie_test__ — session — check settings — ShareThis
fr — up to 3 months — Facebook advertising/plug-in — Facebook
sb — up to 2 years — security/login — Facebook
datr — up to 2 years — security and integrity — Facebook
Statistics (Statcounter)
sc_is_visitor_unique — up to 2 years — distinguish visitors — Statcounter
is_unique — up to 5 years — visit statistics — Statcounter

Contact
karlobag.eu@gmail.com

Date of last change: 09/09/2025.