Legal
Privacy Policy
Last updated: 18 May 2026
Version 2.0. Slovenian is the primary, legally prevailing version. This English version is informational; in case of conflict, the Slovenian version prevails.
Summary: Funkie processes the minimum personal data required to operate the app and websites. No ads, no third-party trackers, no data selling. All servers in the EU. You have the right to access, rectify, erase, and complain, contact: support@funkie.si.
1. Data Controller
The controller of personal data in relation to the Funkie application (iOS, later Android), website https://funkie.si, and business platform https://business.funkie.si is:
Marvix Digital d.o.o.
Marušičeva ulica 7, 6000 Koper, Slovenia
Company registration number: 9836802000
VAT ID: SI70710015
Privacy email: support@funkie.si
General email: support@funkie.si
Hereinafter: "we", "Funkie", "controller".
Data Protection Officer (DPO): Funkie is not required to appoint a DPO under Article 37 GDPR and Article 46 of the Slovenian Personal Data Protection Act (ZVOP-2) because (a) we are not a public authority, (b) we do not perform large-scale systematic monitoring of individuals, and (c) we do not process special categories of personal data at scale. All privacy enquiries should be addressed to support@funkie.si.
2. Scope
This notice applies to the processing of personal data of individuals who:
- use the Funkie mobile app (iOS, later Android) as registered users or guests;
- visit the funkie.si website;
- subscribe to the launch notification (newsletter);
- sign up as activity providers on the business.funkie.si platform;
- contact us via forms or email.
3. Personal data we process, legal basis, and purpose
In line with the principles of purpose limitation and data minimisation (Article 5 GDPR), we process only the personal data strictly necessary to achieve the purposes set out below.
3.1 Funkie mobile app users
| Data | Legal basis | Purpose | Retention |
|---|---|---|---|
| Email address | 6(1)(b) - contract | Account creation, sign-in, magic code delivery | Until account deletion or erasure request |
| Funkie user ID (UUID) | 6(1)(b) - contract | Internal user identification | Until account deletion |
| User role (guest/user) | 6(1)(b) - contract | Distinguishing between usage modes | Until account deletion |
| Password (bcrypt-hashed) | 6(1)(b) - contract | Authentication (only if user sets a password) | Until account deletion. Stored only as a one-way bcrypt hash (cost 12) |
| Authentication tokens (JWT access + refresh) | 6(1)(b) - contract | Session maintenance, secure API communication | Access token: 15 minutes. Refresh token: 7 days. Hashed in DB, plaintext only in iOS Keychain |
| Magic sign-in code (6 digits) | 6(1)(b) - contract | Passwordless sign-in | 10 minutes, then automatically deleted |
| Email verification status | 6(1)(b) - contract | Confirming email authenticity | Until account deletion |
| Location (lat/lng) | 6(1)(b) - contract | Showing activities by distance. Used in-query only, NEVER stored | Not stored. Discarded immediately after the query returns |
| Favourite activities | 6(1)(b) - contract | User experience personalisation | Until removed by user or account deletion |
| First-party analytics events: activity ID, event type (view, favourite add/remove, navigate click, phone/email/website click), timestamp | 6(1)(f) - legitimate interest | Service improvement, anonymous statistics for providers, debugging. Stored on our own EU server. No third-party access | 24 months, then automatically deleted. Upon account deletion, userId in events is set to NULL (anonymised) |
Legitimate interest assessment, analytics events: Usage telemetry is necessary for service maintenance and development, for showing providers statistics about their listings, and for diagnosing issues. Events contain no location or sensitive data. The balance between our interest and your rights favours processing because the data is minimal, stays in the EU, is never used for marketing, and is anonymised upon account deletion. You may object at any time at support@funkie.si (Article 21 GDPR).
Contract necessity assessment, location: Location is essential to the core service (finding activities near the user). If location permission is denied, the app remains functional with a manual city picker. Location is transmitted to the server over an encrypted connection per query, used for the response, and discarded, not logged, not stored.
3.2 funkie.si website visitors
The website is static. We do not use Google Analytics, Facebook Pixel, or any third-party trackers. No third-party cookies. Browser localStorage is used only for:
- storing the language preference and a flag indicating consent for technical local storage ("funkie-cookies-accepted").
See our Cookie Policy.
3.3 Launch newsletter signup
| Data | Legal basis | Purpose | Retention |
|---|---|---|---|
| Email address | 6(1)(a) - consent | Sending a one-time launch notification | Until consent withdrawal or up to 60 days after public launch |
| Source of subscription (e.g. web_sl, web_en) | 6(1)(f) - legitimate interest | Channel analytics | Stored with the subscription |
| Subscription timestamp | 6(1)(c) - proof of consent | Demonstrating valid consent | 3 years after consent withdrawal |
Consent can be withdrawn at any time by emailing support@funkie.si or via the unsubscribe link in every email we send.
3.4 Activity providers (business.funkie.si)
If you sign up as an activity provider, we process additional data:
| Data | Legal basis | Purpose | Retention |
|---|---|---|---|
| Contact person's name and surname | 6(1)(b) - contract | Contract communication | Contract duration + 5 years (statute of limitations) |
| Email address | 6(1)(b) - contract | Authentication, communication | Contract duration + 5 years |
| Business name, tax/registration numbers, address | 6(1)(b) + 6(1)(c) - contract + tax law | Contract conclusion, invoicing | 10 years after end of fiscal year (Slovenian ZDavP-2 Art. 43) |
| Contact phone number | 6(1)(b) - contract | Sign-up and support communication | Contract duration + 5 years |
| Activity type, city, message at signup | 6(1)(b) - contract | Platform fit review | Contract duration + 2 years |
| Selected plan and locked price | 6(1)(b) - contract | Contract performance, billing | Contract duration + 10 years (accounting records) |
| Listing content (activity name, description, photos, prices, contact info) | 6(1)(b) - contract | Display in Funkie app | Contract duration. Listing taken down within 7 days of termination, archived for 12 months for potential reactivation |
| Accounting records (invoices, received documents) | 6(1)(c) - tax and accounting law | Slovenian ZDDV-1, ZDavP-2, ZGD-1 compliance | 10 years after end of fiscal year |
3.5 Contact form and support
If you contact us via form or email, we process the data you provide (name, email, business name, message) under:
- Article 6(1)(b) GDPR for pre-contractual activities;
- Article 6(1)(f) GDPR for general enquiries (legitimate interest in responding).
Retention: 2 years from last contact, except for pre-contract communications leading to a contract (then the retention in 3.4 applies).
3.6 What we do NOT process
- Special categories of personal data (health, sexual orientation, religion, political opinions, biometrics);
- Payment card or financial data (provider invoices are settled outside the Funkie system);
- Private communication content between users (none exists in the app);
- Advertising identifiers (IDFA on iOS), Facebook Pixel, Google Analytics, Google Tag Manager;
- Third-party trackers on the website or in the app;
- Data from children under 16 (see section 11).
4. Recipients - processors
We do not sell, rent, or share your personal data with third parties for their own purposes. For service delivery we engage the following processors under Article 28 GDPR:
| Processor | Purpose | Location | DPA |
|---|---|---|---|
| Hetzner Online GmbH | Server, database, application hosting | Germany (EU) | Signed |
| Neoserv d.o.o. | SMTP for outbound email (sign-in codes, provider notifications) | Slovenia (EU) | Signed |
| Apple Inc. | iOS app distribution via App Store. Apple acts as an independent controller for App Store user data | USA (Apple EU-US Data Privacy Framework + SCC) | Apple DPLA |
All processors have access strictly to data necessary for their service and are contractually bound to confidentiality and GDPR-compliant personal data protection.
5. Transfers outside the EEA
All our servers, databases, SMTP services, and processors are in the EU/EEA (Hetzner in Germany, Neoserv in Slovenia). We do not transfer your personal data to third countries.
Exception: Apple Inc. When you download Funkie from the App Store, Apple processes certain data (your Apple ID, device) in the US. Apple relies on the EU-US Data Privacy Framework adequacy decision and standard contractual clauses. For App Store data, Apple is an independent controller, not our processor.
6. Security of processing
We implement appropriate technical and organisational measures to protect personal data:
- All communication between app/site and servers is encrypted (HTTPS/TLS 1.2+, HSTS);
- Authentication tokens are stored in iOS Keychain (secure system storage), server-side as one-way bcrypt hashes;
- Passwords are never stored in plaintext - bcrypt cost 12;
- Database is not publicly accessible (Docker-internal network only);
- Server is protected by firewall, fail2ban, and automated security updates;
- Production SSH access is key-based only, no passwords;
- System logs limited to 12 months retention;
- Regular encrypted-at-rest backups;
- Regular system and application updates.
7. Personal data breach
In the unlikely event of a personal data breach posing a risk to the rights and freedoms of individuals, we will notify the Slovenian Information Commissioner within 72 hours (Article 33 GDPR). If the breach poses a high risk, we will also notify affected individuals without undue delay (Article 34 GDPR).
8. Automated decision-making and profiling
Funkie does not perform automated decision-making within the meaning of Article 22 GDPR, including profiling that would have legal or similarly significant effects. Sorting activities by distance is a display feature, not a decision in a legal sense.
9. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15 GDPR) - request a copy of all data we hold about you.
- Right to rectification (Article 16 GDPR) - correct inaccurate data in your profile or by email.
- Right to erasure / "right to be forgotten" (Article 17 GDPR) - request deletion. In-app: Profile → Delete account. By email: support@funkie.si. Exceptions: data we must retain by law (10-year accounting records).
- Right to restriction of processing (Article 18 GDPR).
- Right to data portability (Article 20 GDPR) - we provide your data in structured, machine-readable format (JSON). Available in-app or by email request.
- Right to object (Article 21 GDPR) - object to processing based on legitimate interest (e.g., analytics events).
- Right to withdraw consent (Article 7 GDPR) - withdrawal does not affect processing prior to withdrawal.
Exercise rights by emailing support@funkie.si. We will respond without undue delay, no later than one month from receipt (extendable by two months in complex cases, with notice). Exercise is free of charge unless requests are manifestly unfounded or excessive.
10. Right to lodge a complaint
If you believe processing of your personal data infringes GDPR or ZVOP-2, you may lodge a complaint with the supervisory authority:
Information Commissioner of the Republic of Slovenia
Dunajska cesta 22, 1000 Ljubljana, Slovenia
Phone: +386 (0)1 230 97 30
Email: gp.ip@ip-rs.si
Web: www.ip-rs.si
You may also contact us first - we are happy to resolve issues directly.
11. Children
The Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from minors under 16. By registering, you confirm you are at least 16 years old. If we learn that we have collected data from a person under 16 without valid parental consent, we will delete it without delay. Report such cases to support@funkie.si.
12. Updates to this policy
We may update this privacy policy occasionally. For material changes we will notify you via the app or by email at least 30 days before the change takes effect. The current version and last-updated date are always shown at the top of this page.
13. Contact
Marvix Digital d.o.o.
Marušičeva ulica 7, 6000 Koper, Slovenia
Privacy email: support@funkie.si
General email: support@funkie.si
This privacy policy is drafted in compliance with Regulation (EU) 2016/679 (GDPR), the Slovenian Personal Data Protection Act (ZVOP-2, Official Gazette RS no. 163/22), and the Slovenian Electronic Communications Act (ZEKom-2). The Slovenian version is the primary and prevailing version. View Slovenian version.