Legal
Privacy Policy
Last updated: April 6, 2026
Notice to individuals under Article 13 of the General Data Protection Regulation (GDPR) regarding the processing of personal data.
The controller of your personal data in relation to the Funkie application and the website https://funkie.si/ is:
MARVIX DIGITAL d.o.o.
Marusiceva ulica 7,
6000 Koper - Capodistria,
Slovenia
Company reg. no. 9836802000
VAT ID no. SI 70710015
Email: privacy@funkie.si
Website: https://funkie.si
(hereinafter: "we", "us", "our", "Funkie", or "the company")
A Data Protection Officer has not been appointed. Please reach out to us with any privacy-related inquiries or requests at privacy@funkie.si.
Purpose of this notice
This notice describes how our organization processes and protects the personal data of individuals who use the Funkie mobile application (iOS and Android) and the website at funkie.si (hereinafter collectively: "the Service").
Unless otherwise stated, terms used in this notice (e.g. personal data, processing, controller, processor) have the same meaning as in the General Data Protection Regulation (GDPR).
We may update this notice from time to time. In the event of substantial changes, we shall inform individuals via the app or by email.
1. What data we process, legal basis, and purpose
1.1 User account data
| Data | Legal basis | Purpose | Retention |
|---|---|---|---|
| Email address | Contract performance (Art. 6(1)(b)) | Account creation, authentication via magic code login, essential service communications | Until account deletion or upon request |
| User role (guest/user) | Contract performance (Art. 6(1)(b)) | Service functionality, access control | Duration of account |
| Favorite activities | Contract performance (Art. 6(1)(b)) | Personalization of user experience | Until removed by user or account deletion |
1.2 Technical data
| Data | Legal basis | Purpose | Retention |
|---|---|---|---|
| Location (latitude/longitude) | Legitimate interest (Art. 6(1)(f)) | Show nearby activities sorted by distance. Transmitted to API but never stored | Not stored |
| Authentication tokens (JWT) | Contract performance (Art. 6(1)(b)) | Session management, secure authentication | Access: 1 hour. Refresh: 7 days. Hashed in database |
| Magic login codes | Contract performance (Art. 6(1)(b)) | Passwordless authentication | 10 minutes, then automatically deleted |
| Guest identifier (UUID) | Legitimate interest (Art. 6(1)(f)) | Allow browsing without account | 30 days of inactivity, then purged |
Legitimate interest assessment (location): Location is transmitted only when the user actively requests nearby activities. It is never stored, logged, or associated with the user's account. The user can deny location permission at the device level at any time, and the app remains fully functional without it.
Legitimate interest assessment (guest identifier): A temporary identifier allows users to browse activities without creating an account. It contains no personal information and is automatically purged after 30 days of inactivity.
1.3 Launch notification (website)
| Data | Legal basis | Purpose | Retention |
|---|---|---|---|
| Email address | Consent (Art. 6(1)(a)) | Send a one-time notification when the Funkie app launches | Until notification is sent, then deleted. Can be withdrawn at any time by emailing privacy@funkie.si |
1.4 What we do NOT collect
- No names, phone numbers, or dates of birth
- No passwords (we use passwordless magic code authentication)
- No analytics or tracking cookies on the website
- No advertising identifiers or third-party tracking
- No browsing history or device fingerprinting
- No payment or financial data
2. Data storage and security
Your data is stored on servers located in the European Union:
- Hetzner Online GmbH (Falkenstein, Germany) - server hosting and data processing
Security measures in place:
- All data transmitted over encrypted connections (HTTPS/TLS)
- Authentication tokens stored in device secure storage (iOS Keychain / Android Keystore)
- Refresh tokens hashed (bcrypt) before database storage
- Database not publicly accessible (localhost binding only)
- Server secured with firewall and fail2ban
2.1 Data breach notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner within 72 hours and inform affected individuals without undue delay, as required by Articles 33 and 34 of the GDPR.
3. Data sharing and processors
We do not sell, rent, or share your personal data with third parties for their own purposes.
The following processors may access your data in order to provide the Service:
| Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting, infrastructure | Germany (EU) |
| Self-hosted SMTP (on Hetzner) | Sending magic code login emails and launch notifications | Germany (EU) |
We have entered into Data Processing Agreements (Art. 28 GDPR) with all processors listed above.
No data is transferred outside the European Economic Area (EEA). No automated decision-making or profiling is performed.
4. Your rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) - request a copy of all data we hold about you
- Right to rectification (Art. 16) - correct any inaccurate data
- Right to erasure (Art. 17) - request deletion of your account and all associated data
- Right to data portability (Art. 20) - receive your data in a structured, machine-readable format
- Right to restriction (Art. 18) - request we limit processing of your data
- Right to object (Art. 21) - object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) - where processing is based on consent
To exercise any of these rights, email us at privacy@funkie.si. We will respond within one month as required by the GDPR.
You also have the right to lodge a complaint with the supervisory authority:
Information Commissioner of the Republic of Slovenia
Dunajska cesta 22, 1000 Ljubljana
www.ip-rs.si
Email: gp.ip@ip-rs.si
5. Cookies
Our website uses only technically necessary cookies. For detailed information about the cookies we use, please see our Cookie Policy.
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies on the website or in the app.
6. Children's privacy
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at privacy@funkie.si and we will promptly delete it.
7. Contact
For any questions about this privacy policy, your personal data, or to exercise your rights:
MARVIX DIGITAL d.o.o.
Marusiceva ulica 7, 6000 Koper, Slovenia
Email: privacy@funkie.si
General inquiries: info@funkie.si