Privacy Policy

Last updated: 4 June 2026

This English translation is provided for convenience. The Croatian-language version is the authoritative text in case of any discrepancy or legal dispute.

1. Data controller

The controller of personal data processed in connection with the souvie.link service is currently Lucian Tutunović, an individual operator, Gorenščak 1, 10000 Zagreb, Republic of Croatia (the "Controller", "we", "us"). Full operator details are on the Impressum page.

The Service is currently operated by an individual as a temporary arrangement. Once the operator's successor company is established, it will become the controller for the data described here, and you will be notified. Our Merchant of Record (see clause 3) is a separate, independent controller for the payment data it processes as seller of record.

Contact for privacy matters: info@souvie.link. We have not appointed a Data Protection Officer because we do not meet the criteria in Art. 37 GDPR; you may contact us directly at the address above.

2. What data we process, why, and on what legal basis

2.1 Account data

• Data: email address, language preference (locale).
• Purpose: creating and managing your paid souvie.link, sign-in via magic link, transactional email (receipts, expiry warnings).
• Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
• Retention: for the validity period of your souvie.link plus 11 years thereafter for accounting purposes (Croatian General Tax Act).

2.2 Payment data

• Data: the active payment provider's order / session / capture identifiers, amount, currency, payment status, payment kind, timestamps. We do not receive or store your card or bank account details — those are processed solely by the active payment provider.
• Seller of record: our Merchant of Record — an independent third-party payment company (see clause 3) that sells and invoices the souvie.link to you.
• Purpose: processing your purchase, issuing receipts, reconciling refunds and disputes.
• Legal basis: performance of a contract (Art. 6(1)(b)) and legal obligation under accounting and tax law (Art. 6(1)(c)).
• Retention: 11 years from the end of the tax year (Croatian General Tax Act).

2.3 Souvie.link content

• Data: the slug (short code) and the destination URL you set, plus timestamps of creation, last update, and expiry.
• Purpose: performing the redirect, allowing you to edit the destination, showing the expiry notice.
• Legal basis: performance of a contract (Art. 6(1)(b)).
• Retention: guaranteed for the entire 5-year validity period, plus 30 days after expiry; the slug is then permanently retired and cannot be reissued, and the destination URL is deleted.

2.4 Magic-link authentication tokens

• Data: a hashed one-time token tied to your account, with creation and expiry timestamps.
• Purpose: securing your sign-in.
• Legal basis: performance of a contract and legitimate interest in account security (Art. 6(1)(b) and (f)).
• Retention: tokens expire automatically; consumed tokens are kept for at most 30 days for audit purposes, then deleted.

2.5 Technical data (server logs, geolocation)

• Data: IP address (used at request time for country-level geolocation via the CF-IPCountry header or local MaxMind GeoLite2 lookup, in order to default the interface language), HTTP headers, and standard request metadata. Web-server access logs may include IP, timestamp, request path and user-agent.
• Purpose: serving the requested page in the right language, abuse prevention, debugging, and security incident response.
• Legal basis: legitimate interest in operating a secure service (Art. 6(1)(f)).
• Retention: raw access logs are kept for up to 30 days. IP addresses used for geolocation are processed at request time and not stored alongside your account.

2.6 Free-QR generator

The free QR code generator runs entirely in your browser. The URL you paste into it is never transmitted to our servers and is never stored. We do not have access to it.

3. Recipients (processors and third parties)

We share personal data only with the following recipients, and only as needed to provide the Service:

• Our Merchant of Record — an independent third-party payment company that acts as seller of record: it processes your payment, issues the invoice and remits any applicable VAT. It acts as an independent controller for that processing under its own privacy policy, which is linked at checkout. (The specific provider is being finalised; this page will name it once live.)
• Sendinblue SAS (Brevo) — transactional email delivery (magic links, receipts, expiry warnings). Processor; data centres in the EU. See brevo.com/legal/privacypolicy.
• Google LLC / Google Ireland Ltd. — only if you choose to use the Google Photos integration on the Create page (see §6 below).
• plus.hr — hosting provider for the application and database (data centre in the EU).
• Cloudflare, Inc. — CDN and DDoS protection in front of the site; processes connection metadata in transit.
• State authorities — where we are required to disclose data under Croatian or EU law (e.g. court orders, tax inspection).

We do not sell your personal data. We do not use your data for advertising, profiling or targeted marketing.

4. International transfers

Our Merchant of Record, Google and Cloudflare may transfer data to the United States. Such transfers are covered by the EU–US Data Privacy Framework adequacy decision (where the recipient is certified) and/or by the European Commission's Standard Contractual Clauses (Module 2 or 3). You may request copies of the relevant transfer safeguards at info@souvie.link.

5. Your rights under the GDPR

As a data subject you have the right to:

• access your personal data (Art. 15);
• rectification of inaccurate data (Art. 16);
• erasure ("right to be forgotten") (Art. 17), subject to legal retention obligations;
• restriction of processing (Art. 18);
• data portability (Art. 20);
• object to processing based on legitimate interest (Art. 21);
• withdraw consent at any time, where processing is based on consent (Art. 7(3));
• lodge a complaint with the supervisory authority — in Croatia, the Agencija za zaštitu osobnih podataka (AZOP), Selska cesta 136, 10000 Zagreb, azop.hr.

To exercise any of these rights, email info@souvie.link. We will respond within one month, extendable by two further months for complex requests (Art. 12(3) GDPR).

6. Google Photos integration

The Create page offers an optional flow that creates an empty shared album in your Google Photos library, which you can then share with guests and use as the destination of your souvie.link. This integration uses Google's OAuth 2.0 with the photoslibrary.appendonly scope and runs primarily in your browser.

6.1 What data is accessed

• Your Google account identifier and the OAuth access token issued for the session, both held in your browser only.
• The ID of the empty album we create on your behalf, returned by Google's API.
• The share URL of that album, which you copy and paste back into the Create form so that the souvie.link can redirect to it.

6.2 What data is not accessed

• We do not read, list, download, copy or transfer any of your existing photos or videos.
• We do not access your other albums, contacts, or any Google service other than the album we created.
• The photoslibrary.appendonly scope, by its design, does not grant the ability to read existing media.

6.3 What we store

On our servers we store only the share URL you paste back, as the destination URL of your souvie.link (see §2.3 above). We do not store your Google access token or refresh token on our servers.

6.4 Limited Use disclosure

souvie.link's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

In particular, data received from Google APIs is used only to provide the user-facing feature you requested (creating the empty shared album), is not transferred to others except as necessary to provide that feature in compliance with the User Data Policy, is not used for advertising, and is not read by humans except as expressly permitted under the User Data Policy (e.g. with your explicit consent or for security investigations).

6.5 Revoking access

You can revoke the access you granted at any time from your Google Account: visit myaccount.google.com/permissions, find "souvie.link", and click "Remove access". Revoking access does not affect the album already created or the souvie.link that points to it.

7. Children

The Service is not intended for children under 16. We do not knowingly process personal data of children under 16. If you believe we hold such data, please contact us and we will delete it.

8. Security

We implement appropriate technical and organisational measures (Art. 32 GDPR), including TLS-encrypted transport for all requests, hashed authentication tokens, principle-of-least-privilege scopes for third-party APIs, and segregated production access. No system is perfectly secure; in the event of a personal-data breach likely to result in a high risk to your rights we will notify you in accordance with Art. 34 GDPR.

9. Cookies and local storage

See the separate Cookie Policy.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to registered users by email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the latest version.