Privacy Policy

1. Data Controller

The data controller for processing of personal data in connection with the Web Summer Camp conference (the “Conference”) is:
Netgen d.o.o.
Savska cesta 182, 10000 Zagreb, Croatia
Company registration number (OIB): 56703914419
Email: [email protected]
For all data protection inquiries, you may contact our data protection officer at: [email protected] (or such other address as may be published on our website from time to time).

2. Scope of This Policy

This Privacy Policy applies to the processing of personal data of all individuals who:
visit the Web Summer Camp website at websummercamp.com;
register for or attend the Conference (including speakers, sponsors, and companions);
subscribe to our newsletter or other communications;
interact with us via email, social media, or other channels in connection with the Conference.
This Policy does not cover third-party websites linked from our website. We encourage you to review the privacy policies of any third-party services you access.

3. Categories of Personal Data, Legal Basis, and Purpose of Processing

The following table sets out the categories of personal data we process, the legal basis under Regulation (EU) 2016/679 (“GDPR”) for each processing activity, and the corresponding purposes.

Category: Registration & Identity Data
Data Elements: Full name, email address, company name, job title
Legal Basis (GDPR): Performance of contract (Art. 6(1)(b) GDPR)
Purpose: Processing conference registration, issuing tickets/invoices, on-site check-in, logistics

Category: Optional Participant Data
Data Elements: Dietary requirements, accessibility needs, T-shirt size
Legal Basis (GDPR): Explicit consent (Art. 6(1)(a) GDPR; Art. 9(2)(a) for special-category data where dietary preferences may reveal health conditions or religious beliefs)
Purpose: Catering arrangements, ensuring venue accessibility, preparing conference merchandise. Provided voluntarily by the participant at registration; may be withheld without affecting registration

Category: Communication Data
Data Elements: Email address, communication preferences, correspondence history
Legal Basis (GDPR): Consent (Art. 6(1)(a)) for marketing; Legitimate interest (Art. 6(1)(f)) for operational communications
Purpose: Sending event-related updates, logistics information, and (where opted-in) newsletters and promotional material including the alumni newsletter

Category: Technical & Website Data
Data Elements: IP address, browser type, device information, pages visited, cookies
Legal Basis (GDPR):Legitimate interest (Art. 6(1)(f)) for website security and analytics; Consent (Art. 6(1)(a)) for non-essential cookies
Purpose: Ensuring website security, preventing abuse, compiling anonymised usage statistics, improving the website

Category: Photo & Video Data
Data Elements: Photographs and video recordings captured at the conference by official photographers/videographers
Legal Basis (GDPR): Legitimate interest (Art. 6(1)(f)) for event documentation and promotion
Purpose: Documenting the event, sharing official photos with participants during and for 7 days after the conference, post-event promotional materials

Category: Feedback & Survey Data
Data Elements: Responses to post-event surveys, session ratings, written feedback
Legal Basis (GDPR): Legitimate interest (Art. 6(1)(f)) in improving the quality and content of the Conference
Purpose: Evaluating event quality, improving future editions of the conference, aggregated reporting

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

4. Photographs and Video Recordings

4.1 Capture at the Conference

Official photographers and/or videographers engaged by the Organiser will be present at the Conference and will capture photographs and video recordings in common and conference areas of the hotel venue. Participants will be informed of the presence of photographers via signage at the venue entrance and in conference session rooms, as well as in the registration confirmation email.

4.2 Legal Basis

The legal basis for capturing and processing photographs and videos is our legitimate interest (Article 6(1)(f) GDPR) in documenting and promoting the Conference. We have assessed that this interest is proportionate and does not override participants’ rights, given that the Conference is a professional industry event held in designated conference areas of the hotel venue where participants have a reasonable expectation that event photography will occur. Photography and videography are limited to conference sessions, workshops, networking areas, and communal event spaces; private hotel areas (guest rooms, spa, etc.) are excluded.

4.3 Sharing of Official Photos with Participants

Official Conference photographs will be made available to registered participants through a dedicated access link (or equivalent mechanism) under the following terms:
Access period: Photos will be shared with participants during the Conference and remain accessible for a period of seven (7) calendar days after the last day of the Conference (the “Access Period”).
Permitted use during the Access Period: Participants may view, download, and share the official photographs for personal, professional, and social-media use, provided that such use does not misrepresent the Conference or infringe the rights of other individuals depicted.
Termination of access: After the expiry of the Access Period, participant access to the photo-sharing platform will be revoked. Any photographs not downloaded during the Access Period will no longer be available to participants.
Organiser’s continued use: The Organiser retains the right to use official photographs and videos for its own promotional, archival, editorial, and marketing purposes, subject to applicable law. The Organiser will periodically review retained visual materials for continued relevance (see Section 9).

4.4 Opting Out

If you do not wish to be photographed or filmed, you may:
notify us in advance at [email protected] so that we can take reasonable steps to accommodate your preference;
approach the official photographers/videographers on-site and request not to be included;
request removal of specific images after the event by contacting us with sufficient detail to identify the images concerned (e.g., description of the image, approximate time and location at the venue, or a reference photo of yourself).
Upon receipt of a valid removal request, we will remove or blur the identified images within ten (10) business days to the greatest extent technically possible. We will use reasonable efforts to honour opt-out requests made in advance or on-site, but cannot guarantee the complete exclusion of incidental appearances in wide-angle or crowd shots.

5. Newsletter and Marketing Communications

Newsletter subscription and associated data is processed by us using HubSpot as a data processor. The legal basis for processing your email address for marketing purposes is your consent (Article 6(1)(a) GDPR), obtained at the time of subscription. You may opt out of marketing communications at any time by clicking the unsubscribe link in any email or by contacting us directly. Opting out of marketing will not affect transactional or operational communications related to your Conference registration.

6. Sources of Personal Data

We collect personal data from the following sources:
Directly from you: when you register for the Conference, subscribe to our newsletter, submit feedback, or correspond with us.
From sponsors: where a sponsor purchases Conference tickets on behalf of their employees or invitees, the sponsor may provide us with the attendee’s name, email address, and company affiliation. In such cases, the sponsor is responsible for ensuring that it has a lawful basis to share your data with us, and we process it under Article 6(1)(b) (performance of contract) or Article 6(1)(f) (legitimate interest in administering the Conference).
From public sources: for speakers, we may collect professional biography information, headshot photographs, and social media handles from publicly available sources (speaker’s personal website, LinkedIn, conference speaker profiles) for the purpose of promoting the Conference programme. The legal basis is our legitimate interest (Article 6(1)(f) GDPR).
Where we have not obtained personal data directly from you, we will inform you of the source and the categories of data concerned in accordance with Article 14 GDPR, no later than one month after obtaining the data or at the time of first communication, whichever is earlier.

7. Data Processors and Third-Party Services

We engage the following categories of third-party data processors, each of which processes personal data strictly on our instructions and subject to appropriate data processing agreements (Article 28 GDPR):
Analytics: Google Analytics 4 (website usage statistics; IP addresses are not logged or stored by GA4 by design; Google Signals is disabled; analytics cookies require prior consent). 
Advertising pixels: Facebook (Meta) Pixel for website activity tracking and retargeting. The Meta Pixel is activated only after you have provided consent via our cookie consent mechanism. For details, consult the Meta Privacy Policy.
Email marketing: HubSpot (newsletter distribution and subscriber management).
Infrastructure: DigitalOcean (cloud hosting and server infrastructure).
Photography: The official Conference photographer/videographer, engaged as an independent contractor, processes images of identifiable individuals on our behalf and is subject to a data processing agreement.
Where any of these processors transfer personal data outside the European Economic Area (EEA), such transfers are safeguarded as follows: transfers to processors in the United States (Google, Meta, HubSpot) are covered by the EU–U.S. Data Privacy Framework adequacy decision (European Commission implementing decision of 10 July 2023), provided the recipient is certified under the Framework; for all other processors, Standard Contractual Clauses (SCCs) adopted by the European Commission apply.

8. Cookies and Tracking Technologies

8.1 What Are Cookies

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites function efficiently and to provide information to the site operators.

8.2 Categories of Cookies We Use

Strictly necessary cookies: These are essential for the operation of our website (e.g., session management, cookie consent preferences). They are placed without your consent as they are required to provide the services you have requested. Legal basis: Legitimate interest (Article 6(1)(f) GDPR) and Article 5(3) of the ePrivacy Directive.
Analytics cookies: We use Google Analytics cookies to collect anonymised, aggregated data about how visitors use our website (pages visited, session duration, traffic sources). These cookies are placed only after you have provided consent via our cookie consent banner. Legal basis: Consent (Article 6(1)(a) GDPR).
Marketing cookies: The Facebook (Meta) Pixel and any associated cookies are used to track website activity for the purpose of serving targeted advertisements on Meta platforms. These cookies are placed only after you have provided consent. Legal basis: Consent (Article 6(1)(a) GDPR).

8.3 Managing Your Cookie Preferences

You may manage your cookie preferences at any time by:
clicking the “Cookie Settings” link in the footer of our website to adjust your consent preferences;
configuring your browser to block or delete cookies (note that disabling strictly necessary cookies may impair website functionality);
using browser extensions or privacy tools that block tracking technologies.
Withdrawing consent for analytics or marketing cookies will not affect the lawfulness of processing carried out prior to withdrawal.

9. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
Registration data: retained for the duration of the Conference and up to 12 months thereafter for operational follow-up (e.g., sharing post-event materials, resolving queries). After 12 months, registration data is deleted unless you have separately consented to receive the alumni newsletter, in which case your name and email address are retained until you opt out.
Optional participant data (dietary requirements, accessibility needs, T-shirt size): deleted within 12 months after the Conference, as it is no longer necessary for any processing purpose.
IP addresses (server logs): purged on a monthly basis.
Newsletter and alumni subscriber data: retained until you withdraw consent (unsubscribe).
Participant access to official photos: revoked after 7 calendar days following the Conference. The Organiser’s own archival copies of photographs and videos are retained for the purpose of promoting current and future editions of the Conference and for historical archival purposes, and are reviewed periodically for continued relevance.
Survey and feedback data: retained in anonymised/aggregated form

10. Automated Decision-Making and Profiling

We do not use your personal data for automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. Third-party services we use (such as Meta and Google) may engage in profiling under their own data controllership and privacy policies; we refer you to those policies for further detail.

11. Your Rights Under the GDPR

Subject to the conditions and exceptions set out in the GDPR, you have the following rights in relation to your personal data:
Right of access (Article 15) – to obtain confirmation of whether your data is being processed and, if so, a copy of the data.
Right to rectification (Article 16) – to have inaccurate data corrected or incomplete data completed.
Right to erasure (Article 17) – to request deletion of your data where it is no longer necessary, or where you withdraw consent.
Right to restriction of processing (Article 18) – to request that processing be limited in certain circumstances.
Right to data portability (Article 20) – to receive your data in a structured, commonly used, machine-readable format.
Right to object (Article 21) – to object to processing based on legitimate interest, including profiling.
Right to withdraw consent (Article 7(3)) – where processing is based on consent, to withdraw that consent at any time.
To exercise any of these rights, contact our data protection contact person at [email protected]. In order to protect your data from unauthorised access, we may need to verify your identity before processing your request. We will respond within one month of receipt of your request, as required by Article 12(3) GDPR. If we need to extend this period (by up to a further two months due to the complexity or volume of requests), we will inform you of the reasons for the delay within the initial one-month period.

12. Complaints

If you are dissatisfied with how we process your personal data, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (Agencija za zaštitu osobnih podataka – AZOP):
AZOP
Ulica Metela Ožegovića 16, 10000 Zagreb, Croatia
Website: azop.hr
You also have the right to lodge a complaint with the supervisory authority of your habitual residence or place of work, if different.

13. Children

The Conference and our website are not intended for children under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected data from a person under 18, we will delete that data promptly.

14. Cancellation of the Conference

In the event that the Conference is cancelled and will not be rescheduled, we will delete all personal data collected in connection with the Conference within 60 days of the cancellation announcement, except where retention is required by law (e.g., tax and accounting records) or where you have separately consented to receive ongoing communications (e.g., the alumni newsletter).

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we provide. Material changes will be communicated via our website and, where appropriate, by email to registered participants. The “Last updated” date at the top of this Policy indicates the most recent revision.

16. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Croatia, without regard to its conflict-of-law provisions. Any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts in Zagreb, Croatia, without prejudice to your right to lodge a complaint with a supervisory authority under Article 77 GDPR or to an effective judicial remedy under Article 79 GDPR before the courts of your habitual residence.

17. Contact

For any questions or concerns regarding this Privacy Policy or our data processing practices, please contact:
Netgen d.o.o.
Attn: Data Protection Officer
Savska cesta 182, 10000 Zagreb, Croatia
Email: [email protected]