This Privacy Policy explains what personal data we collect through our website and through the Offgrid content management platform (the "CMS"), how we use it, and the rights you have. We aim to be transparent and to collect only what we genuinely need.
Who we are
The data controller is [COMPANY LEGAL NAME], a company organised under the laws of the Republic of Serbia, with its registered office at [STREET ADDRESS], Valjevo, Serbia. For any privacy-related question you can reach us at [CONTACT EMAIL].
Scope of this policy
This policy applies to our public marketing website, to the CMS platform we provide to our clients, and to public-facing websites we operate for our own brand on the same infrastructure. It does not apply to third-party websites built by us that are operated by our clients under their own privacy policies.
What we collect
We collect personal data in the following situations:
1. When you use the contact form
We store the name, email address, subject and message you send us so we can reply. Submissions are saved in our database and forwarded to our internal inbox.
2. When you subscribe to our newsletter
We store the email address you provide so we can send you our newsletter. We do not share it with third parties for marketing. You can unsubscribe at any time using the link in any newsletter email.
3. When you hold a CMS account
If you have been granted an account on the CMS (typically because you are our client), we store your username, email address, hashed password, role, two-factor authentication state, language preference and active workspace. We never store passwords in plaintext.
4. Authentication data
When you log in to the CMS we issue a JSON Web Token (JWT) that is stored in an httpOnly cookie on your device. We also keep a per-account token version counter so that we can invalidate all sessions after a password change, password reset or logout. If two-factor authentication is enabled we temporarily store a short-lived, hashed verification code linked to your account.
5. API key metadata
Each CMS workspace can generate API keys for its frontend website to read content. We store a SHA-256 hash of the key (never the plaintext), a short prefix for display, the creation date, the expiry date, the active/revoked state, and the timestamp of the most recent use. We use these records to authenticate API calls and to let workspace owners rotate or revoke keys.
6. Uploaded content and media
Content you publish through the CMS — blog posts, images, gallery photos, page sections, FAQ entries — is stored in our database and, for media, in our cloud object storage. You and your end users can identify the workspace this content belongs to, but the content itself is treated as your data.
7. Inquiries received through your websites
If a visitor submits a contact form on a website powered by the CMS, the submission (name, email, subject, message, IP address and timestamp) is stored in the workspace that owns the website. If you choose to reply through the CMS, we also fetch the corresponding email thread from the inbox you configured, solely to display it to you. We do not read or index the contents of unrelated emails.
8. Technical and security logs
Our servers automatically record technical information necessary to operate the service: IP addresses, request paths, timestamps, response codes, user-agent strings, and rate-limit events (such as repeated failed logins or excessive requests). These logs are used for diagnostics, abuse prevention, and security incident response.
9. When you simply browse the site
We use Google Analytics 4 to understand which pages are visited, how visitors arrive, and how the site performs. Analytics data is collected via cookies set by Google and shared with Google LLC in accordance with their privacy policy. See the Cookie Policy for the full list of analytics cookies.
Why we process this data
- To respond to your inquiries and deliver the newsletters you have subscribed to.
- To operate the CMS, authenticate you, attribute content to the correct workspace, and serve API requests from your frontends.
- To protect the platform against abuse, brute-force attacks, and unauthorised access.
- To understand how visitors use our marketing website and improve it.
- To comply with legal obligations and to establish, exercise or defend legal claims.
Legal basis (GDPR)
We process contact-form and newsletter data on the basis of your explicit request and consent (Art. 6(1)(a)/(b) GDPR). We process CMS account, authentication, API key and uploaded-content data on the basis of the contract under which we provide the platform to you (Art. 6(1)(b) GDPR). We process technical and security logs on the basis of our legitimate interest in operating a secure service (Art. 6(1)(f) GDPR). We process analytics data on the basis of our legitimate interest in understanding and improving the site (Art. 6(1)(f) GDPR).
How long we keep it
We keep personal data only for as long as we need it for the purpose it was collected, or as required by law. Typical retention periods:
- Contact-form submissions: up to 24 months from receipt.
- Newsletter subscriptions: until you unsubscribe.
- CMS account data: for the duration of the account, plus [RETENTION PERIOD] after closure to handle any post-termination obligations.
- Uploaded content and media: until you delete it through the CMS, or [RETENTION PERIOD] after account closure, whichever comes first.
- Technical and security logs: typically 90 days, longer where required for an ongoing investigation.
- Analytics data: in line with Google Analytics' default retention period.
Who we share data with
We do not sell your personal data. We share it only with the service providers (sub-processors) listed below, each of which is bound by appropriate contractual safeguards:
- Amazon Web Services, Inc. — cloud infrastructure and object storage (S3) for uploaded media. Data is stored in the region configured for the deployment (typically within the European Economic Area).
- MongoDB Atlas — managed database hosting for accounts, content and inquiries.
- Mailjet (Sinch group) — transactional and newsletter email delivery, including two-factor authentication codes and password reset links.
- Google LLC — Google Analytics 4 traffic measurement.
- Google LLC — Gmail IMAP, only when retrieving the reply thread of an inquiry to display it in the CMS.
International data transfers
Some of our sub-processors are based outside the European Economic Area, in particular in the United States. Where data is transferred internationally, we rely on the Standard Contractual Clauses adopted by the European Commission and, where applicable, on the EU–US Data Privacy Framework, to ensure an equivalent level of protection.
Your rights
If the GDPR or a substantially similar regime applies to you, you have the following rights:
- The right to access the personal data we hold about you.
- The right to ask us to correct inaccurate or incomplete data.
- The right to ask us to delete your data where there is no overriding legal reason for us to keep it.
- The right to ask us to restrict processing while a dispute is resolved.
- The right to receive a copy of the data you provided in a structured, machine-readable format.
- The right to object to processing based on our legitimate interests.
- The right to lodge a complaint with the Serbian Commissioner for Information of Public Importance and Personal Data Protection (Poverenik), or with your local supervisory authority.
How to request deletion
To delete a newsletter subscription, click the unsubscribe link in any newsletter email. To delete a CMS account or any specific personal data we hold about you, send a request to [CONTACT EMAIL] from the email address associated with the data. We will verify the request and complete it within 30 days, unless we are legally required to retain specific records.
International visitors
Our service is intended for visitors and clients in the European Union, the United States, and other regions. By using the service from outside the European Economic Area you understand that your data will be transferred to and processed in jurisdictions whose data protection laws may differ from your own.
Security
We use industry-standard practices to protect your data: HTTPS in transit, bcrypt-hashed passwords, SHA-256-hashed API keys, short-lived signed JSON Web Tokens, two-factor authentication for CMS accounts, rate-limited public endpoints, restricted database access, and HTTP security headers including a strict Content Security Policy. No system is perfectly secure, but we take protection seriously.
Children
The CMS is a professional tool not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.
Changes to this policy
We may update this policy as the platform and our practices evolve. Material changes will be reflected in the "Last updated" date at the top of this page, and where appropriate we will notify CMS account holders by email.