This Privacy Policy explains how the Master in Computational Finance (MCF) program at the School of Computing, Union University, Belgrade (“MCF”, “we”, “us”, or “our”) collects, uses, stores, and protects your personal data when you visit our website at https://mcf.raf.edu.rs (the “Website”) or otherwise interact with us.
We process personal data in accordance with the Serbian Law on Personal Data Protection (“Zakon o zaštiti podataka o ličnosti”, Official Gazette of the Republic of Serbia No. 87/2018), which is aligned with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). If you are located in the European Union or the European Economic Area, the GDPR also directly applies to our processing of your personal data.
1. Data Controller
The controller of your personal data is:
Master in Computational Finance (MCF) School of Computing, Union University Knez Mihailova 6/VI 11000 Belgrade, Serbia
Email: mcf@raf.rs Program Director: Prof. Branko Urošević · burosevic@raf.rs · +381 69 535 5810
For all privacy-related questions, requests, or complaints, please contact us using the details above.
2. Personal Data We Collect
We collect the following categories of personal data:
a) Information you provide directly:
- Contact form submissions: name, email address, phone number, inquiry category, and the content of your message
- Application form submissions: first name, last name, citizenship, country of residence, email, phone, prior education (university and department), employment status, current employer, program selection (Master Degree or Short-Cycle), scholarship interest, and uploaded documents (CV, prior diplomas, motivation letter where applicable)
- Lead magnet downloads (when active): name, email address, and stated interest
b) Information collected automatically when you visit the Website:
- IP address, browser type and version, operating system
- Device type, screen resolution, referring URL
- Pages visited, time spent, clicks, and other usage data
- Cookie data (see Section 10)
c) Information from third-party services:
- If you interact with our LinkedIn, Instagram, or YouTube content, those platforms may share aggregated analytics with us in accordance with their own policies
We do not knowingly collect special categories of personal data (e.g., health, religion, political opinions) through our forms. If such information appears in documents you voluntarily upload (e.g., a CV), it is processed solely in the context of your application.
3. Legal Basis for Processing
We process your personal data on the following legal bases under the GDPR and Serbian law:
| Purpose | Legal basis |
|---|---|
| Responding to your inquiries (contact form) | Your consent and the steps taken prior to entering into a contract |
| Processing your application to the MCF program | Contract (steps prior to entering into and performing the educational services contract) |
| Sending you marketing or program-related communications | Your consent, which you may withdraw at any time |
| Improving our Website, services, and security | Our legitimate interests in operating and developing our program |
| Complying with legal obligations (tax, accreditation, records retention) | Legal obligation |
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
4. How We Use Your Personal Data
We use your personal data to:
- Respond to your inquiries and provide information about the MCF program
- Process and evaluate your application, including communicating with you about admissions interviews and decisions
- Verify your prior academic credentials, including coordinating nostrification with Union University for foreign degrees
- Administer your participation in the program (registration, classes, examinations, certification)
- Send program-related communications (deadlines, schedule changes, opportunities)
- Send marketing communications, including newsletters and event invitations, only where you have given consent
- Provide and improve our Website, content, and services
- Ensure the security of our Website and prevent fraud or abuse
- Comply with applicable legal, regulatory, and accreditation obligations
We do not use automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you.
5. Sharing Your Personal Data
We share your personal data only with the following categories of recipients, and only to the extent necessary for the purposes set out above:
Our team: Program Director (Prof. Branko Urošević) and Program Coordinator process applications and communications. Access is on a need-to-know basis.
Service providers (data processors): We use the following third parties to operate our Website and services. We have data processing agreements in place where required:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Website hosting, content delivery, security, basic analytics | EU + global edge network |
| Resend, Inc. | Transactional email delivery (form notifications, application confirmations) | United States (Standard Contractual Clauses) |
| Supabase, Inc. | Database storage and file storage for application data | UK (London) — covered by EU adequacy decision |
| Sanity, Inc. | Editorial content management (no personal data of applicants) | EU + United States |
| Google LLC (Google Analytics 4) | Website analytics | United States (Standard Contractual Clauses + IP anonymization enabled) |
| Vimeo, Inc. | Hosting of video content (e.g., student testimonials with consent) | United States (Standard Contractual Clauses) |
Partner institutions: With your explicit consent, we may share your CV or application materials with corporate scholarship sponsors (e.g., Ominimo, Banca Intesa, or others where applicable) for the limited purpose of scholarship selection.
Public authorities: Where required by law, including for accreditation reporting (National Accreditation Body of the Republic of Serbia), tax compliance, or response to lawful requests by competent authorities.
We do not sell your personal data, and we do not share it for the marketing purposes of third parties.
6. International Data Transfers
Some of our service providers process personal data outside Serbia and the European Economic Area, including in the United Kingdom and the United States. Where this occurs, we ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Service providers participating in EU-U.S. Data Privacy Framework
- The EU adequacy decision for the United Kingdom, under which transfers to the UK receive protection essentially equivalent to that within the EEA
- Technical measures including encryption in transit and at rest
You may request a copy of the safeguards we apply by contacting us at mcf@raf.rs.
7. Data Retention
We retain your personal data only as long as necessary for the purposes for which it was collected:
| Data category | Retention period |
|---|---|
| Contact form submissions (general inquiry) | 12 months from submission, or until you request deletion |
| Application form submissions (not admitted) | 24 months from submission, then deleted |
| Application form submissions (admitted participants) | Duration of program + 10 years (academic record retention required by Serbian law on higher education) |
| Marketing consent records | Until you withdraw consent + 12 months |
| Website analytics (Google Analytics 4) | 14 months (default GA4 retention) |
| Server logs and security records | 90 days |
After the retention period, your personal data is securely deleted or fully anonymized.
8. Your Rights
You have the following rights under the Serbian Law on Personal Data Protection and the GDPR:
- Right of access - Obtain confirmation that we process your personal data and receive a copy
- Right to rectification - Correct inaccurate or incomplete personal data
- Right to erasure (“right to be forgotten”) - Have your personal data deleted under certain conditions
- Right to restriction of processing - Limit how we process your personal data under certain conditions
- Right to data portability - Receive your personal data in a structured, machine-readable format and transmit it to another controller
- Right to object - Object to processing based on legitimate interests, and to direct marketing at any time
- Right to withdraw consent - Withdraw consent at any time, without affecting prior lawful processing
- Right not to be subject to automated decision-making - We do not make decisions affecting you solely by automated means
To exercise any of these rights, contact us at mcf@raf.rs. We will respond within one month, with a possible extension of two further months for complex requests. Identity verification may be required to protect your data.
You also have the right to lodge a complaint with the supervisory authority - see Section 13.
9. Data Security
We implement technical and organizational measures to protect your personal data, including:
- Encryption in transit (HTTPS/TLS 1.3 for all Website traffic)
- Encryption at rest for stored personal data and uploaded documents (Supabase, Cloudflare)
- Static site architecture - our Website does not run a server-side application that could be compromised, dramatically reducing attack surface
- Access controls - access to personal data is restricted to authorized team members with named accounts and multi-factor authentication
- Form protection - anti-bot verification (Cloudflare Turnstile), rate limiting, and server-side input validation
- Signed URLs for downloading uploaded documents - links expire after a limited time
- Regular security review - periodic audits of our infrastructure, dependencies, and access logs
- Incident response - in the event of a personal data breach, we will notify the supervisory authority within 72 hours and affected individuals where required
No method of transmission or storage is 100% secure, but we apply industry-standard practices to safeguard your data.
10. Cookies and Similar Technologies
Our Website uses cookies and similar technologies for the following purposes:
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Site functionality, security (Cloudflare bot protection, session cookies) | No (essential) |
| Analytics | Understand how visitors use our Website (Google Analytics 4 with IP anonymization) | Yes (your consent via cookie banner) |
| Functional | Remember your preferences (e.g., locale, accepted cookie notice) | Yes |
On your first visit, you will see a cookie consent banner allowing you to accept, reject, or customize non-essential cookies. You may change your preferences at any time by clicking “Cookie settings” in the Website footer.
You can also manage cookies through your browser settings. Note that disabling strictly necessary cookies may affect Website functionality.
11. Children’s Data
Our program is designed for adult applicants who have completed (or are completing) a higher education degree. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have collected personal data of a minor, please contact us at mcf@raf.rs so we can take appropriate action.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The “Last updated” date at the top reflects the most recent version. Significant changes will be communicated through a prominent notice on our Website or, where appropriate, by email to registered applicants.
We encourage you to review this Privacy Policy periodically.
13. Supervisory Authority
If you believe that our processing of your personal data violates applicable law, you have the right to lodge a complaint with the supervisory authority:
For Serbia: Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) Bulevar kralja Aleksandra 15, 11000 Beograd, Serbia Web: https://www.poverenik.rs Email: office@poverenik.rs
For EU residents: You may also lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.
14. Contact Us
For any questions, requests, or concerns about this Privacy Policy or our processing of your personal data, please contact:
Master in Computational Finance School of Computing, Union University Knez Mihailova 6/VI, 11000 Belgrade, Serbia Email: mcf@raf.rs Program Director: burosevic@raf.rs
We aim to respond to all privacy inquiries within one month.
This Privacy Policy is published in English. A Serbian translation may be made available for reference; in case of discrepancy between language versions, the English version prevails for international applicants, and the Serbian version prevails for Serbian residents to the extent required by local law.