Please note that this document applies to the website policy only and doesn’t apply to the product policy itself.
Last modified on 12.4.2021
Data controller and contact details
This policy applies to the processing (use) of any personal data carried out by the company YFLab d.o.o. (the Controller) or which is carried out on behalf of the Controller.
Information about the Controller:
Celovška cesta 150, 1000 Ljubljana.
Tax No.: SI 79155049, Registration No.: 8727155000
E: [email protected]
T: +386 51 894 440
What personal data we process
- Basic contact details (name, telephone number, e-mail address);
- Data about the use of our websites (clicks on links, time spent) and data about the response to our emails (whether the email was opened, which links were clicked on);
- The information we need to fulfil the contract and deliver the goods purchased (subject of purchase, price, delivery address, delivery time, method of payment, date of payment, details of complaints, invoice details, etc.).
Legal bases for the processing of personal data
We may process your personal data on the following legal bases:
- Where it is necessary for the performance of our legal obligations (e.g. invoicing for goods purchased);
- where the processing of your personal data is necessary for the conclusion and performance of a contract you have entered into with us or because you have requested a quotation from us;
- where you have given your consent to the processing of your personal data for a specific processing purpose, in which case you always have the right to withdraw your consent;
- where we have a legitimate interest in processing your personal data (when we send you an email in case you have left the shopping basket on our website without completing your purchase).
- Purposes of processing personal data
- We may use your personal data for one or more of the following purposes:
- communicating with you about the provision of our services and responding to your enquiries;
- to enter into a contract and to perform our obligations under that contract;
- marketing communications (sending emails and SMS messages);
- to pursue any legal claims and resolve disputes;
- for statistical analysis of the sale of our goods and the use of our websites;
How long we keep your personal data and what happens to it after that
We retain basic personal data for as long as you are a registered user of our websites.
Personal data that we process on the basis of your consent is retained permanently or until you withdraw that consent. We keep data on invoices issued for 10 years from the date of issue.
We retain the data necessary for the conclusion and performance of a contract between you and us for 5 years from the performance of the contract (delivery of the goods).
After the expiry of the retention period, we effectively delete or anonymise the personal data, which means that we process it in such a way that it can no longer be linked to you or attributed to you.
Voluntary provision of data and consequences of non-provision
The provision of personal data is voluntary. You are not obliged to provide us with personal data, but if you do not provide it, you cannot enter into a contract with us (as we need it to deliver your order). We will specify what information is such that providing it will have the consequences set out above each time we collect personal data from you.
Who has access to your personal data
We do not pass on your personal data or make it available to third parties (outside YFLab d.o.o.), except to those who have a written contract with us, on the basis of which they carry out certain data processing tasks and are obliged to comply with the legislation on the processing and protection of personal data (so-called “contract processors”). The contractual processors to whom we provide personal data are:
- Marketing service providers;
- providers of sending e-mails;
- providers of text messaging services;
- software solution providers;
- delivery services.
Contract processors may only process personal data within the scope of our instructions and may not process personal data for their own purposes. They, together with their employees, are committed to protecting the confidentiality of your personal data.
Contract processors do not export personal data to third countries (outside the member states of the European Economic Area – these are EU member states plus Iceland, Norway and Liechtenstein).
What rights do you have in relation to your personal data, how can you withdraw your consent to processing and what are the consequences of withdrawal?
You have the following rights in relation to your personal data:
To request from us at any time:
- To confirm whether we are processing your personal data;
- access to personal data and the following information: the purposes of the processing; the types of personal data; the users or categories of users to whom the personal data have been or will be disclosed, in particular users in third countries or international organisations; the envisaged period of retention of the personal data or, if this is not possible, the criteria to be used to determine this period; the existence of automated decision-making, including profiling, and the reasons therefor, as well as the relevance to you and the foreseeable consequences for you of such processing;
- one (free) copy of the personal data in the format you specify (if the request is made by electronic means of communication and you do not request otherwise, the copy will be provided in electronic form); we may charge a reasonable fee, taking into account costs, for additional copies you request;
- correction of incorrect personal data;
Restriction of processing where:
- you contest the accuracy of the personal data, for a period which allows us to verify the accuracy of the personal data;
- the processing is unlawful and you object to the erasure of the personal data and instead request the restriction of its use;
- we no longer need the personal data for the purposes of the processing, but you need the personal data for the establishment, exercise or defence of legal claims;
- deletion of all personal data (right to be forgotten) if the prerequisites set out in Article 17 of the GDPR are met, and in particular if you withdraw your consent to the processing of personal data;
- the extraction of personal data in a structured, commonly used and machine-readable format, with the right to transmit this data to another controller without hindrance from us;
- stop using your personal data for direct marketing purposes, including profiling;
- not to be subject to a decision based solely on automated processing, including profiling, provided that the conditions set out in Article 22 of the GDPR are met.
- the right to lodge a complaint against us with the Information Commissioner if you consider that the processing of your personal data breaches the General Data Protection Regulation.
Procedure for exercising your rights
You may address your requests concerning the exercise of your rights in relation to your personal data in writing to any of the contacts listed at the top of this document under Data Controller and contact details.
We may request additional information from you for the purposes of reliable identification in the event that you exercise your rights in relation to personal data, and we may refuse to take action only if we can demonstrate that we cannot identify you reliably.
We must respond to your request to exercise your rights in relation to personal data without undue delay and at the latest within one month of receipt of your request.