Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

[LAWYER NOTE: If required, appoint a Data Protection Officer (DPO) and list their contact details here]

2. What Personal Data We Collect

2.1. Account Registration Data

• Email address (mandatory)
• Password (encrypted, not stored in plain text)
• Marketing consent status
• Email verification status

2.2. Order and Delivery Data

[LAWYER NOTE: If you collect this data during checkout, list it here]

• Name
• Delivery address
• Phone number
• Billing information

2.3. Transaction Data

• Order history
• Purchase amounts
• Payment method (we do NOT store full credit card numbers)

2.4. Technical Data

• IP address
• Browser type and version
• Device information
• Cookies (see Cookie Policy section)
• Website usage analytics (via Google Analytics)

2.5. Communication Data

• Customer support inquiries
• Email correspondence
• Feedback and reviews

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

3.1. Contract Performance (Art. 6(1)(b) GDPR)

Processing is necessary to:

• Create and manage your account
• Process and fulfill your orders
• Provide customer support
• Send transactional emails (order confirmations, shipping updates)

3.2. Legal Obligation (Art. 6(1)(c) GDPR)

Processing is necessary to comply with:

• Tax and accounting obligations
• Consumer protection regulations
• Record-keeping requirements
• [LAWYER NOTE: Any specific chemical/research product tracking requirements]

3.3. Legitimate Interest (Art. 6(1)(f) GDPR)

Processing is necessary for:

• Fraud prevention and security
• Website functionality and optimization
• Business analytics (anonymized where possible)

3.4. Consent (Art. 6(1)(a) GDPR)

With your explicit consent, we process data for:

• Marketing communications - You can opt in during registration or later
• Cookies - Non-essential cookies require consent
• Newsletter - Promotional emails about new products and offers

✅ You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

4. How We Use Your Data

5. Data Sharing and Third Parties

We share your data only when necessary and with appropriate safeguards:

5.1. Service Providers (Data Processors)

• Resend - Transactional and marketing email delivery (GDPR-compliant, EU servers)
• Google Analytics - Website analytics (anonymized IP, GDPR mode enabled)
• [LAWYER NOTE: Payment processor] - Payment processing
• [LAWYER NOTE: Shipping carriers] - Order fulfillment and delivery
• [LAWYER NOTE: Hosting provider] - Data storage and infrastructure

All processors are bound by Data Processing Agreements (DPAs) and GDPR obligations.

5.2. Legal Requirements

We may disclose data when required by law, court order, or government authority.

5.3. Business Transfers

In case of merger, acquisition, or sale, your data may be transferred to the new entity (with notice to you).

5.4. We DO NOT

• ❌ Sell your personal data to third parties
• ❌ Share data for third-party marketing without consent
• ❌ Transfer data outside EU/EEA without adequate safeguards

6. International Data Transfers

[LAWYER NOTE: If any service providers are outside EU/EEA, detail the transfer mechanisms:]

• Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Privacy Shield successor frameworks

Example: "Google Analytics data may be transferred to the US under Google's GDPR compliance framework."

7. How Long We Keep Your Data

After the retention period, data is securely deleted or anonymized beyond recovery.

8. Your Data Protection Rights (GDPR)

Under GDPR and ZVOP-2, you have the following rights:

How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: [LAWYER NOTE: Insert privacy/DPO email]
• We will respond within 30 days (GDPR requirement)
• We may request identity verification for security

Right to Lodge a Complaint

If you believe we have violated your data protection rights, you can file a complaint with:

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

Technical Measures

• ✅ HTTPS/TLS encryption for all data transmission
• ✅ Password hashing (bcrypt/Argon2)
• ✅ Secure server infrastructure
• ✅ Regular security updates and patches
• ✅ Access controls and authentication
• ✅ Encrypted database backups

Organizational Measures

• ✅ Staff data protection training
• ✅ Data Processing Agreements with all processors
• ✅ Regular security audits
• ✅ Incident response procedures

Data Breach Notification

In case of a personal data breach likely to result in a risk to your rights, we will:

• Notify the Slovenian supervisory authority within 72 hours (GDPR Art. 33)
• Notify affected individuals without undue delay if high risk (GDPR Art. 34)

10. Cookies and Tracking

We use cookies for:

Essential Cookies (No Consent Required)

• Session management (login state)
• Shopping cart functionality
• Security features

Analytics Cookies (Consent Required)

• Google Analytics (anonymized IP, GDPR mode)
• Website usage statistics

Marketing Cookies (Consent Required)

• [LAWYER NOTE: If using remarketing/advertising cookies, list here]

You can manage cookie preferences via your browser settings or our cookie banner. Refusing non-essential cookies will not affect core website functionality.

11. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect data from minors. If we discover such data, we will delete it immediately.

12. Changes to This Policy

We may update this policy to reflect legal, regulatory, or operational changes. Material changes will be notified via email or prominent platform notice.

13. Contact Us

For any questions about this Privacy Policy or to exercise your rights, contact: