fbpx

Protection of personal data

1. General

KMG KLEMEN MAČEK sp, registry number: 7153244000 (hereinafter referred to as "we") is the administrator of users' personal data and undertakes to protect the confidentiality of personal data and the privacy of users of the website www.mariposacoffeeroasters.si. We will use the collected personal data exclusively to provide the services we offer. We respect the confidentiality of personal data and the privacy of our website users, so we will do everything necessary to protect them from any violations and abuses. Users' personal data is one of the areas to which we pay extreme care and attention, as we are aware of the sensitive nature of this area.

Passing on the user's personal data is necessary in certain cases so that we can fulfill our obligations to the user. Collected personal data is permanently protected in accordance with the Personal Data Protection Act (Official Gazette of the RS, No. 94/07) (ZVOP-1), the Electronic Communications Act (Official Gazette of the RS, No. 109/12, 110/13, 40/ 14 - ZIN-B, 54/14 - od. US, 81/15 and 40/17) and the General Data Protection Regulation (GDPR).

2. Authorized person for the protection of personal data

If you have any questions regarding our personal data protection policy or the way your personal data is handled, you can contact our authorized person (company owner) for personal data protection via e-mail info@mariposacoffeeroasters.si.

3. Purposes of processing and basis for data processing

When you use our Services, we collect various types of information about you, such as your username and password, your contact information, and other preferences. We track what items you view in our online store, through which device, and which of our offers sent via e-mail interested you. Based on this, we create additional data in order to be able to provide you with offers according to your wishes and to be able to improve our online store and services in the future.

If you make a purchase or create an account with us, we also process your first and last name, your orders and the information you set on your account or submit in the order form:

  • identification data, which mainly include first and last name, username and password and VAT ID, if you are a legal entity;
  • contact details, which include personal data with the help of which we can contact you, especially e-mail address, telephone number, delivery address, account address and your profiles on social networks;
  • your settings, which includes information about your account, in particular stored delivery addresses, profiles, subscriptions to newsletters, memberships in loyalty programs, shopping lists, searched for items ("interested in", "followed by price"), your ratings and comments about items and services ;
  • information about your orders, which mainly include data on the ordered items and the method of payment, including the bank account number, as well as data on complaints;
  • information about your online habits, that is, information about the items and services you search for, the links you click on, how you search and navigate through our website, and information about the devices you use to access the web, such as your IP address and associated location, device ID , its technical parameters, such as operating system, version, screen resolution, selected browser and its version, as well as data obtained from cookies and similar device recognition technologies;
  • information about your behavior in connection with reading messages, which we send to you, especially the time required to open the message and information about the devices from which you access the web, such as the IP address and the location associated with it, the device ID, its technical parameters, such as the operating system, version, screen resolution, selected browser and its version;
  • derived data, which includes personal data obtained from your settings, data about items you purchase from us, data about your online habits and behavior in connection with reading the messages we send you; it mainly concerns data about gender, age, financial situation, consumer habits and attitude towards various items and services;

We also collect personal data through cookies for the purpose of ensuring better functionality and user experience, security, smooth operation of the website and counting users on the website. You can read more information about cookies and which cookies we use at connection.

KMG is not responsible for the correctness, completeness and up-to-dateness of data entered by users.

3.1. Processing based on legitimate interest:

We also process data about your behavior on websites on the basis of our legitimate interest (that is, without your consent), for the purpose of preparing customized offers and tailored advertisements that we display online.

If you make a purchase from us, we retain your identification and contact information and your order information based on our legitimate interest (without your consent) for the purposes of protecting legal claims and our internal records and controls. 

3.2. Processing based on consent to the processing of personal data: 

Data processing may be based on the consent given by the user. Consent may, for example, refer to information about offers and services, preparation of offers adapted to individual user habits or provision of value-added services. The notification is carried out through the channels chosen by the user in the consent. Email notification involves providing an email address to an external processor for the purpose of displaying the company's advertising messages while browsing the web.

The data subject can withdraw or change their consent at any time in the same way as the consent was given or in a different way as we define, while we reserve the right to identify the user. Withdrawal or change of consent only applies to data processed on the basis of consent. The last user consent we receive is valid. The possibility of revocation of consent does not constitute a withdrawal right in the user's business relationship with us.

Consent can be given by one of the parents, a foster parent or a guardian for a minor child who, according to the current legislation, cannot give consent on their own. Such consent will be valid until one of the parents, foster or guardian, or the child himself, when he acquires this right in accordance with the applicable legislation, revokes or changes it.

3.3. Transmission of data to third parties and transmission of data to third countries (countries that are not members of the European Union or the European Economic Area)

If this is consistent with the purpose for which personal data is processed under EU law and Slovenian regulations, we can also forward personal data to our processors, who process it in accordance with our instructions.

  • to persons who perform individual processing tasks for the company, such as, for example: preparation and sending of invoices or data analytics, maintenance and development of services, when these tasks include the processing of personal data to the extent necessary;
  • persons who perform sales and marketing services for the company, including sales and marketing in the field, or cooperate with the company in the field of marketing and sales of its own services or services of third parties, to the extent necessary for such tasks as part of the purposes and grounds, defined in this Policy.
  • KMG will only entrust the delivery service with the necessary information for the delivery of the products purchased in the online store (recipient information and delivery address). KMG will contact the user via e-mail if this is necessary to make a purchase in the online store, and via a contact phone number only if it is in the process of registration or there were problems with the purchase in the online store.

Companies to which we provide personal data for the purpose of sending invoices, accounting services, providing payment services and delivering ordered goods:

  • PRONET, Kranj, doo, Ljubljanska cesta 24B, Kranj, 4000 Kranj, Slovenia;
  • TEHNOLOGIKA doo, Sneberska cesta 101A, Ljubljana, 1260 LJUBLJANA-POLJE;
  • STRIPE, Inc., 510 Townsend Street, San Francisco, California, USA;
  • MailChimp, The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, USA.

Companies to which we provide personal data for the purpose of advertising, performing analytics, marketing and creating personalized offers:

  • Google Ireland Limited (registered number: 368047), with registered office at Gordon House, Barrow Street, Dublin 4, Ireland;
  • Facebook Ireland Limited, with registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02 X525, Ireland;
  • MailChimp, The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, USA.

If the company is connected or taken over by another company, personal data is transferred to the transferee in accordance with the law. By using our services, you consent to further processing of your personal data by the acquirer.

3.4. Personal data retention period

Billing data and related contact data on individuals may be kept for the purpose of fulfilling contractual obligations until full payment for the service or, at the latest, until the expiry of the statute of limitations in relation to an individual claim, which can range from one to five years by law. Invoices are kept for 10 years after the end of the year to which the invoice refers in accordance with the law governing value added tax. If traffic data is processed based on the individual's consent for the purpose of marketing services, selling goods or providing value-added services, this data may be processed to the extent necessary for as long as it is necessary for such marketing or services. All other data that is obtained for the purposes of information and direct marketing is kept until cancellation.

During the management of personal data, the individual has the possibility of viewing and updating data in the database upon request.

4. The rights of individuals in relation to the processing of personal data

We guarantee users the exercise of their rights without undue delay and in any case within one month of receiving the request. In order to exercise individual rights, we can extend the deadline for a maximum of two additional months, taking into account the complexity and number of requests. If we extend the deadline, we will notify the user of each such extension within one month of receiving the request along with the reasons for the delay. Requests regarding individual rights are accepted at the email address info@mariposacoffeeroasters.si.

Where a data subject makes a request by electronic means, the information shall be provided by electronic means whenever possible, unless otherwise requested by the data subject. When there is a legitimate doubt regarding the identity of an Individual who submits a request regarding one of his rights, the company may request the provision of additional information that is necessary to confirm the identity of the individual to whom the personal data relates.

If the data subject's requests are manifestly unfounded or excessive, in particular because they are repeated, we may charge a reasonable fee, taking into account the administrative costs of providing the information or message or taking the requested action, or refuse to act on the request

We provide individuals with the following rights in relation to the processing of personal data:

  • the right to access data,
  • right to rectification,
  • right to erasure ("right to be forgotten"),
  • the right to limit processing,
  • the right to data portability.

4.1. Right to access data 

The individual to whom the personal data relates has the right to obtain confirmation as to whether personal data is being processed in relation to him and, when this is the case, access to personal data and additional information related to the processing of personal data, which includes:

  • processing purposes;
  • types of personal data;
  • users or categories of users to whom personal data has been or will be disclosed, in particular users in third countries or international organizations;
  • where possible, the intended period of retention of personal data or, if this is not possible, the criteria used to determine this period;
  • the existence of the right to request from the controller the correction or deletion of personal data or the limitation of the processing of personal data in relation to the individual to whom the personal data relate, or the existence of the right to object to such processing;
  • the right to file a complaint with a supervisory authority;
  • where personal data is not collected from the Individual, all available information regarding its source;
  • the existence of automated decision-making, including profiling, and meaningful information about the reasons for it, as well as the meaning and intended consequences of such processing for

Based on the individual's request, we provide a copy of his personal data that is being processed. For additional copies of data requested by the data subject, we may charge a reasonable fee subject to administrative costs.

4.2. Right to rectification 

The data subject has the right to have inaccurate personal data concerning him corrected without undue delay. Taking into account the purposes of the processing, the individual to whom the personal data relates has the right to complete incomplete personal data, including the submission of a supplementary statement.

4.3. Right to erasure ("right to be forgotten")

The individual to whom the personal data relates has the right to obtain that we delete the personal data relating to him without undue delay, and we have the obligation to delete the personal data without undue delay:

  • when personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • when the Individual revokes the consent that is the basis for data processing, there is no other legal basis for the processing;
  • when the Individual objects to the processing on the basis of the company's legitimate interest, and there are no overriding legal reasons for their processing;
  • when the Individual objects to processing for direct marketing purposes;
  • when personal data must be deleted to fulfill a legal obligation in accordance with EU law or the Slovenian legal order; when it comes to data relating to the provision of information society services, improperly collected from a child who cannot provide such data in accordance with applicable legislation.

In the case of directory or otherwise published data, we take reasonable steps, including technical ones, to notify controllers processing personal data that the Data Subject requests them to delete any links to that personal data or their copies.

4.4. The right to restriction of processing

The data subject has the right to have the company restrict processing when:

  • The individual disputes the accuracy of the data, namely for a period that allows the administrator to verify the accuracy of the personal data;
  • the processing is illegal and the Individual opposes the deletion of personal data and instead requests a restriction of their use;
  • we no longer need the personal data for the purposes of processing, but the individual to whom the personal data relates needs them to assert, implement or defend legal claims;
  • the individual has objected to the processing until it is verified whether the controller's legitimate reasons prevail over the reasons of the data subject

4.5. The right to data portability 

The data subject has the right to receive personal data relating to him held by the company in a structured, commonly used and machine-readable format and the right to transmit this data to another controller without hindered by the company to which the personal data was provided, when the processing is based on the consent of the Individual or a contract and the processing is carried out by automated means.

4.6. The right to object

The data subject has the right, based on reasons related to his special situation, to object to the processing of personal data at any time if it is based on legitimate interests pursued by the company or a third party. the company ceases to process personal data, unless it proves imperative reasons for processing that override the interests, rights and freedoms of the Individual to whom the personal data relate, or for the assertion, implementation or defense of legal claims.

Where personal data is processed for the purposes of direct marketing, the individual has the right to object at any time to the processing of personal data relating to him for the purposes of such marketing, including profiling in so far as it is related to such direct marketing. Insofar as direct marketing is based on consent, the right to object can be exercised by withdrawing the personal consent given.

4.7. The right to file a complaint regarding the processing of personal data

An individual can send a possible complaint regarding the processing of personal data to the email address info@mariposacoffeeroasters.si.

Likewise, every individual to whom personal data relates has the right to file a complaint directly with the Information Commissioner if he believes that the processing of personal data concerning him violates Slovenian or EU regulations in the field of personal data protection.

If an individual has exercised the right to access data at the company and, after receiving the company's decision, believes that the personal data he received is not the personal data he requested, or that he did not receive all the requested personal data, before filing a complaint with the Information file a reasoned complaint with the company to the authorized representative within 15 days. the company must decide on the complaint as a new request within five working days.