The CartFox Privacy and Personal Data Protection Policy (hereinafter: Policy) provides information about how DFVU d.o.o. Družba za posredništvo (hereinafter: Controller) collects, stores, and processes the personal data of:
(Hereinafter the above cumulatively referred to as: individual or you).
The Controller acts as a joint controller in respect of the personal data of the recipients (natural persons) of messages, together with the individual subscriber of CartFox services whose users or customers are the recipients of CartFox messages.
The Controller acts as an independent (sole) data controller with regard to the personal data of the contact persons – natural persons who are contacted via CartFox services on behalf of the Controller.
The Terms of Service for the use of CartFox and the website are available here.
All questions and inquiries regarding the processing of personal data, including claims and data subject requests, can be sent to firstname.lastname@example.org.
During the provision of CartFox services the personal data of website visitors under the Controller’s control and users of the Subscriber’s applications and/or websites is processed. A Subscriber is a legal entity that enters into a subscription contract on the website to use the CartFox services, which enable sending of electronic messages (e-mail, SMS, instant messaging applications) to designated recipients.
More specifically the following personal data about individuals is processed by the below listed services:
The e-mail address and telephone number data of an individual, using a website under the control of the Subscriber (joint controller) or the Controller are collected automatically and may be used to send communication to the individuals only following the below listed preconditions:
Based on the preferences of an individual the Controller may collect below personal data when the individual visits the website, such as:
Contact persons of the Subscribers
During the provision of CartFox services to the Subscribers, the information listed below may be collected from the contact persons. The provision of data is optional, but without it the Controller might not be able to provide certain services or fulfil specific requests. Such data includes:
The Controller collects and processes the personal data of individuals on the following legal bases and for the following purposes:
A.1. This legal basis serves to process the personal data of those individuals who have given their consent to receive electronic communications. Based on an individual’s consent, personal data within the CartFox service is processed in two ways:
The purpose of the processing of personal data is to inform the individual about their (intended) purchase as the messages sent by CartFox services contain the following information:
The primary purpose of these messages is transactional communication, even though they may in certain situations encourage recipients to purchase items or services on the website or in the application of the joint controller, the CartFox Subscriber. The messages are aimed at notifying an individual regarding the business relationship with the Controller or Subscriber (e.g., notifications related to the purchase).
The individual may withdraw the consent at any time, without any adverse consequences for themselves. This may be done by using the unsubscribe options contained in an individual message sent to the individual by the CartFox service, or alternatively by sending a message to email@example.com. The consent withdrawal only applies to the processing of personal data within the CartFox service. For other types of processing, contact the CartFox Subscriber directly.
B.1. On this legal basis, the controller processes personal data within the CartFox service only of those individuals who:
The purpose of the processing is the same as in section A. above.
The individual may at any time request that the Controller stops the processing of their personal data based on legitimate interest, without any adverse consequences for themselves. This may be done by using the unsubscribe options contained in an individual message sent to the individual by the CartFox service, or alternatively by sending a message to firstname.lastname@example.org. The consent withdrawal only applies to the processing of personal data within the CartFox service. For other types of processing, contact the CartFox Subscriber directly.
B.2. The IP address of the network from which the individual accessed the website, URL (domain) of all visited webpages on the website, and the date and time of the visit to each webpage on the website are processed by the Controller on the basis of its legitimate interest to prevent, detect, and sanction any abuse or attempted abuse of the website.
B.3. The Controller processes the personal data of the Subscribers’ contact persons for the purpose of concluding and fulfilling subscription contracts between the Controller and the Subscribers, for the provision of technical service, and for the purpose of providing evidence.
In situations where the legal basis is consent, personal data is stored until the consent of an individual is withdrawn. After the withdrawal of consent, the data is stored for 90 more days for the purposes of communication logging and for evidence of communication related to potential claims from the Subscribers, but is not used to send communication to the individual.
In case the legal basis is legitimate interest, personal data is stored for 90 days from the date the individual enters the data into the related web form or for 90 days from the date the individual unsubscribes from receiving CartFox communication.
The data on website visitors will be stored for 12 months from the date of acquisition, with the exception of the data required as evidence in proceedings, which will be stored for the duration of the proceedings and for as long as it is possible to request a revision of the proceedings under the law.
The data on contact persons of the subscribers will be stored for 3 years after the termination of the subscription, i.e., for 3 years from the use of credit balance after which the credit balance is no longer topped up. This is a general limitation period between economic entities.
In case of a purchase, the data is stored in accordance with the applicable legislation (e.g., for VAT purposes in line with ZDDV-1).
After the expiry of the retention period, the Controller shall effectively and permanently delete or anonymize the personal data so that they can no longer be linked to a specific individual.
Within the Controller’s organisation, access to personal data is limited to those persons whose nature of work requires such access. The access by such persons shall be protected by an efficient authentication system and a record of access to personal data shall be kept.
The Subscriber as a joint controller does not have access to personal data, but only to aggregated and thus anonymized data (e.g., the number of messages sent, the number of purchases via messages sent, etc.) from which it is not possible to identify the individual. If the Subscriber uses the data export module within CartFox, it shall have access to the personal data of recipients, namely to all the data referred to in section A., and may also export and use this data outside CartFox. The Subscriber shall be solely responsible for the lawfulness of the processing of such exported data.
The Controller may entrust certain tasks regarding the personal data to third parties (hereinafter: Processors). Processors may process the personal data of users only within the limits of the Controller’s authority (written contract or other legal act) and for the purposes as defined in this Policy. Under no circumstances may the Processors process personal data for their own purposes or interests or for the purposes or interests of third parties. The Controller ensures that a Data Processing Agreement is in place with all of its Processors, which defines the necessary personal data processing details.
The personal data processor that has access to personal data is the company which sends SMS messages on behalf of the Controller.
The Controller and Processors shall not transfer personal data to third countries (countries outside the European Economic Area: EU Member States and Iceland, Norway, and Liechtenstein) or international organizations.
The Controller pays special attention to the security of personal data processing. Personal data are protected to the fullest extent possible – considering risks involved in their processing – against loss, destruction, alteration, processing for purposes other than those for which they were collected, and against unauthorized access and disclosure.
The controller has internal procedures in place in the event of security incidents involving personal data.
With regard to their personal data, individuals have the following rights, which they may exercise at any time by contacting the controller via the e-mail address email@example.com.
For the purposes of reliable identification in the event of the exercise of rights relating to personal data, the Controller may request additional information from the individual and may refuse to act only if the Controller can prove that the individual cannot be reliably identified.
The Controller shall respond to the individual’s request to exercise their rights with regard to personal data without undue delay and at the latest within one month of the receipt of the request.
Right to withdraw consent: if the individual consented to the processing of their personal data, they can withdraw their consent at any time by following the instructions listed in paragraph “A. Individual’s Consent”. The consent withdrawal shall not have any adverse consequences for the individual, other than the fact that the controller might no longer be able to provide them service or services that cannot be provided without the personal data to which the consent withdrawal relates.
Right of access to personal data: the individual has the right to obtain confirmation from the Controller as to whether or not personal data concerning them are being processed, and, if so, the individual has the right to request access to the personal data and certain information about the data processing.
Right to rectification of personal data: the individual has the right to have inaccurate personal data concerning them rectified by the controller.
Right to erasure of personal data (right to be forgotten): the individual may request from the controller to erase their personal data if at least one of the following grounds applies:
Right to restriction of processing: the individual may request from the controller to restrict the data processing where at least one of the following grounds applies:
Right to data portability: the individual has the right to receive their personal data, which they have provided to the controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to third parties without hindrance from the controller, where:
The individual also has the right to have the personal data transmitted directly from one Controller to another, where technically feasible.
Right to object to the processing: the individual has the right to object at any time to processing of personal data which is necessary for the purposes of the legitimate interests pursued by the controller and/or third party, including profiling; the Controller shall no longer process personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual or for the establishment, exercise or defense of legal claims.
Where personal data are processed for marketing purposes, the individual has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the individual objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to lodge a complaint with a supervisory authority: the individual has the right to lodge a complaint with a supervisory authority (Information Commissioner, Dunajska cesta 22, 1000 Ljubljana, firstname.lastname@example.org, +386 (0)1 280 77 00), if the individual considers that the processing of personal data infringes data protection rules.