Privacy and Personal Data Protection Policy

Table of Contents

Introductory Provisions, Joint Management, and Information About (Joint) Controller

The CARTFOX Privacy and Personal Data Protection Policy (hereinafter: Policy) provides information about how DFVU d.o.o. Družba za posredništvo (hereinafter: controller) collects, stores, and processes:

  1. the personal data of natural persons processed in the context of the CARTFOX service (hereinafter: Cartfox);
  2. the personal data of natural persons – visitors of the CARTFOX website, available at https://app.cartfox.io (hereinafter: website);
  3. the personal data of the contact persons of its subscribers (legal persons who have concluded a subscription contract with the controller for the sending of electronic messages);

(hereinafter: individual or you).

The controller acts as a joint controller in respect of the personal data of the recipients of messages, together with the individual subscriber whose users or customers are the recipients of messages.

The controller acts as an independent (sole) controller with regard to the personal data of the contact persons of its subscribers. 

This Policy also contains all the information about your rights in relation to your personal data.

In addition to this Policy, the Cookie Policy also governs the processing of personal data.

The Terms and Conditions of the use of Cartfox and the website are available here.

Controller:

  • Short name: DFVU d.o.o.;
  • Company seat and address: Liparjeva cesta 6A, 1234 Mengeš, Slovenia;
  • Registration number: 7193548000;
  • Registered in the registry of the District Court of Nova Gorica under the entry number 2016/50019;
  • VAT ID: SI 35983175 (liable for VAT);
  • Contact telephone number: +386 (0)68 694 914;
  • Contact e-mail: [email protected].

Contact Person of the Controller and Data Protection Officer

The controller’s contact person for all questions regarding the processing of personal data is Simon Terbovšek. Your questions and inquiries, including claims, can be sent to [email protected].

The data protection officer is JK Group d.o.o., Stegne 27, 1000 Ljubljana, [email protected], + 386 (0)590 91 794.

Collection, Storage, and Processing of Personal Data

In the Cartfox service, we process the personal data of website visitors and users of our subscribers’ applications. A subscriber is a legal entity that enters into a subscription contract on the website to use the Cartfox service. The Cartfox service enables the sending of electronic messages to registered telephone numbers (SMS, instant messaging applications) and e-mail addresses. 

We collect and further process the following personal data about individuals:

In the Cartfox service:

  • e-mail address;
  • telephone number;
  • information about the website or application through which the e-mail address and/or telephone number was provided;
  • information about the sending of the messages:
    • message type (SMS, instant messaging application (type of application), e-mail);
    • the date of sending;
    • time of sending;
    • the content of the message sent (e.g., abandoned cart, discount notification, etc.);
  • information about an undelivered message (the date and time of receipt of the undeliverability notification);
  • information about the performed action (e.g., purchase of an item in the abandoned cart, purchase of a discounted item, etc.).

The e-mail address and telephone number data are collected automatically when entered by the individual on the website or in the application of the joint controller, the Cartfox subscriber.

From every website visitor:

  • the IP address from which the individual accessed the website;
  • the country and location of the network, including the company, from which the individual accessed the website (where this is possible based on the IP address);
  • a unique ID number (generated automatically);
  • URLs (domains) of all visited webpages on the website:
  • the date and time of the visit to each webpage on the website;
  • the duration of the visit to each webpage on the website;
  • the number of webpages visited on the website during each website visit;
  • the URL of the webpage from which the individual came to each webpage on the website.

This data is collected automatically and without the individual’s intervention, using cookies and similar technologies. Details on the use of cookies and similar technologies, and instructions for disabling their use are described in the Cookie Policy

This data is collected automatically and without the individual’s intervention.

From the contact persons of the subscribers:

  • the name and surname (if this information is disclosed in communication);
  • the position within the company (if this information is disclosed in communication);
  • e-mail address (if this information is disclosed in communication);
  • contact telephone number (if this information is disclosed in communication);
  • the name of the company;
  • the date on which the credit was topped up;
  • information about sent messages;
  • information about the prices of sent messages;
  • the content of the communication (if communication exists).

The information is collected from the contact persons. The provision of data is optional, but without it the controller might not be able to provide certain services or fulfill specific requests.

Purpose and Legal Basis for Personal Data Processing

The controller collects and processes the personal data of individuals on the following legal bases and for the following purposes:

A. Individual’s Consent

A.1. On this legal basis, the controller processes personal data within the Cartfox service of those individuals who have given their consent to the joint controller, the Cartfox subscriber, to receive electronic communications.

The purpose of the processing of this data is to encourage recipients to purchase items or services on the website or in the application of the joint controller, the Cartfox subscriber.

The individual may withdraw the consent at any time, without any adverse consequences for themselves. The easiest way to do this is to send us a message at [email protected]. The consent withdrawal only applies to the processing of personal data within the Cartfox service. For other types of processing, contact the joint controller (the Cartfox subscriber) directly.

B. Legitimate interest

B.1. On this legal basis, the controller processes personal data within the Cartfox service of those individuals who have not given their consent to the joint controller, the Cartfox subscriber, to receive electronic communications.

The purpose of the processing is the same as in section A. above.

The individual may at any time request that the controller stops the processing of their personal data based on legitimate interest, without any adverse consequences for themselves. The easiest way to do this is to send us a message at [email protected]. The request only applies to the processing of personal data within the Cartfox service. For other types of processing, contact the joint controller (the Cartfox subscriber) directly.

B.2. The IP address of the network from which the individual accessed the website, URL (domain) of all visited webpages on the website, and the date and time of the visit to each webpage on the website are processed by the controller on the basis of its legitimate interest to prevent, detect, and sanction any abuse or attempted abuse of the website.

B.3. The controller processes the personal data of the subscribers’ contact persons for the purpose of concluding and fulfilling subscription contracts between the controller and the subscribers, for the provision of technical service, and for the purpose of providing evidence.

Retention Period of Personal Data and Procedure After its End

The retention period of personal data within the Cartfox service is determined by the joint controller.

The data on website visitors will be stored for 12 months from the date of acquisition, with the exception of the data required as evidence in proceedings, which will be stored for the duration of the proceedings and for as long as it is possible to request a revision of the proceedings under the law.

The data on contact persons of the subscribers will be stored for 3 years after the termination of the subscription, i.e., for 3 years from the use of credit balance after which the credit balance is no longer topped up. This is a general limitation period between economic entities.

After the expiry of the retention period, the controller shall effectively and permanently delete or anonymize the personal data so that they can no longer be linked to a specific individual.

Access to Personal Data

Within the controller, access to personal data is limited to those persons whose nature of work requires such access. The access by such persons shall be protected by an efficient authentication system and a record of access to personal data shall be kept.

The joint controller, i.e., the subscriber, does not have access to personal data, but only to aggregated and thus anonymized data (e.g., the number of messages sent, the number of purchases via messages sent, etc.) from which it is not possible to identify the individual. If the joint controller, i.e. the subscriber, uses the data export module within Cartfox, it shall have access to the personal data of recipients, namely to all the data referred to in section A. within Cartfox, and may also export and use this data outside Cartfox. The subscriber shall be solely responsible for the lawfulness of the processing of such exported data.

The controller may entrust certain tasks regarding the personal data to third parties (hereinafter: processors). Processors may process the personal data of users only within the limits of the controller’s authority (written contract or other legal act) and for the purposes as defined in this Policy. Under no circumstances may the processors process personal data for their own purposes or interests or for the purposes or interests of third parties.

The personal data processors who have access to personal data are:

  • the accounting company;

The controller and processors shall not transfer personal data to third countries (countries outside the European Economic Area: EU Member States and Iceland, Norway, and Liechtenstein) or international organizations.

Security of Personal Data Processing

The controller pays special attention to the security of personal data processing. Personal data are protected to the fullest extent possible – considering risks involved in their processing – against loss, destruction, alteration, processing for purposes other than those for which they were collected, and against unauthorized access and disclosure.

The controller has strict internal procedures in place in the event of security incidents involving personal data.

Individual’s Rights with Regard to Personal Data and the Procedure for Exercising Them

With regard to their personal data, individuals have the following rights which they may exercise at any time exercise contacting the controller via the e-mail address [email protected] or via the data protection officer JK Group d.o.o., Stegne 27, 1000 Ljubljana, [email protected], + 386 (0)590 91 794.

For the purposes of reliable identification in the event of the exercise of rights relating to personal data, the controller may request additional information from the individual and may refuse to act only if the controller can prove that the individual cannot be reliably identified.

The controller shall respond to the individual’s request to exercise their rights with regard to personal data without undue delay and at the latest within one month of receipt of the request.

Right to withdraw consent: if the individual consented to the processing of their personal data, they can withdraw their consent at any time. The consent withdrawal shall not have any adverse consequences for the individual, other than the fact that the controller might no longer be able to provide them service or services that cannot be provided without the personal data to which the consent withdrawal relates.

Right of access to personal data: the individual has the right to obtain confirmation from the controller as to whether or not personal data concerning them are being processed, and, if so, the individual has the right to request access to the personal data and certain information about the data processing.

Right to rectification of personal data: the individual has the right to have inaccurate personal data concerning them rectified by the controller.

Right to erasure of personal data (right to be forgotten): the individual may request from the controller to erase their personal data if at least one of the following grounds applies:

  • the data are no longer necessary for the purposes for which they were collected and processed;
  • the individual withdraws their consent and there is no other legal basis for the processing;
  • the individual objects to the data processing and there are no overriding legitimate grounds for the processing;
  • the data have been unlawfully processed;
  • the data have to be erased for compliance with legal obligations under EU law or the law of the Member State to which the controller is subject;
  • the data have been collected in relation to the offer of information society services.

Right to restriction of processing: the individual may request from the controller to restrict the data processing where at least one of the following grounds applies:

  • the individual contests the accuracy of the data for a period enabling the controller to verify the accuracy of the data;
  • the processing is unlawful, and the individual opposes the erasure of the data and requests the restriction of their use instead;
  • the controller no longer needs the data for the purposes of processing, but they are required by the individual for the establishment, exercise, and defense of legal claims;
  • the individual has objected to processing pending the verification whether the legitimate grounds of the controller override those of the individual.

Right to data portability: the individual has the right to receive their personal data, which they have provided to the controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to third parties without hindrance from the controller, where:

  • – the processing is based on consent or a contract, and
  • – the processing is carried out by automated means.

The individual also has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

Right to object to the processing: the individual has the right to object at any time to processing of personal data which is necessary for the purposes of the legitimate interests pursued by the controller and/or third party, including profiling; the controller shall no longer process personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual or for the establishment, exercise or defense of legal claims.

Where personal data are processed for marketing purposes, the individual has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the individual objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right to lodge a complaint with a supervisory authority: the individual has the right to lodge a complaint with a supervisory authority (Information Commissioner, Dunajska cesta 22, 1000 Ljubljana, [email protected], +386 (0)1 280 77 00), if the individual considers that the processing of personal data infringes data protection rules.

This Privacy Policy applies as of 1 August 2022.

Provisions that must be included in the Privacy Policy/Personal Data Protection Policy of the Subscriber

The controller uses Cartfox for sending electronic messages to individuals (SMS, instant messaging applications, e-mails). The Cartfox Privacy Policy and information about the Cartfox provider are available here. The controller manages personal data together with the Cartfox provider.

Personal data of individuals processed within Cartfox include:

  • e-mail address;
  • telephone number;
  • information about the website or application through which the e-mail address and/or telephone number was provided;
  • information about the sending of the messages:
    • message type (SMS, instant messaging application (type of application), e-mail);
    • the date of sending;
    • time of sending;
    • the content of the message sent (e.g., abandoned cart, discount notification, etc.);
  • information about an undelivered message (the date and time of receipt of the undeliverability notification);
  • information about the performed action (e.g., purchase of an item in the abandoned cart, purchase of a discounted item, etc.).

Personal data (e-mail, phone number) are transferred automatically to the joint controller, the Cartfox provider, when an individual provides the data on the website or within the controller’s application. 

The legal basis for processing of personal data when using the Cartfox service is:

  • the consent of the individual (for recipients who consented to receiving messages);
  • the controller’s legitimate interest (for recipients who have not consented to receiving messages).

Each message received contains easy unsubscribe instructions. By unsubscribing, the recipient only unsubscribes from receiving Cartfox messages. If you wish to unsubscribe from all communications sent by the controller, you can contact us at [email protected]

The purpose of processing personal data within Cartfox is to encourage recipients to purchase products or services on the website or in the controller’s application, or to verify their willingness to enter into a contract (e.g., in the case of abandoned cart messages).

Personal data collected within Cartfox are not disclosed to third parties (other than the joint controller, the Cartfox provider) and the controller has no access to them. Within Cartfox, the controller can only access reports including aggregated and thus anonymized data (e.g., the number of messages sent, the number of purchases via messages sent, etc.).

Personal data processed within Cartfox are not transferred to third countries or international organizations, which means they are not transferred or exported outside the territory of EU Member States.

Information about the retention period of the personal data processed within Cartfox, about the protection of such personal data, and about the rights of individuals relating to their personal data is available in the CARTFOX Privacy and Personal Data Protection Policy. For more information contact us at [email protected] or the data protection officer JK Group d.o.o., Stegne 27, 1000 Ljubljana, [email protected], + 386 (0)590 91 794.