Privacy and Personal Data Protection Policy

The CartFox Privacy and Personal Data Protection Policy (hereinafter: Policy) provides information about how DFVU d.o.o. Družba za posredništvo (hereinafter: Controller) collects, stores, and processes the personal data of:

  1. natural persons processed in the context of the CartFox service (hereinafter: Cartfox);
  2. natural persons as visitors of the CartFox website, available at https://app.cartfox.io (hereinafter: website);
  3. the personal data of the contact persons of CartFox Subscribers (legal persons who have concluded a subscription contract with the Controller for the sending of electronic messages – hereinafter: Subscriber);

(The above are hereinafter collectively referred to as: individual or you.)

The Controller acts as a joint controller in respect of the personal data of the recipients (natural persons) of messages, together with the individual subscriber of CartFox services whose users or customers are the recipients of CartFox messages.

The Controller acts as an independent (sole) data controller with regard to the personal data of the contact persons – natural persons who are contacted via CartFox services on behalf of the Controller.

This Policy also contains all the information about the rights of natural persons in relation to their personal data. In addition, the Cookie Policy also governs the processing of personal data.

The Terms of Service for the use of CartFox and the website are available here.

Controller details:

  • Short name: DFVU d.o.o.;
  • Company seat and address: Liparjeva cesta 6A, 1234 Mengeš, Slovenia;
  • Registration number: 7193548000;
  • Registered in the registry of the District Court of Nova Gorica under the entry number 2016/50019;
  • VAT ID: SI 35983175 (liable for VAT);
  • Contact telephone number: +386 (0)68 694 914;
  • Contact e-mail: sales@dfvu.org.

Controller Contact Details

All questions and inquiries regarding the processing of personal data, including claims and data subject requests, can be sent to info@dfvu.org.

Collection, Storage, and Processing of Personal Data

During the provision of CartFox services the personal data of website visitors under the Controller’s control and users of the Subscriber’s applications and/or websites is processed. A Subscriber is a legal entity that enters into a subscription contract on the website to use the CartFox services, which enable sending of electronic messages (e-mail, SMS, instant messaging applications) to designated recipients.

More specifically, the following personal data about individuals is processed by the services listed below:

CartFox service

  • e-mail address;
  • telephone number;
  • information about the website or application through which the e-mail address and/or telephone number was provided;
  • information about the sending of the messages:
    • message type (SMS, instant messaging application (type of application), e-mail);
    • the date of sending;
    • time of sending;
    • the content of the message sent (e.g. purchase related notifications, abandoned cart, discount notification, etc.);
  • information about an undelivered message (the date and time of receipt of the undeliverability notification);
  • information about the performed action (e.g., purchase of an item in the abandoned cart, purchase of a discounted item, etc.).

The e-mail address and telephone number of an individual using a website under the control of the Subscriber (joint controller) or the Controller are collected automatically and may be used to send communication to the individual only if the following preconditions are met:

  • an individual has added at least one item in the cart within a web shop;
  • an individual has provided their communication information (e-mail and/or telephone number);
  • the message contains wording related to the (potential) purchase by the individual.

Website visitor:

Based on the preferences of an individual, the Controller may collect the following personal data when the individual visits the website, such as:

  • the IP address from which the individual accessed the website;
  • the country and location of the network, including the company, from which the individual accessed the website (where this is possible based on the IP address);
  • a unique ID number (generated automatically);
  • URLs (domains) of all visited webpages on the website;
  • the date and time of the visit to each webpage on the website;
  • the duration of the visit to each webpage on the website;
  • the number of webpages visited on the website during each website visit;
  • the URL of the webpage from which the individual came to each webpage on the website.

This data is collected using cookies and similar technologies in accordance with the individual’s preferences made when visiting the website. Details on the use of cookies and similar technologies, and instructions for disabling their use are described in the Cookie Policy, which is made accessible on the website itself and when the users are stating their preferences.

Contact persons of the Subscribers

During the provision of CartFox services to the Subscribers, the information listed below may be collected from the contact persons. The provision of data is optional, but without it the Controller might not be able to provide certain services or fulfil specific requests. Such data includes:

  • the name and surname (if this information is disclosed in communication);
  • the position within the company (if this information is disclosed in communication);
  • e-mail address (if this information is disclosed in communication);
  • contact telephone number (if this information is disclosed in communication);
  • the name of the company;
  • the date on which the credit was topped up;
  • information about sent messages;
  • information about the prices of sent messages;
  • the content of the communication (if communication exists).

Purpose and Legal Basis for Personal Data Processing

The Controller collects and processes the personal data of individuals on the following legal bases and for the following purposes:

A. Individual’s Consent

A.1. This legal basis serves to process the personal data of those individuals who have given their consent to receive electronic communications. Based on an individual’s consent, personal data within the Cartfox service is processed in two ways:

  • by the Controller on the websites under its control. In this case the Controller acts as a sole controller.
  • by the Subscriber on the websites or applications under its control together with the Controller. In this case the Subscriber and Controller act as joint controllers.

The purpose of the processing of personal data is to inform the individual about their (intended) purchase as the messages sent by CartFox services contain the following information:

    • Order confirmations;
    • Delivery updates;
    • After purchase receipts;
    • Cart abandonment reminders.

The primary purpose of these messages is transactional communication, even though they may in certain situations encourage recipients to purchase items or services on the website or in the application of the joint controller, the Cartfox subscriber. The messages are intended to notify an individual regarding the business relationship with the Controller or Subscriber (e.g., notifications related to the purchase).

The individual may withdraw the consent at any time, without any adverse consequences for themselves. This may be done by using the unsubscribe options contained in an individual message sent to the individual by the CartFox service, or alternatively by sending a message to info@dfvu.org. The consent withdrawal only applies to the processing of personal data within the CartFox service. For other types of processing, contact the CartFox Subscriber directly.

B. Legitimate interest

B.1. On this legal basis, the controller processes personal data within the Cartfox service only of those individuals who:

  • have added at least one item in the cart within a web shop; and
  • have provided their communication information (e-mail and/or telephone number).

The purpose of the processing is the same as in section A. above.

The individual may at any time request that the Controller stops the processing of their personal data based on legitimate interest, without any adverse consequences for themselves. This may be done by using the unsubscribe options contained in an individual message sent to the individual by the CartFox service, or alternatively by sending a message to info@dfvu.org. The consent withdrawal only applies to the processing of personal data within the CartFox service. For other types of processing, contact the CartFox Subscriber directly.

B.2. The IP address of the network from which the individual accessed the website, URL (domain) of all visited webpages on the website, and the date and time of the visit to each webpage on the website are processed by the Controller on the basis of its legitimate interest to prevent, detect, and sanction any abuse or attempted abuse of the website.

B.3. The Controller processes the personal data of the Subscribers’ contact persons for the purpose of concluding and fulfilling subscription contracts between the Controller and the Subscribers, for the provision of technical service, and for the purpose of providing evidence.

Retention Period of Personal Data and Procedure After its End

In situations where the legal basis is consent, personal data is stored until the consent of an individual is withdrawn. After the withdrawal of consent, the data is stored for 90 more days, but is not used to send communication to the individual, for the purposes of communication logging and for evidence of communication related to potential claims from the Subscribers.

In case the legal basis is legitimate interest, personal data is stored for 90 days from the date the individual enters the data into the related web form or for 90 days from the date the individual unsubscribes from receiving CartFox communication.

The data on website visitors will be stored for 12 months from the date of acquisition, with the exception of the data required as evidence in proceedings, which will be stored for the duration of the proceedings and for as long as it is possible to request a revision of the proceedings under the law.

The data on contact persons of the subscribers will be stored for 3 years after the termination of the subscription, i.e., for 3 years from the use of credit balance after which the credit balance is no longer topped up. This is a general limitation period between economic entities.

In case of a purchase, the data is stored in accordance with the applicable legislation (e.g., for VAT purposes in line with ZDDV-1).

After the expiry of the retention period, the Controller shall effectively and permanently delete or anonymize the personal data so that they can no longer be linked to a specific individual.

Access to Personal Data

Within the Controller’s organisation, access to personal data is limited to those persons whose nature of work requires such access. The access by such persons shall be protected by an efficient authentication system and a record of access to personal data shall be kept.

The Subscriber as a joint controller does not have access to personal data, but only to aggregated and thus anonymized data (e.g., the number of messages sent, the number of purchases via messages sent, etc.) from which it is not possible to identify the individual. If the Subscriber uses the data export module within CartFox, it shall have access to the personal data of recipients, namely to all the data referred to in section A., and may also export and use this data outside CartFox. The Subscriber shall be solely responsible for the lawfulness of the processing of such exported data.

The Controller may entrust certain tasks regarding the personal data to third parties (hereinafter: Processors). Processors may process the personal data of users only within the limits of the Controller’s authority (written contract or other legal act) and for the purposes as defined in this Policy. Under no circumstances may the Processors process personal data for their own purposes or interests or for the purposes or interests of third parties. Controller ensures that a Data Processing Agreement is in place with all of its Processors, which defines the necessary personal data processing details.

The personal data processor that has access to personal data is the company which sends SMS messages on behalf of the Controller.

The Controller and Processors shall not transfer personal data to third countries (countries outside the European Economic Area: EU Member States and Iceland, Norway, and Liechtenstein) or international organizations.

Security of Personal Data Processing

The Controller pays special attention to the security of personal data processing. Personal data are protected to the fullest extent possible – considering risks involved in their processing – against loss, destruction, alteration, processing for purposes other than those for which they were collected, and against unauthorized access and disclosure.

The controller has internal procedures in place in the event of security incidents involving personal data.

Individual’s Rights with Regard to Personal Data and the Procedure for Exercising Them

With regard to their personal data, individuals have the following rights, which they may exercise at any time by contacting the controller via the e-mail address info@dfvu.org.

For the purposes of reliable identification in the event of the exercise of rights relating to personal data, the Controller may request additional information from the individual and may refuse to act only if the Controller can prove that the individual cannot be reliably identified.

The Controller shall respond to the individual’s request to exercise their rights with regard to personal data without undue delay and at the latest within one month of the receipt of the request.

Right to withdraw consent: if the individual consented to the processing of their personal data, they can withdraw their consent at any time by following the instructions listed in paragraph “A. Individual’s Consent”. The consent withdrawal shall not have any adverse consequences for the individual, other than the fact that the controller might no longer be able to provide them with the service or services that cannot be provided without the personal data to which the consent withdrawal relates.

Right of access to personal data: the individual has the right to obtain confirmation from the Controller as to whether or not personal data concerning them are being processed, and, if so, the individual has the right to request access to the personal data and certain information about the data processing.

Right to rectification of personal data: the individual has the right to have inaccurate personal data concerning them rectified by the controller.

Right to erasure of personal data (right to be forgotten): the individual may request that the controller erase their personal data if at least one of the following grounds applies:

  • the data are no longer necessary for the purposes for which they were collected and processed;
  • the individual withdraws their consent and there is no other legal basis for the processing;
  • the individual objects to the data processing and there are no overriding legitimate grounds for the processing;
  • the data have been unlawfully processed;
  • the data have to be erased for compliance with legal obligations under EU law or the law of the Member State to which the Controller is subject;
  • the data have been collected in relation to the offer of information society services.

Right to restriction of processing: the individual may request that the controller restrict the data processing where at least one of the following grounds applies:

  • the individual contests the accuracy of the data for a period enabling the controller to verify the accuracy of the data;
  • the processing is unlawful, and the individual opposes the erasure of the data and requests the restriction of their use instead;
  • the Controller no longer needs the data for the purposes of processing, but they are required by the individual for the establishment, exercise, and defense of legal claims;
  • the individual has objected to processing pending the verification whether the legitimate grounds of the controller override those of the individual.

Right to data portability: the individual has the right to receive their personal data, which they have provided to the controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to third parties without hindrance from the controller, where:

  • the processing is based on consent or a contract, and
  • the processing is carried out by automated means.

The individual also has the right to have the personal data transmitted directly from one Controller to another, where technically feasible.

Right to object to the processing: the individual has the right to object at any time to processing of personal data which is necessary for the purposes of the legitimate interests pursued by the controller and/or third party, including profiling; the Controller shall no longer process personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual or for the establishment, exercise or defense of legal claims.

Where personal data are processed for marketing purposes, the individual has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the individual objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right to lodge a complaint with a supervisory authority: the individual has the right to lodge a complaint with a supervisory authority (Information Commissioner, Dunajska cesta 22, 1000 Ljubljana, gp.ip@ip-rs.si, +386 (0)1 280 77 00), if the individual considers that the processing of personal data infringes data protection rules.

This Privacy Policy applies as of 1 April 2023.