Privacy and Personal Data Protection Policy

Table of Contents


(hereinafter referred to as “Policy” or “Privacy Policy”)

Last update of the Policy: December 5, 2022

This Policy describes DFVU d.o.o. Družba za posredništvo (hereinafter referred to as the “Controller”) policies and procedures on collecting, processing, transferring, storing, using, and disclosing the User’s information when the User uses the Website and tells the User about privacy rights and how the law protects the User.

The Company uses the User’s Personal Data that the Users of the Company’s Services provide. Using the Website or Services, the User agrees to collect and use information following this Policy. 

The Policy complies with Articles 12, 13 and 14 of the GDPR.



The words in which the initial letter is capitalised have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear singular or plural.


For the purposes of this Policy:

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

“Company”, “us”, “we”, “our”, or “DFVU d.o.o. Družba za posredništvo” means DFVU d.o.o., with a principal place of business at Liparjeva cesta 6A, 1234 Mengeš, Slovenia, registration number: 7193548000.

Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law

“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data, an online identifier, etc.

“Processing” means any operation or set of operations that are performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Services” or “Companys Services” means the Cartfox service enables the sending of electronic messages to registered telephone numbers (SMS, instant messaging applications) and e-mail addresses.

“The User”, “you”, or “your” means any person who is responding to an invitation to participate in a survey via  Company’s Website.

“Usage Data” refers to data collected automatically, either generated using the Website infrastructure (for example, the duration of a visit, website usage, and the number of users).

“Website” means the Company’s web platform for the User’s mobile devices or computers which can be used through a browser without downloading, under the name of, and it is not affiliated with any other websites, companies, brands, organisations, or similarly named entity resembling it.


  1. The Controller acts as a joint controller in respect of the Personal Data of the recipients of messages, together with the individual subscriber whose users or customers are the recipients.

The Controller acts as an independent (sole) controller with regard to the personal data of the contact persons of its Users. 

This Policy also contains all the information about your rights in relation to your Personal Data.

The Controller:

  • Short name: DFVU d.o.o.;
  • Company seat and address: Liparjeva cesta 6A, 1234 Mengeš, Slovenia;
  • Registration number: 7193548000;
  • Registered in the registry of the District Court of Nova Gorica under the entry number 2016/50019;
  • VAT ID: SI 35983175 (liable for VAT);
  • Contact telephone number: +386 (0)68 694 914;
  • Contact e-mail:
  1. The Controller’s contact person for all questions regarding the processing of personal data is Simon Terbovšek. Your questions and inquiries, including claims, can be sent to

The Data Protection Officer is JK Group d.o.o., Stegne 27, 1000 Ljubljana,, + 386 (0)590 91 794.


Personal Data:

If the User is personally invited as a contact person of a landlord or property manager that has contracted the Company to survey their tenants for them, or if the User is a business contact or user of another service or company that have contracted the Company to survey them in some other respect, certain identifiable information that can be used to contact or identify the User will have been provided to Company from said parties.

Personally identifiable information may include but is not limited to:

  • e-mail address;
  • telephone number;
  • information about the website or application through which the e-mail address and/or telephone number was provided;
  • information about the sending of the messages:

message type (SMS, instant messaging application (type of application), e-mail);

the date of sending;

time of sending;

the content of the message sent (e.g., abandoned cart, discount notification, etc.);

  • information about an undelivered message (the date and time of receipt of the undeliverability notification);
  • information about the performed action (e.g., purchase of an item in the abandoned cart, purchase of a discounted item, etc.).

From the contact persons of the Users:

  • the name and surname (if this information is disclosed in the communication);
  • the position within the company (if this information is disclosed in the communication);
  • e-mail address (if this information is disclosed in the communication);
  • contact telephone number (if this information is disclosed in the communication);
  • the name of the company;
  • the date on which the credit was topped up;
  • information about sent messages;
  • information about the prices of sent messages;
  • the content of the communication (if communication exists).

The information is collected from the contact persons. The provision of data is optional, but without it, the controller might not be able to provide certain services or fulfil specific requests.

The e-mail address and telephone number data are collected automatically when entered by the individual on the website or in the application of the joint controller, the Services subscriber.

The Company has the right, at any time at its sole discretion, to request you confirm your Personal Data as documents confirming your identity.


Usage Data is collected automatically when using the Website.

Usage Data may include information, type of the Device, pages that the User visits, the time and date of the visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When the User accesses the Website by or through a Device, Company may collect certain information automatically, including, but not limited to:

  • the IP address from which the individual accessed the website;
  • the country and location of the network, including the company, from which the individual accessed the website (where this is possible based on the IP address);
  • a unique ID number (generated automatically);
  • URLs (domains) of all visited webpages on the website;
  • the date and time of the visit to each webpage on the website;
  • the duration of the visit to each webpage on the website;
  • the number of webpages visited on the website during each website visit;
  • the URL of the webpage from which the individual came to each webpage on the website.

This data mentioned above is collected automatically and without the individual’s intervention.


The Company might use Cookies and similar tracking technologies to track the activity on Company’s Website and store certain information. Tracking technologies are beacons, tags, and scripts to collect and track information and improve and analyse the Website. The technologies that Company uses may include:

  • Cookies or Browser Cookies. A cookie is a small file placed on the User’s Device. You can instruct the browser to refuse all Cookies or to indicate when Cookie is being sent. However, if the User does not accept Cookies, the User may not be able to use some parts of the Website.
  • Flash Cookies. Certain features of the Website may use locally stored objects (or Flash Cookies) to collect and store information about the User’s preferences or activity on the Website. Flash Cookies are not managed by the same browser settings as those used for Browser Cookies.
  • Web Beacon. Certain sections of the Website and Company’s emails may contain small electronic files known as Web Beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit Company, for example, to count guests who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).

Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on the User’s personal Devices when the User goes offline, while Session Cookies are deleted as soon as the User closes the web browser.

The Company may use both Session and Persistent Cookies for the following purposes:

Necessary/Essential Cookies

Type: Session Cookies

Administered by the Company

Purpose: These Cookies may be essential for providing the User with services available through the Website and enabling the User to use some of its features. They can help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that the User has asked for may be inaccessible.

Cookies Policy/Notice Acceptance Cookies

Type: Persistent Cookies

Administered by the Company

Purpose: These Cookies identify if users have accepted the use of cookies on the Website.

Functionality Cookies

Type: Persistent Cookies

Administered by the Company

Purpose: These Cookies allow Company to remember the choices the User makes when using the Website, such as remembering the User’s login details or language preference. The purpose of these Cookies is to provide the User with a more personal experience and to avoid the User having to re-enter preferences every time the User uses the Website.

Advertising Cookies

Administered by the Company

Purpose: Those cookies can be turned on and off by the Website to deliver our potential customers the best advertising experience. They do not contain personal information and are based on the User’s actions over the Website.

Google Analytics

Personal data and information obtained by way of such cookies concern the use that Users make of the Website and will be transmitted from the User’s browser to Google Inc., with registered office at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States of America, and stored on the company’s servers. Google’s norms on privacy, which we kindly invite you to read, are available at the following URL:

The information on personal data concerning Google Analytics services is available at the following URL:

Browsing Data

Computer systems and procedures responsible for the correct functioning of the Website automatically acquire, whilst operating, some Personal data concerning your browsing history. For instance, within this category, Company may find:

  • IP addresses;
  • Number of accesses to the Website;
  • Visited pages;
  • Date and time of access;
  • Browser type;
  • Adopted operating system.

Data voluntarily provided by you

Data freely and optionally provided by Users via email to one of the email addresses indicated on the Website or in this Information may be acquired for purposes communicated to Users from time to time. Besides email addresses required to answer Users, additional Personal data included within the same communication received by Company may be processed. Personal data collected will be retained and processed solely to preserve them and send correspondence for no further purpose.


Company may use Personal Data for the following purposes:

To provide and maintain the Website, including monitoring the usage of the Website.

To manage the User’s requests: To attend to and manage the User’s requests to Company.

For other purposes: Company may use the User’s information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of Company’s promotional campaigns, and evaluating and improving the Website, products, and services, marketing, and the User’s experience.

Company may share the User’s Personal Data in the following situations:

  • With service providers: Company has the right to share the User’s Personal Data with service providers to monitor and analyse the use of the Website and to contact the User.
  • With Affiliates: Company has the right to share the User’s Personal Data with Companys affiliates, in which case Company will require those affiliates to honour this Privacy Policy. Affiliates include Company’s parent Olaisen Holding AS and any other subsidiaries, joint venture partners or other companies that Company controls or that are under common control with Company.
  • With business partners: Company has the right to share the User’s Personal Data with the company that has contracted a survey by Company of their tenants, users, customers, business relationships, employees or others.
  • With the User’s Consent: Company has the right to disclose the User’s personal information for any other purpose with the User’s consent.


The Company will retain the User’s Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. 

The Company will retain and use the User’s Personal Data to the extent necessary to comply with Company’s legal obligations (for example, if we are required to retain the User’s Personal Data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period, except when this Personal Data is used to strengthen the security or improve the functionality of the Website.


The User’s information, including Personal Data, processing by the Company’s operating offices and in any other places where the parties involved in the processing are located. This information may be transferred to — and maintained on — computers outside the User’s state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of the User’s jurisdiction.

The User’s consent to this Privacy Policy, followed by submission of such information, represents the User’s agreement to that transfer.

Company will take all steps reasonably necessary to ensure that the User’s Personal Data is treated securely and following this Privacy Policy, and no transfer of the User’s Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of the User’s Personal Data and other personal information.


Business Transactions

If Company is involved in a merger, acquisition or asset sale, the User’s Personal Data may be transferred. The Company will provide notice before the User’s Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, Company may be required to disclose the User’s Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

Company may disclose the User’s Personal Data in the good faith belief that such action is necessary to:

  • Comply with legal obligations.
  • Protect and defend the rights or property of the Company.
  • Prevent or investigate possible wrongdoing in connection with the Website.
  • Protect the personal safety of the User of the Website or the public.
  • Protect against legal liability.


The Company’s Website does not address anyone under 18 (eighteen). The Company does not knowingly collect personally identifiable information from anyone under 18 (eighteen). Please contact us if the User is a parent or guardian and is aware that the child has provided the Company with Personal Data.

If Company becomes aware that Company has collected Personal Data from anyone under the age of 18 (eighteen) without verification of parental consent, the Company takes steps to remove that Personal Data from Company’s servers or/and any storage used by Company.

If Company needs to rely on consent as a legal basis for processing the User’s information and the User’s country requires consent from a parent, Company may require the User’s parent’s consent before Company collects and use that information.


The Company takes all reasonable steps to protect information received from the User from accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access. The Company has put in place appropriate physical, technical and administrative measures to safeguard and secure the User’s information, and Company uses privacy-enhancing technologies such as encryption. If you have any questions about the security of your personal information, you can contact us via email:


The Company’s Website may contain links to other websites that Company does not operate. If the User clicks on a third-party link, the User will be directed to that third party’s website. The Company strongly advises the User to review the Privacy Policy of every site that the User visits.

The Company has no control over and assumes no responsibility for the content, privacy policies or practices of any third-party sites or services.


The Company may update the Policy from time to time. The Company will notify the User and third parties of any changes by posting the new Policy on this page.

The Company has the right to update the Policy. The Company will inform the User and third parties by updating the “Last Updated” date at the top of this Policy.

The User and third parties are advised to review this Policy periodically for any changes. This Privacy Policy changes are effective when posted on this page.


The legal basis for processing the User’s Personal Data is Art. 6 sec. 1 a) b), f) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals about the processing of personal data and the free movement of such data and repealing Directive 95/46 / MI Laws UE.L.2016.119.1 (GDPR), where the legitimate interest of Company is related to providing the Website for the User.

Personal Data will be processed until an objection to data processing or termination is made, but no longer than 10 (ten) years.

The User has the right to access, correct, delete, or restrict his or her Personal Data or to object to the processing, as well as the right to transfer the Personal Data and the right to complain to the supervisory authority.

In the case of obtaining data and processing them based on Art. 6 sec. a) GDPR – the User has the right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out based on consent to its withdrawal.

In accordance with GDPR, Company is a data controller for the Personal Data collected from all categories of data subjects listed above, with the following exceptions: the Company is a data processor of the User logs, administrative user logs, and some account settings information. In addition, the Company is a data processor for any of the content provided by the User through the Website that transit. Where the Company is a data processor, the Company processes data on its user’s behalf under their data processing instructions.


With regard to their Personal Data, you have the following rights, which you may exercise at any time exercise contacting the Controller via the e-mail address or via the Data Protection officer JK Group d.o.o., Stegne 27, 1000 Ljubljana,, + 386 (0)590 91 794.

For the purposes of reliable identification in the event of the exercise of rights relating to Personal Data, the Controller may request additional information from you and may refuse to act only if the Controller can prove that the individual cannot be reliably identified.

The Controller shall respond to your request to exercise their rights with regard to the Personal Data without undue delay and, at the latest, within one month of receipt of the request.

Right to withdraw consent: if you consented to process your Personal Data, you could withdraw your consent at any time. The consent withdrawal shall not have any adverse consequences for you other than the Controller might no longer be able to provide you service or services that cannot be provided without the Personal Data to which the consent withdrawal relates.

Right of access to personal data: you have the right to obtain confirmation from the Controller as to whether or not Personal Data concerning them are being processed, and if so, you have the right to request access to the Personal Data and certain information about the data processing.

Right to rectification of personal data: have the right to have inaccurate Personal Data concerning you rectified by the Controller.

Right to erasure of personal data (right to be forgotten): you may request the Controller to erase your personal data if at least one of the following grounds applies:

  • the data are no longer necessary for the purposes for which they were collected and processed;
  • you withdraw your consent, and there is no other legal basis for the processing;
  • you object to the data processing, and there are no overriding legitimate grounds for the processing;
  • the data have been unlawfully processed;
  • the data have to be erased for compliance with legal obligations under EU law or the law of the Member State to which the Controller is subject;
  • the data have been collected in relation to the offer of information society services.

Right to restriction of processing: you may request from the Controller to restrict the data processing where at least one of the following grounds applies:

  • you contest the accuracy of the data for a period enabling the controller to verify the accuracy of the data;
  • the processing is unlawful, and the individual opposes the erasure of the data and requests the restriction of your use instead;
  • you no longer need the data for the purposes of the processing, but the individual requires them for the establishment, exercise, and defence of legal claims;
  • you have objected to processing pending the verification of whether the controller’s legitimate grounds override yours.

Right to data portability: you have the right to receive your Personal Data, which they have provided to the Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to third parties without hindrance from the Controller, where:

  • the processing is based on consent or a contract, and
  • the processing is carried out by automated means.

You have the right to have the Personal Data transmitted directly from one controller to another, where technically feasible.

Right to object to the processing: you have the right to object at any time to the processing of Personal Data which is necessary for the purposes of the legitimate interests pursued by the Controller and/or the third party, including profiling; the Controller shall no longer process Personal Data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual or for the establishment, exercise or defence of legal claims.

Where Personal Data are processed for marketing purposes, you have the right to object at any time to the processing of Personal Data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the individual objects to processing for direct marketing purposes, the Personal Data shall no longer be processed.

Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint with a supervisory authority (Information Commissioner, Dunajska cesta 22, 1000 Ljubljana,, +386 (0)1 280 77 00), if you consider that the processing of Personal Data infringes data protection rules.


If you have an unresolved privacy or data use concern that the Company has not addressed satisfactorily, please contact us via email


If you have any questions about this Policy, you can contact us:

  • by email: