Privacy policy

We respect your privacy and handle your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Slovenian Personal Data Protection Act (ZVOP-2).

Data controller

Trgovina na stojnicah Nika Horjak s.p.
Matteottijeva ulica 7, 6330 Piran, Slovenia
Email: lobo.dar@gmail.com
Phone: +386 40 555 464

What data we collect

We collect personal data only when you actively give it to us, in three situations:

• When you place an order — name, billing/shipping address, email, phone (optional). Payment data (card details) is processed directly by our payment provider Stripe and never stored by us. We never see or hold your full card number.
• When you contact the studio — name, email, and the message you write.
• When you subscribe to the studio letter — email address and (optionally) first name.

We do not knowingly collect data from anyone under the age of 16. We do not buy or rent third-party data.

How we use your data

• To process and ship orders, issue invoices and confirmations.
• To respond to enquiries you send through the contact form.
• To send the studio letter (only if you subscribed) — typically once per season. You can unsubscribe from any newsletter at any time.
• To meet our legal obligations under Slovenian tax and accounting law (invoices retained for 10 years per ZDavP-2).

Legal basis

• Order processing: contractual necessity (Art. 6(1)(b) GDPR).
• Newsletter: explicit consent (Art. 6(1)(a) GDPR).
• Invoicing/accounting retention: legal obligation (Art. 6(1)(c) GDPR).

Who we share data with

We share data only with carefully selected service providers who are GDPR-compliant:

• Stripe (Ireland) — handles checkout and payment processing. Customers are redirected to Stripe's secure hosted checkout to complete each order; Stripe is the only party that sees your card data.
• Pošta Slovenije / GLS / DHL — shipping carriers (only the data needed to deliver your order).
• MailerLite (Lithuania) — newsletter delivery (only if you subscribed).
• Vercel / Netlify — website hosting (server logs only, no personal content).

We never sell your data to third parties.

Cookies & tracking

We use only the bare minimum cookies needed to run the shop:

• Essential cookies — required for the cart and checkout to work. No consent needed under GDPR.

We do not run analytics on this site. We do not use Google Analytics, Facebook Pixel, or any cross-site tracking cookies.

How long we keep your data

• Order records and invoices: 10 years (Slovenian tax law).
• Contact form messages: 24 months, then deleted.
• Newsletter subscriber list: until you unsubscribe.
• Server logs: 30 days.

Your rights

Under GDPR you have the right to:

• Access the personal data we hold about you.
• Have inaccurate data corrected.
• Have your data erased ("right to be forgotten") — except where we must keep it to meet legal obligations.
• Restrict or object to processing.
• Receive your data in a portable format.
• Withdraw consent at any time (e.g. for the newsletter).

To exercise any of these rights, email lobo.dar@gmail.com. We will respond within 30 days.

Right to lodge a complaint

If you believe we have mishandled your data, you may file a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec): www.ip-rs.si.

Changes to this policy

We may update this policy occasionally. The "last updated" date below will reflect the latest version. Material changes will be communicated via the studio letter to subscribers.