Privacy Policy
Data Controller and Contact Information
This policy applies to the processing (use) of any personal data carried out by GlobalPharmacia Group d.o.o. (the controller) or performed on behalf of the controller.
Controller Information:
GlobalPharmacia Group d.o.o.
Poklukarjeva ulica 27, Ljubljana, 1000 Ljubljana
VAT ID: SI 88507114
Registration Number: 9037934000
Phone: +386 6 971 9709
Email: info@heka-supplements.com
Personal Data We Process
- Basic contact information (name, surname, phone number, email address)
- Data on the use of our websites (link clicks, time spent) and response data to our emails (whether the message was opened, which links were clicked)
- Data needed to fulfill a contract and deliver purchased goods (item purchased, price, delivery address, delivery time, payment method, payment date, complaint data, invoice data, etc.)
Legal Bases for Processing Personal Data
We may process your personal data based on the following legal grounds:
- When necessary to fulfill our legal obligations (e.g., issuing invoices for purchased goods)
- When processing is necessary to conclude and fulfill a contract you have entered into with us or requested an offer from us
- When you have given consent for specific processing purposes, with the right to withdraw consent at any time (e.g., personalized notifications about our offers based on profiling)
- When we have a legitimate interest in processing your personal data
Purposes of Processing Personal Data
We may use your personal data for one or more of the following purposes:
- Communicating with you regarding the provision of our services and responding to your inquiries
- Concluding and fulfilling obligations under a contract
- Marketing communications (sending emails, postal mail, and SMS)
- Marketing communications based on tailored offers and messages, creating user profiles, or grouping for differentiated marketing content. Profiling includes tracking an individual’s activity (e.g., time spent on specific content, interests, and email engagement) and past purchase frequency and value
- Enforcing legal claims and resolving disputes
- Statistical analyses of sales and website usage
How Long We Store Your Personal Data and What Happens Next
- Basic personal data is stored as long as [specify, e.g., you are a registered user, subscriber, etc.]
- Data processed based on your consent is retained indefinitely or until you withdraw consent
- Invoicing data is stored for 10 years from the issuance date
- Contract data is retained for 10 years from contract fulfillment (product delivery)
After the retention period, we effectively delete or anonymize personal data, making it no longer associable with you.
Voluntary Provision of Data and Consequences of Non-Disclosure
The provision of personal data is voluntary. You are not obliged to provide personal data, but failure to do so may prevent access to certain services or contract formation. We will specify which data is necessary when we collect personal data.
Who Has Access to Your Personal Data
We do not share or provide access to your personal data to third parties (outside of GlobalPharmacia Group d.o.o.) except to those under a written agreement with us, performing data-related tasks, and obligated to comply with data protection laws (data processors). Data processors may only process personal data following our instructions and may not use it for their purposes. They are required, along with their employees, to maintain the confidentiality of your personal data. Personal data processors do not transfer data outside of the European Economic Area (EEA – EU member states, Iceland, Norway, and Liechtenstein).
Your Rights Regarding Personal Data and Withdrawing Consent
You have the following rights regarding your personal data:
- Request confirmation whether we process your personal data
- Access to your personal data and the following information: processing purposes; types of personal data; recipients or categories of recipients with whom personal data has been or will be shared, particularly those in third countries or international organizations; the anticipated retention period or criteria used to determine it; existence of automated decision-making, including profiling, and its rationale and impact on you
- One (free) copy of your personal data in a preferred format (provided electronically if requested electronically, unless specified otherwise); additional copies may incur a reasonable fee based on costs
- Correction of inaccurate personal data
- Restriction of processing when:
- You dispute the accuracy of personal data, allowing time for verification
- Processing is unlawful, and you oppose deletion and instead request usage restriction
- We no longer need personal data, but you require it to enforce, exercise, or defend legal claims
- Deletion of all personal data (right to be forgotten) if conditions under Article 17 of the General Data Protection Regulation (GDPR) are met, especially if you withdraw consent for processing
- Receive personal data in a structured, commonly used, and machine-readable format, with the right to transmit data to another controller without hindrance
- Opt-out of personal data use for direct marketing, including profiling
- Exemption from automated decision-making, including profiling, if conditions under Article 22 of the GDPR are met
- File a complaint with the Information Commissioner if you believe data processing violates the GDPR
Exercising Rights
You can send requests regarding personal data rights in writing to any contact listed under Data Controller and Contact Information at the top of this document. For reliable identification in exercising rights, we may request additional information, and may refuse action only if we cannot reliably identify you. We must respond to your data rights request without undue delay, within one month of receiving your request.