
Privacy Policy

Kolači Martinec - MARTINEC USLUGE d.o.o.

Last Updated: 6 November 2025

PART 1: PRIVACY POLICY

1. INTRODUCTORY PROVISIONS

Your privacy and the protection of your personal data are of paramount importance to us. This Privacy Policy (hereinafter: "Policy") describes how MARTINEC USLUGE d.o.o. (hereinafter: "Company" or "we") collects, uses, stores and protects your personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR), the Data Protection Act 2018 (as amended), and the Croatian Act on the Implementation of the General Data Protection Regulation (NN 42/18).

Please read this Policy carefully to understand our data protection practices.

Data Controller Information:

  • Company Name: MARTINEC USLUGE d.o.o.

  • PIN (OIB): 49072517234

  • Headquarters: Šćitarjevo 100/1, 10410 Šćitarjevo, Croatia

  • Telephone: +385 (0)91 503 7376

  • Director: Dalibor Martinec

  • Business Activity: Manufacture and sale of confectionery products, primarily cakes and pastries

  • Email: kolaci.martinec@gmail.com

  • Data Protection Officer (DPO): Not applicable - The Company, as a micro-enterprise, is not obliged to appoint a DPO. All data protection queries are handled by the Data Controller.

2. TRANSPARENCY ASSURANCE (GDPR Articles 13-14)

This Privacy Policy has been prepared in accordance with Article 13 of the General Data Protection Regulation and contains all mandatory information available to you:

  • Identity of the Data Controller (Section 1)

  • Purpose of data processing (Section 6)

  • Legal basis for processing (Section 5)

  • Recipients of data (Section 7)

  • Data retention periods (Section 8)

  • Your rights as a data subject (Section 9)

  • Contact details of the Data Controller (Section 1)

  • Contact details of the supervisory authority (Section 13)

  • Information about data sources (Section 4)

  • Information about automated decision-making (Section 9.7)

2.1. Information When Data Is Collected From a Third Party (GDPR Article 14)

If you have provided us with data about another person (for example, ordering a cake for someone's birthday and providing the recipient's name and address), this same Policy applies to that data.

What you should know:

  • If we collect data from a third party, we are obliged to inform that person about the processing of their data within 30 days

  • We recommend that you inform that person about the processing via this Policy

  • That person has all the same rights as you do

3. WHAT PERSONAL DATA DO WE COLLECT

We collect only those personal data that are necessary to provide our services or that you have voluntarily provided. The data we collect may be of the following types:

3.1. Contact Information

  • Full name

  • Email address

  • Telephone number

  • Address (delivery/collection address)

  • Place of residence

3.2. Order Information

  • Type and quantity of products

  • Order date and delivery/collection date

  • Allergen data and dietary restrictions (vegan, gluten-free, dairy-free, etc.)

  • Data about specific allergens (peanuts, shellfish, eggs, dairy products, tree nuts, sulphites, sesame, soya, etc.)

  • Medical and health restrictions related to diet

  • Special requests and customisations

3.3. Payment Information

  • Payment method (cash, bank transfer, card, other)

  • Bank account details (only if you have selected bank transfer)

  • Transaction data (not stored – processed by the payment service provider)

3.4. Technical Information

  • IP address of your device

  • Browser type and version

  • Operating system type and version

  • Cookies and tracking technologies (detailed in Part 2)

  • Information about your behaviour on the website (which pages you visited, how long you spent there)

3.5. Information from Contact Forms

  • Content of messages you enter into contact forms

  • Dates and time stamps of communication

  • Topic of your enquiry

3.6. Information From Social Media (if you contacted us via social media)

  • Your profile and public information from your page

  • Messages and communication

4. HOW WE COLLECT DATA

We collect data in the following ways:

4.1. Directly From You

  • Via contact forms on the website

  • During telephone communication

  • During in-person contact at our premises

  • Via email communication

  • During the ordering process

4.2. Automatically

  • Through website analytics (Google Analytics or similar tools)

  • Through cookies stored on your device

  • Through tracking pixels (if used)

  • Through website server logs

4.3. From Third Parties

  • From Wix.com (our website service provider) - technical data

  • From payment service providers - if you use bank transfer

  • From Google, Facebook and Instagram - if you follow us or use their pixels

  • From WhatsApp - if you use their service

4.4. Source of Data Not Provided by You

If data has been provided to us by a third party (for example, a friend who purchased a cake), we should have informed you of this. If you are unsure whether this has occurred, please contact us.

5. LEGAL BASIS FOR DATA PROCESSING

We process your data on the following legal bases:

5.1. Performance of a Contract (GDPR Article 6(1)(b))

We process data necessary to conclude and perform the contract for the sale and delivery of products, including:

  • Data required for order communication

  • Data for delivery/collection

  • Data for payment

  • Allergen and health data - necessary for food safety and to prevent anaphylaxis

Without this data, we cannot process your order.

5.2. Legal Obligation (GDPR Article 6(1)(c))

We process data to comply with:

  • Tax obligations (tax authorities require sales data)

  • Legal obligations (Consumer Protection Act, fiscal legislation, HACCP)

  • Other statutory requirements

By law, we must retain this data regardless of your wishes.

5.3. Legitimate Interest (GDPR Article 6(1)(f))

We process data for:

  • Service improvement - analysing website usage

  • Security - protection against fraud and misuse

  • Marketing (only if you have subscribed to a mailing list or were a customer and consented to communication)

  • Dispute resolution - retention of evidence

We require this data for business purposes, and it does not adversely affect your rights.

5.4. Your Consent (GDPR Article 6(1)(a))

We process data with your explicit consent for:

  • Marketing emails - newsletters

  • SMS messages - order notifications and promotional messages

  • Cookies - analytical and marketing cookies

  • Additional communications that are not necessary for the service

You may withdraw consent at any time - simply let us know.

5.5. Special Categories of Data (GDPR Article 9)

We process data about health conditions (allergen data and dietary restrictions) in accordance with Article 9:

Legal basis:

  • Article 9(2)(b) - For the protection of vital interests (preventing serious allergic reactions)

  • Article 9(2)(h) - For health purposes

By placing an order and specifying allergens, you give us implicit consent to process that data.

6. PURPOSES FOR PROCESSING DATA

We use your data for the following purposes:

6.1. Provision of Services

  • Processing your order

  • Preparation and delivery of products

  • Communication about order status

  • Resolution of complaints and returns

  • Enabling personal settings (for example, saved products or addresses)

6.2. Communication

  • Responding to your enquiries via email, telephone or messages

  • Sending order confirmations

  • Sending delivery notifications

  • Providing customer support

  • Sending notifications about policy or service changes

6.3. Marketing (only with your consent)

  • Sending newsletters

  • Notifications about new products

  • Offers and discounts

  • Surveys and feedback

How to unsubscribe: All marketing emails contain an "Unsubscribe" button.

6.4. Security and Legal Obligations

  • Protection against fraud

  • Prevention of website misuse

  • Prevention of unauthorised access

  • Compliance with tax obligations

  • Compliance with fiscal legislation obligations

  • Compliance with health regulations

  • Compliance with other legal obligations

  • Retention of evidence in case of dispute or request from authorities

6.5. Analytics and Improvements

  • Analysis of website usage

  • Improvement of user experience

  • Testing of new functionality

  • Creation of aggregated (anonymised) reports

  • Optimisation of website performance

7. WITH WHOM WE SHARE YOUR DATA

We never sell your data to third parties or share it with the market. However, we may share data with:

7.1. Service Providers (Data Processors)

Data may be passed to the following data processors in accordance with Article 28 GDPR:

  • Wix.com LTD - website service provider and hosting

  • Google LLC - web analytics (Google Search Console)

  • Microsoft Corporation - web analytics (Bing Webmaster Tools)

  • Payment providers - transaction processing

  • Email services - sending messages and newsletters

  • Telephone operators - SMS notifications

7.2. Legal Obligations

Data may be passed to:

  • Tax authorities (FINA, tax administration) - for fiscal and tax purposes

  • Customs authorities (if applicable) - for international shipments

  • Law enforcement bodies - based on a court order or lawful request

  • Other public bodies (as required by law)

  • Health bodies - where necessary for supervision

We never provide data without a legal basis. If authorities request data, a court order or other lawful document is required.

7.3. Data Transfers Outside the EU/EEA

Some of our service providers are located outside the European Union:

  • Google Search Console (USA - Google LLC)

  • Bing Webmaster Tools (USA - Microsoft Corp.)

  • Wix.com (Israel/USA)

How we protect your data:

  • Standard Contractual Clauses (SCCs) have been concluded for all transfers

  • Companies are bound by the EU data protection framework

  • Additional protective measures are applied

Even if data goes to the USA or elsewhere, it is protected according to GDPR standards.

7.4. Other Cases

Data may be shared if:

  • You have explicitly approved it

  • It is necessary for the protection of your, our, or the public interest

  • Ownership of the Company is transferred (the new owner would be bound by the same obligations)

8. HOW LONG WE RETAIN YOUR DATA

Type of Data | Retention Period | Legal Basis/Reason
Contact data (active customers) | While you are a customer + 1 year after last activity | Contract, legitimate interest
Contact data (inactive) | 3 years | Archiving, statistics, possibility of return
Order and invoice data | 7 years | Fiscal legislation, tax law
Payment data | 7 years | Fiscal legislation and accounting laws
Allergen and health data | 5 years | Food law, possibility of health damage claims
Cookies | Up to 12 months (depending on type) | Technical necessity, user settings
Marketing communication (newsletter) | Until consent is withdrawn | Your choice – can unsubscribe at any time
IP addresses and log files | 3 months | Website security, misuse detection
Complaint and dispute data | 5 years after resolution | Possibility of legal action
Support conversations | 2 years | Service quality analysis, possibility of reinstatement on request

After these periods expire: Your data will be securely deleted or anonymised (anonymised means you can no longer be identified).

Exception for anonymised data: We retain anonymised data (which cannot be linked to you) for longer periods as it is not subject to GDPR.

9. YOUR RIGHTS

In accordance with GDPR, you have the following rights:

9.1. Right of Access (GDPR Article 15)

You have the right to find out what data we hold about you and how we use it.

  • Request method: Send an email

  • Response deadline: Up to 30 days

  • Cost: Free - one request per year

9.2. Right of Rectification (GDPR Article 16)

If data is inaccurate, you have the right to request correction.

9.3. Right to Erasure – "Right to be Forgotten" (GDPR Article 17)

In certain circumstances, you can request that your data be deleted.

You can request erasure if:

  • The data is no longer necessary for the purpose for which it was collected

  • You withdraw the consent on which processing is based

  • You object to the processing (Article 21)

  • The data has been processed unlawfully

  • There is a legal obligation to erase

Limitations - We will not be able to delete data if it is needed for:

  • Fiscal legislation (7 years - legal obligation to the tax authority)

  • Resolution of disputes or court request

  • Refund possibility - we need proof of transaction (5 years)

  • Health supervision or enforcement of Food Law

  • Prevention of fraud (documentation of suspicious activities)

  • Tax or accounting purposes

What we will do instead of deletion: If we cannot delete data, we will anonymise it (remove all information that could identify you).

How to exercise:

  • Send an email: "I request deletion of my data"

  • Attach proof of identity

  • Response deadline: 30 days

9.4. Right to Restrict Processing (GDPR Article 18)

Instead of deletion, you can request that we restrict the use of your data.

Example: If you claim that data is inaccurate, you can request that we do not use it whilst we verify its accuracy.

Result: The data will be stored but will not be used unless we need it to resolve a dispute or protect your rights.

9.5. Right to Data Portability (GDPR Article 20)

You have the right to receive your data in a structured, machine-readable format so you can transfer it to another service provider.

Format: Usually CSV or Excel

Example: If you need your order data for another shop

How to exercise:

  • Send an email: "I request portability of my data"

  • Response deadline: 30 days

  • Cost: Free

9.6. Right to Object (GDPR Article 21)

You can object to data processing:

Marketing communication - You can object at any time

  • Unsubscribe from the newsletter (button in the email)

  • Or contact us directly

Processing based on legitimate interest - You can object with a reason

  • Example: "I do not wish you to analyse my behaviour on the website for marketing purposes"

  • You must provide a reason

  • We will consider your objection

9.7. Automated Decision-Making (GDPR Article 22)

You have the right not to be subject to decisions based solely on automated processing.

What this means: You cannot be rejected or approved without human review if the decision is made solely by a machine.

Our practice: We do not currently use automated decisions (for example, AI for approving or rejecting orders). All decisions are made by humans.

If this changes: We will inform you and give you the opportunity to object.

9.8. Right to Withdraw Consent (GDPR Article 7)

You may withdraw consent that you have given at any time (for example, for newsletters).

Result: Processing stops, but this does not affect the lawfulness of processing before withdrawal.

How to exercise:

  • Click "Unsubscribe" in the email

  • Or send us an email

9.9. Right to Lodge a Complaint (GDPR Article 77)

If you are unhappy with our response or believe we are breaching GDPR, you can lodge a complaint with the Croatian Personal Data Protection Agency (AZOP).

10. HOW TO EXERCISE YOUR RIGHTS

10.1. Procedure for Exercising Rights

To exercise any of the above rights:

  1. Make a written request (email or post):

    • State exactly what you are requesting

    • Be specific (for example, "I request access to all my data" or "I request deletion of order data ABC")

  2. Provide proof of identity:

    • Photocopy of identity card or passport

    • Or digitised version of identification documents

  3. Send to:

  4. Expect a response:

    • Response within 30 days of receipt of your request

    • If we require additional information, we will notify you

10.2. Refusal of Clearly Unfounded or Excessive Requests

If a request is:

  • Clearly unfounded - for example, a request for data we have not collected or which does not concern you

  • Excessive - for example, a request for the same data 10 times per month without reason

In such cases, we may:

  • Request additional information to clarify the request

  • Charge a reasonable fee for administrative and operational costs (but usually free)

  • Refuse the request with detailed reasons

10.3. Information About Your Request

We will respond to all requests without delay and within a maximum of 30 days.

If the request is complex (for example, you require 1,000 pages of data), we may request an extension of the deadline to up to 90 days.

11. DATA SECURITY

We apply technical and organisational measures to protect data against unauthorised access, deletion or damage.

11.1. Technical Security Measures

  • SSL/TLS encryption - All communication between your browser and the website is encrypted (you see a green padlock in the browser)

  • HTTPS protocol - The website uses a secure protocol

  • Firewall and antivirus - Protection against unauthorised access and malicious software

  • Secure passwords - Only authorised employees can access data

  • Regular backups - Prevention of data loss

  • Software updates - Regular patches for security vulnerabilities

  • Restricted database access - Only necessary employees have access

11.2. Organisational Security Measures

  • Restricted employee access - Only certain staff have access to data

  • Employee confidentiality - All employees are obliged to maintain confidentiality of data

  • Data protection training - All employees are trained on GDPR and data protection

  • Security policies - Clear rules for data use

  • Access control - Recording of who accessed which data

11.3. Data Breach - Breach Notification (GDPR Articles 33-34)

If a data breach occurs (for example, unauthorised access, deletion or leakage of data):

What we will do:

  1. Risk assessment - Within 72 hours we will assess whether the breach poses a risk to your security

  2. Notify AZOP - If there is a risk, we will notify AZOP without delay

  3. Notify you - If the breach poses a risk to your privacy, we will notify you

  4. Transparency - We will not hide information from you

What you should know:

  • The breach will be handled seriously

  • You will have the right to compensation if you suffer damage

  • You can lodge a complaint with AZOP

11.4. Limitation of Liability

Although we apply reasonable measures, no method is 100% secure.

12. COMPANY CONTACT - DATA CONTROLLER

MARTINEC USLUGE d.o.o.

Šćitarjevo 100/1, 10410 Šćitarjevo, Croatia

Telephone: +385 (0)91 503 7376

Email: kolaci.martinec@gmail.com

Director: Dalibor Martinec

13. SUPERVISORY AUTHORITIES

Personal Data Protection Agency (AZOP)

Selska cesta 130, 10000 Zagreb, Croatia

Telephone: +385 1 4609 000

Email: info@azop.hr

Web: www.azop.hr

14. CONSUMER PROTECTION ACT – ADDITIONAL INFORMATION

14.1. Receipt and Resolution of Complaints

If you are unhappy with a product or service:

  • Complaint deadline: Up to 8 days from receipt of product (or as soon as you notice an error)

  • How: Email to kolaci.martinec@gmail.com or by telephone

  • What to include: Description of the problem and order number

  • Our response: Within 15 days of receipt of the complaint

14.2. Right to Unilaterally Terminate Contract (Cooling-Off Period)

If you purchased online or at a distance (by telephone), you have the right to cancel your order:

  • Deadline: 14 days from the date of order

  • When termination is possible: Only if the product has not begun to be prepared

  • Refund: If preparation has already begun, you may be required to pay a reasonable fee for work carried out

  • How: Send an email with a request to terminate

Exception: The cooling-off period does not apply if you have explicitly requested preparation of the product before the deadline expires.

14.3. Alternative Dispute Resolution - Dispute Settlement

If you are unhappy with our handling of your complaint, you can contact:

  • Croatian Consumer Association (HUZP)

  • Local consumer protection body in your local community or city

PART 2: COOKIE POLICY

15. WHAT ARE COOKIES

A cookie is a small text file that a website stores on a user's device to improve experience, analytics and marketing.

15.1. How They Work

  1. You visit a website

  2. The website stores a cookie on your device

  3. The cookie is stored on your device's hard drive or memory

  4. On subsequent visits, the browser reads the cookie

  5. The website recognises your device based on the cookie

15.2. What They Contain

  • Unique identifiers (counting you as a device, not as a person)

  • Settings (selected language, time zone, dark mode)

  • Information about your behaviour on the website (which pages you visited)

  • Marketing preferences (products that interest you)

15.3. What They Cannot Do

  • Cannot access your hard drive or files

  • Cannot see other files on your computer

  • Cannot spread viruses or malicious software

  • Cannot automatically download files

  • Cannot run as a program

16. TYPES OF COOKIES

16.1. Essential Cookies

These cookies are mandatory for the website to function correctly. Your consent is not required because they are technically necessary (GDPR Article 82, ePrivacy Directive).

Cookie | Purpose | Duration | Issuer
svSession | Session cookie for identification | 6 months | Wix
SSR-caching | Performance cookie for rendering | 24 hours | Wix
XSRF-TOKEN | Protection against CSRF attacks - cyber security | Session | Wix
TS* | Cookie for attack detection | Session | Wix
hs | Security Cookie for Hive (Legacy) | Session | Wix
bSession | Used for system effectiveness measurement | 24 hours | Wix
fedops.logger.sessionId | Tracking session errors and issues (resilience) | 12 months | Wix
_wixAB3|* | Cookie for site experiments | 6 months | Wix
server-session-bind | Cookie for API protection | Session | Wix
client-session-bind | Cookie for API protection | Session | Wix

16.2. Analytical Cookies (with your consent)

We do not use analytics tools that require cookies. We do not issue analytical cookies.

16.3. Marketing Cookies (with your consent)

We do not use marketing tools that require cookies. We do not issue marketing cookies.

16.4. Third-Party Cookies

Third parties (Wix) use their own cookies on our site. We cannot control all their cookies, but they are related to services they provide.

Who uses them:

  • Wix - for hosting and website management

Note: Even if you disable our cookies, these third parties use their own cookies according to their policies.

17. COOKIE CONSENT

In accordance with GDPR and the ePrivacy Directive:

  • Essential cookies - Consent not required (Article 82 ePrivacy Directive, GDPR Article 6(1)(c))

  • All other cookies - We require explicit consent before storage on your device

We only use essential cookies. We are not required to implement a cookie banner for granting or withdrawing consent.

18. HOW TO DISABLE COOKIES

18.1. In Your Browser

In the settings of Chrome, Firefox, Safari or Edge browser, you can block cookies.

18.2. Google Analytics

Install the add-on: Google Analytics Opt-out

18.3. Facebook Ads

In Facebook Settings > Ads > Ad Preferences.

19. POLICY UPDATES

This Policy may be updated at any time. We will notify you of significant changes by:

  • Publishing a new version on the website with the update date noted

  • Sending an email notification (if you are on our email list)

  • Displaying a notification on the website (banner)

Important: By continuing to use the website after changes, you will be deemed to have accepted the new terms.

20. CONTACT FOR COOKIE QUESTIONS

MARTINEC USLUGE d.o.o.

Šćitarjevo 100/1, 10410 Šćitarjevo, Croatia

Telephone: +385 (0)91 503 7376

Email: kolaci.martinec@gmail.com

FINAL PROVISIONS

21. APPLICABLE LAW

These Policies are governed by the law of the Republic of Croatia and the General Data Protection Regulation (GDPR) of the European Union.

Competent courts: Court in Velika Gorica or Zagreb, Republic of Croatia.

22. ENTRY INTO FORCE

This Privacy Policy and Cookie Policy comes into force on the date of publication: 31 October 2025.

MARTINEC USLUGE d.o.o.

PIN (OIB): 49072517234

Šćitarjevo 100/1, 10410 Šćitarjevo, Croatia

Telephone: +385 (0)91 503 7376

Email: kolaci.martinec@gmail.com
