Privacy Policy

Privacy Policy
Notice to data subjects under Article 13 of the General Data Protection Regulation (GDPR) regarding the processing of personal data in 2.0.

The controller of personal data in connection with the website https://calmuu.pet/ and your other interactions with the sole trader Anja Uranjek s.p. is:

Anja Uranjek s.p.
 Vrbje 83c
 3312 Prebold
 Company registration number:7381751000
 VAT number: 62567853
 Email: info@calmuu.pet

(hereinafter: the “Organisation” or the “Company”)

The Organisation has not yet appointed a Data Protection Officer. All questions, requests, enquiries and other communications relating to the protection of personal data in the Organisation may be addressed to: info@calmuu.pet.

 

 

Introduction

Basic information about the Organisation and its mission

For this purpose, the Organisation collects, stores and otherwise processes certain information and data, including personal data, as provided for by the Personal Data Protection Act (ZVOP-2) and by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the General Data Protection Regulation or the GDPR).

Purpose and use of this notice

This notice describes how the Organisation processes the personal data of individuals who have entrusted their personal data directly to it as controller in connection with the website https://calmuu.pet (for example, when cookies are placed during a visit to the website, when completing and submitting a contact form, etc.).

Use of terms and changes to this notice

Unless otherwise indicated, the terms used in this notice (such as personal data, processing, controller, processor, etc.) have the same meaning as in the GDPR.

The expression “website” means https://calmuu.pet, including all associated subpages and related servers and systems.

Capitalised or defined terms in this notice (for example, “data subject”) shall, unless the context otherwise requires, include the plural and vice versa, and terms used in one grammatical gender shall include all genders (for example, “individual”).

The information and statements in this notice may be updated or amended from time to time; material updates will be announced on our website.

In the event of substantial changes (for example, concerning the legal bases and purposes of processing of personal data already collected), we will inform data subjects of the proposed changes by email or in another appropriate manner.

 

 

1. Overview of filing systems and types of personal data, categories of data subjects, envisaged retention periods, and legal bases, purposes and types of processing

1.1 Table of processing activities

Below is a summary of the main filing systems and processing activities.

Name of filing system

Types of personal data in the filing system

Categories of data subjects

Envisaged retention periods for personal data*

Legal basis for processing, purposes of processing and types of processing of personal data**

Data relating to a concluded contract (distance purchase)

Name of the purchaser and any other data collected at the final step of the purchase (i.e. contact details, telephone number, email address, delivery address)

Purchasers who conclude a distance contract with the Organisation (i.e. purchase via the website) and/or in relation to whom the Organisation issues an invoice for its services.

Until the expiry of the retention period or fulfilment of the purpose of processing for individual categories of personal data, whereby the Organisation may as a rule store data for a further 6 years after completion of the purchase, or longer where required (e.g. data on invoices, which are as a rule kept for at least 10 years under applicable law).

For the purposes of performance of the concluded contract (e.g. delivery of the product, issuing of an invoice), the Organisation may store and process the data in ways that are logically connected to the performance of the contract and the issuing of invoices (i.e. storage in the email system and in the back-end of the online shop, physical storage of the invoice, access, transmission, erasure, back-up).

Data on individuals who have already been customers of our online shop

Email address of an individual who has already been a customer of our online shop.

Individuals who have already purchased products from our online shop.

Until unsubscribing from electronic communications. The data subject may also request unsubscribing or erasure by sending a request to the Organisation’s official email address.

On the basis of a statutory exemption allowing this type of email communication, the Organisation may, until receipt of an objection/unsubscription by the data subject, store and process the data exclusively for the purpose of sending information, advice and other useful content regarding the Organisation’s services.

Data on individuals who have placed products in the basket but did not complete the purchase

Name of the purchaser and any other data collected at the final step of the purchase (i.e. contact details, telephone number, email address, delivery address, data on the product placed in the basket).

Individuals who have placed products in the basket but did not complete the purchase.

After sending one or two emails or SMS messages to the data subject in relation to the products in the basket, or at the latest within 1 month from the day on which the data subject left the last purchase step.

On the basis of negotiations for the conclusion of a contract and in accordance with the Organisation’s legitimate interests, the data may be stored and processed for a limited period for the purpose of continuing negotiations on the conclusion of the contract (i.e. storage in the email system, sending of SMS messages, access, transmission, erasure).

Data on individuals who communicate with the Organisation via email addresses and other communication channels

First name and/or surname, email address, telephone number and any personal data contained in the communication with the individual.

Individuals who, of their own volition, communicate with the Organisation (e.g. service enquiries, appointment arrangements, etc.).

Until the purposes of processing of the individual personal data for which they were collected have been achieved (e.g. until the end of the communication) or until 4 years have elapsed since the last communication.

On the basis of negotiations for the conclusion of a contract, the Organisation may process the data in ways connected with preparing a response (e.g. storage in the email system, archiving, access, transmission, erasure).

Data on individuals who have subscribed to receive informational emails from the Organisation

Email address of the individual.

Individuals who have given consent to receiving information about the Organisation’s products/services.

Until unsubscribing from electronic communications. The data subject may also request unsubscribing or erasure by sending a request to the Organisation’s official email address.

On the basis of the consent obtained, the Organisation may process the data exclusively for the purposes of sending informational messages (storage and use in the email-sending system).

Data on individuals applying for a job vacancy in the Organisation

First name and surname, email address, CV, cover letter, data on work experience, and other relevant data important for the selection procedure.

Individuals applying for job vacancies in the Organisation.

Until completion of the recruitment procedure, unless consent for a longer retention period has been obtained.

On the basis of negotiations for the conclusion of an employment contract, the Organisation may process the data for the purposes of the recruitment procedure (e.g. reviewing, structuring, communication, archiving).

Data obtained from visitors to the website by means of cookie technology providers

Data described in the dedicated Cookie Policy (e.g. IP address, session time, browser data, etc.).

Individuals who visit the website and install necessary or non-necessary cookies.

(See dedicated Cookie Policy.)

(See dedicated Cookie Policy.)

Data on individuals who have subscribed to receive commercial SMS messages from the Organisation

Telephone number of the individual.

Individuals who have given consent to receiving commercial SMS messages.

Until unsubscribing from SMS communications. The data subject may also request unsubscribing or erasure by sending a request to the Organisation’s official email address.

On the basis of the consent obtained, the Organisation may process the data exclusively for the purposes of sending SMS messages (storage and use in the SMS-sending system).

* The Organisation reserves the right, in certain cases based on its legitimate interests, to retain certain data for longer than the periods indicated above (e.g. in the event of inspection proceedings in relation to a service/prize draw/form), whereby in all such cases the Organisation will limit retention to those data that are strictly necessary to pursue such legitimate interests. The data subject may at any time request erasure of data by sending a request to the official email address indicated at the beginning of this document.

** In relation to the above-mentioned purposes (e.g. data storage), data may be transmitted for processing to the Organisation’s contractual partners (sub-processors), as listed in Section 3.3 of this notice. Sub-processors may process data only in connection with the performance of the tasks assigned to them and which are directly linked to the purposes being pursued.

 

 

1.2 The legal basis for processing personal data may be the performance of a contract or negotiations for concluding a contract

We may process personal data of data subjects on the basis of a concluded contract (e.g. performance of a service in our business premises) or on the basis of negotiations for concluding a contract (e.g. where a data subject contacts us through our official communication channels to obtain more information about our services).

In the situations described, you provide your personal data as part of contractual obligations or as part of negotiations for concluding a contract, and we therefore do not require your explicit consent for the above-mentioned processing of your personal data.

As a rule, you will not suffer any serious negative consequences if, in situations where we need your personal data in order to perform our services, you do not provide such data. However, such situations may significantly hinder or even prevent the performance of ordered services or our cooperation, in which case you will be informed of this in advance or subsequently.

 

 

1.3 The legal basis for processing your data may also be the law

The Organisation also processes personal data for the purposes of complying with statutory and other legal obligations, in particular those relating to tax and accounting (e.g. records of issued and received invoices, etc.), for example:

  • where an inspector or other public authority orders the Organisation, in accordance with the law, to provide personal data of a particular customer/visitor (e.g. in the context of inspection supervision under the Inspection Act (ZIN)),

  • where the Organisation processes personal data of a customer to whom it has issued an invoice; the Organisation processes that invoice and the customer’s data (e.g. personal name, contact details, etc.) on the basis of the Value Added Tax Act (ZDDV-1) (see Section 3.2), etc.

 

 

1.4 On the basis of the Organisation’s legitimate interests

We may also process certain personal data for the purposes of safeguarding our own legitimate interests. This may be the case, for example, where the processing of your data is necessary in the context of administrative, criminal or civil proceedings (e.g. where the Organisation must present a database as evidence in proceedings, otherwise the Organisation would incur a penalty or serious and irreparable harm). In such cases we will always process only those data which are strictly necessary for pursuing such legitimate aims.

The Organisation may also process a data subject’s personal data where the processing is necessary in order to protect the vital interests of the data subject (e.g. access to the address of an individual who is in immediate and serious danger to life).

 

 

1.5 On the basis of consent

As a rule, we do not make cooperation with us and the use of the Organisation’s services conditional upon your consent to personal data processing.

Nevertheless, the Organisation may also process your personal data on the basis of your explicit consent. Explicit consent of the data subject is a freely-given declaration of will by which the data subject agrees to the processing of specific personal data for a specific purpose (e.g. your consent to receiving our informational messages). In such cases we process those data specified in the relevant part of the table in Section 1 where it is indicated that the processing is based on consent.

You may withdraw from such communications at any time by following the link included in each such email, or by contacting us at the address indicated at the beginning of this document.

Our online advertising may also be based on your consent, where, during a visit to our website, you have consented to the installation of non-essential (advertising) cookies and tracking pixels of our advertising partners (e.g. installation of the Google Analytics cookie allowing us to advertise our services to you more easily on other websites, etc.). A detailed list of non-essential cookies of our advertising partners, the data processed by means of those cookies and the relevant retention periods is defined on the “Cookies” subpage.

The Organisation guarantees to the data subject the right to withdraw his or her explicit consent at any time in a simple manner, i.e. by contacting us at any time at the email address indicated at the beginning of this document.

Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent prior to its withdrawal.

If you do not give consent to the processing of personal data, give consent only partially, or (partially) withdraw your consent, we will, where possible, cooperate with you only to the extent of the consent given or in ways permitted by applicable law.

Consent is voluntary and, if you decide not to give it or later withdraw it, this will in no case prejudice your other rights or entail any additional costs or burdens for you.

 

 

2. How long do we store or otherwise process your personal data?

The retention period for personal data depends on the legal basis and purpose of processing for each category of personal data. As a rule, personal data are stored for as long as necessary to achieve the purpose for which the data were collected, or for as long as we are required to keep them under a legal obligation, and are then erased.

Where the retention period for specific data is not defined more precisely in the table in Section 1, the following applies:

  • Data related to a concluded contract or the provision of our services and the issuing of invoices. These are stored until the expiry of the retention period or fulfilment of the purpose of processing for individual categories of personal data, whereby the Organisation may as a rule store data for a further 6 years after completion of the cooperation, or longer (e.g. data on invoices). We store personal data of customers on invoices for 10 years, as this obligation is imposed on the Organisation by the Value Added Tax Act (ZDDV-1);

  • Data on individuals who communicate with the Organisation via email addresses and other communication channels available on the website are stored until the purposes of processing of the individual personal data for which they were collected have been achieved (e.g. until the end of the communication) or until 4 years have elapsed since the last communication with the data subject;

  • On the basis of your explicit consent to marketing communications or on the basis of our legitimate interest in advertising to persons who are already our customers, we store data until the person withdraws his or her consent;

  • Data on individuals applying for a job vacancy in the Organisation are stored until completion of the recruitment procedure, unless the Organisation has obtained explicit consent from the data subject for a longer retention period.

The Organisation may retain data for a further 15 days after the expiry of the above-mentioned retention periods in order to ensure that, within that period, destruction of stored data can be carried out across all data carriers and servers.

The data subject may at any time request erasure of data by sending a request to the Organisation’s official email address indicated at the beginning of this document.

 

 

3. Who processes your personal data within and outside the Organisation (recipients of personal data)?

3.1 Certain employees of the Organisation

Your personal data are processed by those employees of the Organisation who require access to the data in order to perform their work duties. All employees are bound by confidentiality and by obligations to protect personal data.

3.2 Public authorities

In certain cases provided for by applicable law, the Organisation must transmit your personal data to, or report them to, competent public authorities, as well as to authorities responsible for financial, tax or other supervision (e.g. the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec Republike Slovenije), etc.). In certain cases the Organisation is also obliged to transmit data to third parties where such a duty of transmission or disclosure is imposed on the Organisation by law or by the lawful entitlement of a third party.

3.3 Contractual processing of personal data

In addition to employees of the Organisation, users of personal data may also be employees of the Organisation’s processors, who may process personal data as confidential exclusively on behalf of the Organisation and within the limits of the data processing agreement which the Organisation has concluded with each such processor. Processors may process personal data only in accordance with the Organisation’s instructions (i.e. the agreement) and may not use the data for any of their own purposes.

The Organisation’s processors include in particular:

  • persons cooperating with us on the basis of service or copyright agreements (IT system maintainers, software developers, etc.);

  • payment service providers (e.g. Visa, Mastercard, PayPal);

  • providers of services for bulk sending of emails and the provider hosting our email server;

  • accountants and accounting services or accounting tools;

  • the provider of services for the development and hosting of the website (see Section 3.4).

The Organisation will not transmit your personal data to unauthorised third parties.

You can obtain an exact list of all the Organisation’s contractual sub-processors by sending a request to the email address indicated at the beginning of this document.

3.4 Website hosting service provider

Our website is hosted on the servers of a company, Shopify Inc.

3.5 Transfers of personal data to third countries and international organisations and protection measures for transferred data

As a rule, our Organisation does not transfer personal data to third countries (i.e. outside the territory of the European Union, Iceland, Norway and Liechtenstein – the European Economic Area, EEA) or to international organisations.

An exception to the above is the occasional transfer of certain technical and personal data to the servers of the processors referred to above whose registered offices or servers are located in the United States of America (e.g. automatic transfer of some data collected by cookies of Alphabet Inc., entry of email addresses into a commercial messaging tool of a service provider, acceptance of payment via a payment service provider, etc.). The relevant processors were members of the former “Privacy Shield” programme (https://www.privacyshield.gov/) and, after 12 July 2020, comply with and have adopted security measures concerning the receipt and transfer of data (e.g. standard contractual clauses) or have duly completed and achieved full self-certification in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data within the EU–US Data Privacy Framework 

You can obtain a list of all such sub-processors by sending a request to the email address indicated at the beginning of this document.

 

 

4. Processing and protection of special categories of personal data

In relation to our website and services, we do not encourage data subjects to provide special categories of personal data (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data or biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation).

If the Organisation becomes aware of a situation in which such data are disclosed to it, it will ensure that the received data are adequately protected or that another appropriate course of action is taken.

 

 

5. What are your rights regarding your personal data and how can you exercise them?

In relation to this notice on the processing of personal data and in relation to the processing of your personal data by our Organisation and our processors, you may contact us at any time and without restriction via the email address indicated at the beginning of this Privacy Policy.

You may also use that address to send your requests and to exercise other rights relating to personal data and the GDPR.

As a data subject, the GDPR gives you the possibility of exercising the following rights vis-à-vis our Organisation:

  • Right to be informed: Data subjects have the right to be informed about the collection and processing of their personal data.

  • Right of access: Data subjects have the right to access their personal data and obtain information about how the data are processed, as well as a copy of the data themselves.

  • Right to erasure (“right to be forgotten”): Data subjects have the right to request erasure of their personal data in certain circumstances.

  • Right to withdraw consent: Where the processing of personal data is based on consent, data subjects have the right to withdraw their consent at any time without suffering any negative consequence.

  • Right to rectification: Data subjects have the right to request rectification of inaccurate or incomplete personal data. Where the data have been disclosed to third parties, we will, where possible, inform those third parties of the rectification.

  • Right to restriction of processing: Data subjects have the right to request restriction of the processing of their personal data. This right applies in certain cases, for example where the accuracy of the data is contested or where the data subject has objected to the processing.

  • Right to data portability: In certain cases, data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format. They may also request that their data be transmitted to another controller, where the processing is based on consent or a contract and the processing is carried out by automated means.

  • Right to object: Data subjects have the right to object to the processing of their personal data on the basis of legitimate interests or for reasons of public interest/exercise of official authority. In such cases we will cease that processing unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

  • Rights in relation to automated decision-making and profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. They also have the right to obtain human intervention, to express their point of view and to contest such decisions.

  • Right to lodge a complaint with a supervisory authority: If you believe that the processing of personal data relating to you carried out by our Organisation infringes data protection regulations, you may, without prejudice to any other (administrative or judicial) remedy, lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (in Slovenia this is the Information Commissioner):

    • Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec Republike Slovenije)
       Dunajska 22, 1000 Ljubljana
       Email: gp.ip@ip-rs.com
       Telephone: +386 (0)1 230 97 30
       Website: www.ip-rs.com

  • A list of other EU supervisory authorities and their contact details is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en#.edoms.

 

 

6. Existence of automated decision-making and profiling

The processing operations carried out by our Organisation do not involve automated decision-making, including profiling, based on your personal data.

 

 

7. Who can you contact for further information regarding the processing of personal data and your rights?

You may contact us at any time regarding the processing of your personal data at the email address indicated at the beginning of this document.

 

 

8. Protection of your personal data

Within the Organisation, personal data are carefully stored and protected by organisational, technical and logical-technical procedures and measures in order to protect the data against accidental or unlawful unauthorised access, destruction, alteration or loss, and unauthorised disclosure or other form of processing to which you have not explicitly consented.

To this end, the Organisation has adopted appropriate internal processes and implemented various measures (e.g. assignment, use and modification of passwords, locking of premises, offices and locations of servers and workstations, regular updating of supporting software and upgrading of vulnerable components, physical protection of materials containing personal data in specially designated places, staff training, etc.). The Organisation requires the same level of security from its processors.

 

 

9. Version and date of last update of this notice

The text of this notice constitutes version 1.0 of this document. This notice was last updated on 14 November 2025.