Privacy Policy

Effective date / Last updated: 1 July 2024.

This Privacy Policy describes how Lunette, obrt za proizvodnju, vl. Matea Grubišić ("Seller", "we", "us" or "our") collects, uses, shares and protects your personal data when you visit, use the services of, or make a purchase on our website www.lunete.com ("website") or otherwise communicate with us (collectively, "Services").

For the purposes of this Privacy Policy, "you" and "your" refers to you as a user of our Services, whether you are a customer, visitor to the website or another person whose data we have collected in accordance with this Privacy Policy. "Personal data" means any information relating to you by which you can be identified.

Please read this Privacy Policy carefully.

Changes to this Privacy Policy

We reserve the right to periodically update this Privacy Policy to reflect changes in our data collection and processing practices, changes in legal regulations or other operational, legal or regulatory reasons. The revised Privacy Policy will be published on the website with an updated "Last updated" date. All changes take effect on the date of publication unless otherwise stated.

How we collect your personal data

To provide our Services, we collect personal data about you from various sources, depending on your interaction with us:

Information you provide directly:

We collect information you directly provide us when using our Services, such as:

  • Contact details: First name, last name, address, email address, phone number.
  • Order information: Data required to process and fulfil your order, including billing and delivery address, payment details (which are most often collected directly by our payment processors), details of ordered products.
  • Account information: If you create a user account, we collect your username, password and other account management data.
  • Communication information: Information you provide when you contact us by email, phone or other support channels.

Data we collect automatically:

When you visit or use our website, we may automatically collect certain data about your interaction and use ("Usage data"). This data may be collected via cookies and similar technologies. Usage data may include information about your device, browser type, operating system, IP address, time of visit, pages viewed, links clicked and your behaviour on the website.

Data we receive from third parties:

We may receive data about you from third parties that provide services on our behalf, such as:

  • Payment processors: Our payment processing service providers (e.g. Stripe for card payments, banks for bank transfers) collect and process payment data to enable secure transactions. We ourselves typically do not have direct access to all the details of your card, only to confirmation of successful payment.
  • Platform service providers: The platform on which our webshop is hosted may collect data necessary for the webshop to operate.
  • Delivery service providers: We receive information necessary to organise the delivery of your ordered products.
  • Analytics service providers: Services such as Google Analytics collect data about traffic and user behaviour on our website for analysis purposes.

All information received from third parties will be processed in accordance with this Privacy Policy. Please also see the section "Third-party websites and links".

How we use your personal data

We use your personal data for the following purposes, based on the appropriate legal bases under the General Data Protection Regulation (GDPR):

Providing Services and contract performance: (Legal basis: contract performance, Art. 6(1)(b) GDPR)

  • To process and fulfil your orders (including payment processing, packaging and delivery).
  • To manage your user account (if you create one).
  • To communicate with you about your orders, payments, returns, exchanges or other transactions.
  • To provide customer support and respond to your enquiries.

Marketing and advertising: (Legal basis: your consent, Art. 6(1)(a) GDPR, or legitimate interest, Art. 6(1)(f) GDPR, depending on the specific activity and your status)

  • To send marketing and promotional materials (by email, SMS) about our products and offers, if you have consented (e.g. newsletter sign-up) or if we have a legal basis (e.g. legitimate interest for direct marketing to existing customers, with the option to unsubscribe).
  • To personalise content and advertisements shown to you on our website and other platforms.
  • To analyse the effectiveness of our marketing campaigns.

Security and fraud prevention: (Legal basis: legitimate interest, Art. 6(1)(f) GDPR; legal obligation, Art. 6(1)(c) GDPR)

  • To detect, investigate and prevent fraudulent, unauthorised or illegal activities.
  • To protect the security of our website, user accounts and data.
  • To enforce our General Terms and Conditions.

Service improvement and analytics: (Legal basis: legitimate interest, Art. 6(1)(f) GDPR)

  • To analyse how users use our website and Services in order to improve functionality, user experience and product offering.
  • For internal business analysis and reporting.

Compliance with legal obligations: (Legal basis: legal obligation, Art. 6(1)(c) GDPR)

  • To comply with applicable legal regulations, court orders, and authority requests.
  • To maintain legally required records (e.g. accounting records).

Cookies

We use cookies and similar technologies on our website. Cookies are small text files stored on your device. We use them for the functioning of the website, collecting usage data, improving your experience and for marketing purposes.

For necessary cookies that are essential for the website to function, we do not require your consent. For other types of cookies (analytical, functional, marketing) we will request your consent via a cookie banner on your first visit.

Most web browsers automatically accept cookies, but you can manage cookie settings through your browser settings or via the cookie settings interface on our website (if available). Please note that disabling certain types of cookies may affect the functionality of our website.

We may also recognise Global Privacy Control (GPC) signals, which may serve as an opt-out signal from certain forms of data processing (such as targeted advertising), depending on your location and applicable laws.

More detailed information about the cookies we use, their purpose and duration, and about managing your cookie preferences, can be found in our Cookie Policy (if you have a separate one, otherwise delete this link and sentence).

How we disclose your personal data

We may disclose your personal data to third parties in the following circumstances:

  • Service providers: We share data with third parties that perform services on our behalf and according to our instructions (e.g. IT service providers, payment service providers, delivery service providers, analytics service providers, email sending/marketing tool providers, customer support providers). These service providers act as our data processors and are obligated to protect your data.
  • Legal and regulatory authorities: We may disclose your data if we are required to do so by law, court order or request by a competent authority, or to protect our rights, property or safety, or the rights and safety of our users or others.
  • In connection with business transactions: In the event of a merger, acquisition, asset sale or bankruptcy, your data may be transferred to a third party involved in such a transaction.
  • With your consent: We may disclose your data to third parties if you have given your explicit consent for such disclosure.

In the past 12 months, depending on your interaction with us, we may have disclosed the following categories of personal data to the following categories of recipients for the purposes described in this Privacy Policy:

  • Data categories: Contact details (name, address, email, phone), order and account data (order details, payment data — processed by data processors), website usage data (via cookies and analytics).
  • Recipient categories: Payment processors, delivery service providers, IT and hosting service providers, analytics service providers (e.g. Google Analytics), email sending and marketing tool providers, customer support service providers, competent authorities (upon request and by law), potential acquirers in the event of a business transaction.

We do not process or disclose special categories of personal data (e.g. health data, ethnic origin) without your explicit consent or unless there is another legal basis prescribed by law.

Third-party websites and links

Our website may contain links to other websites or platforms operated by third parties (e.g. social networks, blogs, partners). If you use these links, you leave our website. We do not guarantee the privacy or security of those websites, nor are we responsible for their content or practices. We recommend that you review the privacy policies and terms of use of those third parties before providing them with your personal data.

Children's data

Our Services are not intended for children under the age of 16 and we do not knowingly collect personal data from persons under the age of 16. If you are a parent or legal guardian and believe that your child has provided us with personal data, please contact us using the details in the "Contact" section to request deletion of that data.

Security and retention of your data

We implement reasonable technical, organisational and administrative security measures to protect the personal data we collect from unauthorised access, disclosure, alteration and destruction. Despite our efforts, no security measure is perfect or impenetrable, and we cannot guarantee complete security of your data.

We retain your personal data for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of contract performance, compliance with legal obligations (e.g. tax, accounting), dispute resolution, establishment of legal claims and enforcement of our agreements and policies. The criteria for determining retention periods include the type of data, the purpose of collection, our relationship with you and our legal obligations.

Your rights regarding personal data (GDPR rights)

Under the General Data Protection Regulation (GDPR), depending on the circumstances, you have the following rights regarding your personal data:

  • Right of access (right to information): You have the right to request confirmation of whether we are processing your personal data, and if so, to obtain access to that data and information about the processing (purpose, categories, recipients, retention period, etc.).
  • Right to rectification: You have the right to request correction of inaccurate personal data relating to you, as well as completion of incomplete data.
  • Right to erasure ("right to be forgotten"): You have the right to request erasure of your personal data if it is no longer necessary for the purposes for which it was collected, if you have withdrawn consent (and there is no other legal basis), if you have objected to processing based on legitimate interest, if the data has been unlawfully processed, or if erasure is required by law.
  • Right to restriction of processing: You have the right to request restriction of processing of your personal data in certain situations (e.g. if you contest the accuracy of the data, if processing is unlawful and you oppose erasure).
  • Right to data portability: You have the right to receive personal data relating to you, which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit it to another controller, where processing is based on consent or a contract and is carried out by automated means.
  • Right to object: You have the right to object to processing of your personal data based on our legitimate interest (Art. 6(1)(f) GDPR), including profiling. You have an unconditional right to object to processing of personal data for direct marketing purposes, including profiling related to direct marketing.
  • Right to withdraw consent: If processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing prior to its withdrawal.
  • Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. The supervisory authority in the Republic of Croatia is the Personal Data Protection Agency (AZOP).

How to exercise your rights:

To exercise your rights, please contact us by email at info@lunete.com or via the contact details in the "Contact" section. To protect your data, we may need to verify your identity before acting on your request. We will respond to your request without undue delay and no later than one month from receipt (the deadline may be extended by a further two months in complex cases).

Complaints

If you have any complaints about the way we process your personal data, please contact us directly at info@lunete.com or via the contact details in the "Contact" section. We will endeavour to resolve your complaint. If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Agency (AZOP) in the Republic of Croatia.

International data transfers

Your personal data may be transferred to, stored and processed in countries outside the European Economic Area (EEA). In such cases, we ensure that the transfer is carried out in accordance with applicable data protection laws and with appropriate safeguards, such as Standard Contractual Clauses adopted by the European Commission, to ensure an adequate level of protection for your data.

Contact

If you have any questions about this Privacy Policy, our data processing practices or wish to exercise your rights regarding personal data, please contact us:

Lunette, obrt za proizvodnju, vl. Matea Grubišić
Address: Alojzija Stepinca 13, 21210 Solin, CROATIA
OIB: 49454175984
Email: info@lunete.com
Phone: +385 98 949 4363

For the purposes of applicable data protection laws (including GDPR), Lunette is the data controller of your personal data.