Privacy Policy
This Privacy Policy describes the purpose of collecting and processing the personal data of User of the Webshop, the method and scope of the collection and processing of User’s personal data, the legal basis for the processing of User’s personal data, storage period of User’s personal data, the principles of collecting and processing the User’s personal data, the type of data that is collected, the User’s rights to data protection and the manner in which data is protected and ensures its security and legal processing.
When using the Webshop, regardless of registration, the User is obliged to read and accept Purchase Conditions, Cookie Policy and this Privacy Policy.
Processing manager: Da ljepoti ltd., Klanjčić 7a, 10 000 Zagreb, Croatia, OIB: 25935514944, representative of the processing manager, e-mail: info@yestobeauty.hr.
Data Protection Officer
All inquiries, requests, ambiguities, requests or objections can be directed by the user at any time to the data protection officer at the email address: info@yestobeauty.hr.
Processor: Da ljepoti d.o.o., Klanjčić 7a, 10 000 Zagreb, Croatia, OIB: 25935514944
Processor: Croatian Personal Data Protection Agency, Selska cesta 136, Zagreb, Croatia, e-mail: azop@azop.hr
Legal basis of data processing:
The provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data – General Data Protection Regulation (EU GDPR) apply to the collection and processing of personal data of users.
The User’s personal data is collected and processed through the Webshop based on the User’s consent, in accordance with Art. 6 6. paragraph 1. (a) EU GDPR, for the purpose of processing that is necessary for the use of the Webshop and the execution of the contract between the Customer and the Seller, in accordance with Art. 6. 6. paragraph 1. (b) EU GDPR, and for the purpose of other legitimate interests in accordance with Art. 6. 6. EU GDPR.
Type of data collected:
By accepting the Purchase Conditions and the Privacy Policy of the Webshop, the User confirms that he is aware of and agrees with the collection and processing of a set of data about the User consisting of:
- first and last name of the User,
- company name (optional) – due to the possibility of purchasing through the company R1
- country/region (optional)
- street (optional)
- city
- county (optional)
- Zip code
- email address,
- mobile/phone number,
- date of birth,
- login credentials.
Data shared by the User:
In addition to the above data collected by the Data Controller, Users can voluntarily share other data about themselves, for example:
- data from participation in promotional activities, events, contests or focus groups during testing,
- answers to the questions of the Data Controller,
- data provided to the customer service, whereby such communication is sometimes recorded in order to improve the service.
Information about the User shared by others:
In addition to data shared by the User himself, the Data Controller may receive data about the User from others, for example:
- data from other social networks, in case the User connects his profile with other social networks he uses,
- data that other Users share with the Data Controller when contacting the Data Controller.
In addition to the data above, the Data Controller may also collect data about the use of the Webshop, such as the date and time of login, features used by the User, searches, clicks, pages displayed to the User, addresses of redirecting web pages, ads that the User clicks on, data about devices used by the User to access the Webshop, data on hardware and software, wireless or mobile network and device sensors.
The controller uses and may allow others to use cookies and similar technologies. You can read more about this in the Cookie Policy.
It is possible to have automated decision-making – creating a profile, in accordance with Art. 22. 22. EU GDPR, for the purpose of analyzing User activities and preferences in order to enable the most successful use of the Webshop.
The processing manager cooperates with third parties for the purpose of improving the Webshop, with whom he may sometimes share collected data for the purpose of saving and maintaining data, analytics, taking care of Users, marketing, advertising, improving data security. The data controller guarantees a strict verification procedure before hiring such collaborators, and obliges all its collaborators to maintain the confidentiality of data with standard contractual clauses, which oblige them to protect the privacy and security of the data being processed.
The User gives his consent to collection and processing of the specified special categories of personal data, which are necessary for the use of the Webshop, and for the purpose of improving it. The User can withdraw the given consent at any time, but this will not affect the legality of the processing that was based on the consent before it was withdrawn.
Principles of collection and processing:
The controller is responsible for the legality, fairness and transparency of the processing of personal data that is collected, and guarantees that the data processing is appropriate, relevant and limited to what is necessary in relation to the purpose of the processing. The processing manager ensures the integrity and confidentiality of the data that is collected and processed, in a way that ensures data security.
The processing manager is not responsible for false representation of the User. Users undertake to provide true information about themselves when using the Webshop.
Purpose of collection and processing:
User’s personal data is collected and processed for specific, explicit and lawful purposes. The purpose of the Webshop is to inform the User about the available services of SPA centers, to collect data from the User for the purpose of optimal provision of SPA center services and the purchase and sale of Wellness gift vouchers.
In addition to the stated purposes, the Data Controller may use the collected data for other legitimate purposes in accordance with Art. 6. 6. . EU GDPR, for example for the purpose of improving the service, connecting various devices used by the User for the purpose of easier access and use of the Webshop, developing, displaying and monitoring content and advertisements adapted to the interests of the User, marketing, conducting research and analyzing the behavior of the User for the purpose of improving features and services offered by the Webshop, preventing illegal or unauthorized activities inside and outside the Webshop, complying with legally based requirements and assisting authorities responsible for the implementation of laws and other applicable regulations.
The use of the Webshop is completely voluntary.
Data storage period:
The controller stores User’s personal data in accordance with the principle of limiting the storage of personal data – personal data is stored as long as it is necessary in relation to the purpose of collection – use of the Webshop or during the period in which the collected data is necessary for establishing, exercising or defending legal claims requests or protection of the rights of another natural or legal person or public order, and for the purpose of realizing other legitimate interests in accordance with Art. 6. 6. EU GDPR.
User Rights:
The User has the right to access his personal data that is collected and processed for the purpose of using the Webshop, as well as access to information about the purpose of processing, the categories of data that are processed, the recipients to whom the data is disclosed, the intended period of data storage, and other rights in accordance with Articles 12 – 22. EU GDPR.
The User has the right to ask the Data Controller for access to his/her personal data that is collected and processed, as well as to request from the Data Controller the correction or deletion of data or to limit processing or to object to data processing. In the case of submitting such a request by the User, the Data Controller is obliged to respond to the received request, inform the User about the actions taken and/or provide the User with the requested information about the collection and processing of data within one month from the date of receipt of the User’s request, in accordance with Articles 15- 21. – 21. EU GDPR.
If, for justified reasons, he does not act in accordance with the User’s request, the Controller is obliged, no later than one month from the date of the request, to inform the User of the reasons for not acting in accordance with the User’s request and of the possibility of submitting a complaint to the competent authority.
The Controller provides a copy of the personal data being processed, but the User’s right to obtain a copy of personal data must not negatively affect the rights and freedoms of others.
If the processing of personal data is limited to the User’s request, such personal data may be processed only with the User’s consent, with the exception of storage, or to establish, exercise or defend legal claims or protect the rights of another natural or legal person or due to an important interest of the Union or a Member State , in accordance with Art. 18. 18. EU GDPR.
If the User objects to the processing of personal data, the Defense Manager may no longer use such personal data, unless he proves that there are legitimate interests for processing that exceed the interests, rights and freedoms of the User or for the purpose of establishing, exercising or defending legal claims, in accordance with Art. 21. 21. EU GDPR.
In the case of processing of personal data for the purposes of direct marketing, the User has the right to object at any time to the processing of personal data relating to him for the purposes of such marketing, and in this case the User’s personal data may no longer be processed for such purposes.
The Privacy Policy enters into force and starts to be applied on the day of its publication, and is available on the website and in the business premises of the Data Controller.
Date of entry into force: 01.05.2022.