Privacy Policy

Version: 1.0 | Effective Date: TODO: [Insert Date] << UPDATE BEFORE PUBLISHING

1. Introduction

This Privacy Policy describes how TODO: T.D. MODA d.o.o. (<< CONFIRM/UPDATE COMPANY NAME) ("we", "us", "our"), located at Pehlinska 9, 10000 Zagreb, Croatia (OIB/PIN: 60263817988), collects, uses, processes, and protects your personal data when you use our website wearswesh.com ("Site", "Web Shop") and related services.

Your privacy is extremely important to us. We are committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable data protection laws.

Please read this Privacy Policy carefully. By using our Site, you consent to the collection and use of your data as described in this Policy.

2. Data Controller

The data controller for your personal data is:

Name: TODO: T.D. MODA d.o.o. (<< CONFIRM/UPDATE COMPANY NAME) Address: Pehlinska 9, 10000 Zagreb, Croatia OIB/PIN: 60263817988 Contact Email: TODO: [Define Prefix]@wearswesh.com (e.g., legal@, support@, info@)

3. What Personal Data Do We Collect?

We may collect and process the following categories of personal data:

  • Data you provide directly to us:

    • Contact details: First and last name, email address, phone number.
    • Delivery details: Address (street, house number, postal code, city, country), recipient's name.
    • Account details: Username (if applicable), password (in encrypted form), order history, account settings (e.g., language preferences, theme, sizes).
    • Payment details: We do not directly store your credit card information. Payments are processed through a secure payment service provider (Stripe). We may only store masked card data (e.g., last 4 digits) and transaction details.
    • Communication data: Records of your communication with us (e.g., emails to customer support, messages via contact form).
    • Consent data: Records of your consent to the Privacy Policy, Terms of Service, and receiving marketing messages (including the time of consent and document version).
    • User content: Product reviews, comments, or other content you post on the Site.
    • Other data: Information you voluntarily provide (e.g., date of birth, gender).

  • Data we collect automatically:

    • Technical data: IP address, browser type and version, operating system, device type, time zone, location data (general).
    • Usage data: Information about how you use our Site, pages visited, time spent on site, clicks, interaction patterns, session data (e.g., via Vercel Analytics).
    • Cookies and similar technologies: We use cookies for basic site functionality, traffic analysis (e.g., via Vercel Analytics), and improving user experience. TODO: [Specify if other analytical/marketing cookies are used (e.g., Google Analytics, Facebook Pixel) when/if implemented]. Find more information in our Cookie Policy (<< THIS PAGE NEEDS TO BE CREATED).

4. Legal Basis and Purpose of Data Processing

We process your personal data based on the following legal bases and for the following purposes:

  • Performance of a contract (Article 6(1)(b) GDPR):
    • Processing your order, including payment and delivery.
    • Managing your user account.
    • Providing customer support and responding to your inquiries.
    • Processing returns and complaints.
  • Legal obligations (Article 6(1)(c) GDPR):
    • Complying with legal obligations (e.g., accounting, tax).
    • Responding to requests from competent authorities.
  • Legitimate interests (Article 6(1)(f) GDPR):
    • Improving our Site, products, and services.
    • Analyzing Site usage for statistical purposes (e.g., via Vercel Analytics).
    • Preventing fraud and ensuring the security of the Site and our systems (e.g., via Sentry).
    • Sending administrative information (e.g., about changes to Terms).
    • Sending marketing messages to existing customers about similar products or services (with the option to object/unsubscribe).
  • Consent (Article 6(1)(a) GDPR):
    • Sending marketing messages (newsletters) you have explicitly subscribed to.
    • Using certain (non-essential) cookies (e.g., for third-party analytics or personalized advertising) - TODO: [Specify when/if implemented].
    • Processing special categories of data (e.g., date of birth, gender) if you provide them with explicit consent.

5. How Do We Share Your Data?

We may share your personal data with the following categories of recipients, solely for the purposes described in this Policy:

  • Service Providers (Data Processors): Companies that help us run our business, such as:
    • Payment: Stripe.
    • Delivery: Delivery services (e.g., DPD, GLS, HP).
    • IT Infrastructure: Hosting service providers (Vercel), system maintenance, data storage (Supabase).
    • Communication: Transactional email service providers (Resend).
    • Analytics and Error Tracking: Analytics service providers (Vercel Analytics) and error tracking (Sentry).
    • TODO: [List other providers if used, e.g., for email marketing (Klaviyo?), CRM (HubSpot?), customer support (Crisp?) - when/if implemented].
  • Legal and Regulatory Bodies: When legally required or to protect our rights (e.g., courts, police, tax authorities).
  • Business Partners: In the event of a merger, acquisition, or sale of the company.

We impose contractual data protection obligations on all third parties with whom we share your data and limit their use strictly to the purposes for which the data was shared.

We do not sell your personal data to third parties.

6. Data Transfer Outside the EU/EEA

Some of our service providers (e.g., Stripe, Resend, Sentry, Vercel) may process data outside the European Economic Area (EEA). We strive to use providers offering servers within the EU/EEA where possible.

In cases where we transfer your data outside the EEA, we ensure an adequate level of data protection exists, using mechanisms such as:

  • Adequacy decisions of the European Commission.
  • Standard Contractual Clauses (SCC) approved by the European Commission.
  • Binding Corporate Rules (BCR).

TODO: [Legal advisor needs to verify specific transfer mechanisms for key service providers (Stripe, Resend, Sentry, Vercel...) and confirm compliance].

7. How Long Do We Keep Your Data?

We keep your personal data only for as long as necessary to fulfill the purpose for which it was collected, including satisfying any legal, accounting, or reporting requirements.

  • Order data (e.g., invoices) are kept in accordance with the accounting regulations of the Republic of Croatia (TODO: [Legal advisor should confirm the exact period, e.g., 11 years]).
  • User account data is kept while the account is active. We may delete inactive accounts after TODO: [Define inactivity period, e.g., 2 years] of inactivity, with prior notice if possible.
  • Data collected based on consent (e.g., for newsletters) is kept until you withdraw your consent.
  • Data collected based on legitimate interest is kept as long as our legitimate interest exists or until you lodge a valid objection to the processing.
  • System logs and security records are kept for TODO: [Define period, e.g., 6 months to 1 year] for security and analysis purposes.

After the retention period expires, we securely delete or anonymize the data.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: You can request confirmation whether we process your data and a copy of the data we process.
  • Right to rectification: You can request the correction of inaccurate or completion of incomplete data.
  • Right to erasure ("right to be forgotten"): You can request the deletion of your data under certain conditions.
  • Right to restriction of processing: You can request the restriction of processing your data under certain conditions.
  • Right to data portability: You have the right to receive the data you provided to us in a structured, commonly used, and machine-readable format and transmit it to another controller.
  • Right to object: You can object to the processing of your data based on our legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: If processing is based on your consent, you have the right to withdraw consent at any time.
  • Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP).

You can exercise your rights through your user account settings on the "My Account" page (when the functionality is implemented) or by sending a request to our email address: TODO: [Define Prefix]@wearswesh.com.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include data encryption, access control, regular security testing and updates, and employee training.

However, no data transmission over the internet or storage system is 100% secure.

10. Cookies

Our Site uses cookies. For detailed information about the cookies we use, why we use them, and how you can control them, please see our Cookie Policy (<< THIS PAGE NEEDS TO BE CREATED).

11. Children's Privacy

Our Site is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child without parental or guardian consent, we will take steps to remove that data.

12. Changes to the Privacy Policy

We reserve the right to change this Privacy Policy at any time. All changes become effective immediately upon posting the updated version on the Site, with the new effective date indicated.

We recommend that you review this Policy periodically to stay informed about how we protect your data.

13. Contact Information

If you have any questions or concerns regarding this Privacy Policy or our processing of your personal data, please contact us:

  • Email: TODO: [Define Prefix]@wearswesh.com
  • Address: Pehlinska 9, 10000 Zagreb, Croatia