Privacy Policy
1. General information and controller
This privacy policy explains how the pijavka.si website collects, processes and protects the personal data of visitors and customers. The processing is carried out in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and the Personal Data Protection Act (ZVOP-2).
The controller of personal data is:
Hirudo, Andrej Hladnik s.p.
Registered office: Dekani 225 b, 6271 Dekani, Slovenia
Email: [email protected]
Phone: Andrej Hladnik +386 41 633 711
Website: pijavka.si
Company registration number: 9821236000
VAT identification number: 88603440
For any questions regarding the protection of personal data, you may contact us at any time at the email address [email protected].
2. Which personal data we process
We process personal data depending on our relationship with you and on the website features you use. We classify the data into the following categories:
2.1 Order data
First name, last name, email, phone, address (street, postal code, town, country); for companies, the company name and tax number; customer note; preferred delivery date; order items; payment method and amounts.
The “customer note” field is optional and you voluntarily enter content into it that you wish to communicate to us with your order. Do not enter sensitive personal data in the note (in particular data concerning your health), as we do not need it to fulfil the order.
2.2 User account data
Email, encrypted password, name, phone, country and saved addresses.
2.3 Marketing consent / newsletter
Email address and data necessary for sending newsletters, on the basis of your consent.
2.4 Contact form
Name, email and message content.
2.5 AI assistant (on-site chat)
The user’s questions and the page context that you enter into the chat. Details are described in section 4.
2.6 Server logs
Technical data, such as the IP address and the time of access.
3. Purposes and legal bases of processing
For each category of data, we carry out the processing on the basis of the purposes and legal bases under the GDPR set out below:
| Data category | Purpose of processing | Legal basis |
|---|---|---|
| Order data | Performance and delivery of the order, issuing and retention of invoices | Performance of a contract (Art. 6(1)(b) GDPR); for issuing and retaining invoices, also compliance with a legal obligation under tax and accounting legislation (Art. 6(1)(c) GDPR; see the retention period in section 7) |
| User account | Management of the user account and shopping | Consent for the voluntary maintenance of the user account (Art. 6(1)(a) GDPR); for purchases made via the account, also performance of a contract (Art. 6(1)(b) GDPR) |
| Marketing / newsletter | Sending notifications and newsletters | Consent (Art. 6(1)(a) GDPR), which you may withdraw at any time |
| Contact form | Responding to your enquiry | Consent or legitimate interest in responding to the enquiry (Art. 6(1)(a) or Art. 6(1)(f) GDPR) |
| AI assistant | Generating a response and supporting the user | Consent through your active use of the chat (Art. 6(1)(a) GDPR) |
| Server logs | Security and reliable operation of the website | Legitimate interest (Art. 6(1)(f) GDPR) |
4. AI assistant (on-site chat)
An AI assistant (chat) is available on the website to help you with questions about the offer and the content of the site. Its use is voluntary: you start the chat by your own action and may discontinue it at any time. The following applies to its use:
- Only when you actually use the chat are your questions and the page context, for the purpose of generating a response, transmitted to an external artificial intelligence provider (OpenAI or Anthropic) based in the USA.
- The conversation history is stored locally in your browser (in sessionStorage) and not on our servers.
- Vector search (embeddings) runs by default locally on our server (Ollama, in the EU).
- The legal basis for this processing is your consent, which you express through the active use of the chat.
Do not enter sensitive personal data into the chat (e.g. health data, payment instrument data or other confidential data). More about the transfer of data to the USA is described in section 6.
5. Recipients and processors
We do not sell personal data. In order to provide our services, we may disclose it to the following categories of recipients or processors:
- The hosting or server management provider (server in the EU), which also processes server logs on our behalf;
- The email provider (e.g. Zoho / ZeptoMail);
- The artificial intelligence provider (OpenAI / Anthropic);
- The delivery service (Pošta Slovenije or a courier service);
- The bank (in the case of payment by bank transfer).
Processors process personal data exclusively in accordance with our instructions and in accordance with the relevant data processing agreements.
6. Transfers to third countries
When using the artificial intelligence provider (OpenAI / Anthropic), a transfer of data to the United States of America (USA) may occur. Such transfer is based on appropriate safeguards, namely on the standard contractual clauses (SCC) approved by the European Commission and, where the individual provider is certified for this, on the EU–US Data Privacy Framework (EU–US DPF). With the exception of the above, we process your data within the European Union or the European Economic Area.
7. Retention periods
We retain personal data only for as long as is necessary for the purposes for which it was collected, or for as long as required by law:
- Accounting documents and invoices: in accordance with the tax and accounting legislation that requires us to retain them (up to 10 years);
- User account data: until the account is deleted;
- Data processed on the basis of consent (e.g. newsletter): until the consent is withdrawn.
After the retention periods have expired, we delete the data or irreversibly anonymise it.
8. Cookies and local storage
The website uses exclusively essential cookies and local storage necessary for its operation, namely for:
- the operation of the shopping cart;
- logging in and maintaining the user session;
- storing the conversation with the AI assistant (locally in the browser).
The website does not use third-party advertising tracking or other tracking technologies for advertising.
9. Rights of the individual
In accordance with Articles 15–22 of the GDPR, you have the following rights in relation to your personal data:
- the right of access to data;
- the right to rectification of inaccurate data;
- the right to erasure (“the right to be forgotten”);
- the right to restriction of processing;
- the right to data portability;
- the right to object to processing; where we base the processing on legitimate interest (e.g. server logs, contact form), you may object to the processing on grounds relating to your particular situation (Art. 21 GDPR);
- the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out before the withdrawal.
You may exercise these rights by writing to us at the email address [email protected]. We will respond to your request within the statutory deadlines.
10. Right to lodge a complaint with the supervisory authority
If you believe that the processing of your personal data infringes the applicable regulations, you have the right to lodge a complaint with the supervisory authority:
Informacijski pooblaščenec Republike Slovenije (IP-RS)
Dunajska cesta 22, 1000 Ljubljana
Email: [email protected]
Website: www.ip-rs.si
11. Validity and changes to the policy
The controller may amend and supplement this privacy policy. The version published on the pijavka.si website at any given time is the valid one. We recommend that you review the policy from time to time. Date of last update: 21. 6. 2026.
