Privacy Policy

Effective date: 9 March 2026

The protection of personal data is important to us. We therefore strive to ensure that all processing of personal data carried out in connection with our website, E-shop, customer accounts, communications, and contractual relations is compliant with Regulation (EU) 2016/679 (GDPR) and applicable Slovenian personal data protection legislation, including the Personal Data Protection Act (ZVOP-2).

1. Who processes your personal data?

Your personal data is processed by Adria Peptides, Slovenia, as the controller. You may contact us regarding privacy-related matters at [email protected].

2. Purposes, Legal Bases, and Retention Periods

We process personal data only where there is an appropriate legal basis under the GDPR. The retention period depends on the purpose of processing, the applicable legal basis, and any statutory retention obligations.

2.1 Orders and purchase of Goods through the E-shop

We process data necessary to receive, verify, process, and fulfill orders, communicate with you, issue invoices, arrange delivery, handle complaints, and perform contractual obligations. Legal basis: contract and pre-contractual steps. Retention: contractual relationship and generally 4 years after termination, unless longer retention is required or justified.

2.2 Customer Account

We process data necessary to create, maintain, and administer Customer Accounts, including login details, account settings, order history, and related activity. Legal basis: contract and pre-contractual steps. Retention: for the duration of the account and as long as necessary for law, claims, compliance, or security.

2.3 Direct marketing to existing customers

If you have previously purchased Goods from us, we may use your contact details to send information about our own similar products, offers, or updates where permitted by law. Legal basis: legitimate interests. Retention: during the business relationship and generally up to 2 years after its end unless you object earlier.

2.4 Newsletter and promotional communications

If you subscribe or otherwise consent, we may send updates, news, and marketing content. Legal basis: consent. Retention: until withdrawal of consent, generally no longer than 2 years from consent unless renewed.

2.5 Competitions, giveaways, or promotional campaigns

We may process data to administer campaigns, verify participation, select winners, communicate results, and deliver prizes. Legal basis: consent or campaign terms. Retention: campaign duration and reasonable follow-up, generally no longer than 2 years unless longer retention is required.

2.6 Affiliate or referral programs

We may process limited referral, click, conversion, and purchase data to attribute commissions and administer the program. Legal basis: legitimate interests and, where necessary, contract. Retention: generally 4 years unless longer retention is required for accounting, tax, or claims.

2.7 Suppliers, service providers, and contractual partners

We process data necessary to negotiate, conclude, perform, and manage contractual relationships. Legal basis: contract and pre-contractual steps. Retention: contract duration and generally 4 years thereafter unless longer retention is necessary.

2.8 Contact persons of business partners

We process contact and professional identification data for business communication and contract performance. Legal basis: legitimate interests. Retention: business relationship and generally 4 years thereafter unless longer retention is required or justified.

2.9 Accounting and bookkeeping

We process data in invoices, accounting records, payment records, and related documentation. Legal basis: legal obligation. Retention: generally 10 years from preparation of the relevant accounting document or longer where required.

2.10 Tax compliance

We process data necessary for VAT, invoicing, reporting, and tax obligations. Legal basis: legal obligation. Retention: in accordance with applicable tax laws, generally 10 years.

2.11 Legal claims and protection of rights

We may process data to establish, exercise, defend, or enforce legal claims, respond to disputes, or protect the Company's legal position. Legal basis: legitimate interests or legal obligations. Retention: for the relevant claim, dispute, proceeding, or limitation period.

2.12 Registry administration and business correspondence

We may maintain records of correspondence, requests, notices, claims, and communications. Legal basis: legal obligations and legitimate interests. Retention: according to record type, typically up to 3 years for ordinary correspondence unless longer retention is required.

2.13 Essential cookies and website functionality

We use essential cookies and similar technologies necessary for website and E-shop operation and security. Legal basis: legitimate interests or other applicable e-privacy basis. Retention: generally up to 7 days unless a specific cookie has a different lifespan.

2.14 Non-essential cookies, analytics, and advertising technologies

Analytics, preference, or marketing cookies that are not strictly necessary are used where permitted, typically based on consent. Legal basis: consent where required. Retention: for the duration of consent and according to cookie lifespan, generally no longer than 1 year unless specified.

2.15 Social media pages and channels

We may process limited interaction data such as comments, messages, likes, and page activity. Legal basis: legitimate interests. Retention: for the duration of the social media presence or while content remains active, unless deletion is requested or required.

2.16 Statistics and internal analytics

We may generate internal reports and statistics from lawfully collected data, including anonymized or aggregated analytics. Legal basis: legitimate interests. Retention: as necessary for evaluation; anonymized outputs may be retained longer.

2.17 IT security and fraud prevention

We may process IP addresses, log records, device information, and access data to maintain security, prevent misuse, investigate incidents, and protect systems and users. Legal basis: legitimate interests. Retention: generally no longer than 12 months unless longer retention is required for a specific incident or claim.

2.18 GDPR compliance and data protection administration

We may process data to respond to privacy requests, document compliance, manage incidents, and fulfill GDPR obligations. Legal basis: legal obligation and legitimate interests. Retention: generally 5 years from creation of the relevant record or response unless longer retention is required.

3. To whom do we disclose or transfer your personal data?

We do not sell your personal data. We may disclose personal data where necessary to hosting and cloud providers, E-shop providers, payment processors, shipping and logistics providers, accounting, tax, legal, and audit advisers, IT support, security, analytics, anti-fraud providers, and public authorities, regulators, courts, or law enforcement bodies where required by law. If data is transferred outside the EEA, we will use appropriate safeguards in accordance with the GDPR.

4. What rights do you have?

Subject to GDPR conditions and limitations, you may have the right of access, rectification, erasure, restriction, objection, data portability, withdrawal of consent, and the right to lodge a complaint with the competent supervisory authority. In Slovenia, this is the Information Commissioner of the Republic of Slovenia.

You may exercise your rights by contacting us at [email protected].

5. Is providing personal data voluntary or mandatory?

Where processing is based on consent, providing data is voluntary. Where processing is necessary for contract performance or legal obligations, failure to provide required data may mean that we cannot create your account, accept or fulfill your order, communicate with you, issue invoices, comply with legal obligations, or provide certain website functions.

6. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time. The updated version will be published on our website with the new effective date.

Controller: Adria Peptides, Slovenia
E-mail: [email protected]