Arli ClubArli Club
HomeProductsOur StoryContact
|
Arli Club

Quality spirits with home delivery. This is placeholder copy for an online store template.

Quick links

HomeProductsOur StoryContact

Contact

+386 1 234 5678
[email protected]
Arli Club d.o.o., Vzorčna ulica 1, Ljubljana

© 2026 Arli Club. All rights reserved.

Terms & Conditions|Privacy Policy|Cookie Policy|Withdrawal from Purchase|Payment Options

Responsible alcohol use. Suitable only for persons aged 18 and over.

Created by Archilitics s.p.

Privacy Policy

1. Introduction

1.1 Purpose of the privacy policy

This privacy policy explains how Arli Club d.o.o. (hereinafter "we", "our", or "controller") collects, uses, stores, and protects your personal data when using the online store Arli Club (hereinafter "website").

The policy is prepared in accordance with:

  • General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679
  • Personal Data Protection Act (ZVOP-2)
  • Electronic Communications Act (ZEKom-2)
  • Restriction of Alcohol Consumption Act (ZOPA)
  • Electronic Commerce Market Act (ZEPT)
  • Consumer Protection Act (ZVPot-1)

1.2 Personal data controller

The controller of your personal data is:

  • Arli Club d.o.o.
  • Registered office: Vzorčna ulica 1, 1000 Ljubljana, Slovenia
  • Registration number: 0000000000
  • VAT ID: SI00000000
  • Court registration number: 10271400
  • Email: [email protected]
  • Phone: +386 1 234 5678
  • Website: https://template.arli.club

The company is registered in the court register at the District Court in Ljubljana on 14 December 1989.

1.3 Data protection contact

The provider is not required to designate a Data Protection Officer (DPO) within the meaning of Article 37 GDPR, as it does not carry out large-scale and systematic processing of special categories of personal data or regular and systematic large-scale monitoring of individuals. For all questions regarding personal data protection, exercising your rights, and related requests, please contact us at:

  • Email: [email protected] (recommended subject line: "Personal data protection")
  • Phone: +386 1 234 5678

We will respond without undue delay, and in any event within the period set out in Article 12 GDPR (typically 30 days; in exceptional cases extendable by an additional 60 days).

2. What personal data we collect

2.1 Data you provide directly

During login and registration:

  • Email address

Login is performed exclusively via one-time passcode (OTP) sent to your email address. We do not collect or store passwords.

When editing your user profile (optional):

  • First and last name
  • Phone number
  • Delivery address (street, city, postal code)
  • Marketing communication consent

When placing an order:

  • First and last name
  • Email address
  • Phone number
  • Delivery address (street, city, postal code, country)
  • Age confirmation (checkbox confirming you are 18 or older)
  • Terms and conditions acceptance
  • Marketing consent (optional)

Additionally for legal entities (optional):

  • Company name
  • VAT number
  • Company address (street, city, postal code)

For refunds on cash-on-delivery orders:

  • IBAN number (for processing potential refunds)

Gift box personalization (optional):

  • Custom inscription text (up to 50 characters)
  • Company logo (uploaded image)

During communication:

  • Content of your messages and inquiries
  • Date and time of communication

2.2 Data collected automatically

Order data:

  • Order history
  • Cart contents (stored locally on your device)
  • Selected products, quantities, and prices

Authentication data:

  • Encrypted session token (login cookie)
  • IP address — processed solely for request rate-limiting and abuse prevention (legal basis: legitimate interest, Art. 6(1)(f) GDPR); not used for tracking or profiling

We do not automatically collect: browser data, device type, operating system, or pages visited. We do not use analytics tools to track your behavior on the website.

3. Purpose of personal data processing

3.1 Legal bases for processing

We process your personal data on the basis of the following legal grounds (Article 6 GDPR):

A) Contract fulfillment (Article 6(1)(b) GDPR)

Purpose:

  • Order processing and fulfillment
  • Product delivery
  • Invoice issuance
  • Order-related communication (confirmation, shipping, delivery)
  • Complaint and return resolution

Data: name, address, email, phone, order data, IBAN (for refunds)

Without this data, we cannot fulfill your orders. Providing the data marked as required is a condition for concluding and performing the contract; without it we cannot process your order. Age verification is a legal requirement. Other data is voluntary.

B) Legal obligation (Article 6(1)(c) GDPR)

Purpose:

  • Age verification for alcohol sales (Restriction of Alcohol Consumption Act — ZOPA)
  • Accounting and taxes (Tax Procedure Act, VAT Act)
  • Archiving accounting documents (10 years under the Companies Act — ZGD-1)

Data: name, address, transaction data, invoices, age confirmation

These obligations are determined by law and are not dependent on your consent.

C) Legitimate interest (Article 6(1)(f) GDPR)

Purpose:

  • Fraud prevention and duplicate order prevention
  • Website security
  • Protection of rights in legal proceedings

Data: order data, email address

D) Consent (Article 6(1)(a) GDPR)

Purpose:

  • Marketing communication (news, special offers)

Consent is voluntary and can be withdrawn at any time in your user profile or by contacting [email protected].

3.2 Special categories of personal data

We do not collect special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health status, sexual orientation, etc.).

3.3 Automated decision-making and profiling

We do not carry out automated decision-making or profiling. We do not use recommendation systems based on your browsing or purchase history.

4. Who we share your personal data with

4.1 Data processors (service providers)

We may share your personal data with the following service providers, who process data exclusively on our behalf and under our instructions:

Hosting and infrastructure:

ProviderPurposeDataLocation
Netlify, Inc.Web application hostingServer requests (technical data)USA (EU-US Data Privacy Framework)
Supabase Inc.Database and authenticationAll personal data from user accounts and ordersFrankfurt, Germany (EU)
Cloudflare, Inc.Image storage (Cloudflare R2) — product photos, customer-uploaded logos, invoices (PDF), and age-verification recordsImage files and associated metadataUSA (EU-US Data Privacy Framework); traffic routed via Cloudflare's EU network

Delivery companies:

ProviderPurposeData
GLS General Logistics Systems d.o.o.Parcel delivery within SloveniaName, address, phone, tracking data

The provider may, by updating this page, add further contracted carriers. Your data is shared only with the carrier actually selected for a given shipment.

Email delivery:

ProviderPurposeDataLocation
Sendinblue SAS (Brevo)Sending login security emails (one-time OTP code) and transactional order emails (confirmation, shipping, returns)Email address, OTP code, name, order detailsFrance (EU)

Payments:

Payments are made exclusively via bank transfer or cash on delivery. We do not use external payment platforms (Stripe, PayPal, etc.) and do not share your payment data with third parties.

4.2 Government authorities

We may share personal data with government authorities upon lawful request:

  • Financial Administration of the Republic of Slovenia (FURS) — taxes, VAT
  • Market Inspectorate of the Republic of Slovenia — alcohol sales supervision
  • Police — within the scope of investigations
  • Courts — legal proceedings

4.3 Transfer of data to third countries

The following service providers are based in the United States of America:

  • Netlify, Inc. (web application hosting)
  • Cloudflare, Inc. (R2 image storage)

The transfer of data to the USA is protected by the EU-US Data Privacy Framework, recognized by the European Commission through an Adequacy Decision of 10 July 2023, and/or by appropriate safeguards in accordance with Article 46 GDPR (standard contractual clauses).

The following providers process data within the EU:

  • Supabase Inc. (database and authentication) — Frankfurt, Germany
  • Sendinblue SAS (Brevo) (login OTP and transactional order email) — France
  • GLS General Logistics Systems d.o.o. (parcel delivery) — Slovenia

5. How long we store your personal data

PurposeRetention periodLegal basis
Transaction data (invoices, orders)10 years from invoice dateCompanies Act (ZGD-1), Article 54
User account dataUntil account deletion or 3 years of inactivityLegitimate interest
Marketing consentUntil consent withdrawalConsent
Age confirmation per orderDuration of order retentionLegal obligation (ZOPA)
Sent-email log30 daysLegitimate interest (delivery evidence)
Customer-uploaded logos7 days after the order reaches a terminal state (delivered, cancelled or returned); orphan files are deleted automaticallyContract fulfillment

After the retention period, data is permanently deleted or anonymized.

6. Your rights

As a data subject, you have the following rights under the GDPR:

6.1 Right of access (Article 15 GDPR)

You have the right to obtain confirmation of whether we process your personal data, and if so, access to that data and information about the purpose of processing, categories of data, recipients, and retention periods.

How to exercise: Send a request to [email protected].

6.2 Right to rectification (Article 16 GDPR)

You have the right to correct inaccurate personal data and supplement incomplete data.

How to exercise: In your user profile on the website or by sending a message to [email protected].

6.3 Right to erasure — "right to be forgotten" (Article 17 GDPR)

You have the right to request erasure of your personal data if:

  • The data is no longer needed for the purposes for which it was collected
  • You withdraw consent
  • You object to processing
  • The data was processed unlawfully

Exceptions (erasure is not possible):

  • Legal obligation to retain (e.g., invoices — 10 years)
  • Enforcement or defense of legal claims

How to exercise: In your user profile ("Delete my account" button) or by sending a request to [email protected].

Deletion process: When your account is deleted, your personal data is erased. Data from past orders is retained in anonymized form to fulfill legal obligations (accounting, taxes). Account deletion is not possible while you have active (unfinished) orders.

6.4 Right to restriction of processing (Article 18 GDPR)

You have the right to request restriction of processing if:

  • You contest the accuracy of the data
  • The processing is unlawful but you do not want erasure
  • You need the data for legal claims
  • You object to processing (pending verification)

6.5 Right to data portability (Article 20 GDPR)

You have the right to receive personal data that you have provided to us in a structured, commonly used, and machine-readable format (JSON), and the right to transmit that data to another controller.

How to exercise: In your user profile ("Export my data" button). The export includes your profile, all orders, and associated data. Export is available once per 24 hours.

6.6 Right to object (Article 21 GDPR)

You have the right to object to the processing of your personal data based on legitimate interest or direct marketing.

For marketing: Objection means immediate cessation of marketing communication.

How to exercise: In your user profile (disable marketing consent) or by sending a message to [email protected].

6.7 Right to withdraw consent

When processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

6.8 Right to lodge a complaint

You have the right to lodge a complaint with the supervisory authority:

  • Information Commissioner of the Republic of Slovenia
  • Dunajska cesta 22, 1000 Ljubljana
  • Email: [email protected]
  • Phone: 01 230 97 30
  • Website: https://www.ip-rs.si

Response deadline: We will respond to your requests within 30 days. If the request is complex, the deadline may be extended by an additional 60 days, of which we will notify you.

7. Personal data security

7.1 Technical measures

We protect your personal data with:

Encryption:

  • SSL/TLS (HTTPS) — all communication between your browser and the website is encrypted
  • Secure, SameSite cookies — session cookies are transmitted only over HTTPS; the session is device-bound and expires automatically
  • Data encryption in the database at the Supabase provider

Access control:

  • Row-level security (RLS) — each user can only access their own data
  • Administrative interface access restricted to authorized persons only
  • Separate access for public and confidential data (separate server keys)

Authentication:

  • Passwordless login system (OTP) — one-time codes via email, no passwords
  • Codes are valid for 60 minutes and can only be used once
  • Request rate limiting to prevent abuse

7.2 Organizational measures

  • Data is accessible only to authorized persons
  • We have appropriate data processing agreements in place with service providers (processors)
  • Regular review of security settings

7.3 Your responsibility

  • Do not share your email inbox with others — your login relies on access to your email
  • Log out after use (especially on public devices)
  • Notify us immediately if you suspect unauthorized access to your account

8. Marketing communication

If you voluntarily consent to receiving marketing communication during checkout or in your user profile, we reserve the right to occasionally send:

  • Special offers and promotions
  • News about new products

Legal basis: Consent (Article 6(1)(a) GDPR)

Unsubscribe: You can withdraw consent at any time in your user profile or by sending a message to [email protected]. Withdrawal is free and immediate.

9. Children and minors

Our website is intended exclusively for persons of legal age (18+).

We do not knowingly collect personal data from persons under 18 years of age. When placing an order, confirmation that the buyer is at least 18 years old is mandatory.

If we learn that we have collected personal data of a minor, we will immediately delete that data. If you are a parent or guardian and believe that a minor has provided personal data, please notify us at [email protected].

10. Cookies and local storage

Detailed information about cookies, local storage, and session storage used by our website can be found in our Cookie Policy. All cookies and similar technologies we use are strictly necessary and fall within the exemption from consent set out in Article 225(3) of the Slovenian Electronic Communications Act (ZEKom-2). We do not use tracking, analytical or marketing cookies that would require consent.

11. Changes to the privacy policy

We reserve the right to update this privacy policy. Significant changes will be communicated by publishing them on this page with a new effective date.

We recommend that you periodically check this page.

12. Contact

12.1 Questions and requests

For questions regarding personal data protection or exercising your rights, contact us:

Arli Club d.o.o.
Vzorčna ulica 1, 1000 Ljubljana, Slovenia
Email: [email protected]
Phone: +386 1 234 5678

12.2 Complaint to supervisory authority

If you are not satisfied with our response or the processing of your data, you can lodge a complaint with:

Information Commissioner of the Republic of Slovenia
Dunajska cesta 22, 1000 Ljubljana, Slovenia
Email: [email protected]
Phone: 01 230 97 30
Website: https://www.ip-rs.si

Effective date: July 13, 2026

Arli Club d.o.o.
Vzorčna ulica 1, 1000 Ljubljana
Registration number: 0000000000 | VAT ID: SI00000000
[email protected] | +386 1 234 5678