This privacy policy explains how Arli Club d.o.o. (hereinafter "we", "our", or "controller") collects, uses, stores, and protects your personal data when using the online store Arli Club (hereinafter "website").
The policy is prepared in accordance with:
The controller of your personal data is:
The company is registered in the court register at the District Court in Ljubljana on 14 December 1989.
The provider is not required to designate a Data Protection Officer (DPO) within the meaning of Article 37 GDPR, as it does not carry out large-scale and systematic processing of special categories of personal data or regular and systematic large-scale monitoring of individuals. For all questions regarding personal data protection, exercising your rights, and related requests, please contact us at:
We will respond without undue delay, and in any event within the period set out in Article 12 GDPR (typically 30 days; in exceptional cases extendable by an additional 60 days).
Login is performed exclusively via one-time passcode (OTP) sent to your email address. We do not collect or store passwords.
We do not automatically collect: browser data, device type, operating system, or pages visited. We do not use analytics tools to track your behavior on the website.
We process your personal data on the basis of the following legal grounds (Article 6 GDPR):
Purpose:
Data: name, address, email, phone, order data, IBAN (for refunds)
Without this data, we cannot fulfill your orders. Providing the data marked as required is a condition for concluding and performing the contract; without it we cannot process your order. Age verification is a legal requirement. Other data is voluntary.
Purpose:
Data: name, address, transaction data, invoices, age confirmation
These obligations are determined by law and are not dependent on your consent.
Purpose:
Data: order data, email address
Purpose:
Consent is voluntary and can be withdrawn at any time in your user profile or by contacting [email protected].
We do not collect special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health status, sexual orientation, etc.).
We do not carry out automated decision-making or profiling. We do not use recommendation systems based on your browsing or purchase history.
We may share your personal data with the following service providers, who process data exclusively on our behalf and under our instructions:
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Netlify, Inc. | Web application hosting | Server requests (technical data) | USA (EU-US Data Privacy Framework) |
| Supabase Inc. | Database and authentication | All personal data from user accounts and orders | Frankfurt, Germany (EU) |
| Cloudflare, Inc. | Image storage (Cloudflare R2) — product photos, customer-uploaded logos, invoices (PDF), and age-verification records | Image files and associated metadata | USA (EU-US Data Privacy Framework); traffic routed via Cloudflare's EU network |
| Provider | Purpose | Data |
|---|---|---|
| GLS General Logistics Systems d.o.o. | Parcel delivery within Slovenia | Name, address, phone, tracking data |
The provider may, by updating this page, add further contracted carriers. Your data is shared only with the carrier actually selected for a given shipment.
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Sendinblue SAS (Brevo) | Sending login security emails (one-time OTP code) and transactional order emails (confirmation, shipping, returns) | Email address, OTP code, name, order details | France (EU) |
Payments are made exclusively via bank transfer or cash on delivery. We do not use external payment platforms (Stripe, PayPal, etc.) and do not share your payment data with third parties.
We may share personal data with government authorities upon lawful request:
The following service providers are based in the United States of America:
The transfer of data to the USA is protected by the EU-US Data Privacy Framework, recognized by the European Commission through an Adequacy Decision of 10 July 2023, and/or by appropriate safeguards in accordance with Article 46 GDPR (standard contractual clauses).
The following providers process data within the EU:
| Purpose | Retention period | Legal basis |
|---|---|---|
| Transaction data (invoices, orders) | 10 years from invoice date | Companies Act (ZGD-1), Article 54 |
| User account data | Until account deletion or 3 years of inactivity | Legitimate interest |
| Marketing consent | Until consent withdrawal | Consent |
| Age confirmation per order | Duration of order retention | Legal obligation (ZOPA) |
| Sent-email log | 30 days | Legitimate interest (delivery evidence) |
| Customer-uploaded logos | 7 days after the order reaches a terminal state (delivered, cancelled or returned); orphan files are deleted automatically | Contract fulfillment |
After the retention period, data is permanently deleted or anonymized.
As a data subject, you have the following rights under the GDPR:
You have the right to obtain confirmation of whether we process your personal data, and if so, access to that data and information about the purpose of processing, categories of data, recipients, and retention periods.
How to exercise: Send a request to [email protected].
You have the right to correct inaccurate personal data and supplement incomplete data.
How to exercise: In your user profile on the website or by sending a message to [email protected].
You have the right to request erasure of your personal data if:
Exceptions (erasure is not possible):
How to exercise: In your user profile ("Delete my account" button) or by sending a request to [email protected].
Deletion process: When your account is deleted, your personal data is erased. Data from past orders is retained in anonymized form to fulfill legal obligations (accounting, taxes). Account deletion is not possible while you have active (unfinished) orders.
You have the right to request restriction of processing if:
You have the right to receive personal data that you have provided to us in a structured, commonly used, and machine-readable format (JSON), and the right to transmit that data to another controller.
How to exercise: In your user profile ("Export my data" button). The export includes your profile, all orders, and associated data. Export is available once per 24 hours.
You have the right to object to the processing of your personal data based on legitimate interest or direct marketing.
For marketing: Objection means immediate cessation of marketing communication.
How to exercise: In your user profile (disable marketing consent) or by sending a message to [email protected].
When processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
You have the right to lodge a complaint with the supervisory authority:
Response deadline: We will respond to your requests within 30 days. If the request is complex, the deadline may be extended by an additional 60 days, of which we will notify you.
We protect your personal data with:
If you voluntarily consent to receiving marketing communication during checkout or in your user profile, we reserve the right to occasionally send:
Legal basis: Consent (Article 6(1)(a) GDPR)
Unsubscribe: You can withdraw consent at any time in your user profile or by sending a message to [email protected]. Withdrawal is free and immediate.
Our website is intended exclusively for persons of legal age (18+).
We do not knowingly collect personal data from persons under 18 years of age. When placing an order, confirmation that the buyer is at least 18 years old is mandatory.
If we learn that we have collected personal data of a minor, we will immediately delete that data. If you are a parent or guardian and believe that a minor has provided personal data, please notify us at [email protected].
Detailed information about cookies, local storage, and session storage used by our website can be found in our Cookie Policy. All cookies and similar technologies we use are strictly necessary and fall within the exemption from consent set out in Article 225(3) of the Slovenian Electronic Communications Act (ZEKom-2). We do not use tracking, analytical or marketing cookies that would require consent.
We reserve the right to update this privacy policy. Significant changes will be communicated by publishing them on this page with a new effective date.
We recommend that you periodically check this page.
For questions regarding personal data protection or exercising your rights, contact us:
Arli Club d.o.o.
Vzorčna ulica 1, 1000 Ljubljana, Slovenia
Email: [email protected]
Phone: +386 1 234 5678
If you are not satisfied with our response or the processing of your data, you can lodge a complaint with:
Information Commissioner of the Republic of Slovenia
Dunajska cesta 22, 1000 Ljubljana, Slovenia
Email: [email protected]
Phone: 01 230 97 30
Website: https://www.ip-rs.si
Effective date: July 13, 2026
Arli Club d.o.o.
Vzorčna ulica 1, 1000 Ljubljana
Registration number: 0000000000 | VAT ID: SI00000000
[email protected] | +386 1 234 5678