Privacy Policy
1. Purpose and Introduction
The purpose of this Privacy Policy is to inform customers, potential customers, and visitors to the websites of Orthexa, Gornji Rudnik I 1, 1000 Ljubljana, Slovenia (hereinafter: “Orthexa,” “the Provider,” or “the Data Controller”), about the purposes and legal bases for the processing of personal data by Orthexa. We process your personal data with the utmost care and responsibility.
This Privacy Policy may be changed or supplemented at any time without prior warning or notice. By continuing to use the Provider’s websites after any changes or additions, you confirm that you agree to the revised terms.
All our activities comply with European legislation (Regulation (EU) 2016/697 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR), and relevant Council of Europe conventions) as well as the national legislation of the Republic of Slovenia (Personal Data Protection Act — ZVOP-1, Electronic Communications Act — ZEKom-1, Electronic Commerce Market Act — ZEPT, etc.).
This Privacy Policy governs how we handle information obtained from you when you visit and use Orthexa’s websites, or when you provide such information in our physical stores, or during a purchase or communication via telephone.
2. Person Responsible / Data Controller
The person responsible or the data controller is:
Orthexa d.o.o.
Gornji Rudnik I 1
1000 Ljubljana
Slovenia
Email: [email protected]
For any questions or requests related to data protection or this Privacy Policy, please contact us at [email protected].
3. Personal Data
A “personal data” element is any information that identifies you as a specific or identifiable individual. An individual is identifiable when he or she can be directly or indirectly identified, especially by reference to an identifier (e.g., a name, identification number, location data, online identifier) or by reference to one or more factors specific to an individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
In accordance with the purposes defined in this Privacy Policy, Orthexa collects the following personal data:
- Basic user information: (first name, last name, home address, date of birth, location);
- Contact information and data related to your communication with the Controller: (email address, phone number, date, time, and content of postal or email communication, date, time, and duration of telephone calls, and possible call recordings);
- Channel and campaign information: how and through which source (website, advertising campaign, call center, physical store) you first came in contact with Orthexa;
- Data on your purchases and issued invoices: (date and place of purchase, purchased items, prices of purchased items, total purchase amount, payment method, delivery address, invoice number and date, identifier of the person issuing the invoice, etc.), as well as data regarding product complaints;
- Data on your use of the Controller’s website: (dates and times of website visits, pages visited or URLs, time spent on each page, number of pages visited, total time on the website, settings made on the website) and data on your use of the Provider’s communications (emails, SMS, etc.);
- Data provided by you through voluntarily filled forms, for example, within prize contests or any product guides to help you identify optimal items for your needs;
- Other data that you voluntarily provide to the Provider when specific services require it.
Orthexa does not collect or process your personal data unless you enable or consent to it (when ordering products or services, subscribing to receive e-news, participating in a prize contest, etc.) or when there is a legal basis for such collection, or when Orthexa has a legitimate interest in processing.
The time period during which Orthexa stores collected data is described in more detail in the Data Retention section of this Privacy Policy.
4. Personal Information We Collect (Additional Information)
4.1. Device Information
When you visit our website (“the Site”), we automatically collect certain information about your device, including:
- Web browser type
- IP address
- Time zone
- Certain cookies that are installed on your device
As you browse the Site, we also collect information about the individual web pages or products you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically collected information as “Device Information.”
We collect Device Information using the following technologies:
- Cookies: Data files placed on your device or computer that often include an anonymous unique identifier. For more information about cookies and how to disable them, visit http://www.allaboutcookies.org.
- Log Files: Track actions occurring on the Site and collect data, including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
- Web Beacons, Tags, and Pixels: Electronic files used to record information about how you browse the Site.
4.2. Order Information
Additionally, when you make (or attempt to make) a purchase through the Site, we collect certain information from you, including:
- Name
- Billing address
- Shipping address
- Payment information (including credit card numbers)
- Email address
- Phone number
We refer to this information as “Order Information.”
When we talk about “Personal Information” in this Privacy Policy, we are referring to both Device Information and Order Information.
5. Purposes of Data Processing and Legal Bases
Orthexa collects and processes your personal data on the following legal bases:
- Law and contractual relationships
- Consent of the individual
- Legitimate interest
5.1. Processing Based on Law and Contractual Relationships
When the provision of personal data is a contractual obligation, an obligation required to enter into and perform a contract with Orthexa, or a legal obligation, you must provide the personal data. If you do not provide the required data, you cannot conclude a contract with Orthexa, and Orthexa cannot deliver products or services as agreed.
Purpose of Processing | Detailed Explanation |
---|---|
Conclusion and performance of the contract | Conclusion and fulfillment of the contract with Orthexa, including fulfilling your orders (delivering products, providing services), communicating with you, verifying payments, and fulfilling other obligations of Orthexa and/or your obligations. |
Direct customer notification via email or SMS | Orthexa, under ZEKom-1 (the Electronic Communications Act of the Republic of Slovenia), may inform its customers about its products, services, and content. You can unsubscribe from such communication at any time by using the “unsubscribe” link in received messages or by sending a request to [email protected]. |
5.2. Processing Based on Legitimate Interest
Orthexa may also process personal data based on its legitimate interests unless those interests are overridden by your interests or fundamental rights and freedoms that require personal data protection. If Orthexa relies on legitimate interest, it carries out an assessment in accordance with the GDPR.
Below are examples of processing under legitimate interest:
Purpose of Processing | Detailed Explanation |
---|---|
Statistical data analysis | General statistical data analysis of customers, orders, and potential customers for internal sales analyses, repeat purchases, aggregate customer behavior, advertising optimization, and business optimization. |
Access to past orders for better customer service | When you call Orthexa’s call center (or we call you) or visit our physical stores (and identify yourself), our advisors can see your personal data and purchase history, enabling them to offer better service and more relevant offers. You can opt out of this processing at any time by sending a request to [email protected]. |
Processing non-collected online orders to prevent fraud | Orthexa monitors shipped orders that are not picked up (cash-on-delivery) and identifies patterns that may constitute business losses. In such cases, Orthexa may block future cash-on-delivery purchases but still allow immediate payment methods (credit card or PayPal). |
Automatic email communication about an abandoned cart | If you added products to your online shopping cart but did not complete the purchase, Orthexa may occasionally send an email reminding you about the incomplete purchase, offering assistance or additional information. You can opt out at any time by sending a request to [email protected]. |
Basic customized communication (through email, SMS, phone, postal mail, browser notifications, social media) | Orthexa may send relevant offers, discounts, and other content that may be of interest based on your past interactions. We use demographic data (age, address), purchase history (items purchased, time of purchase), simple observation of website behavior, and your responses (e.g., opening messages, clicks, purchases) in aggregate to tailor messages. You can stop such communication at any time via the “unsubscribe” link or by requesting to [email protected]. |
Direct notification about special offers via phone calls or direct mail | Orthexa may occasionally inform customers about products, services, discounts, and other content via phone calls or postal mail. You can opt out at any time by sending a request to [email protected]. |
Use of Facebook Custom Audiences | On the basis of legitimate interest, Orthexa may use Facebook Custom Audiences to show more targeted ads on Facebook. This involves securely uploading your email address to Facebook, which checks if you are a Facebook user. If you are, Facebook places you into a “custom audience” so that Orthexa can show relevant ads/discounts. You can opt out by sending a request to [email protected]. |
5.3. Processing Based on Your Consent
Orthexa collects and processes your personal data for the following purposes when you give consent:
- Ensuring you can access and use your user account on our website and our online store, and for administrative/technical reasons on Orthexa’s website;
- Sending commercial offers and other content via email, SMS, direct mail, or phone calls, when no other legal basis exists and you have consented;
- Any other specific purposes for which you explicitly agree to when interacting with Orthexa.
Profiling on the Basis of Consent
If you consent, Orthexa may carry out personalized communication through various channels (email, SMS, phone, postal mail, browser notifications, social media). The goal is to offer you the best possible deals and content tailored to your exact needs. To do this, we may construct a user profile using:
- Demographic data (date of birth, address)
- Purchase history (items purchased, time of purchase, number of purchases)
- Behavior on Orthexa websites (viewing products, adding to cart, browsing behavior)
- Your responses (message opens, clicks, or purchases after receiving our messages)
Based on your profile, you might receive different types of offers, discounts, and communications from us (e.g., frequency and channel of communication). If you no longer wish to receive this kind of personalized communication, you can stop at any time via the “unsubscribe” link in received messages or by sending a written request to [email protected].
6. How We Use Your Personal Information (Additional Information)
We generally use the Order Information collected through the Site to:
- Fulfill any orders placed (including processing payment information, arranging shipping, and providing invoices or order confirmations);
- Communicate with you;
- Screen orders for potential risk or fraud;
- Provide you (when consistent with preferences you’ve shared) with information or advertising related to our products or services.
We use the Device Information to:
- Help screen for potential risk and fraud (particularly your IP address);
- Improve and optimize our Site (e.g., by generating analytics about how customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).
7. Sharing Your Personal Information
We share Personal Information with third parties to help us use Personal Information as described above. For example:
We may also share your Personal Information to comply with applicable laws and regulations, respond to a subpoena, search warrant, or other lawful request, or to otherwise protect our rights.
8. Behavioral Advertising
We use your Personal Information to provide you with targeted advertisements or marketing communications that we believe may be of interest. For more information on how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page: http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work
You can opt out of targeted advertising here:
Additionally, you can opt out of some services by visiting the Digital Advertising Alliance’s opt-out portal: http://optout.aboutads.info/
9. Do Not Track
Please note that we do not alter our Site’s data collection and use practices when we see a Do Not Track (DNT) signal from your browser.
10. Data Retention
Orthexa will retain your personal data only for as long as necessary to fulfill the purpose for which the data was collected and further processed (e.g., to fulfill your orders, verify payments, provide you with special offers, etc.).
- Data processed on the basis of law is retained for the period prescribed by law.
- Data processed for fulfilling a contract is retained for as long as necessary to execute the contract and for 5 years after its termination unless there is a dispute between you and Orthexa regarding the contract. In such cases, Orthexa will retain the data for 5 years after the final court or arbitration decision or settlement, or if no court dispute arises, 5 years from the date of an amicable settlement.
- Data processed on the basis of consent or legitimate interest is stored permanently until you revoke your consent or request to discontinue the processing. However, such data may be deleted even before revocation if the purpose of the processing has been achieved, or if required by law.
After the retention period expires, Orthexa will effectively and permanently delete or anonymize the personal data so that it can no longer be linked to a specific individual.
11. Contractual Processing of Personal Data
You acknowledge and agree that Orthexa may entrust certain tasks related to your data to other persons (contractual processors). Contractual processors may process the entrusted data exclusively on behalf of Orthexa, within the bounds of Orthexa’s authorization (as stated in a written contract or other legal act), and in accordance with the purposes set out in this Privacy Policy.
Examples of contractual processors Orthexa cooperates with include:
- Accounting services; law offices and other legal advisors;
- Providers of data processing and analytics;
- IT system maintenance providers;
- Providers of email-sending services (e.g., Mailchimp, etc.);
- Payment system providers (e.g., PayPal, etc.);
- Customer relationship management (CRM) software providers (e.g., Microsoft);
- Online advertising solutions providers (e.g., Google, Facebook).
Orthexa will not transfer your personal data to any unauthorized third parties. Contractual processors may only process the data within Orthexa’s instructions and must not use it to pursue their own interests.
Neither Orthexa nor its processors export personal data to third countries (outside the European Economic Area) or international organizations, except to the U.S., where any contractual processors are part of the Privacy Shield program (or otherwise provide lawful measures).
12. Freedom of Choice
You control the information you provide about yourself. If you choose not to provide certain data to Orthexa, you may not be able to access certain parts or functions of our website or services.
If you wish to unsubscribe from receiving e-newsletters, let us know at [email protected]. If your personal data changes (e.g., zip code, email address, physical address, phone number), please inform us at [email protected].
13. Automatic Recording of Non-Personal Information
Whenever you access our website, general, non-personal information (e.g., number of visits, average time on the website, pages visited) is automatically recorded (not as part of registration).
We use this information to measure the attractiveness of our site and to improve content and usability. These data are not subject to further analysis and are not shared with third parties.
14. Cookies
Cookies are small, often invisible files temporarily stored on your device’s hard drive that allow Orthexa to recognize your computer during your next visit. Orthexa uses cookies only to collect information related to the use of its website and to optimize its internet advertising activities. Advertising cookies track an individual’s use of the Provider’s website unless the individual opts out of cookie usage.
15. Security
Orthexa strives to ensure the security of your personal data. Your data is protected at all times from loss, destruction, forgery, manipulation, unauthorized access, or unauthorized disclosure.
16. Consent of Minors and Services of the Information Society
Children under 16 should not provide any personal data on our websites or elsewhere without permission (consent or approval) from a holder of parental responsibility (a parent or guardian). Orthexa will never knowingly collect personal data from individuals known to be under 16 or use or disclose it without the holder of parental responsibility’s permission.
In such cases, and in consideration of available technology, Orthexa will make reasonable efforts to verify that the holder of parental responsibility has given or authorized consent.
17. Individual Rights Regarding Data Processing
If you have any questions regarding our data protection policy or the processing of your personal data, feel free to contact us at [email protected]. We will respond to your request in writing and in accordance with the regulations.
To ensure fair and transparent processing, you have the following rights under applicable data protection laws:
- Right to Withdraw Consent
If you have consented to the processing of your personal data for one or more specific purposes, you have the right to withdraw that consent at any time by emailing [email protected].
Withdrawal of consent does not affect the lawfulness of data processing carried out before withdrawal. However, after withdrawal, Orthexa may no longer be able to provide certain services if they require personal data.
- Right of Access
You have the right to obtain confirmation from Orthexa as to whether personal data concerning you is being processed and, if so, to access the personal data and certain additional information (purposes of processing, categories of personal data, retention periods, existence of your other rights, etc.).
- Right to Rectification
You have the right to have inaccurate personal data concerning you corrected without undue delay. Considering the purposes of processing, you also have the right to have incomplete personal data completed.
- Right to Erasure (“Right to be Forgotten”)
You have the right to have Orthexa erase your personal data without undue delay when one of the following grounds applies:
- (a) Data is no longer necessary for the purposes for which it was collected.
- (b) You withdraw your consent, and there is no other legal basis for processing.
- (c) You object to processing, and there are no overriding legitimate grounds for processing.
- (d) Data has been unlawfully processed.
- (e) Data must be erased for compliance with a legal obligation in the EU or a Member State to which Orthexa is subject.
- (f) Data was collected in relation to information society services offered to children.
Certain exceptions (Article 17(3) GDPR) may limit this right.
- Right to Restriction of Processing
You can request a restriction of processing if:
- (a) You contest the accuracy of the data (for a period allowing Orthexa to verify accuracy).
- (b) Processing is unlawful, and you oppose erasure, requesting restriction instead.
- (c) Orthexa no longer needs the data, but you need it for legal claims.
- (d) You have objected to processing pending verification of whether Orthexa’s legitimate grounds override yours.
- Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller without hindrance under certain conditions (Article 20 GDPR).
- Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data based on public interest (Article 6(1)(e) GDPR) or legitimate interest (Article 6(1)(f) GDPR), including profiling. Orthexa shall no longer process your data unless it demonstrates compelling legitimate grounds overriding your interests or for the establishment, exercise, or defense of legal claims.
Where personal data is processed for direct marketing purposes, you have the right to object at any time, and Orthexa will stop processing your data for such purposes.
- Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority (in Slovenia, this is the Information Commissioner) if you believe your data protection rights have been breached.
18. Notification to Supervisory Authority of a Personal Data Breach
In the event of a personal data breach, Orthexa is obliged to notify the competent supervisory authority unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If there is suspicion of a criminal offense, Orthexa must also notify the police and/or the competent prosecutor’s office.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, Orthexa is obliged to inform the affected individuals without undue delay in clear and plain language.
19. Publication of Changes
Any changes to our Privacy Policy will be posted on our website. By using the site after any changes, you acknowledge and agree with the updated content of this Privacy Policy.
Last updated: January 15, 2025