Privacy Policy
Valid since: 10. 11. 2025
Operator: GDA d.o.o., Tržaška cesta 2, 1000 Ljubljana, Slovenia, info@cacao.si
This Policy explains what personal data we process, for what purposes, on what legal basis, for how long, to whom we disclose it, what security measures we apply and what rights you have.
1. Operator and contact
- Operator: GDA d.o.o., Tržaška cesta 2, 1000 Ljubljana, Slovenia
- Privacy contact: info@cacao.si
- Data Protection Officer (DPO): Meris Skocic
2. What data we collect and why
2.1 Online shop purchases
- Data: name and surname, email, phone, address, order details (items, amounts, statuses), communication regarding the order. We do not store payment card data (processed by PayPal/Braintree).
- Purpose: order processing, invoicing, customer support.
- Legal basis: performance of the contract (6(1)(b) GDPR), statutory accounting obligation (6(1)(c) GDPR; ZDDV-1), our legitimate interest in security and evidence (6(1)(f) GDPR).
2.2 Personal collection
- Information: selected pick-up date and location, contact details.
- Purpose: to organise and carry out the collection.
- Legal basis: performance of the contract (6(1)(b) GDPR).
2.3 Special instructions for cakes
- Information: the text of the dedication, the name of the celebrant and any other notes you provide.
- Purpose: personalisation and production of the ordered product.
- Legal basis: performance of the contract (6(1)(b) GDPR).
- Sensitive data (e.g. allergies): we do not request such data; if you voluntarily provide it, we process it solely for the purpose of product customisation and only with your explicit consent (9(2)(a) GDPR).
2.4 Candidates – “Work with us” form
- Information: name and surname, date of birth, address, telephone, e-mail, desired job, business unit (Cacao Portorož/Ljubljana centre/BTC/Europe), description of education and experience, presentation, description of interests and qualities.
- Purpose: to process applications and carry out the selection procedure.
- Legal basis: legitimate interest (6(1)(f) GDPR) – to fill a vacancy; we will ask for your consent to keep you in the talent pool after the end of the call (6(1)(a) GDPR).
2.5 Contact/communication
- Data: e-mail, content of the message, attachments.
- Purpose: to answer questions and requests.
- Legal basis: legitimate interest (6(1)(f) GDPR).
2.6 Logs and security
- Data: IP address, access time, requested URL, user-agent, referer, error code.
- Purpose: security, debugging, evidence of incidents.
- Legal basis: legitimate interest (6(1)(f) GDPR).
3. Cookies and analytics
- We use essential cookies necessary for the operation of the site and the shopping basket (without consent).
- We only use Google Analytics 4 (GA4) on the basis of your consent (6(1)(a) GDPR); IP anonymisation is enabled.
- We do not use other advertising or tracking pixels (Meta, TikTok, Hotjar, etc.).
- The GDPR/CCPA Cookie Consent plugin allows you to manage your consent; you can change or withdraw your consent at any time.
- For details, see the “Cookie Policy” page.
4. Legal basis (summary)
- Contract: purchase and personal collection, personalisation of the cake.
- Law: accounting obligations (ZDDV-1).
- Consent: GA4; possible sensitive data (allergies) in the notes; keeping the candidate in the talent pool.
- Legitimate interest: security, logs, communication, carrying out the selection process.
5. Data storage
- Accounts and accounting documents: 10 years (legal obligation).
- Procurement data (operational, including routine notes): up to 5 years from the last purchase or until the expiry of the relevant statute of limitations.
- Candidates – selection process: up to 6 months after the end of the process; in the talent pool for 12 months (by consent only).
- Contact communication: 1 year after the end of the communication.
- Logs: 6-12 months.
6. Forwarding and processors
We only disclose personal data when it is necessary for the purposes set out in this Policy or if required to do so by law.
- Payment processing: PayPal (including Braintree) – processing of cards and PayPal payments; we do not store card details.
- Website hosting and e-mail: Avant.Si d.o.o. (Neoserv), EU (Slovenia).
- National and supervisory authorities based on legal requirements.
7. Security
We use technical and organisational measures: TLS/HTTPS, restricted access based on the principle of least privilege, access control, regular updates, backups, separate processor access. Only authorised personnel have access to personal data.
8. Your rights
You have the right to access, rectification, erasure, restriction of processing, objection (where based on legitimate interest), portability (for data provided by you and processed on the basis of a contract or consent) and withdrawal of consent (which does not affect the lawfulness of the processing prior to withdrawal). Please send your request to info@cacao.si. We may verify your identity before responding.
You have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia, Dunajska cesta 22, 1000 Ljubljana, gp.ip@ip-rs.si, www.ip-rs.si.
9. Children
Services are not intended for persons under 16 years of age without the consent of a parent or guardian. We do not intentionally collect information from children.
10. Changes to the Policy
We will update the policy as necessary and publish it on https://cacao.si/politika-zasebnosti/ with a clear effective date. Changes will apply prospectively and will not affect existing contracts.