Privacy Policy – Maru + Bo trgovina d.o.o.

Version 1.1 – 29 July 2025

Key Facts 

• Who? Maru + Bo trgovina d.o.o. (Ljubljana, SI) is the data controller.
• What? We collect your e-mail (if you ask to be notified about our launch) and minimal technical data (necessary cookies & logs).
• Why? To send launch updates (with your consent) and to keep the site secure (our legitimate interest).
• Your choices: Sign-up is optional and you can withdraw consent anytime via the unsubscribe link.
  → Read the full policy below for details.

Table of Contents 

1. Who We Are
2. What Personal Data We Collect
3. Purposes & Legal Bases
4. Voluntariness and Consequences of Not Providing Data
5. Profiling & Automated Decisions
6. Retention Periods
7. Recipients & International Transfers
8. Security Measures
9. Your Rights
10. How to Lodge a Complaint
11. Changes to This Policy

1. Who We Are

Maru + Bo trgovina d.o.o.
Pražakova ulica 10, 1000 Ljubljana, Slovenia
Company Reg. No.: 6315046000 VAT ID: [insert]
E-mail (privacy): info@maru.bo

We act as a data controller under Regulation (EU) 2016/679 (“GDPR”), Slovenia’s Personal Data Protection Act (“ZVOP-2”) and the Electronic Communications Act (“ZEKom-2”).

2. What Personal Data We Collect

Category	Examples	Source
Contact data	E-mail address	You (launch-notification form)
Technical data	Truncated IP, timestamp, requested URL, browser/OS header; strictly necessary cookies	Your device/browser

3. Purposes & Legal Bases

Purpose	Data	Legal basis
Sending launch notifications & newsletters	E-mail address	Consent – Art. 6 (1)(a) GDPR (withdraw at any time)
Running, securing & obtaining basic statistics for the site	Technical data (necessary cookies & logs)	Legitimate interest – Art. 6 (1)(f) GDPR & Art. 157 ZEKom-2 Balancing test: we have performed a Legitimate Interest Assessment and concluded that our need to maintain security and compile minimal aggregated statistics does not override your rights and freedoms.

4. Voluntariness and Consequences

Providing your e-mail is entirely voluntary. If you choose not to provide it, we will simply be unable to send you launch updates—no other consequence follows. Technical data are generated automatically when you visit the site; without them, the website cannot be delivered securely.

5. Profiling & Automated Decisions

We do not engage in automated decision-making that produces legal or similarly significant effects. We may create non-intrusive audience segments (e.g., “people who opened at least one e-mail”) solely to tailor future messages; this profiling is based on your consent (newsletters) or our legitimate interest (site statistics) and has no significant impact on you.

6. Retention Periods

Data	Retention
E-mail address & mailing statistics	Until you withdraw consent or max. 24 months after your last opened message
Consent records (date/time, IP, form text)	5 years (obligation to demonstrate compliance)
Server logs (security)	30 days, unless needed for incident investigation

7. Recipients & International Transfers

Recipient (Processor)	Service	Location & Safeguards
Klaviyo, Inc.	E-mail marketing	USA – Standard Contractual Clauses (SCCs); no reliance on EU-US DPF; supplementary measures applied
Shopify International Ltd.	Hosting platform	EU data centres
Google Analytics 4	Site analytics (IP masking)	USA – SCCs + Google Ads Data Processing Terms & GA4 addendum
Google / Meta Ads Manager	Remarketing	Global infrastructure, including USA – SCCs

We review all SCCs periodically in line with Articles 45–47 GDPR and monitor third-country laws that could affect data importers.

8. Security Measures

• TLS 1.3 encryption in transit
• Access limited by the principle of least privilege
• Regular security patches and vulnerability scans
• Audit logs for administrator actions

9. Your Rights

You can at any time request: access, rectification, erasure, restriction, data portability, objection (Art. 21 GDPR) and withdrawal of consent (unsubscribe link in every e-mail). To exercise a right, contact us at info@maru.bo

10. How to File a Complaint

If you believe we are processing your data unlawfully, you may file a complaint with the Information Commissioner of the Republic of Slovenia (Dunajska cesta 22, 1000 Ljubljana, ip@ip-rs.si). Complaints may be submitted in Slovenian or English. You may also contact your local supervisory authority in the EEA.

11. Changes to This Policy

We will publish any material changes here. If you have subscribed to our mailing list, we will notify you by e-mail. The version number and date at the top indicate the latest revision.