Privacy Policy
Effective: 2026-04-21
1. Who we are
The controller of your personal data is JOLI d.o.o., a limited liability company registered in Slovenia, trading as Eluxena through the website eluxena.com (the "Site").
| Registered office | Celjska cesta 6, 3250 Rogaška Slatina, Slovenia |
| VAT number | SI49030795 |
| Company registration (matična številka) | 6498183000 |
| Email (general) | hello@lemonabird.com |
| Email (privacy & data rights) | hello@lemonabird.com |
| Phone | +386 70 263 425 |
This Privacy Policy explains how we collect, use, share, and protect your personal data, and the rights you have under the EU General Data Protection Regulation 2016/679 ("GDPR") and the Slovenian Personal Data Protection Act (ZVOP-2).
2. What we collect and why
We only process personal data for specific, declared purposes. The table below lists every purpose, what we process, the legal basis under GDPR Art. 6, and how long we keep the data.
| Purpose | Data categories | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Order fulfilment (taking payment, shipping goods, invoicing) | Name, billing + shipping address, email, phone, order items, payment status, transaction ID | Art. 6(1)(b) — performance of contract | 10 years from end of tax year (Slovenian accounting law: ZDDV-1, ZDavP-2) |
| Customer account management | Email, password (hashed by Shopify), address book, order history, wishlists | Art. 6(1)(b) — performance of contract; Art. 6(1)(a) — consent for optional fields | Until you delete the account + 30 days technical backup |
| Customer support | Name, email, order ref, any information you include in the message | Art. 6(1)(b) — performance of contract; Art. 6(1)(f) — legitimate interest (responding to enquiries) | 3 years from last contact |
| Fraud prevention, security, anti-abuse | IP address, device fingerprint, Shopify risk score, session data | Art. 6(1)(f) — legitimate interest (protecting the shop); Art. 6(1)(c) — legal obligation (AML, payment regulation) | 1 year (raw logs), 6 years (fraud-flag records) |
| Analytics & performance (only if you consent) | Pseudonymous page views, referrers, device type, IP truncated, interactions with products | Art. 6(1)(a) — consent, withdrawable any time | 14 months |
| Marketing & personalised advertising (only if you consent) | Email (for direct marketing), ad-platform identifiers, hashed email for custom audiences on Meta / Google / TikTok, browsing behaviour | Art. 6(1)(a) — consent, withdrawable any time; for existing customers by email: soft opt-in under ePrivacy Art. 13(2), ZEKom-2 Art. 158 | Until you withdraw consent or unsubscribe; ad-platform audiences refresh every 180 days |
| Reviews display (if you leave a review) | Your name as given, review body, rating, date | Art. 6(1)(a) — consent | Indefinite while review remains published; deleted within 30 days of request |
| Accounting and tax compliance | Invoice data, VAT number if B2B | Art. 6(1)(c) — legal obligation | 10 years |
| Exercising or defending legal claims | Order records, correspondence | Art. 6(1)(f) — legitimate interest | Until statute of limitations expires (max 10 years) |
We do not process special-category data (Art. 9) and we do not make automated decisions with legal or similarly significant effect (Art. 22), except for payment-fraud scoring performed by our payment processor with human review available on request.
3. How we collect your data
- Directly from you: when you create an account, place an order, contact us, sign up to our newsletter, or leave a review.
- Automatically: when you browse the Site, through cookies and similar technologies (see our Cookie Policy).
- From third parties: payment processors confirm your payment; delivery carriers update the shipment status; brand manufacturers occasionally provide warranty data.
4. Who we share your data with
We only share personal data with processors acting on our instructions or with recipients we are legally required to share with. The full, up-to-date list is on our Data sub-processors page. Categories include:
- Shopify Inc. (Canada) and Shopify International Ltd. (Ireland) — hosting, order management, checkout, built-in analytics. Canada has an EU Commission adequacy decision (2001/2002/C). Transfers to the US use Standard Contractual Clauses.
- Payment processors (Shopify Payments / Stripe, PayPal, Klarna where offered) — to take your payment and detect fraud.
- Delivery carriers (Pošta Slovenije, DHL, GLS, and local partners) — to ship your order.
- Email & CRM providers (Klaviyo — USA, SCCs in place) — only for marketing communications you consented to.
- Analytics & advertising platforms (Google Ireland Ltd., Meta Platforms Ireland Ltd., TikTok Technology Ltd. — Ireland) — only with your consent and in a pseudonymised or hashed form.
- Review platform (Judge.me — Canada, adequacy) — to display verified and editorial reviews.
- Professional advisors (accountants, tax advisors, lawyers) — bound by professional secrecy.
- Public authorities — where required by law (tax, customs, court orders).
5. International data transfers
Some of our processors are established outside the European Economic Area (notably in Canada, the UK, and the USA). When we transfer your data outside the EEA, we rely on one of the following safeguards required by GDPR Chapter V:
- an adequacy decision of the European Commission (Canada commercial sector, UK, EU-US Data Privacy Framework where the recipient is certified),
- or Standard Contractual Clauses (Commission Implementing Decision 2021/914) together with supplementary technical and organisational measures,
- or, where neither applies, your explicit consent to the specific transfer.
You may request a copy of the clauses in force for any specific transfer by emailing us.
6. Your rights
Under GDPR Articles 15–22 you have the right to:
- Access (Art. 15) — confirm whether we process data about you and get a copy.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure / "right to be forgotten" (Art. 17) — have your data deleted; we may refuse where we have a legal obligation to retain it (e.g. accounting records).
- Restriction of processing (Art. 18) — ask us to pause processing while we resolve a disagreement.
- Portability (Art. 20) — receive the data you provided to us in a structured, machine-readable format or have it sent to another controller.
- Objection (Art. 21) — object to processing based on legitimate interests or direct marketing; for direct marketing this is an absolute right.
- Withdraw consent (Art. 7(3)) — where we rely on your consent, you can withdraw it at any time without affecting processing that already happened.
- Not be subject to automated decisions (Art. 22) — we don't use automated decision-making with legal effect; this right is preserved.
- Lodge a complaint — see Section 10.
To exercise any of these rights, email us at hello@lemonabird.com with enough information to locate your data (typically: email used on the order, order number, or account email). We respond within one month (GDPR Art. 12(3)) and may extend by two further months for complex requests — we'll tell you if so. The service is free of charge unless the request is manifestly unfounded or excessive.
7. Cookies and tracking
We use cookies and similar technologies both to run the shop (strictly necessary — cart, checkout, login) and — only with your consent — for analytics, preferences, and marketing. Consent is collected through a banner on your first visit and can be changed at any time via the "Cookie preferences" button in the footer.
The full list of cookies we use is in our Cookie Policy.
8. How we protect your data
- In transit: TLS 1.2+ for all connections.
- At rest: encrypted databases with Shopify; hashed passwords (bcrypt); tokenised card data (Shopify Payments / Stripe are PCI-DSS Level 1 certified — we never see raw card numbers).
- Access control: least-privilege access for staff; two-factor authentication required on all admin accounts.
- Incident response: any personal-data breach likely to result in risk to you will be reported to the Informacijski pooblaščenec within 72 hours (GDPR Art. 33) and, where high risk, communicated to you directly (Art. 34).
9. Children
Our Site is intended for adults. We do not knowingly collect personal data from anyone under the age of 16 (the Slovenian age of consent under ZVOP-2 Art. 6). If you believe a minor has provided us with personal data, contact us and we will delete it.
10. Complaints
If you believe we are mishandling your personal data, we encourage you to contact us first at hello@lemonabird.com. You also have the right to lodge a complaint with your national supervisory authority. In Slovenia this is:
Informacijski pooblaščenec (Information Commissioner), Dunajska cesta 22, 1000 Ljubljana. Email: gp.ip@ip-rs.si. Website: www.ip-rs.si
If you are resident in another EEA country, you may lodge the complaint with your local authority instead.
11. Changes to this Policy
We review this Policy at least once a year and whenever our processing changes. The effective date above is always current. For material changes affecting your rights or consent, we will notify you by email (if we have one) and/or a banner on the Site before the new version takes effect.
12. Contact
- Email: hello@lemonabird.com
- Post: JOLI d.o.o., Celjska cesta 6, 3250 Rogaška Slatina, Slovenia
- Phone: +386 70 263 425