01 Data Controller

The controller of your personal data is:

• Name: Product Lab (sole trader Žan Ravnikar)
• Address: Celje, Slovenia
• Email: product.lab26@gmail.com
• Phone: +386 40 981 690

02 Data We Collect

We collect only the data strictly necessary to provide our services or communicate with you:

• Full name
• Email address
• Phone number
• Company name (optional)
• Content of your inquiry or message
• IP address and basic technical data (automatically collected on site visit)

03 Purpose and Legal Basis for Processing

• Responding to inquiries: processing based on your consent (Article 6(1)(a) GDPR)
• Performing a contract: processing based on contractual necessity (Article 6(1)(b) GDPR)
• Accounting and tax obligations: legal obligation (Article 6(1)(c) GDPR)
• Website security: legitimate interests (Article 6(1)(f) GDPR)

04 Sharing Data with Third Parties

We do not sell, share or transfer your personal data to third parties, except in the following cases:

• Resend (resend.com): email delivery service — receives contact form content solely to deliver your message
• Sanity (sanity.io): CMS for content management — does not store visitor personal data
• Netlify (netlify.com): hosting platform — processes IP addresses as part of website delivery

All listed processors are bound by appropriate Data Processing Agreements (DPA) and provide an adequate level of protection in accordance with GDPR.

05 Data Retention

• Inquiries (not converted to orders): retained for up to 6 months from last contact
• Customer and order data: retained for 5 years (statutory requirement for tax records)
• Technical logs: automatically deleted after 30 days

After the retention period expires, data is permanently and securely deleted or anonymised.

06 Your Rights

Under GDPR, you have the following rights regarding your personal data:

• Right of access — you may request a copy of the data we hold about you at any time
• Right to rectification — you may request correction of inaccurate or incomplete data
• Right to erasure — you may request deletion of your data ("right to be forgotten") when no longer needed
• Right to restriction of processing — you may request a temporary halt to processing of your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to lodge a complaint — file a complaint with a supervisory authority

To exercise any of these rights, email product.lab26@gmail.com. We will respond within 30 days.

07 Cookies and analytics

Essential cookies (always active):

• cookieConsent — records your cookie preference (stored locally in your browser, not on our servers)

Analytics (only with your consent):

With your explicit consent, we use Google Analytics 4 (Google LLC, USA) for anonymous traffic analysis. Your IP address is anonymised and data is retained for a maximum of 14 months. Data transfer to the USA is carried out under the EU-US Data Privacy Framework.

• _ga, _ga_* — Google Analytics identifiers used to count unique visitors and sessions

You may withdraw your consent at any time — clear stored data in your browser (Settings → Privacy → Clear site data) and refresh the page. The cookie banner will reappear.

We do not use advertising cookies, Facebook Pixel or other third-party tracking technologies.

08 Data Security

We implement the following security measures to protect your personal data:

• Encryption of data in transit (HTTPS / TLS 1.3)
• Access to data is restricted exclusively to the data controller
• Regular security audits and system updates
• Payment data is not stored by us — it is processed by Stripe / PayPal

09 Supervisory Authority

If you believe your rights have not been adequately respected, you have the right to lodge a complaint with the Slovenian data protection supervisory authority:

• Information Commissioner of the Republic of Slovenia
• Dunajska cesta 22, 1000 Ljubljana, Slovenia
• www.ip-rs.si
• gp.ip@ip-rs.si

10 Changes to This Policy

We may update this Privacy Policy at any time. The date of the last update is always shown below. In case of material changes, we will notify you by email (if we have your address).