Privacy policy

Last updated: June 25, 2024

All content published on the ecto.design website is the property of the controller. Without the controller’s permission, it may not be copied, reproduced, or distributed in any other way. The controller reserves the right to make changes to the content published on the website.

We are aware of our responsibility in handling personal data and respect your privacy. Therefore, we process personal data carefully in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation) and the Slovenian Personal Data Protection Act (Zakon o varstvu osebnih podatkov). All personal data obtained by ecto.design are treated confidentially and are used exclusively for the stated processing purposes.

The purpose of the Privacy Policy is to inform our customers, website users, and other individuals (hereinafter: individuals) about the scope and nature of the personal data we collect, use, and process, the purposes and legal basis of processing personal data, and to inform individuals about their rights in this area.

Data controller

Grafično oblikovanje, Luka Gigović, s.p., Šeškova ulica 30, 1330 Kočevje, registration number: 9292829000, VAT number: 26633841, doing business as Ecto Design (hereinafter referred to as the “controller”), respects your right to privacy, principles of data protection, and strives for the highest level of protection of your personal data.

This data controller has no appointed data protection officer.

Regulations

The Controller respects the regulations defining the protection of personal data and acts in accordance with applicable sectoral laws, including the law governing the protection of personal data and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”).

In the event of changes in the regulations on personal data protection or sectoral laws, it may be necessary to adjust the provisions related to this area. You will be informed here about any changes and updates. In the event of a conflict between individual provisions, the hierarchy of legal acts will be respected.

This Privacy Policy in accordance with the GDPR governs the following areas:

  • contact information of the controller and contact of the Data Protection Officer,
  • purposes and legal bases for processing various types of users’ personal data, including profiling of users’ personal data,
  • users of personal data, contractual processing, and transfer of data to third countries,
  • retention periods for individual types of personal data,
  • care for the security of personal data,
  • users’ rights regarding the processing of personal data,
  • the procedure for exercising users’ rights in relation to the processing of personal data,
  • the right to lodge a complaint regarding the processing of personal data.

All personal data you provide to us will be treated and used confidentially and solely for the purposes for which they were provided. If there is a need for further processing of your data for another purpose, meaning that for this other purpose we require your appropriate consent, we will contact you in advance and request it.

The Controller will process the customer’s personal data solely for the purposes for which they were obtained and will not process them for purposes incompatible with the purposes for which they were collected. The Controller collects and processes only those personal data from the customer that are necessary to achieve the specific purpose.

Principles of the GDPR

The Controller, when processing personal data, adheres to the general principles outlined in Article 5 of the GDPR. During the processing of personal data, the data may only be collected for specified, explicit, and legitimate purposes, and the Controller is responsible for ensuring that the personal data are:

  • processed lawfully, fairly, and in a transparent manner in relation to the individual to whom the data pertains, and are not processed further in a manner incompatible with those purposes;
  • accurate, adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed, or as required by the regulations;
  • processed in a manner that ensures their integrity and confidentiality, especially ensuring that they are appropriately secured against unauthorized or unlawful processing, accidental loss, destruction, or damage by using suitable technical or organizational measures.

Personal data must not be further processed in a way that is incompatible with these purposes, unless otherwise stipulated by the relevant regulations.

Categories of personal data users

The Controller does not provide the personal data of individuals to any processor, nor does any third party have access to the personal data collected by the Controller.

Legal basis and purpose for collection and processing

The purpose of collecting individuals’ personal data is evident from the data collection overview below.

The legal basis for the collection and processing of personal data of individuals is defined by Article 6(1) of the GDPR, primarily point (a), which stipulates explicit consent for the processing of personal data. By using our portal, individuals explicitly agree that processing takes place solely for the purpose with which they explicitly agree, as shown below for each specific data item. Consent to provide personal data is always voluntary, and personal data is thus retained until revoked (consent can be withdrawn at any time, which is automatically understood to include the deletion or termination of the individual’s profile or account).

If an individual does not provide the required personal data marked with an asterisk (*) on the entry form or defined as “mandatory” in the data overview below, or if they withdraw consent for its processing, the Controller cannot fulfill the purpose for which the data is collected, such as processing the order or responding to a customer inquiry.

The collection and processing of personal data are also necessary for the provision of services or for taking measures (advice or legal negotiations) prior to ordering services.

In the case of cookies, the processing is necessary due to the legitimate interests pursued by the Controller or a third party, which override the interests or fundamental rights and freedoms of the individual to whom the personal data relates, requiring the protection of personal data. Therefore, the processing here is based on the legitimate interests of the Controller to maintain the highest standards of sales, services, product quality, and customer satisfaction. If the Controller is in doubt about obtaining certain personal data from a customer, it guarantees to consult an expert, and the fundamental rights and freedoms of the customer will always be weighed against the Controller’s interests regarding the type of data processing.

Methods of collecting personal data

The types of personal data are categorically defined below, and their collection and processing primarily serve to enable higher quality and more appropriate customer service.

The Controller uses contact information to send marketing messages, communicate regarding services, and inform you about changes to the privacy policy and general terms and conditions. Your data is also used to respond to your requests to contact us.

Other personal data is acquired only if you provide it to us voluntarily.

Notwithstanding the above, we reserve the right to obtain your public personal data from publicly accessible sources (e.g., business databases, public profile on social media), and we may also acquire data on other grounds, in the event of any outstanding debts to us.

Personal data we collect

If you are merely a visitor to our website, we collect data about you using cookies.

For the purposes of direct marketing (e.g., notifying via email) and other legitimate interests in sales, marketing, and customer support, we retain the following data:

  • Name and surname
  • Contact email address
  • Log file data (IP address, access time, browser version, visited page address)

These personal data are stored exclusively in electronic form and are secured in the information system.

Based on a contractual legal basis, we also collect and process other personal data used solely for the purpose of exercising contractual rights and fulfilling contractual obligations, as well as for the purpose of contract negotiation after receiving an offer or inquiry from an individual. These personal data include:

  • Name and surname
  • Contact email address
  • Address
  • Tax number
  • Log file data (IP address, access time, browser version, visited page address)
  • Transaction account number – last 4 digits of the card
  • Card validity
  • Card type
  • Name of the bank that issued the card

To fulfill legal obligations that require us to provide personal data of individuals to government authorities and other controllers for the fulfillment of their or our legal obligations or competences, we process those personal data and for those purposes as required by applicable regulations.

Our website contains an inquiry form intended for the personalized preparation of offers. The data collected exclusively for the purpose of preparing offers and establishing contact are:

  • Name and surname of the contact person
  • Contact email address
  • Company website
  • Position of the contact person
  • Country
  • Other data that the individual voluntarily writes under notes

Warning regarding potential data sharing risks

There is a possibility of unauthorized intrusion into our computer system, which is a criminal offense. Such intrusion could allow potential “hackers” to use this data for purposes not compatible with the original purpose of our data collection. Nevertheless, we will make every effort to prevent such incidents.

Data of another person

It is prohibited to provide data on behalf of someone else. In the case of a minor under the age of 16, personal data may only be provided to the controller if there is permission from the parent or legal guardian, and you are obligated to explicitly notify the controller of this. By using our website, you confirm that you are over 16 years of age.

Further marketing

The controller reserves the right to contact you by email for the purpose of its own marketing. However, your consent regarding this matter can be revoked at any time with effect for the future (ex nunc).

Providing access to your personal data

The controller may allow access to personal data by third parties only to the extent determined by judicial and other official authorities according to legal provisions or in other legally prescribed cases. If permissible and if it does not obstruct the prevention or detection of criminal activity, we will address any such order or request to you, or we will inform you before responding.

Transfer of personal data to third countries or organizations

The controller does not transfer personal data to any international organization or controller or processor of personal data established (based) in a country outside the EU or the European Economic Area.

Protection of your personal data

Your personal data exists only in electronic form and not in physical form (there are no printed copies). The data is protected by application software used for processing personal data, preventing unauthorized access to personal data during their transmission, including transmission via telecommunication means and networks. Furthermore, the controller ensures an effective way of blocking, destroying, or deleting personal data when the purpose for which they were collected ceases, or when you delete your profile or account, or when you request the deletion of your personal data.

The controller enables later determination of when individual data was entered into the personal data collection, used, transferred, or otherwise processed, and by whom (audit trail).

Unauthorized access to personal data, their use, and disclosure is prevented by the controller using the following security technologies and procedures:

  • Locking of workspaces and computers and preventing access to personal data,
  • Strictly confidential data, such as credit card information, is stored with the processor for payment processing in encrypted form,
  • Storage of personal data carriers in secured premises,
  • Preventing access to personal data by space maintainers, customers, and other visitors to the premises,
  • Preventing the use of passwords on work computers by individuals to whom the password was not directly assigned or for purposes other than specified,
  • Limiting data exports by employees,
  • Controlling copies and exports of data (audit trail on the sole shared account of the controller),
  • Limited, recorded, and secured data transmission over telecommunication networks,
  • Code control and data removal from individuals whose contract with the processor or employment contract with the controller has ended.

Recommended measures for privacy protection and individual responsibility

We recommend that individuals or all recipients of this policy also take steps to protect their privacy:

  • Ensuring accurate and up-to-date information
    If you are a subscriber to our services, we encourage you to inform us promptly of any changes to your personal information. We will endeavor to update your data as soon as we receive your notification.
  • Email
    Before sending us an unprotected email through your internet service provider, please be aware that its content may not be protected from unauthorized access, tampering, etc., on the internet.
  • Use of passwords
    We recommend that you ensure the security of passwords or other identifiers used to log into the email program. Make sure to store them properly and do not disclose them to others.
  • Antivirus protection
    We recommend that you have active antivirus software installed on the device used to access programs necessary for communication with the Ecto Design team.

Links to other websites, applications, and services

The Ecto Design website may provide links to third-party websites or include pages and services of third parties. Ecto Design is not responsible for the privacy or personal data protection practices of third parties, application providers, operating system providers, wireless service providers, device manufacturers, etc.

If you choose to visit such a link, we are not responsible for the availability of the selected third-party website, mobile applications, or other services. Additionally, we do not review third-party websites, their mobile applications, or services, and we are not directly or indirectly responsible for their use and content, or for the collection and processing of any data by these websites, mobile applications, or services. Therefore, we recommend that you familiarize yourself with the privacy policies or privacy statements of third-party services or mobile applications before using them or entering any of your personal data into them. These policies or statements are available either on their websites or upon access (registration) to such mobile applications. The Ecto Design team uses Slack, Figma, Adobe, and Queue (MJR Gaming Inc) in their work. Stripe is used for payments.

Rights of the Individual

In accordance with the provisions of the GDPR outlined below, you have certain rights regarding your personal data. Specifically, the Controller is obligated to confirm whether or not personal data concerning you is being processed. If your data is being processed, the Controller has the following duties towards you:

  • Right of access

    You have the right to access and be informed about your personal data processed by us. We give you the possibility to view certain data through your user account in Ecto’s client portal or request a copy of your personal data by contacting us.

  • Right to withdraw consent

    In case the processing is based on a consent granted by the User, the User may withdraw the consent at any time free of charge. Withdrawing a consent may lead to fewer possibilities to use the Ecto Design services. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

  • Right to rectify

    You have the right to have incorrect or incomplete personal data we have stored about you corrected or completed by contacting us. You can correct or update some of your personal data through your user account in the Ecto Design Client portal.

  • Right to erasure

    You may also ask us to delete your personal data from our systems. We will comply with such a request unless we have a legitimate ground to not delete the data.

  • Right to object

    You may have the right to object to certain use of your personal data if such data is processed for other purposes than necessary for the performance of the Ecto Design services or for compliance with a legal obligation. If you object to the further processing of your personal data, this may lead to fewer possibilities to use the Ecto Design services.

  • Right to restriction of processing

    You may request to restrict processing of personal data for example when your data erasure, rectification or objection requests are pending and/or when we do not have legitimate grounds to process your data. This may however lead to fewer possibilities to use the Ecto Design services.

  • Right to data portability

    You have the right to receive the personal data you have provided to us yourself in a structured and commonly used format and to independently transmit those data to a third party.

  • How to use your rights

    The abovementioned rights may be used by contacting Ecto Design or sending a letter or an e-mail to us at the addresses set out above, including the following information: the full name, address, e-mail address and a phone number. If you are a client, we recommend contacting us through the client portal or on Slack, as that allows us to identify you more easily. We may request the provision of additional information necessary to confirm the identity of the User. We may reject or charge for requests that are unreasonably repetitive, excessive or manifestly unfounded.

Exercising rights

If personal data is processed by Ecto Design based on consent, individuals can revoke their consent for the processing of personal data at any time, temporarily or permanently. Additionally, individuals can object to the processing of personal data concerning them for the purpose of direct marketing, or request access, rectification, restriction of processing, data portability, or erasure of personal data, or lodge an objection against the processing of personal data related to them, by sending a written request to the email address: info@ecto.design. Your revocation applies to future processing and does not affect the processing of personal data that was carried out before your revocation.

If you object to the processing of personal data based on our legitimate interests, we will no longer process your personal data unless we demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims in accordance with the General Data Protection Regulation.

We would also like to inform you that if you believe that the regulations governing the protection of personal data have been violated, you have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia, Dunajska cesta 22, 1000 Ljubljana.

Cookies

Business documentation

The controller reserves the right to process business documentation data, which are not inherently personal data but serve only as evidence of concluded business and negotiations: for example, business correspondence, copyright agreements or other bases for payment to the client, invoices, data on the assignment of a person to a business, data on received inquiries or responses to offers, customer identification number, order or contract number, and any complaints and claims.

For the purpose of its own statistics, the controller reserves the right to collect data on where the customer learned about the controller.

Retention period

All personal data is collected, processed, and used in accordance with the applicable data protection regulations. In general, your personal data is stored until revoked or as long as necessary to fulfill the purpose for which it is processed, or until the expiration of criminal and civil statute of limitations and legally prescribed retention periods. Data is stored until revoked. The retention period is decided on a case-by-case basis, as it depends on the type of data, the reason for collecting and processing the data, and the relevant legal or operational reasons for retention.

The criteria for determining the data retention period include: (i) the duration of our relationship with you; (ii) whether there is a legal obligation that we must comply with; and (iii) whether retention is advisable given our legal position (taking into account the statute of limitations for each unpaid claim, lawsuit, or regulatory investigation).

When considering filing a claim against the controller, the controller may retain all data that the controller believes will be necessary for defense against the claim or for asserting or filing a claim against you, the controller, or a third party, as long as it is still possible to assert the claim and the statute of limitations has not expired.

In accordance with the Value Added Tax Act, the controller must ensure the retention of invoices relating to the supply of goods or services in the territory of Slovenia, as well as invoices received by a taxable person with a registered office in Slovenia, for ten years after the end of the year to which the invoices relate.

Data destruction

Upon the expiration of the storage period or upon revocation, the data is permanently and irrevocably deleted or destroyed in such a way that it is no longer possible to ascertain its content or reuse it.

Other information

Any questions regarding this policy, comments, feedback, and requests for assistance regarding the exercise of your rights related to the processing of your personal data can be addressed to the following email address: info@ecto.design.

Policy changes

The controller reserves the right to periodically adjust this Privacy Policy as needed to reflect changes in our processing of personal data, as well as changes in relevant processing circumstances and legislation, and established practices in the field of personal data protection.

Any changes to this privacy policy will take effect upon publication on the website www.ecto.design. We recommend that all individuals affected by this policy regularly review it.

Continued use of our websites or services after the published changes to the Privacy Policy signifies your agreement with the changes.