Privacy policy
This policy explains how 6Tejst, Vito Štibernik s.p. processes personal data in accordance with Regulation (EU) 2016/679 (GDPR), the Slovenian Personal Data Protection Act (ZVOP-2), and applicable national laws.
Data controller
6Tejst, Vito Štibernik s.p., Kotredež 10, 1410 Zagorje ob Savi, Slovenia. Phone: +386 40 574 210. No Data Protection Officer has been appointed as the Article 37 GDPR threshold is not met. All data protection requests go to:
Data we collect
We collect order data (name, delivery and billing address, phone, email, order history); payment data (transaction reference IDs only, as card data is held by payment processors); account data (login credentials and communication preferences); newsletter data (email address, consent record, open and click metrics); support data (correspondence and photos submitted by the Buyer); loyalty data (points balance and redemption history); browsing data (IP address, browser type, pages visited, and cookie identifiers); and review data (name and content of submitted reviews). Mandatory fields are name, delivery address, email, and payment method — without these the contract cannot be performed. All other fields are voluntary.
Purposes and legal bases
We process data for the following purposes: performing the sales contract including order processing, dispatch, delivery, and customer support (Art. 6(1)(b) GDPR); issuing invoices and maintaining tax records (Art. 6(1)(c) GDPR); sending newsletters and automated marketing emails including abandoned-cart flows (Art. 6(1)(a) GDPR — consent); operating the customer account and loyalty programme (Art. 6(1)(b) GDPR); running web analytics via Google Analytics 4 (Art. 6(1)(a) GDPR — consent); measuring advertising via Meta Pixel for Facebook and Instagram (Art. 6(1)(a) GDPR — consent); preventing fraud and maintaining IT security (Art. 6(1)(f) GDPR — legitimate interest); and responding to legal claims (Art. 6(1)(f) GDPR — legitimate interest).
Recipients and processors
We share data only with processors bound by data processing agreements. Payment processors: Stripe Payments Europe Ltd., Dublin, Ireland (card payments, Apple Pay, Google Pay); Klarna Bank AB, Stockholm, Sweden (buy now pay later); PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg (PayPal payments). Logistics and hosting: Fully d.o.o., Ljubljana, Slovenia (dispatch, returns); Avant.si d.o.o./Neoserv, Šenčur, Slovenia (hosting); Cloudflare Inc., USA (CDN, security). Marketing and analytics: Omnisend Ltd., Vilnius, Lithuania (email marketing and automation); Google Ireland Limited, Dublin, Ireland (Google Analytics 4, Tag Manager, Google Ads); Meta Platforms Ireland Limited, Dublin, Ireland (Meta Pixel, Facebook and Instagram ads). Other: FunnelKit/WooFunnels Inc., USA (checkout and cart); WPLoyalty, self-hosted plugin (loyalty programme); authorised accountant in Slovenia (invoicing and tax); public authorities where legally required.
International transfers
Data is transferred outside the EEA to Cloudflare Inc., Google LLC, and Meta Platforms Inc. in the USA. All three are certified under the EU–US Data Privacy Framework and additionally covered by Standard Contractual Clauses approved by the European Commission. FunnelKit/WooFunnels Inc. (USA) is covered by Standard Contractual Clauses. Copies of applicable safeguards are available on request at:
Retention periods
Order and invoice data is retained for 10 years from the end of the calendar year of issue, in accordance with ZDavP-2 § 86 and German AO § 147. Customer account data is retained until deletion is requested. Newsletter subscription data is retained until consent is withdrawn. Omnisend email engagement data is retained for up to 24 months after last activity. Google Analytics 4 data is retained for 14 months per the GA4 data retention setting — note that the _ga cookie persists for 2 years on the device; these are two separate mechanisms. Meta Pixel event data is retained for up to 180 days per Meta's retention policy. Cookie consent logs are retained for 12 months. Support correspondence is retained for up to 3 years after last contact. Statutory limitation evidence is retained for up to 3 years under BGB § 195 or 5 years under the Slovenian Code of Obligations, whichever applies.
Your rights
You have the right to: access your personal data (Art. 15); rectification of inaccurate data (Art. 16); erasure subject to legal retention obligations (Art. 17); restriction of processing while a dispute is resolved (Art. 18); data portability in machine-readable format (Art. 20); object to processing based on legitimate interests (Art. 21); withdraw consent at any time without affecting prior lawful processing (Art. 7(3)); and lodge a complaint with a supervisory authority at any time, including before exhausting other remedies (Art. 77). To exercise any of these rights, contact us — we respond within one month:
Supervisory authorities
You may lodge a complaint with the supervisory authority of your EU country of residence at any time.
Slovenia — Informacijski pooblaščenec (IP), Dunajska cesta 22, 1000 Ljubljana:
Germany — Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), Graurheindorfer Str. 153, 53117 Bonn:
Automated decision-making
We do not use automated decision-making that produces legal effects or similarly significant effects under Art. 22 GDPR. Omnisend automated emails such as abandoned-cart reminders are based on browsing behaviour but do not produce such effects.
Last updated: 10 July 2026
