Privacy & Cookie Policy

1. General

The purpose of this Privacy Policy is to inform individuals, clients, users of products or services, collaborators, employees, and other persons (hereinafter: “individual”) who interact with the company SIMARINE d.o.o., Ulica Škofa Maksimilijana Držečnika 6, 2000 Maribor, Slovenia (hereinafter: “the company”), about the purposes, legal bases, security measures, and the rights of individuals regarding the processing of personal data carried out by the company.

We value your privacy and therefore always protect your data with great care.

We process personal data in accordance with applicable data protection legislation and other relevant laws that provide a legal basis for the processing of personal data.

Any changes to this document will be published on our website. By using the website, you confirm that you are familiar with the full content of this Privacy Policy.

Personal Data Controller

SIMARINE d.o.o.

Ulica škofa Maksimilijana Držečnika 6

2000 Maribor

Email: [email protected]

Phone: +386 31 446 604

Website: https://simarine.net/

2. Personal data

Personal data means any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, e-mail, username, password.

2) Purposes of processing and legal bases

The company collects and processes personal data on the following legal bases:

– processing is necessary for compliance with a legal obligation to which the controller is subject;
– processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
– processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party;
– the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
– processing is necessary in order to protect the vital interests of the data subject or of another natural person.

3.1. Purchasing goods and services in the online store

The company processes personal data in the context of online business through its online store when an individual submits an online form, registers (creates a user account), or makes a purchase (successfully places an order) as a guest (unregistered user). When a user purchases a product without registering or logging into a user account, the company processes only the personal data necessary for the execution of the order, business communication, and the exercise of rights and obligations arising from the concluded contract. This includes: first name, last name, delivery address, email address, phone number, details of the ordered product, and payment information.

When an individual registers a user account or makes a purchase as a registered user, a contract is concluded with the company for the provision of services to registered users. The types of personal data processed during account registration include: email address, password, first name, last name, delivery addresses, phone number, data on ordered/purchased products, favorite products, payment details, data on obtained discounts, and any other data the user provides in their profile. In the case of account registration, personal data is stored within the user’s profile. In addition to the purposes mentioned above, the data is also processed for automated data entry during the ordering process, displaying purchase history, evaluating the product offering, improving services and the online store’s offer, increasing customer satisfaction, analysing user habits, and creating special offers and benefits intended exclusively for registered users.

In the online store, the following is collected:

User personal data

First and last name
Email address
Delivery address (street, postal code, city, country)
Billing address (if different)
Phone number
User-account data (if the user registers): username, password (encrypted)

Order data

List of ordered products (name, quantity, price)
Shipping costs
Taxes (VAT)
Total purchase amount
Selected payment method
Order status (e.g., processing, completed)

Payment data

WooCommerce itself does not store sensitive card data (such as card numbers). These are processed by external payment providers (Stripe, PayPal, etc.).

Collected are:

Transaction ID (from the payment provider)
Transaction status (successful, unsuccessful)
Date and time of payment
Payment method

Technical / analytics data

IP address
Device and browser type
Time of purchase

The legal basis for processing the data is the contract. The retention period is until the purpose of the contract is fulfilled or up to 6 years after the termination of the contract.

3.2. Informing individuals by email (e.g., e-newsletters)

Based on the performance of lawful business activities, the company may inform its clients, customers, and users of its services via email about its services, events, trainings, offers, and other content. An individual may at any time request the termination of such communication and the processing of their personal data by unsubscribing via the link provided in each received message or by sending a request via email or regular mail to the company’s address.

The legal bases for data processing are legitimate interest and consent. The data will be processed until the individual unsubscribes from receiving messages, withdraws their consent, or until the purpose of the processing has been fulfilled. The withdrawal of consent does not affect the legality of the processing based on consent before its withdrawal.

3.3. Use of the Simarine application

The SIMARINE application, which is installed on an individual’s mobile device, is designed to provide access to and management of sensor devices built into boats and motorhomes via the mobile device. Through the mobile application, individuals can remotely monitor the battery status, water tank levels, and temperature conditions, as well as control the switching on and off of devices (such as lights and radios).

To use the application, the individual must first create a user account or log in via third-party providers (e.g., Google, Apple, Facebook). In this case, the user does not need to create a new password or fill out a registration form. However, the application still creates its own user account based on the data received from the third-party provider. The types of personal data processed during account registration include: email address and password.

The data is stored in the user’s profile. Registration data is used for user registration and to enable use of the application. Additionally, the data is used to contact the individual for the purpose of uninterrupted service provision. The individual’s email address is also used to inform them about the provider’s activities, similar products, and services.

The legal basis for data processing is the contract and legitimate interest. The data retention period lasts until the purpose is fulfilled, or until the processing is withdrawn, or up to 6 years after the termination of the contract.

3.4. Performance of a concluded contract

In cases where an individual concludes a contract with the company, the contract serves as the legal basis for the processing of personal data. The company may process personal data for the purpose of concluding and fulfilling the contract, such as the sale of goods and services, preparing offers, participation in various programs, etc. If the individual does not provide the required personal data, the company cannot enter into the contract and cannot perform the service or deliver goods or other products in accordance with the contract, as it lacks the necessary data for execution. On this basis, the company processes only those personal data that are necessary for the conclusion and proper performance of contractual obligations.

The legal basis for data processing is the contract. The retention period is until the purpose of the contract is fulfilled or up to 6 years after the termination of the contract, except in cases where a dispute arises between the individual and the company in relation to the contract. In such cases, the company retains the data for 10 years after the final court decision, arbitration, or court settlement, or, if there was no legal proceeding, 6 years from the date of the amicable resolution of the dispute.

3.5. Legitimate interest

The company may also process personal data based on its legitimate interest. Such processing is not permitted where these interests are overridden by the interests or fundamental rights and freedoms of the individual to whom the personal data relates and who requires personal data protection. In cases where legitimate interest is used, the company performs an assessment in accordance with applicable legislation. The processing of personal data for the purposes of direct marketing is considered to be carried out on the basis of legitimate interest. The company may process personal data of individuals obtained from publicly accessible sources or in the context of lawful business activities for the purposes of offering goods, services, employment opportunities, informing about benefits, events, and similar. To achieve these purposes, the company may use regular mail, phone calls, email, and other telecommunications means. For direct marketing purposes, the company may process the following personal data of individuals: name and surname, permanent or temporary address, phone number, and email address. These personal data may be processed for direct marketing purposes even without the individual’s explicit consent. An individual may at any time request the termination of such communication and the processing of their personal data and unsubscribe from receiving messages via the unsubscribe link provided in each message or by sending a request via email or regular mail to the company’s address.

3.6. Processing based on consent

If the company does not have a legal basis derived from law, contractual obligation, legitimate interest, or the protection of an individual’s vital interests, it may request the individual’s consent. In such cases, the company may process certain personal data for the following purposes, provided that the individual gives their consent:

– residential address and email address (for the purposes of communication and notifications);
– photographs, videos, and other content related to the individual (e.g. publishing photos of individuals on the company website for the
– purpose of documenting activities and informing the public about the company’s work and events);
– other purposes for which the individual explicitly consents.

If the individual provides consent for the processing of personal data but later no longer wishes such processing to continue, they may request termination of processing by submitting a request via email or regular mail to the company’s address. The withdrawal of consent does not affect the legality of processing based on consent prior to its withdrawal. After receiving the withdrawal or deletion request, the data will be deleted no later than within 15 days. The company may also delete the data earlier, if the purpose of the processing has been fulfilled or if required by law.

Exceptionally, the company may refuse a request for erasure based on the General Data Protection Regulation (GDPR), in cases where processing is necessary for the exercise of the right to freedom of expression and information, compliance with a legal obligation, reasons of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes, statistical purposes, or for the establishment, exercise or defense of legal claims.

The legal basis for data processing is consent. The data will be processed until consent is withdrawn or the purpose of processing is fulfilled. Withdrawal of consent does not affect the lawfulness of processing carried out based on consent before its withdrawal.

3.7. Protection of the vital interests of the individual

The company may process personal data of an individual if such processing is necessary to protect the individual’s vital interests. In urgent situations, the company may search for the individual’s identification document, verify whether the person exists in its data records, review their medical history, or contact their relatives—without requiring the individual’s consent. This applies in cases where such actions are strictly necessary to safeguard the vital interests of the individual.

4. Storage and deletion of personal data

The company will retain personal data only for as long as necessary to fulfill the purpose for which the data was collected and processed. If the data is processed on the basis of a legal obligation, it will be stored for the period prescribed by law. Some data is retained during the period of cooperation with the company, while certain data may need to be retained permanently. Personal data processed by the company based on a contractual relationship with an individual will be retained for the duration necessary to fulfill the contract and for an additional 6 years after its termination, except in cases where a dispute arises between the individual and the company in connection with the contract. In such cases, the company will retain the data for 10 years after a final court decision, arbitration, or court settlement, or—if there was no legal proceeding—for 6 years from the date of the amicable resolution of the dispute. Personal data processed on the basis of the individual’s consent or legitimate interest will be stored until the consent is withdrawn or a request for deletion is submitted. Upon receiving a withdrawal or deletion request, the data will be deleted without undue delay. The company may also delete such data before consent is withdrawn, if the purpose of the processing has been achieved or if required by law. In the event that the individual exercises their rights, the company will retain the personal data until a final decision on the matter is made, and after that in accordance with the content of the final decision.

Exceptionally, the company may refuse a deletion request for reasons such as: the exercise of the right to freedom of expression and information, compliance with a legal obligation, public interest in the field of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and for the establishment, exercise or defense of legal claims. After the retention period expires, the company must permanently and effectively delete or anonymize the personal data so that it can no longer be linked to a specific individual.

5. Contractual processing of personal data and data transfers

The company may entrust certain personal data processing tasks to a data processor on the basis of a data processing agreement. Contracted processors may process the entrusted data solely on behalf of the controller, within the scope of the authorization specified in a written contract or other legal act, and in accordance with the purposes defined in this Privacy Policy.

The contracted processors with whom the company cooperates primarily include:

– providers of accounting services and other legal and business consulting services;
– infrastructure maintenance providers (video surveillance, security services);
– IT system maintenance providers;
– providers of email services and software/cloud service providers (e.g., Microsoft, Google);
– providers of social media and online advertising (Google, Facebook, Instagram, etc.).

To ensure better oversight and control over its processors and to maintain a structured contractual relationship, the company also maintains a list of all specific processors it works with.

Under no circumstances will the company disclose personal data to unauthorized third parties. Processors are only permitted to process personal data in accordance with the company’s instructions and may not use the data for any other purposes.

The company as the data controller, along with its employees, does not transfer personal data to third countries (outside the European Economic Area – EU member states as well as Iceland, Norway, and Liechtenstein) or to international organizations, except to the United States. In such cases, relationships with U.S.-based processors are governed by standard contractual clauses (model contracts adopted by the European Commission) and/or binding corporate rules (adopted by the company and approved by EU supervisory authorities).

6. Cookies

The company’s website operates using cookies, which are essential for providing online services. Cookies are used to store information about the state of individual web pages, to assist in gathering statistics on users and site traffic, and more. Upon entering the website, only cookies that are strictly necessary for the operation of the site (e.g. for the shopping cart) are loaded onto the user’s device. Other cookies will only be installed with the individual’s consent. Cookie settings can be changed and cookies deleted at any time (instructions are available on the websites of individual browsers).

The website uses the following cookies:

_session_id – stores session details (such as referrer and landing page) and expires at the end of the session.
_simarine_visit – lasts for 30 minutes from the last visit and is used by our internal statistics tracker to record the number of visits.
_simarine_uniq – valid until midnight of the following day and counts the number of visits made by an individual visitor.
voziček – stores information about the contents of your cart and lasts for 2 weeks.
_secure_session_id – a session cookie used for secure functionality.
storefront_digest – persists indefinitely and is used, if the store is password-protected, to check whether a visitor has access.
auth_token – valid for 15 minutes and enables access to the user account.

7. Data security and data accuracy

The company ensures information security and the security of its infrastructure (including premises and application-system software). Our information systems are protected, among other measures, by antivirus programs and a firewall. We have implemented appropriate organizational and technical security measures designed to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and from other unlawful or unauthorized forms of processing. Each individual is responsible for ensuring that the personal data they provide is transmitted securely and that the data provided is accurate and truthful.

8. Data Subject Rights Regarding Data Processing

The individual to whom the personal data relates has the right to request access to personal data, as well as the right to rectification or erasure of personal data, restriction of processing, the right to object to processing, and the right to data portability. The individual’s request will be handled in accordance with the provisions of the General Data Protection Regulation (GDPR) and applicable personal data protection laws.

All of the above rights and any questions related to them can be exercised by submitting a request to the company’s address or e-mail. The company will respond to the request without undue delay and no later than one month after receiving it. This deadline may be extended by up to two additional months, taking into account the complexity and number of requests. The individual will be informed of any such extension, including the reasons for the delay.

Exercising these rights is free of charge for the individual; however, the company may charge a reasonable fee if the request is clearly unfounded or excessive, particularly if it is repetitive. In such cases, the company may also refuse to act on the request. In case of doubt regarding the identity of the individual, the company may request additional information necessary to verify the identity of the requester.

In its decision regarding the individual’s request, the company will also inform the individual of the reasons for its decision and provide information about their right to file a complaint with the supervisory authority within 15 days of receiving the decision. The right to lodge a complaint with the supervisory authority may be exercised by contacting Information Commissioner of the Republic of Slovenia (address: Dunajska 22, 1000 Ljubljana, e-mail: gp.ip@ip-rs-si, website: www.ip-rs.si).

This Privacy Policy is effective from date 18.9.2025.