Privacy policy

The purpose of this Privacy Policy is to inform customers, potential customers, or visitors to the websites owned by JATrail d.o.o. about the purposes and legal basis for the processing of personal data by JATrail d.o.o., Mesarska cesta 4f, 1000 Ljubljana, Slovenia (hereinafter referred to as JATrail/the provider).

At JATrail, we value your privacy and always protect your data with great care.

This Privacy Policy may be changed or amended at any time without prior notice or notification. By using the provider’s websites after such changes or amendments, the individual confirms their agreement with these modifications.

By using the website, the user acknowledges and agrees to the full content of this Privacy Policy, unless additional consent is required for specific cases.

Our activities comply with European legislation (Regulation (EU) 2016/679 on the protection of individuals regarding the processing of personal data and the free movement of such data (General Data Protection Regulation or GDPR)) and conventions of the Council of Europe (ETS No. 108, ETS No. 181, ETS No. 185, ETS No. 189), as well as with the national legislation of the Republic of Slovenia (Personal Data Protection Act (ZVOP-1, Official Gazette of the RS, No. 94/07), Electronic Commerce Market Act (ZEPT, Official Gazette of the RS, No. 96/09 and 19/15), etc.).

Since we recognize the importance of your privacy and your awareness of how your personal data is processed, we invite you to read more about specific aspects of personal data protection in the guidelines of the Information Commissioner, who acts as the competent national authority for overseeing the legal framework for personal data protection in the Republic of Slovenia.

PERSONAL DATA

A personal data is any information that identifies you as an individual: your name, surname, email or physical address, etc.

For business purposes, JATrail collects the following user data:

  • Name and surname
  • Email address
  • Contact phone number
  • Other information entered into relevant forms on the website
 

By registering on the website, you explicitly agree that JATrail may use the collected personal data (name, surname, email address, and any other provided information) for direct marketing purposes through all advertising channels used by the provider (notifications via phone and SMS, printed media, unaddressed and addressed direct mail, email, etc.), as well as for statistical and market analyses related to direct marketing, marketing profiling, and segmentation. This ensures that you are continuously informed about our latest offers while receiving information only about products that best match your preferences.

You can withdraw your consent for direct marketing via email by:

  • Sending a reply email to a specific marketing message received from the provider, and/or
  • Filling out the online form linked in every marketing email sent by the provider.
 

Each marketing email will include appropriate information about the option to withdraw consent for direct marketing via email.

The provider will respect your request for withdrawal and will process it within a maximum of 15 days, ensuring the termination of direct marketing through the specified or all advertising channels. You will be notified in writing or through another agreed method within the following five days. This process is free of charge. The provider also guarantees all other rights in accordance with applicable legislation, as outlined further in this document.

The provider does not collect or process your personal data unless you enable or consent to it, such as when ordering services, subscribing to newsletters, participating in a prize draw, etc., or if there is a legal basis for data collection or a legitimate interest of the provider.

The provider collects and processes your personal data based on the following legal grounds:

  • Law and contractual relationships
  • Individual consent
  • Legitimate interest

PROCESSING PURPOSE

The conclusion and execution of a contract entered into with the provider, including the provider’s fulfillment of your orders (delivery of products and provision of services), communication with you, verification of your payments, and fulfillment of other obligations of the provider and/or your obligations (the provider’s legitimate interest in processing your personal data, Article 6(1)(f) of the GDPR).

Direct notification of customers about special offers, discounts, and other content via email or SMS.

Based on the ZEKom-1 Act (Electronic Communications Act of the Republic of Slovenia, implemented following Directive 2002/58/EC of the European Parliament and Council of July 12, 2002), JATrail d.o.o. informs its customers about its services and content. The customer may request the termination of such communication and the processing of personal data at any time. The customer can unsubscribe from such communication at any time by clicking the unsubscribe link provided in the received messages, or by sending a written request to the email address info@trailrun.si.

Basic personalized communication (via email, SMS, phone calls, mail, browser notifications, website information, social media) with offers and content.

As part of basic personalized communication (via email, SMS, phone calls, mail, browser notifications, website information, social media), we aim to present you with relevant offers, discounts, and other content that may interest you based on your past interactions with us.

For this purpose, we use the following data: Demographic data (gender, age), simple tracking of behavior on the Julian Alps Trail Run websites (viewing specific content that may trigger the sending of customized messages), without using this data to create user profiles, your responses (e.g., opening emails, clicking links) to various messages we send you.

We do not use any semi-automatic or automatic profiling; instead, we only select relevant recipient groups for specific messages. We never focus on individual data but rather process data in aggregate for larger groups.

Based on this data, the following factors may vary: which content we present to you to ensure maximum relevance, how often we send messages and through which communication channels.

Customers can unsubscribe from such communication at any time by clicking the unsubscribe link provided in received messages, or by sending a written request to info@trailrun.si.

Use of Facebook advertising tool: Facebook Custom Audiences

Based on its legitimate interest in online advertising, JATrail also uses the Facebook Custom Audiences service, either as part of basic personalized communication under legitimate interest or based on obtained consent for communication with personalized offers and content tailored to the user’s profile.

This service works as follows: Your email address, collected during your purchase or voluntary submission, is uploaded to Facebook. Facebook compares your email with its user database to determine if you are a Facebook user. If you are not a Facebook user, your email is not used, and Facebook takes no further action. If you are a Facebook user, you will be added to a newly created custom audience list, allowing us to show tailored ads to this group on Facebook. This enables us to display more targeted and personalized ads, including exclusive discounts, on Facebook.

You can request the termination of this service at any time by sending a written request to info@trailrun.si.


PROCESSING BASED ON YOUR CONSENT

The provider collects and processes (uses) your personal data for the following purposes when you give your consent:

  • Preparation and sending of personalized newsletters, if you have subscribed to them,
  • Sending commercial offers and other content via email, SMS messages, phone calls, or social media (Facebook, Instagram) when there is no other legal basis, and you have consented to this,
  • All other purposes for which you specifically agree when cooperating with the provider.

CONTRACTUAL PROCESSING OF PERSONAL DATA

As an individual, you are informed and agree that the provider may entrust certain tasks related to your data to other parties (contracted processors). Contracted processors may process the entrusted data exclusively on behalf of the provider, within the scope of the provider’s authorization (in a written contract or other legal act), and in accordance with the purposes defined in this privacy policy.

The contracted processors the provider collaborates with are:

  • Accounting services; law firms and other providers of legal advice,
  • Data processing and analytics providers,
  • IT system maintenance providers,
  • Email service providers,
  • Payment system providers,
  • Providers of online advertising solutions.

The provider will not disclose your personal data to unauthorized third parties.

Contracted processors may process personal data only in accordance with the controller’s instructions and must not use personal data for their own interests.

The controller and users of personal data do not transfer data to third countries.


STORAGE OF PERSONAL DATA

The provider will retain your personal data only as long as necessary to fulfill the purpose for which the personal data was collected and further processed. Personal data processed by the provider based on the law will be stored for the period prescribed by law. Personal data processed by the provider for the execution of a contractual relationship with the individual will be stored for the period necessary to perform the contract and for an additional 5 years after its termination, unless a dispute arises between you and the provider regarding the contract; in such a case, the provider will store the data for an additional 5 years after the finality of the court or arbitration decision, settlement, or, if no legal dispute occurred, for 5 years from the peaceful resolution of the dispute.

Personal data processed by the provider based on the individual’s consent or legitimate interest will be stored permanently, until the individual revokes their consent or requests the cessation of processing. The provider will delete such data before the revocation only when the purpose of processing personal data has already been achieved or if required by law.

After the retention period expires, the data controller will effectively and permanently delete personal data so that it can no longer be linked to a specific individual.


FREEDOM OF CHOICE

The information you provide about yourself is under your control. If you choose not to provide your data to the provider, you will not be able to access certain areas or functions on the website.


MINORS

The provider strongly recommends that all parents and guardians teach their children and dependents safe and responsible handling of personal data online. Minors should not submit any personal data on websites without the consent of their parents or guardians. The provider will never knowingly collect personal data from individuals it knows to be minors.

DATA PROCESSING INDIVIDUAL RIGHTS

You have several rights regarding your personal data. These include the right to access, review, deletion, and restriction of processing, transfer, objection, and complaint.

Right to Information: The right to know what data we collect about you, for what purposes, how long we store it, where your personal data is sourced from, to whom we share it, who processes it besides us, and what other rights you have in relation to the processing of your personal data. All of this information can be found in the “Privacy Policy,” and if you have any questions, you can contact us at info@trailrun.si.

Right to Withdraw Consent: If you have consented to the processing of your personal data (for one or more specific purposes), you have the right to withdraw that consent at any time, without affecting the legality of the data processing that was carried out based on the consent before its withdrawal. You can withdraw consent by sending a written statement to info@trailrun.si. Withdrawing consent for the processing of personal data will not have any negative consequences or sanctions for the individual. However, after the withdrawal of consent, the controller may no longer be able to provide certain services that require personal data.

Right to Access Personal Data: As an individual, you have the right to obtain confirmation from the provider (data controller) as to whether personal data concerning you is being processed, and if so, access to personal data and specific information (such as the purposes of processing, types of personal data, recipients, retention periods or criteria for determining retention periods, the existence of the right to rectify or erase data, the right to restrict processing, the right to object to processing, and the right to lodge a complaint with a supervisory authority, the source of the data if not collected from you, the existence of automated decision-making, including profiling, reasons for it, and the significance and consequences of such processing for you, as well as other information in accordance with Article 15 of the GDPR).

Right to Rectification of Personal Data: As an individual, you have the right to request the provider to rectify inaccurate personal data concerning you without undue delay. You also have the right to complete incomplete data, taking into account the purposes of processing, including providing supplementary statements.

Right to Erasure of Personal Data: As an individual, you have the right to request the provider to erase personal data concerning you without undue delay, and the provider must erase data without undue delay when there is one of the following reasons: the data is no longer necessary for the purposes for which it was collected or otherwise processed; if you withdraw consent and there is no other legal basis for processing; if you object to the processing, and there are no overriding legitimate grounds for processing; if the data has been unlawfully processed; if the data must be erased to comply with legal obligations under EU or Member State law applicable to the provider; if the data was collected in connection with offering information society services.

However, in certain cases, as described in the 3rd paragraph of Article 17 of the GDPR, you do not have the right to have your data erased.

Right to Restriction of Processing: As an individual, you have the right to obtain from the provider a restriction of processing when one of the following applies: if you contest the accuracy of the data, for a period enabling the provider to verify its accuracy; the processing is unlawful, but you oppose erasure and request restriction of use instead; the provider no longer needs the data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims; you have objected to processing, pending verification of whether the legitimate grounds of the provider override your rights.

Right to Data Portability: As an individual, you have the right to receive the personal data concerning you, which you have provided to the provider, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller without hindrance from the provider, where: the processing is based on consent or contract and is carried out by automated means. In exercising this right, you have the right to have the personal data transmitted directly from one controller (provider) to another, where technically feasible.

Right to Object to Processing: As an individual, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the provider (Article 6(1)(e) of the GDPR) or is necessary for the legitimate interests pursued by the provider or a third party (Article 6(1)(f) of the GDPR), including profiling based on such processing; the provider shall cease processing personal data, unless the provider demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. When personal data is processed for direct marketing purposes, the individual has the right to object at any time to the processing of their data for such marketing, including profiling, to the extent it is related to direct marketing; where the individual objects to processing for direct marketing purposes, the data shall no longer be processed for such purposes. Where data is processed for scientific or historical research purposes or statistical purposes, the individual has the right to object to processing on grounds relating to their particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other (administrative or judicial) remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or where the alleged infringement occurred (in Slovenia, this is the Information Commissioner), if you consider that the processing of personal data concerning you infringes data protection law.

Without prejudice to any other (administrative or judicial) remedy, you have the right to an effective judicial remedy against a legally binding decision of the supervisory authority regarding the matter, as well as in cases where the supervisory authority does not handle your complaint or inform you of the status of the matter or the decision on the complaint within three months. Courts of the Member State in which the supervisory authority is established have jurisdiction for actions against the supervisory authority.

Individuals can submit all requests related to the exercise of rights concerning personal data in writing to the controller at info@trailrun.si.

For reliable identification purposes when exercising rights concerning personal data, the controller may request additional information, and can only refuse action if it can demonstrate that the individual cannot be reliably identified. The controller must respond to a request without undue delay and no later than one month from the receipt of the request.

In the case of a personal data breach, the provider must notify the relevant supervisory authority, unless it is unlikely that the breach would result in a risk to the rights and freedoms of individuals. Where there is a suspicion of a criminal offense being committed during the breach, the provider must notify the police and/or the relevant prosecutor. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the provider must immediately, or if not possible, without undue delay, notify the individuals concerned, in clear and plain language.


PUBLICATION OF CHANGES

Any changes to our privacy policy will be published on this website.

By using the website, the individual confirms that they accept and agree to the entire content of this privacy policy.