PRIVACY POLICY — HMBoiles j.d.o.o.

1. Introduction

This Privacy Policy describes how HMBoiles j.d.o.o. (“we”, “our” or “HMBoiles”) collects, processes, and protects the personal data of users of the online store www.hmboilies.hr.

The data controller is:

HMBoiles j.d.o.o.
Headquarters: Kerestinečka cesta 15, 10431 Kerestinec, Croatia
Phone: +385 99 422 2023
Email: info@hmboilies.hr
Registration authority: Commercial Court in Zagreb
MB: 05899770

We process your personal data in accordance with the General Data Protection Regulation (GDPR) and the applicable laws of the Republic of Croatia.

By using our online store, you confirm that you are familiar with this Policy.


2. What data we collect

We only collect data that is necessary for lawful operation and fulfilling your orders:

2.1. Data you provide

  • Name

  • Delivery address and/or billing address

  • Contact information (phone, email)

  • Order and purchase data

  • User account registration data (email, password – encrypted)

2.2. Data required for payment

Depending on the payment method, we may receive information about the transaction status (e.g., bank confirmation), but we do not receive or store card numbers.

2.3. Technical data (automatically collected)

  • IP address

  • Browser type and version

  • Device and operating system information

  • Website usage data (cookies, analytics, etc.)

This data is used for system security, website functionality, and improving user experience.


3. Purpose and legal basis of processing

We process your data only for legitimate purposes:

3.1. Contract performance (order and delivery)

  • Processing and delivery of orders

  • Customer communication

  • Handling complaints

  • Issuing invoices
    Legal basis: GDPR Art. 6(1)(b)

3.2. Legal obligations

  • Accounting

  • Maintaining business records
    Legal basis: GDPR Art. 6(1)(c)

3.3. Legitimate interest

  • Website improvement

  • Prevention of abuse
    Legal basis: GDPR Art. 6(1)(f)

3.4. Consent (only if explicitly given by the user)

  • Marketing communications

  • Newsletter
    Legal basis: GDPR Art. 6(1)(a)


4. Obligation to provide data

To place an order, you must provide the following data:

  • first and last name,

  • delivery address,

  • contact information,

  • email for order confirmation.

If you do not provide this data, we cannot fulfill the order.


5. With whom we share data

Personal data is shared exclusively with trusted partners necessary for fulfilling the order:

  • Delivery services (for package delivery)

  • Accounting (legal obligation)

  • IT/hosting service providers

We do not sell or rent your data.


6. Data transfer outside the EU

If we use services whose servers are located outside the EU (e.g., Google Analytics, Meta), data may be transferred to third countries.

In such cases, we use protective measures such as:

  • Standard Contractual Clauses (SCC)

  • Additional technical measures


7. Data retention period

  • Order data: 10 years (legal obligation)

  • User account: until account deletion

  • Marketing consents: until consent withdrawal

  • Technical data: according to cookie policy

After the retention period expires, data is deleted or anonymized.


8. Cookies

The website uses cookies for:

  • basic website functionality

  • analytics and statistics

  • potential marketing purposes

These are small pieces of code that the browser automatically executes, and they are necessary for the adequate display of page content on all devices; without them, using the pages would not be possible.

In addition to standard cookies, we also use Google Analytics cookies that track your behavior on the site. These cookies store information about how visitors use websites. More information about them can be found at http://www.google.com/analytics/learn/privacy.html.

Web cookies can be deleted using your browser settings, and instructions on how to remove them can be found using the “Help” function in your browser or on the browser manufacturer’s websites.


9. Your rights

The user has the following rights:

  • access to data

  • rectification of data

  • erasure (“right to be forgotten”)

  • restriction of processing

  • objection

  • data portability

  • withdrawal of consent

To exercise your rights, contact us at: info@hmboilies.hr

Right to lodge a complaint:
Personal Data Protection Agency (AZOP), Selska 136, Zagreb.


10. Data security

We use technical and organizational measures to protect data from unauthorized access, loss, and misuse.


11. Actions in case of data breach

In case of a personal data breach:

  • we will immediately take all necessary measures

  • we will notify AZOP within 72 hours

  • if there is a risk to the user, we will also notify you


12. Policy amendments

The Policy may be amended due to legal changes or changes in data processing methods. The date of the last amendment will be clearly stated.