Privacy Policy
Privacy Policy
GS Group d.o.o. respects and protects your privacy. Below you will find more detailed information about how we process your personal data.
This Privacy Policy describes how we process data provided or collected through our digital platforms, which allow visitors to access our website and use our services. It has been prepared in accordance with the EU General Data Protection Regulation (GDPR) and applicable local legislation.
GS Group d.o.o. is the owner of the website lalucosmetics.eu and the controller of personal data. This Privacy Policy applies to the following categories of natural persons:
-
buyers,
-
prospective buyers,
-
users of our website,
-
our suppliers and business partners.
We process personal data only for pre-defined, lawful purposes and based on an appropriate legal basis. The purposes and legal bases applied for each group are set out below.
We store personal data only for the period necessary to achieve the processing purpose for which the data were collected. Where processing is based on your consent, we will process your data until you withdraw your consent. Retention periods for individual purposes are specified below.
How are your personal data collected?
We collect data you provide when you request products, services or information, when you log into our websites, participate in public forums or other areas within our digital solutions, when you complete customer surveys, or when you otherwise communicate with us. We also collect data using technologies such as cookies. For more information on cookies, see our Cookie Policy: https://lalucosmetics.eu/pages/gdpr
We process your personal data for different purposes depending on our relationship. The purposes and retention periods are specified in the tables below.
Acting as a buyer
| Purpose of processing | Personal data processed | Legal basis | Retention period |
|---|---|---|---|
| Purchasing on our website | name and surname; delivery address; company/legal entity name (if a legal entity); VAT ID (if a legal entity); email (username); password (encrypted); contact phone number; country of residence | Contract | 5 years from order placement |
| Communication with the buyer regarding the order | name and surname; delivery address; company/legal entity name (if a legal entity); VAT ID (if a legal entity); email (username); password (encrypted); contact phone number; country of residence | Contract | 5 years from order placement |
| Sending newsletters | email address, name and surname | Legitimate interest / Law* | Until withdrawal |
| Sending personalized newsletters using profiling | email address, name and surname, profile information | Consent | Until withdrawal |
| Marketing communication based on profiling | profile information | Consent | Until withdrawal |
| Customer satisfaction surveys | email address, name and surname, survey responses | Legitimate interest (business optimization, relevant offers) | 1 year from survey date |
| Statistical analyses | aggregate, non-identifiable data on purchases, views and other on-site actions | Legitimate interest (business optimization, relevant offers) | 1 year |
| Legal claims, protection of our rights | data depend on the specific claim; data minimization always applies | Legal obligation / Legitimate interest | As required by law |
*If national law requires consent for newsletters, consent will be used; otherwise legitimate interest may apply in line with local rules.
Acting as a website visitor or prospective buyer
| Purpose of processing | Personal data processed | Legal basis | Retention period |
|---|---|---|---|
| Sending newsletters | email address, name and surname | Consent | Until withdrawal |
| Sending personalized newsletters using profiling | email address, name and surname, profile information | Consent | Until withdrawal |
| Marketing communication based on profiling | profile information | Consent | Until withdrawal |
| Communication regarding an enquiry | email or phone number, name and surname | Legitimate interest (effective communication) | 3 months after communication ends |
| Customer satisfaction surveys | email address, name and surname, survey responses | Legitimate interest (business optimization, relevant offers) | 1 year from survey date |
| Statistical analyses | aggregate, non-identifiable data on purchases, views and other on-site actions | Legitimate interest (business optimization, relevant offers) | 1 year |
| Website security | IP address | Legitimate interest (site security, safe shopping) | 1 year |
| Legal claims, protection of our rights | data depend on the specific claim; data minimization always applies | Legal obligation / Legitimate interest | As required by law |
Acting as a supplier
If you act as a supplier, we process your personal data to fulfil our contractual obligations and store them for 5 years from contract performance or the end of our business cooperation. In case of a dispute, we keep your personal data until a final decision by the competent authority.
Profiling
Profiling is the process of collecting and processing a data subject’s personal data to create a profile. It enables us to offer products that are attractive and tailored to your interests. We will use profiling only on the basis of your consent.
GS Group d.o.o. uses the following categories of data for profiling: purchase history and purchased products, purchase location, purchase time.
Sharing of personal data
We do not disclose your personal data to third parties except in the following cases:
-
Affiliates or third parties performing services on our behalf (e.g., responding to your enquiries, deliveries, email services). These companies are prohibited from using your data for purposes other than those required by us or by law (e.g., couriers, email service providers).
-
Internal transfers or third parties to ensure the safety and protection of our customers, to protect our rights and property in accordance with legal procedures, or in other cases where we, in good faith, believe disclosure is required by law (e.g., IT and finance advisors, external legal counsel).
All third parties to whom we disclose your personal data are required to protect them under a separate agreement and may not use them for any purposes other than those specified in the agreement.
Security
The security, integrity and confidentiality of your data are extremely important to us. We implement technical, organizational and physical security measures to protect data from unauthorized access, disclosure, use or modification, including:
-
regular updates of software, hardware and applications;
-
employee training;
-
due diligence and oversight of contracted processors.
We regularly review our security procedures to align with the latest technologies and practices. However, no security measures are perfect and there is always a residual risk.
Your rights
You may exercise your rights by sending a written request to GS Group d.o.o., Habatova ulica 20, SI-1236 Trzin (mark the envelope “personal data protection”) or by emailing info@lalu-brand.com with the subject “Personal data protection”. We will respond within one month, which may be extended by one additional month; if extended, we will inform you within the first month.
Your rights include:
-
Access: request confirmation whether we process your data and obtain access and processing information.
-
Rectification: request correction or completion of incomplete/inaccurate data.
-
Restriction: request restriction of processing (e.g., during verification of accuracy or completeness).
-
Erasure: request deletion (except where retention is required by law or contract).
-
Portability: request transmission of data you provided, in a structured, commonly used, machine-readable format.
-
Withdrawal of consent: withdraw consent at any time for processing based on consent (without negative consequences, though we may no longer be able to provide certain services).
-
Objection: object to processing for direct marketing (including profiling for such marketing) or to disclosures for direct marketing.
When exercising rights, we may request additional information to verify your identity. We may refuse to act only if we can demonstrate we cannot reliably identify you.
If you believe GS Group d.o.o. is breaching personal data obligations, you may lodge a complaint with the Information Commissioner of Slovenia, Dunajska cesta 22, SI-1000 Ljubljana, or via email gp.ip@ip-rs.si. More information: https://www.ip-rs.si.
Please note that we may be unable to provide certain products or services if you do not consent to collection of necessary personal data (e.g., we cannot fulfill delivery without your address).
Updates
This statement may be updated from time to time to reflect new technologies, business practices, legal requirements or other purposes. We will publish the current version of the Privacy Policy on our digital platforms. Please review it regularly. Where required by law, we will obtain your consent before changes take effect.
If you have comments or questions, contact GS Group d.o.o., Habatova ulica 20, SI-1236 Trzin or email info@lalu-brand.com.
GS Group d.o.o. · Habatova ulica 20 · SI-1236 Trzin · Slovenia · info@lalu-brand.com
Registry authority: District Court of Ljubljana · Share capital: €7,500 · IBAN: SI56 6100 0001 7947 966 · VAT ID: SI96440627 · Company reg. no.: 8065632000