Privacy policy


 

1. INTRODUCTORY PROVISIONS

1.1. By means of this Privacy Policy (hereinafter: the Policy), the company Studioteka d.o.o., Personal Identification Number (OIB): 80986001318, with its registered seat at Ulica Radoslava Lopašića 12A, 10000 Zagreb, Republic of Croatia (hereinafter: the Company), lays down the rules, conditions and methods for the collection, processing and protection of personal data of users of its services and visitors of the official website available at https://cherrycargo.eu/ (hereinafter: the Website).

1.2. The Company acts as the data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR), the Croatian Act on the Implementation of the General Data Protection Regulation (Official Gazette No. 42/2018), and other applicable regulations of the Republic of Croatia.

1.3. By using the Website, registering a user account, purchasing products through the Website or otherwise providing personal data to the Company, users confirm that they are familiar with this Policy and agree to the conditions for processing their personal data in accordance with this Policy, except where separate consent is required for certain processing activities.

1.4. This Policy forms an integral part of the Website’s terms of use and terms of purchase and applies to all contractual and non-contractual relationships between the Company and users insofar as they relate to the processing of personal data.


2. DATA CONTROLLER AND CONTACT INFORMATION

2.1. The data controller is:

Company name: Studioteka d.o.o.
Address: Ulica Radoslava Lopašića 12A, 10000 Zagreb, Republic of Croatia
Phone: +385 91 584 4972
E-mail: info@cherrycargo.eu
Website: https://cherrycargo.eu/

2.2. All inquiries, requests or complaints regarding the processing of personal data may be addressed to the above contact information.


3. PURPOSE AND LEGAL BASIS FOR PERSONAL DATA PROCESSING

3.1. The Company collects and processes users’ personal data for the purpose of concluding and performing sales contracts, processing orders, delivering products, communicating with users, handling complaints, managing user accounts, issuing invoices, and fulfilling other legal obligations of the Company.

3.2. Users’ personal data may also be processed to protect the Company’s legitimate interests, including the prevention of misuse, protection of information and communication infrastructure, improvement of services, and conducting statistical analyses to better understand users’ needs.

3.3. In cases where certain processing requires users’ consent (e.g. receiving newsletters, marketing messages or participating in surveys and prize draws), the Company shall process personal data exclusively on the basis of explicit consent.

3.4. The legal bases for personal data processing include:

a) performance of a contract or taking steps at the request of the user prior to entering into a contract;

b) compliance with legal obligations of the Company;

c) legitimate interests of the Company;

d) consent of the user where required.


4. TYPES OF PERSONAL DATA PROCESSED

4.1. Within the scope of its activities and for the purposes specified in this Policy, the Company collects and processes only personal data that are necessary to achieve the lawful purposes of processing and which are adequate, relevant and limited to what is necessary in accordance with the principle of data minimisation.

4.2. Depending on the type of service and the purpose of processing, the Company collects and processes the following categories of personal data:

a) Identification data: full name, Personal Identification Number (OIB);

b) Contact data: residence address, delivery address, telephone number, e-mail address;

c) Order and purchase data: information on products, quantities, transactions and complaints;

d) Payment data: credit/debit card information, transaction numbers;

e) Copies of personal documents where necessary (e.g. for customs or security procedures);

f) Technical data: IP address, cookies, device identifiers, access logs, in accordance with the Cookie Policy;

g) Other information voluntarily provided by users in communication with the Company.

4.3. The Company undertakes not to collect or process special categories of personal data unless such processing is explicitly permitted by law or based on the data subject’s explicit consent.

4.4. In cases where data concerning children under the age of 16 are collected, the Company shall act in accordance with applicable regulations and, where required, shall obtain the consent of a parent or legal guardian.

4.5. All personal data are collected directly from users or through their use of the Website, unless data are collected indirectly through authorised partners and within the scope of performing contractual obligations.

4.6. Our Website uses technical cookies which are strictly necessary cookies that cannot be disabled and are required for the operation of the Website. For such cookies, it is not necessary to obtain your consent. All information on how we process your personal data through cookies is available at: https://cherrycargo.eu/policies/cookies-policy


5. RECIPIENTS AND CATEGORIES OF RECIPIENTS

5.1. The Company processes users’ personal data independently, through its authorised employees and contractual partners, in strict compliance with the principles of confidentiality and access limitation solely to data necessary for the performance of specific tasks.

5.2. Users’ personal data, to the extent necessary for the fulfilment of the Company’s contractual obligations towards the user or compliance with legal obligations, may be disclosed to the following categories of recipients:

5.2.1. Hosting and technical infrastructure provider

• Users’ data are stored and processed via the Shopify Inc. platform, 151 O’Connor Street, Ground Floor, Ottawa, ON, Canada, K2P 2L8, which provides the Company with secure and stable operation of the Website and online store. Shopify provides technical support for transaction processing, order data storage, user account management and other functionalities necessary for the performance of sales contracts.

5.2.2. Delivery and logistics service providers

• Users’ data, including full name, delivery address and contact phone number, may be shared with the Company’s contractual partners providing transportation and delivery services for ordered products to the specified address. These recipients process the data exclusively for the purpose of delivery and informing the user about the shipment status.

5.2.3. Customs authorities and customs brokerage companies

• In the case of orders subject to customs control or export procedures, users’ personal data may be provided to the competent customs authorities or authorised customs brokerage companies to the extent necessary to fulfil customs obligations and ensure lawful import or export of goods.

5.2.4. Accounting and financial service providers

• Data relating to invoicing, bookkeeping and tax reporting may be disclosed to an authorised accounting service provider or authorised tax advisor with whom the Company has concluded a confidentiality and data processing agreement.

5.2.5. IT support and system maintenance

• To the extent technically necessary to resolve Website malfunctions or improve security features, certain data may be available to contractual IT service providers who, on behalf of and under the instructions of the Company, provide system maintenance, updates and IT system development services.

5.3. All recipients of personal data referred to in Article 5.2. of this Policy are obliged to process users’ personal data in accordance with the agreement with the Company, applicable data protection regulations and to implement appropriate technical and organisational measures to ensure the confidentiality and security of the data.

5.4. The Company does not sell, rent or exchange users’ personal data with third parties for marketing or commercial purposes not explicitly specified in this Policy.


6. DATA TRANSFER TO THIRD COUNTRIES

6.1. In the context of using the Shopify technical platform, the Company may transfer certain users’ personal data to servers located outside the European Economic Area (EEA), including Canada and the United States.

6.2. Shopify Inc. participates in data transfer programs that ensure the application of appropriate safeguards in accordance with the GDPR. In cases where no adequacy decision of the European Commission exists, Shopify and the Company apply Standard Contractual Clauses which serve as the legal basis for lawful data transfers to third countries.

6.3. The transfer of personal data to third countries is carried out solely to the extent necessary for the performance of hosting services, data storage, order processing and technical support for the Website.

6.4. Users acknowledge that in the event of data transfers to third countries, a different level of protection may apply compared to the Republic of Croatia and EEA member states, but the Company ensures that such transfers are always protected by appropriate contractual and technical safeguards.

6.5. Detailed information on international data transfers may be requested by submitting a written request to the contact information provided in Article 2 of this Policy.


7. RETENTION PERIODS FOR PERSONAL DATA

7.1. The Company collects and processes users’ personal data to the extent and for the duration necessary to achieve the specific purpose of processing, observing the storage limitation principle as laid down in the GDPR.

7.2. Retention periods for personal data are determined according to the type of legal relationship and the purpose of processing, as follows:

7.2.1. Data collected for the purpose of concluding and performing a sales contract, including data on identity, address, orders, delivery and communication related to contract performance, and for potential court disputes as well as statistics, are retained for up to five (5) years from the date of performance of the contract, or longer if a dispute is initiated or if otherwise required by applicable law.

7.2.2. Data collected for compliance with legal obligations, especially regarding bookkeeping, issuing and archiving invoices, and compliance with tax and other financial regulations, are retained for at least eleven (11) years from the end of the fiscal year to which they relate.

7.2.3. Data processed in connection with employment, including data on employees and job applicants, are retained for up to six years or longer, until the conclusion of a dispute if the Company as employer is aware that one has been initiated or if otherwise required by applicable law.

7.2.4. Data collected based on users’ consent, for example for the purpose of sending newsletters, promotional offers and information, are retained until the consent is withdrawn, unless a longer retention period is prescribed by specific regulations.

7.3. Upon expiry of the retention period, personal data are deleted, anonymised or otherwise irreversibly destroyed, in accordance with applicable security standards and the Company’s internal policies.

7.4. The Company regularly reviews the accuracy and relevance of stored personal data and takes all reasonable measures to ensure that data no longer necessary for the purpose of processing are not processed or retained longer than permitted by law.


8. USERS’ RIGHTS AS DATA SUBJECTS

8.1. Right of access

The user has the right to access their personal data processed by the Company and may request detailed information, in particular on the purpose of processing, the type/categories of personal data being processed including access to their personal data, the recipients or categories of recipients, and the envisaged storage period for the personal data. Access to personal data may be restricted only in cases prescribed by Union law or the national legislation of the Republic of Croatia, or where such restriction respects the essence of the fundamental rights and freedoms of others.

8.2. Right to rectification

The user has the right to request the rectification or completion of personal data if the data being processed are inaccurate, incomplete or not up to date. For this purpose, the user shall submit a request to the Company specifying what exactly is inaccurate, incomplete or outdated and how it should be corrected.

8.3. Right to erasure (right to be forgotten)

The user has the right to request the erasure of personal data relating to them if one of the following grounds applies: the personal data are no longer necessary in relation to the purpose for which they were collected or otherwise processed; the user withdraws consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR and where there is no other legal ground for the processing; the user objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing; the personal data have been unlawfully processed; the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject; the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

8.4. Right to restriction of processing

The user has the right to obtain restriction of processing if they contest the accuracy of the personal data; if the processing is unlawful and they oppose the erasure of the data; if the Company no longer needs the personal data but the user requires them for the establishment, exercise or defence of legal claims; or if the user has objected to processing of their personal data.

8.5. Right to object

If personal data are processed on the basis of legitimate interest or for direct marketing purposes, the user may object to such processing.

8.6. Right to data portability

The user has the right to receive the personal data concerning them, which they have provided to the Company, in a structured, commonly used and machine-readable format. The user has the right to transmit those data to another controller without hindrance from the Company to which the personal data have been provided, where the processing is carried out by automated means and is based on consent or on a contract.

8.7. The aforementioned rights do not apply insofar as processing is necessary: for exercising the right to freedom of expression and information; for compliance with a legal obligation which requires processing under Union or Member State law to which the Company is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR insofar as the exercise of the rights is likely to render impossible or seriously impair the achievement of the objectives of that processing; or for the establishment, exercise or defence of legal claims.


9. SECURITY AND PROTECTION OF PERSONAL DATA

9.1. The Company implements appropriate technical and organisational measures to ensure an appropriate level of security for personal data, including protection against unauthorised or unlawful access, loss, destruction or damage.

9.2. The measures include, but are not limited to:

a) Restricting access to personal data to authorised persons only;

b) Using up-to-date security technologies and tools;

c) Regularly updating and maintaining IT systems;

d) Training employees on data protection principles.

9.3. In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of users, the Company shall, without undue delay, notify the competent supervisory authority (the Croatian Personal Data Protection Agency) and, where applicable, the users themselves, in accordance with Articles 33 and 34 of the GDPR.

9.4. The notification to users shall include a description of the nature of the breach, the possible consequences, the measures taken or planned by the Company, and recommendations for mitigating potential adverse effects.


10. RIGHT TO COMPLAINT AND JUDICIAL REMEDY

10.1. The user has the right to lodge a complaint with the Company as the data controller at any time if they believe that the Company is processing their personal data contrary to this Policy or the applicable data protection regulations.

10.2. A complaint may be submitted:

  • in writing to the Company’s registered address: Studioteka d.o.o., Ulica Radoslava Lopašića 12A, 10000 Zagreb, Croatia;
  • by e-mail to the official address: info@cherrycargo.eu;
  • by phone at: +385 91 584 4972, with subsequent written confirmation for record purposes.

10.3. Upon receipt of a complaint, the Company shall, without undue delay and at the latest within 30 days of receipt, notify the user in writing of the actions taken or the reasons for not acting on the complaint.

10.4. In the case of complex or numerous complaints, the time limit may be extended by an additional two months, of which the Company shall timely inform the user, stating the reasons for the extension.

10.5. It is recommended that the user first submits a complaint to the Company before contacting the Croatian Personal Data Protection Agency or initiating court proceedings, but irrespective of this, it is emphasised that the user has the right to lodge a complaint with the competent supervisory authority at any time if they believe that the processing of their personal data by the Company does not comply with applicable data protection regulations.

The competent supervisory authority in the Republic of Croatia is:

Croatian Personal Data Protection Agency (AZOP)
Selska cesta 136, 10000 Zagreb, Republic of Croatia
E-mail: azop@azop.hr
Website: www.azop.hr

10.6. Lodging a complaint with the supervisory authority does not affect the user’s right to an effective judicial remedy if they believe their rights have been infringed by the processing of personal data.


11. FINAL PROVISIONS

11.1. This Privacy Policy enters into force on the date of its publication on the Company’s official website https://cherrycargo.eu/ and is available to all users at any time.

11.2. The Company reserves the right to amend and/or supplement this Policy at any time, in particular for the purpose of compliance with applicable regulations, decisions of competent authorities, or changes in business processes and technical solutions.

11.3. Any amendments or supplements to this Policy shall be timely published on the Company’s official website, clearly indicating the date of entry into force of the changes.

11.4. In the event of significant changes relating to the method or purpose of personal data processing, the Company shall inform users thereof via the official website and/or by e-mail, if technically feasible and applicable.

11.5. Users are advised to regularly review this Policy to stay informed about how the Company collects, processes and protects personal data.

11.6. This Policy is drafted in the Croatian language. In the event of translation into other languages, in case of any differences in interpretation, the version in the Croatian language shall prevail.

11.7. In the event of any questions, comments or requests regarding the application of this Policy, users may contact the Company using the contact details provided in Articles 2 and 10 of this Policy.

 

PRIVACY POLICY – Studioteka d.o.o. (Cherrycargo.eu)
Date of publication: October 1st, 2025.