PRIVACY POLICY

I. ABOUT THE PRIVACY POLICY

At Vidvana d.o.o., we are aware of the responsibility involved in handling personal data and we respect your privacy. The purpose of this Privacy Policy is to inform visitors to the website https://bistromaha.si/ managed by Vidvana d.o.o. (hereinafter: “Website”), as well as guests who make a reservation at Bistro Maha, about the processing of their personal data.

Vidvana operates in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the “GDPR”, the Personal Data Protection Act (ZVOP-2, Official Gazette of the Republic of Slovenia, No. 163/2022), the Electronic Communications Act (ZEKom-1, Official Gazette of the Republic of Slovenia, No. 109/2012, as amended), and other regulations governing the protection of personal data.

A visitor to the website, by using the website and its subdomains (hereinafter referred to as the “Websites”), and the functionalities they provide (such as subscribing to updates, notifications, and news), acknowledges and accepts this Privacy Policy and confirms that they have read and agree to its terms.

This Privacy Policy may be amended or supplemented at any time without prior notice. By continuing to use the Websites after such changes or additions, the visitor confirms their acceptance of the updated Privacy Policy.

II. DATA CONTROLLER

The Data Controller is Vidvana d.o.o., Slovenska cesta 54, 1000 Ljubljana (hereinafter referred to as: “Controller”, “Provider”, or “Vidvana”). If you have any questions, please contact us by sending an email to: info@maha.si.

III. HOW WE COLLECT YOUR DATA

Your personal data is collected in the following ways:

  • When you visit or use the Websites or provide your personal data through the functionalities offered by the Websites, such as:
  • When you provide it directly to us by phone, email, regular mail, or in person to our staff at the Bistro Maha.

IV. LEGAL BASIS FOR PROCESSING YOUR DATA

Processing Based on Your Voluntary Consent. Certain personal data is collected and processed by the Provider when you give your consent. Consent is provided electronically by clicking the appropriate link on the Websites or by using its functionalities, thereby confirming that you have read this Privacy Policy and agree to the collection and processing of the submitted data. Consent for processing your personal data that is not solely related to the use of the Websites is given by completing the information and consent form, either electronically or in physical form, or in another clear and demonstrable manner.

Processing Based on Legal and Contractual Obligations. Where the provision of personal data is a contractual requirement or a requirement necessary for the conclusion and performance of a contract with the Provider, or a legal obligation, you must provide your personal data. If you do not provide the required personal data, you will not be able to enter into a contract with the Provider, and the Provider will not be able to perform the services or deliver the goods.

Processing Based on Legitimate Interest. The Provider may process personal data on the basis of legitimate interest pursued by the Provider, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual to whom the personal data relates, and which require the protection of personal data. In cases where legitimate interest is applied, the Provider conducts an assessment in accordance with the GDPR.

V. TYPES OF PERSONAL DATA WE PROCESS

Reservation at Bistro Maha

Types of Personal Data Processed

Contact Information: Name, Surname, Email address, Telephone Number.

Information about your communication with the Controller: Date, time, and content of postal or email correspondence, date and location of the reservation, etc.

Other information obtained by the Provider or provided by the individual in connection with the reservation.

Purpose

Reservation at Bistro Maha and the ability to communicate with you regarding the reservation, its modification, and to understand your expectations and preferences related to the reservation.

Legal Basis

Processing is necessary for the performance of a contract or for taking steps prior to entering into a contract – Article 6(1)(b) of the GDPR.

Legitimate interests – Article 6(1)(f) of the GDPR.

Type of Processing

Collection, Storage, Organization, Transmission, Access, Use, Deletion.

Users of Personal Data

The Controller, the Controller’s legal representative, employees of the Controller, or the Controller’s contractual partners involved in managing reservations, as well as companies with which the Controller has concluded a personal data processing agreement.

Receiving updates, notifications, and newsletters

Types of Personal Data Processed

Contact Information: Name, Surname, Email address, Physical address, Telephone Number.

Other Personal Data: Language.

Purpose

Sending e-newsletters, information about promotional activities, event details, educational content, updates, notifications, general offers, or other publications and printed or electronic materials of the Controller and Ustna medicina d.o.o., as well as their affiliated companies and business partners, in the fields of integrative medicine, dental services, and topics related to improving physical balance and vitality.

Participation in any potential prize draws.

Legal Basis

Consent – Article 6(1)(a) of the GDPR.

Type of Processing

Collection, Storage, Organization, Transmission, Access, Use, Deletion.

Users of Personal Data

The Controller and Ustna medicina d.o.o., Slovenska cesta 54, 1000 Ljubljana, as well as companies associated with them, the Controller’s legal representative, employees of the Controller, or contractual partners involved in the distribution of newsletters, etc., and companies with which the Controller has concluded a personal data processing agreement. Companies considered associated with the Controller and/or Ustna medicina d.o.o. include those deemed affiliated in accordance with the provisions of the Companies Act (ZGD-1), as well as companies in which the same person holds the position of shareholder and/or legal representative as in the Controller or in Ustna medicina d.o.o.

Website visit

Types of Personal Data Processed

Data about the user’s interaction with the Controller’s website: IP address, dates and times of visits, pages or URLs visited, time spent on each page, number of pages visited, total time spent on the website, etc.

Purpose

To ensure the proper functioning of the website, maintain network and information security (i.e., enable detection and prevention of unauthorized access that could compromise the availability, integrity, and confidentiality of stored or transmitted personal data), maintain and improve the website, its content, and usability, and perform analytics and website functionalities.

Legal Basis

Legitimate Interests – Article 6(1)(f) of the GDPR.

Type of Processing

Collection, Storage, Structuring, Analysis, Transmission, Access, Deletion.

Users of Personal Data

The Controller, the Controller’s legal representative, employees of the Controller, or contractual partners who manage and ensure the operation of the website, as well as companies with which the Controller has concluded a data processing agreement.

VI. PERIOD OF DATA PROCESSING

The Provider will process your personal data only for as long as necessary to achieve the purpose for which the personal data was collected and further processed (e.g., to ensure that you access and use the Provider’s website, to ensure that you can access specific information available to you, for the Provider’s newsletter distribution, to fulfill the Provider’s contractual obligations and/or your contractual obligations, i.e., for the provision of hospitality services, etc.).

Personal data processed by the Provider on the basis of law will be retained for the period prescribed by law.

Personal data processed by the Provider for the purpose of performing a contractual relationship with an individual will be retained for the period necessary to fulfill the contract and for an additional 5 years after its termination, except in cases where a dispute arises between you and the Provider in connection with the contract; in such cases, the Provider will retain the data for 5 years after the finality of a court or arbitration decision or settlement, or, if no legal dispute occurred, 5 years from the date of amicable resolution of the dispute.

Your personal data collected and processed on the basis of your consent will be retained until you withdraw your consent or until the purpose for which they were collected has been fulfilled. Where processing is based on your consent, you may withdraw it at any time.

After the retention period has expired, the Controller will effectively and permanently delete or anonymize personal data so that it can no longer be linked to a specific individual.

VII. PRIVACY AND PERSONAL DATA PROTECTION

To prevent unauthorized access to or disclosure of the collected data, maintain the accuracy of personal information, and ensure its proper use, we implement appropriate technical and organizational measures to safeguard the data we collect.

We ensure protection through appropriate technical and organizational measures, which include in particular:

  • Adequate security of premises, hardware, system software, and application software;
  • Ensuring the security of transmission and transfer of personal data;
  • Preventing unauthorized persons from accessing computer systems where personal data is processed and from accessing personal data repositories;
  • Pseudonymization and encryption of personal data;
  • Measures to ensure continuous confidentiality, integrity, availability, and resilience of processing systems and services;
  • Measures to enable timely restoration of the availability of personal data in the event of a security incident;
  • Procedures for regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures;
  • Measures that allow determining when specific types of personal data were entered, used, or otherwise processed and by whom;
  • Regular education and training of all employees who process personal data in their work;
  • Careful and deliberate selection of all our contractual processors;
  • Appropriate limitation and monitoring of the collection, access, and processing of personal data;
  • Regular updating and proper upgrading of all computer equipment used to process your personal data;
  • Prompt and effective action in the event of potential security incidents to prevent or limit damage to personal data.

VIII. CONTRACTUAL PROCESSORS OF PERSONAL DATA

As an individual, you acknowledge and agree that the provider may entrust certain tasks related to your data to other parties (contractual processors). Contractual processors may process the entrusted data exclusively on behalf of the provider, within the limits of the provider’s authorization (as defined in a written contract or other legal act) and in accordance with the purposes specified in this Privacy Policy.

The contractual processors with whom the provider cooperates are:

  • The contractual processor responsible for maintaining and hosting the website for the Controller;
  • Providers of data processing and analytics;
  • IT system maintenance providers;
  • Providers of email and SMS messaging services (e.g., InfusionSoft and others);
  • Providers of online advertising solutions (e.g., Google, Facebook).

Contractual processors may process personal data only in accordance with the controller’s instructions and may not use the personal data to pursue any of their own interests.

The provider will not disclose your personal data to any unauthorized third parties.

IX. COOKIES

The website uses cookies. This policy complies with Regulation (EU) 2016/679 (GDPR), Directive 2002/58/EC (ePrivacy), and the Slovenian Electronic Communications Act (ZEKom-2). Cookies are small text files that we and third parties associated with us place on your device (e.g., computer or smartphone) when you visit our website and online interface. These files typically contain a string of alphanumeric characters that allow our servers to recognize your session, properly load the website, and provide you with the requested service (e.g., login).

You can change your cookie settings through the consent tool on the website or through your browser settings (Chrome, Firefox, Safari, Edge). With your consent/permission, which you provide by selecting the options shown to you when you visit the website, we will set additional optional cookies that are not strictly necessary for the functioning of the website, although they may enable additional functionalities. We will not set optional cookies unless you enable them. Optional cookies include: (i) functional cookies, (ii) analytical cookies, (iii) advertising cookies, and (iv) third‑party cookies. We will store optional cookies only with your consent.

For the operation of our website and online interface, we use:

• Strictly necessary cookies – these are essential for the basic functioning of the website and do not require your consent. They are stored in your browser. Without them, the website will not function as intended. Disabling strictly necessary cookies affects the operation of the website. These cookies are exempt from the consent requirement under Article 5(3) of Directive 2002/58/EC (ePrivacy) and do not store personally identifiable information. This category includes, among others, technical cookies of the WordPress CMS and the website theme (session, login, cart, security tokens), as well as the cookie used to store your consent decision.

List of strictly necessary cookies:

| Cookie | Retention | Controller | Purpose |
|---|---|---|---|
| wordpress_* | Session | Bistro Maha | WordPress session cookies: required for login and security. |
| wp_woocommerce_session_* | 2 days | Bistro Maha | WooCommerce: stores cart contents and session data. |
| woocommerce_cart_hash | Session | Bistro Maha | WooCommerce: marker of the cart contents. |
| woocommerce_items_in_cart | Session | Bistro Maha | WooCommerce: number of items in the cart. |
| vbg_consent | 1 year | Bistro Maha | Stores your cookie consent decision. |
| PHPSESSID | Session | Bistro Maha | PHP session cookie: maintains the session while browsing. |
| uncode_privacy[consent_types] | 1 year | Bistro Maha | Uncode theme: stores cookie consent settings. |
| woocommerce_recently_viewed | Session | Bistro Maha | WooCommerce: list of recently viewed products. |
| tk_ai | Session | Bistro Maha | WooCommerce / WordPress: internal session identifier. |
| partnero_session_uuid | 1 year | Partnero | Partnero: session identifier for the partner program. |

• Functional cookies – these enable enhanced functionalities such as live chat and language settings. The legal basis for using these cookies is your consent (Article 6(1)(a) GDPR), which you provide by making the appropriate selection or clicking when the cookie banner appears on the website.

List of functional cookies:

| Cookie | Retention | Controller | Purpose |
|---|---|---|---|
| _GRECAPTCHA | 6 months | Google Ireland Ltd. | Google reCAPTCHA: distinguishes between humans and bots on forms. |
| __stripe_mid | 1 year | Stripe, Inc. | Stripe: device identifier for fraud prevention. |
| intercom-device-id-* | 9 months | Intercom, Inc. | Intercom: device identifier for support chat. |
| ml-traffic-source-* | Session | MailerLite | MailerLite: traffic source for the sign-up form. |
| lp_custom | 1 year | MailerLite | MailerLite: visitor data for personalization. |

• Analytical cookies – these are used to understand how visitors interact with the website (e.g., Google Analytics). The data is anonymised. The legal basis for using these cookies is your consent (Article 6(1)(a) GDPR), which you provide by making the appropriate selection or clicking when the cookie banner appears on the website.

List of analytical cookies:

| Cookie | Retention | Controller | Purpose |
|---|---|---|---|
| _ga | 2 years | Google Ireland Ltd. | Google Analytics: distinguishes unique users of the website. |
| _ga_* | 2 years | Google Ireland Ltd. | Google Analytics GA4: stores session state and measures visits. |
| _hjSessionUser_* | 1 year | Hotjar Ltd. | Hotjar: user identifier for behaviour analytics. |
| FPAU | 3 months | Google Ireland Ltd. | Google: measures conversions of advertising campaigns. |
| sbjs_current | Session | Bistro Maha | SourceBuster: records the current visit source. |
| sbjs_first | Session | Bistro Maha | SourceBuster: records the first visit source. |
| sbjs_* | Session | Bistro Maha | SourceBuster: traffic source analytics (multiple cookies). |

• Advertising cookies – these are used to deliver personalised advertisements based on previously visited pages (e.g., Facebook Pixel, Google Ads). They are set by our advertising partners. The legal basis for using these cookies is your consent (Article 6(1)(a) GDPR), which you provide by making the appropriate selection or clicking when the cookie banner appears on the website.

List of advertising cookies:

| Cookie | Retention | Controller | Purpose |
|---|---|---|---|
| _gcl_au | 3 months | Google Ireland Ltd. | Google Ads: measures the effectiveness of advertising campaigns. |
| _fbp | 3 months | Meta Platforms Ireland Ltd. | Facebook Pixel: browser identifier for advertising and remarketing. |
| _rdt_uuid | 3 months | Reddit, Inc. | Reddit Pixel: identifier for measuring advertising conversions. |
| _rdt_em | 1 year | Reddit, Inc. | Reddit Pixel: encrypted email address for audience matching. |
| _rdt_pn | 1 year | Reddit, Inc. | Reddit Pixel: encrypted telephone number for audience matching. |
| _uetvid | 13 months | Microsoft Ireland Operations Ltd. | Microsoft UET (Bing Ads): identifier for measuring conversions. |
| _adroll_fpc | 1 year | AdRoll, Inc. | AdRoll: identifier for retargeting ads. |

• Third‑party cookies. With your consent, we will store third‑party cookies. On this website, they are set by the following data controllers:
o Google Ireland Ltd. — https://policies.google.com/privacy
o Trustindex Zrt. — https://trustindex.io/privacy-policy/

X. CHANGE OF PERSONAL DATA AND INDIVIDUAL RIGHTS REGARDING THEIR PERSONAL DATA

If your personal data changes (postal code, email address, physical address, telephone number), please notify us of the changes at info@maha.si. Individuals who wish to unsubscribe from newsletters should also inform us at info@maha.si.

You are hereby informed that you have the following rights regarding your personal data: The right of access to personal data, rectification, deletion, or restriction of processing. You also have the right to object to processing and the right to data portability. You may submit a request to exercise these rights electronically, by mail, or in person. Each request will be handled in accordance with the provisions of the GDPR.

We specifically inform you that you may withdraw your consent for the processing of any personal data that Vidvana processes based on your consent at any time.

To exercise the above-mentioned rights or to submit any complaints, please contact the Controller, Vidvana d.o.o. at Slovenska cesta 54, 1000 Ljubljana, or via email at: info@maha.si. We also inform you that if you believe that regulations governing personal data protection have been violated, you have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec Republike Slovenije), Dunajska cesta 22, 1000 Ljubljana. On the Information Commissioner’s website, you can submit a report regarding violations of personal data protection legislation using the provided form.