The purpose of this privacy policy (hereinafter: policy) is to communicate the purpose and legal basis for the processing of personal data by eHorti to the customers and visitors of eHorti websites. eHorti, podjetje za proizvodnjo, trgovino in storitve d.o.o., Zvezda 18, 1210 Ljubljana – Šentvid, SLOVENIA, (hereinafter: eHorti or the company or provider or personal data controller) ensure the protection of your personal data and guarantees safety throughout the business interaction.

At eHorti, we value your privacy and will always diligently protect your data. This privacy policy may be changed, modified or updated at any time, with no prior warning or notification. By using the provider’s website, the user confirms she or he agrees with the changes and modifications.

All our online activities, connected to the collection and processing of data are in accordance with European legislation (Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (The EU General Data Protection Regulation (GDPR)) and Treaty Conventions ETS 108, ETS 181, ETS 185, ETS 189) and national legislation of the Republic of Slovenia (Personal Data Protection Act (ZVOP-1, Ur. l. RS, no. 94/07), Electronic Commerce Market Act (ZEPT, Ur. l. RS, no. 96/09 in 19/15) etc.). The privacy policy covers the handling of personal information that the provider receives whenever you visit or use a eHorti website or is shared in another way.

Controller and authorised person for data protection

The personal data controller is the company eHorti, podjetje za proizvodnjo, trgovino in storitve d.o.o., Zvezda 18, 1210 Ljubljana – Šentvid, SLOVENIA. If you have any questions regarding the use of this policy or in connection with the exercising of your rights under this policy, please contact us via

Basic concepts

Personal data or personal information is all information by which an individual can be identified (such as name, surname, e-mail address, telephone number, etc.). The controller is a legal entity that determines the purposes and means of processing personal data. The processor is a legal or private individual who processes personal data on behalf of the controller. Processing is the collection, storage, access and all other forms of use of personal data. EEA is the European Economic Area, which consists of all members of the European Union, Iceland, Norway and Lichtenstein.

Personal data

Personal data is information identifying an individual, directly or indirectly, through identifiers like name, ID number, location, or factors related to physical, physiological, genetic, mental, economic, cultural, or social identity. The provider, per this policy, collects the following personal data for specified purposes:

  • Basic user information (name, address, date of birth) for purchases.
  • Contact details and communication history (email, phone, date, time, content).
  • Purchase history and invoicing data.
  • Website usage information (visit times, pages visited, settings modifications).
  • User interaction with messages (email, SMS) from the provider.
  • other data that the user voluntarily provides to the controller when they are required for specific services.

The controller does not collect personal data unless you enable it or consent to it, for example, when ordering products or services, subscribing to an e-mail newsletter, taking part in a prize game, etc., or when there is a legal basis or a legal interest by the controller for data processing. One of the ways the controller collects your personal data is with the use of cookies. You can read more about the use of cookies here. The controller only collects the data that is relevant and necessary for the fulfilment of the purposes for which the data is processed. The period of data for which the provider stores collected data is further defined in the chapter “Storing personal data” of this Policy.

The legal basis for data processing

The provider collects and processes your personal data based on the following legal grounds:

  • Law-based processing
  • Contract-based processing
  • Processing based on the individual’s consent
  • Processing on the basis of legitimate interest

Contract-based processing

Information is collected when it is necessary for entering into, executing and fulfilling contractual obligations. In this case, providing personal information is voluntary. If you choose to not provide the company with the necessary personal data, you cannot enter into a contract with them, nor can the company provide the services or supply of products, as the company lacks the information necessary to fulfil the contract.

Processing based on the individual’s consent

Data is processed only with your explicit consent. When processing is subject to consent, we will first make sure that you have all the necessary information needed for making a decision. You can withdraw your consent at any time. If you withdraw consent, the company may not be able to provide you with their services or products.

Processing on the grounds of legitimate interest

The provider can process data on the grounds of legitimate interest for which the provider is striving, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. When using legitimate interest, the provider always makes a judgement in accordance with the General regulation on data processing. When processing data on the grounds of legitimate interest, the user has the right to object to the data processing. You can read more about your rights below.

Law-based processing

We process your personal information when we are required to do so by the law that binds us (for example, tax law mandates the retention of invoices). We process the needed information in accordance with the requirements of the law.

The purpose of data processing

The company collects and processes data for the following purposes:

Purpose of data processing Detailed explanation
Communication regarding services or responding to requests Notices to users, responses, resolving complaints, completing satisfaction surveys, etc. Processing is carried out on the basis of a legitimate interest in ensuring effective communication and successful transactions.
Entering agreements and the execution of obligations based on the contract Entering and executing the contract with the provider, including the provider’s fulfilment of your orders (supply of products and provision of services), communication with you, verification of your payments and fulfilment of other obligations of the provider and/or your obligations. We process personal information on a contractual basis and a pre-contractual relationship. In the event that you do not provide us with all the information necessary for the execution of the contractual obligations, we reserve the right to suspend or cancel the order.
Directly informing customers of special offers, discounts and other content via email or SMS. At eHorti d.o.o. Pursuant to ZEKom-1 (Electronic Communications Act of the Republic of Slovenia, implemented pursuant to Directive 2002/58 / EC of the European Parliament and of the Council of 12 July 2002), we inform our customers of our products, services and contents. You may at any time request the discontinuation of such communication and processing of personal data (right of objection). You may terminate such communication at any time via the unsubscribe link in the inbox, or by a written request to the e-mail address In this case, we process your information based on law.
Direct contact about special offers and other content via e-mail Based on your consent, we will notify you of your products, services, discounts and content via e-mail. You may at any time request the discontinuation of such communication and processing of personal data by withdrawing consent. You can withdraw your consent at any time by a written request to the e-mail address
Direct contact about special offers and other content via phone calls and regular mail Based on customer consent, we also periodically inform customers about our products, services, discounts and content by regular mail. You may at any time request the discontinuation of such communication and processing of personal data by withdrawing consent. You can withdraw your consent at any time by a written request to the e-mail address
General statistical processing of data about buyers and their orders and potential buyers (contacts) for the purposes of internal analyses of sales, repeated purchases, aggregate buyers’ behaviour, advertising and business optimisation At eHorti d.o.o. company we conduct general statistical processing of data about buyers and their orders, as well as potential buyers (contacts). Based on this processing we conduct internal analyses of sales, repeated purchases and aggregate buyers’ behaviour and monitor and optimise our business efficiency and optimise our advertising, e.g.:
  • monitoring sales through our sales channels (internet, stores, call centre),
  • monitoring the number of buyers who make repeated purchases, the time span and the value of the purchases,
  • monitoring general statistical sales data like average shopping cart value, number of products per order and similar,
  • monitoring responses to e-mail, SMS, phone calls and various advertising messages (TV, radio and online advertising) in order to optimise advertising (decisions about what, where, to whom and how we advertise)
This type of statistical monitoring allows us to optimise our business and advertising in general and allows us to offer affordable products and services to users. This processing of personal data is based on the legitimate interest of the company to provide quality services and products to users.
Access to your past purchases and other data by eHorti call centre and stores consultants with the purpose of providing better services and offers When you place a call to our call centre (or our outbound call to you) or if you visit our store (if and when you independently identify yourself), our consultants will have access to your stored personal data and purchase history, based on which they will be able to provide better services and more relevant offers. This data processing is based on a legitimate interest of the company. If you do not want this data to be collected, you can stop this type of data processing at any time by sending us a written request to our e-mail address
Processing data about unclaimed remote orders with the purpose of fraud prevention At eHorti d.o.o. company, we process data about sent and unclaimed remote orders based on our legitimate interest. By doing so, we determine if and which buyers disproportionately remotely order products with payment on delivery option and then do not claim these products, causing us business damage, which we wish to prevent. When we identify such buyers, we disable payment on delivery option for them, but they can still order products with immediate advance payment by pay cards or PayPal.
Automated e-mail communication with the user based on her or his start of the online purchase process At eHorti d.o.o. company, based on our legal interest, we occasionally send reminder e-mails to potential buyers that have put products into their shopping cart but never completed the purchase, with the purpose of reminding them to complete the purchase or offering them help or information in regards to doing so. You can stop this type of data processing at any time by either sending us a written request to our e-mail address
Basic customised communication (through e-mail, SMS, phone calls, mail, browser notifications, information at websites, social networks), with discounts, orders and content. Within the basic customised communication (through e-mail, SMS, phone calls, mail, information at websites, social networks) we try to present relevant offers, discounts and other content that might be of interest to you, based on your past interactions with us. For this, we use the following data about you:
  • demographic data (gender, age)
  • history of purchases (products purchased, number of purchases),
  • simple processing of your behaviour at eHorti websites (viewing individual products or content that may trigger sending of customised messages), without the use of these data for user profiling
During this process we do not use any type of automated or semi-automated profiling, we only collect suitable user sets for individual messages. We never focus on individual user’s data, we only conduct aggregate processing of large groups. What messages you get from us is dependent on this data. You can stop this type of data processing at any time, either by clicking the unsubscribe link in received messages, by written request sent to this e-mail address
Using the Facebook Custom Audiences advertising tool We at eHorti d. o. o. use the Facebook Custom Audiences service. We use it based on the acquired agreement to communicate through customised offers and content based on the user’s profile. The service functions in the following way:
  1. We upload the e-mail address that we acquired from you through your purchase or you provided it voluntarily, to Facebook.
  2. Facebook conducts a comparison between your e-mail address and its user database and determines whether you are a Facebook user.
  3. If you are not a Facebook user, then nothing further is done with your e-mail address and Facebook conducts no activities with it.
  4. If you are a Facebook user, Facebook will add you to a newly created list of custom audiences that will allow us, and only us, to show this group of users customised advertisements on Facebook.
  5. Based on this, we can show you ads that are more targeted and customised to you, as well as extra discounts.
This type of data processing can be stopped at any time by either sending us a written request to our e-mail address
Use of an online account and access to GDPR information We process your personal data in order to provide access to your user account, which allows you to access your personal information and regulate the consent given. You can also access past order information. We process personal information on the basis of legitimate interest.
Communicating custom offers and content based on your user profile Based on consent, the provider can personalise the communication which is carried out through various communication channels (e-mail, phone calls, mail, browser notifications, website information, social networks). We want to present you with the best possible offers and content tailored to your needs, which is why we use your profile as the basis for personalised communication. We may use the following information for this purpose:
  • Demographics (gender, date of birth, age, address)
  • Purchase history (products, purchase time, number of purchases)
  • Answers in questionnaires on eHorti websites
  • Behaviour on eHorti websites (views of products or content, adding products to the shopping cart, online transactions)
  • Your responses to the messages we send you (opening messages, clicking on links, buying)
Based on this user profile, it may then affect the content and offers you receive from us:
  • Presenting products and content that will be of maximum interest to you
  • What offers you receive (eHorti customers with more purchases or more frequent purchases can get better deals)
  • How often we send you messages and through what channels
If you wish to revoke your consent at any point, you can terminate this data processing at any time via the unsubscribe link in your inbox or by sending a written request to
Legal claims, rights protection and dispute resolution Data collection for the stated reason occurs in accordance with the law.
Legal obligations We collect your information in order to fulfil our legal obligations, e.g. saving invoices for tax purposes. We process your data only to the extent necessary to comply with legislation.

Storing personal data

The provider will store your personal data only for the time necessary to realise the purpose for which the personal data was collected and further processed. The personal data that are being processed on a legal basis the provider stores for the time period defined by law.

The personal data that are being processed based on a contract with the individual, the provider stores for the duration of the contract and 5 years after its expiration, unless there has been a dispute about the contract between the user and the provider. In this case, the provider stores data for 5 years after the finality of the court or arbitrary ruling or settlement or, if there was no judicial dispute, 5 years from the day of an amicable settlement. The provider stores the data that are processed based on personal consent, until the revocation of such consent from the user. The provider deletes these data before objection only when the purpose of storing data had already been fulfilled. After the end of the period of personal data being stored, the controller effectively and permanently erases or anonymises the personal data so that they cannot be linked to an individual.

Detailed overview of the deadlines for data storing are listed in the table below:

Purpose of data processing Time period of data being stored
Communication regarding our services or responding to requests 6 months from the end of the communication
Conclusion and fulfilment of obligations arising from entering a contract 5 years from the execution of the contract
Directly notifying customers about special offers, discounts and other content via e-mail or SMS Until revoked
Directly notifying customers about special offers, discounts and other content by phone or regular mail Until revoked
Access to past orders and other information by customer support consultants in order to provide a better service Until revoked
Processing data on undelivered parcels with the purpose of fraud prevention 5 years from the start of processing
Automated e-mail communication with the user based on the beginning of the online buying process Until revoked
Basic personalised communication (e-mail, SMS, phone calls, mail, browser notifications, website information, social networks) with personalised offers and content Until revoked
Facebook Custom Audiences Advertising Tool Until revoked
Using an online account Until revoked
Access to specific information on the website Until revoked
Personalised e-magazines Until revoked
Market communication using user profiles Until revoked

Contractual processing of personal data

The provider may entrust some tasks related to the processing of personal data to others (contractual processors). Contractual processors may process confidential data exclusively in the name of the provider, within limits of the provider’s mandate (a written contract or other legal act) and according to purposes as defined in this privacy policy. Contractual processors that the controller transmits personal data are:

  • an accounting service, law firms and other providers of legal counsel;
  • providers of data processing and analytics;
  • maintenance of IT systems,
  • e-mail marketing services (e.g. MailChimp);
  • providers of payment systems (e.g. PayPal, Klarna, Sofort, Multibanco, dotPay and others);
  • providers of systems for managing customer relations (e.g. Microsoft);
  • providers of solutions for online advertising (e.g. Google, Facebook)

The provider will not forward your personal information to third unauthorised parties. Contractual processors can only process personal data within the framework of the controller’s instructions and must not use it to pursue any interests of their own. The controller and recipients of personal data do not transmit personal data to third countries (outside of member countries of the European economic area – members of EU and Iceland, Norway and Liechtenstein) and to international organisations, except the USA – all contractual processors in the USA are in the Privacy Shield programme.

Freedom of choice

You are in control of any information you give out about yourself. If you decide you do not wish to share your data, we may not be able to provide you with certain services. Individuals that wish to unsubscribe from the e-newsletter, please notify us through our e-mail address If there are any changes to your personal information (zip code, e-mail address, physical address, phone number), please notify us through our e-mail address

Automatically recorded information (non-personal information)

Whenever you visit our website, the general, non-personal information (browser users, number of visits, the average duration of the visit, pages visited) are being automatically recorded (not as a part of registration). This information is used to measure the attractiveness of our website and to improve the content and usability. Your information is not subject to further examination and is not disclosed to a third party.


Cookies are small pieces of data that are temporarily stored on your hard drive that allow our website to recognize your computer the next time you visit the website. The provider uses cookies only to gather information concerning the use of the website and to optimise online advertising activities. Advertising cookies monitor the individual’s usage of the provider’s website unless the individual does not agree to website cookie use. You can read more about cookies and how they’re used here.


The provider is strongly committed to ensuring personal data security. Your data is, at all times, protected from loss, destruction, falsification, manipulation and unauthorised access and unauthorised disclosure. In order to protect personal data, we take organisational and technical measures, such as:

  • Employee education
  • Supervision of employees and regular reviews of individual employees
  • Careful selections and overview of contractors
  • A backup of electronically stored data
  • Regular maintenance and updating of technical equipment
  • Adopting appropriate internal policies and instructions for the protection of personal data

Consent of a minor in relation to the services of the information society

Minors under 16 years of age should not transmit any personal data to websites without the permission (consent or approval) of a parent or a legal guardian. The provider will never knowingly collect personal information from minors (under 16 years of age) or in any way use or disclose them to an unauthorised third party without their parent’s or legal guardian’s permission. The above does not affect the general law of contract of member states, like regulations about validity, drawing up or effects of the contract regarding minors. Bearing in mind the available technology, the provider will show reasonable efforts to verify that a parent of a legal guardian gave or approved consent.

Rights of the individual regarding data processing

If you have any questions about our privacy policy or processing in regards to your personal data, you can contact us. Write to us at Based on your request, we will notify you about the requested information or fulfil your request (in accordance with applicable legislation).

As an individual, you have the following rights regarding fair and transparent processing, based on regulation: The right to withdraw consent: if you have, as an individual, consented to the processing of personal data (for one or more purposes), you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Consent can be withdrawn through a written statement that is sent to the provider to one of the contacts at the provider’s website Withdrawal of consent for personal data processing has no negative consequences or sanctions for the individual. However, it is possible that the controller may not be able to offer one or more of its services after the withdrawal of consent if those services cannot be performed without personal data (e.g. the benefit club or customised communication).

The right to access personal data: as an individual, you have the right to obtain from confirmation from the provider (processor of personal data) as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing, the categories of personal data concerned, its users, the period for which the personal data will be stored, or the criteria used to determine that period, the right to request rectification or erasure of personal data or restriction of or objection to processing of personal data, the right to lodge a complaint with a supervisory authority, the source of the data if the data were not collected from you, the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you, in accordance to Article 15 of GDPR.

The right to rectify personal data: as an individual, you have the right to obtain from the provider without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement; The right to deletion of personal data (“the right to be forgotten”): you have the right to obtain from the provider without undue delay the deletion of your personal data when one of the below reason exists: (a) the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, (b) you have withdrawn your consent, and there is no legal basis for further processing, (c) you have objected to the processing of your personal data, and there are no overriding legitimate grounds for the processing, (d) your personal data have been unlawfully processed, (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the provider is subject, (f) the personal data has been collected in relation to the offer of an information society. As an individual under certain circumstances, as defined in Article 17, paragraph 3, you do not have the right to data deletion;

The right to restriction of processing: as an individual, you have the right to obtain from the provider restriction of processing where one of the following applies: (a) you contest the accuracy of the personal data for a period enabling the provider to verify the accuracy of the personal data, (b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead, (c) the provider no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, (d) you have objected to processing pending the verification whether the legitimate grounds of the provider override yours;

The right to data portability: you have the right to receive the personal data concerning you, which you have provided to the provider, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the provider to which the personal data have been provided, where: (a) the processing is based on consent or on a contract; and (b) the processing is carried out by automated means. In exercising your right to data portability, you have the right to have your personal data transmitted directly from one controller (provider) to another, where technically feasible;

The right to object to data processing: as an individual, You can object to the processing of your personal data on various grounds. This includes situations where processing is necessary for public interest or official authority, for the legitimate interests of the provider or a third party, or for direct marketing purposes. The provider must cease processing unless they demonstrate compelling legitimate grounds that override your interests, rights, and freedoms or for legal claims. If your data is processed for direct marketing, including profiling, you can object, and the data must no longer be processed for such purposes. In cases of data processing for scientific, historical, or statistical purposes, you can object unless it’s necessary for a task in the public interest;

The right to lodge a complaint with a supervisory authority: without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes data protection regulations. Without prejudice to any other administrative or non-judicial remedy, you have the right to an effective judicial remedy, against a legally binding decision of a supervisory authority concerning it, as well as where the supervisory authority which is competent does not handle a complaint or does not inform you within three months on the progress or outcome of the complaint lodged.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established. The individual may address all her or his requests regarding personal data in written form to the provider, through one of the contacts at the website In order to ensure reliable identification in case of a user exercising his or her rights regarding personal data, the provider may request additional data from the user and shall not refuse to act on the request of the individual, unless the provider demonstrates that it is not in a position to identify the user. The provider must, by user’s request to exercise his or her rights in regards to data processing, provide information without undue delay and in any event within one month of receipt of the request.

Notifying the supervisory authority of personal data breach

In a personal data breach, the provider must promptly notify the supervisory authority unless it can prove the breach poses no risk to individuals’ rights and freedoms. If there’s suspicion of a crime, the provider must inform the police and/or prosecutor. If the breach is likely to significantly impact individuals, the provider must notify them immediately or, if not possible, without undue delay, using clear and understandable language.

Social media access

Through our website, you can access the following web pages, which the provider utilizes in their work:

  • Facebook
  • Instagram
  • Youtube

Each of these social networks, when providing their services, acts in accordance with their terms of use and privacy policies. eHorti does not assume any liability with respect to the use of social networks that the user may access through its website. Questions and claims need to be addressed to individual social networks. The privacy policies are available at the links below:

Publishing of changes

All changes in our privacy policy will be published on this website. Updated: 08.07.2021