Privacy Notice

Taffy & Lilly respects and protects your privacy. This Taffy & Lilly Privacy Notice (“Privacy Notice”) helps you understand why we collect personal data about you, the types of personal data we collect, how we collect it, how long we retain it, and with whom we share it, as well as your rights. This document also explains how we protect your data.

This Taffy & Lilly Privacy Notice is compliant with the EU General Data Protection Regulation 2016/679 (“GDPR”).

The data controller responsible for your personal data is Taffy & Lilly d. o. o., Ulica Stanka Brenčiča 9, 2250 Ptuj, Slovenia, registration number 8455201000 (hereinafter referred to as “Taffy & Lilly”).

Why We Process Personal Data and Legal Bases for Collection

The main reason for collecting, using, and storing your data is to provide our services to you. “Service,” “our service,” and similar descriptions mean doing business with you/your organization and assisting with your inquiries, sales processes, and claims.

We also process data about your use of the services for business development purposes, to inform you about business procedures, products, and services through marketing activities, and to improve our services based on your feedback. Your personal data may also be processed for contractual purposes and employment purposes, as well as to fulfill legal obligations.

We process personal data based on various legal grounds, as outlined below.

Performance of a Contract, including Purchase – Article 6(1)(b) GDPR:

  • When we process personal data in relation to a contract, our legal basis is the “performance of a contract,” including a purchase.

Consent – GDPR Article 6(1)(a):

  • When we send you news about our products, we do so based on your consent. Where the legal basis for processing is consent, you have the right to withdraw that consent at any time.

Legal Obligation – GDPR Article 6(1)(c):

  • If we share your personal data with law enforcement or other government authorities, we do so due to a legal obligation.

Legitimate Interest – GDPR Article 6(1)(f):

  • We have a legitimate business interest in processing your data, for example, when assisting you with inquiries.

Special Categories – GDPR Article 9(2)(a) and GDPR Article 9(2)(f):

  • When we process special categories of data, we do so to meet regulatory compliance requirements.

Types of Personal Data We Process

Below are the main types of personal data collected by SOPI, along with the main purpose and legal basis for their collection:

Activity | Types of Personal Data Collected (for illustrative purposes) | Purpose(s) | Legal Basis
General Business Operations | Name, contact details, and other information necessary for conducting business with you or your organization. | As part of Taffy & Lilly’s general business operations, we collect personal data about individuals, customers, suppliers (including third-party service providers), and other stakeholders. We may also use your data for system testing. | GDPR – Article 6(1)(b); GDPR – Article 6(1)(f)
Inquiry Assistance | Name, email address, phone numbers, conversations, other contact details, photos, plans, sketches when provided to Taffy & Lilly. | You may choose to provide us with personal data such as contact details when contacting us by phone, email, postal mail, or using our digital platforms. This personal data enables us to respond to your requests for information about Taffy & Lilly products or to respond to your inquiries. We may also ask you to complete a survey after contacting us. | GDPR – Article 6(1)(a); GDPR – Article 6(1)(b); GDPR – Article 6(1)(f)
Sales (including online sales) and Order Fulfillment | Name, contact details, payment and credit card information, etc. | We may collect personal data from customers and potential customers to conduct business with you or your organization. We use your data to analyze shopping trends through your online store activity and purchase history to provide you with a personalized browsing experience. Additionally, we use data to process and fulfill online store orders, facilitate product delivery, and provide appropriate customer services, including processing your returns. | GDPR – Article 6(1)(b); GDPR – Article 6(1)(a); GDPR – Article 6(1)(f)
Advertising Campaigns | Name, contact details, etc. | Conducting various advertising campaigns. Consent to terms and conditions is collected before engaging in the activity. | GDPR – Article 6(1)(a); GDPR – Article 6(1)(b)
Business Development | Personal data collected on our digital platforms. | Personal data provided to us and collected on our digital platforms will also be used to improve our understanding of our customers and as a basis for customer communication at all touchpoints with Taffy & Lilly. Personal data will also be used for the development of our products and services. | GDPR – Article 6(1)(a)
Marketing | Contact details, browsing history, sales and subscription service data (such as name, address, email, phone number), purchase history, unique identifiers (such as cookie IDs or device IDs), and browsing history tracking based on these IDs, etc. Note that this list is not exhaustive, as we may process any personal data arising from your interaction with our website, products, and services. | Based on your consent or legitimate interest, we process your personal data to inform you about Taffy & Lilly’s business, products, and services. For the above purposes, we carry out marketing activities tailored to your preferences and profile, e.g.: to optimize and customize the content and delivery of our marketing messages when you wish to receive them; to provide personalized marketing based on your preferences and profile, both when interacting with us on our channels and through third-party channels (e.g., social networks, search engines, online stores). If you do not wish to receive further information, you can easily and freely unsubscribe from our marketing messages at any time. Instructions describing the subscription or unsubscription process to our marketing messages are always available to you. You can also contact us by email or postal mail to unsubscribe. | GDPR – Article 6(1)(a); GDPR – Article 6(1)(f)
Your Exposure in Photos, Videos, Statements, or Participation in Our Campaigns | If you have previously agreed and sent us a personal photo or if our photographer takes your photo. | We will use photos, statements, etc., as specified in the contract signed by you. | GDPR – Article 6(1)(b), if the photo and statement are based on a contract with compensation, please note that you cannot exercise the right to rectify or erase the photo. GDPR – Article 6(1)(a), if the photo and statement are processed based on consent, you can exercise all rights specified in section 6 below. GDPR – Article 6(1)(f), if the photo or video is taken at an internal Taffy & Lilly event or similar and the photos or videos are shared internally only.
Website Visitors, Customer Surveys, and Market Research | Personal data from digital platforms or customers in the context of surveys. | To improve the products and services we offer, we may collect personal data from our website visitors or customers who complete our survey. We will contact you with the provided survey and process personal data within the survey based on consent or within legitimate interests. Personal data obtained from surveys will be used for marketing purposes only with your consent. | GDPR – Article 6(1)(a); GDPR – Article 6(1)(f)
Recruitment and Employment Contracts | Name, contact details, previous work experience, obtained educational degrees, relevant records, information about professional interests, etc. | When a person applies for a job or enters into an employment contract with us, we may collect certain data such as name, contact details, previous work experience, obtained educational degrees (diplomas, certificates), relevant records, and information about professional interests. This may be collected directly from the person, from a recruitment consultant, including references and publicly accessible sources. This data is used to inform or assist in the decision to offer employment or contract employment to an individual. | GDPR – Article 6(1)(b); GDPR – Article 6(1)(f)
Legal Compliance, including Anti-Corruption, Whistleblower Compliance, and Sanctions Screening | All types of personal data. | We may collect personal data in accordance with the law, a court or authority decision, and/or to disclose data to relevant public authorities as required or permitted by law. | GDPR – Article 6(1)(c); GDPR – Article 6(1)(f); GDPR – Article 9(2)(a); GDPR – Article 9(2)(f)

How We Collect Your Personal Data

Directly from You

In most cases, personal data is collected directly from you or created as part of using our services, products, and channels. We collect the personal data you provide when you request products, services, or information from us, register with us, participate in public forums or perform other activities on our digital platforms, respond to our surveys, or otherwise communicate with us. We collect data using various technologies, such as cookies. For more information, please read our Cookie Policy.

From Our Business Partners

In some cases, we may collect your personal data from our business partners when they need our assistance to provide you with the best possible service.

From Your Public Website

In some cases, we collect your personal data on your company's websites when we want to present or offer our services to you.

Links to Other Websites

This website contains links to other websites (e.g., Facebook, YouTube) to which this Privacy Notice does not apply. Please note that we do not endorse other websites and their content. We recommend reading the privacy policies of each website you visit.

How Long We Retain Your Personal Data

We retain your personal data only as long as necessary for the purposes described in this privacy notice. This means that retention periods will vary depending on the type of data and the reason we have it.

Examples of retention periods:

  • Until you unsubscribe from a marketing campaign, which you can do at any time.
  • Photos and testimonials are retained as necessary and as described in the contract.
  • Personal data is retained until the end of the recruitment process or the withdrawal of consent (if given for future recruitment).
  • To comply with, for example, anti-corruption regulations, we retain data in accordance with the laws we are required to follow.

With Whom We Share Your Personal Data

We may also share your personal data with selected third parties, including:

  • Business partners, suppliers, and subcontractors we work with to provide you with the best services in the support and sales process, including, for example, logistics providers.
  • Technology providers, such as analytics, tracking technology, targeting and retargeting technology, and search engine providers, that help us improve and optimize our platforms, as well as companies that provide website support and hosting.
  • Advertisers and advertising networks that use data to select and display relevant ads to you and others, if you have given consent.
  • Social media websites (such as Facebook, Instagram, and Google), if the processing of personal data is necessary for marketing purposes and based on your consent.
  • Other parties to ensure the safety and protection of our customers, to protect our rights and property, to comply with legal processes, or in other cases if we believe in good faith that disclosure is legally required.

Transfer to Third Countries

In some cases, we may transfer personal data to companies in so-called third countries, which are countries outside the European Economic Area. If we do so, we ensure data protection and transfer only if one of these conditions applies:

  • The respective country has an adequate level of protection as determined by the European Commission,
  • The company is certified under the “EU - U.S. Data Privacy Framework,”
  • We use standard contractual clauses (EU model clauses) approved by the European Commission, and additional supplementary measures to regulate data transfer.

Data Security

The security, integrity, and confidentiality of your personal data are of utmost importance to us. We have implemented technical, administrative, and physical security measures designed to protect your personal data from unauthorized access, disclosure, use, and modification. We periodically review our security procedures to consider appropriate new technologies and methods. Be aware that despite our efforts, no security measure is perfect or impenetrable.

Your Privacy Rights

GDPR provides you, as a data subject, with the following rights regarding personal data we hold about you:

  • Right of Access: You have the right to request a copy of the personal data we hold about you and information on how we process it.
  • Right to Rectification: If your personal data is inaccurate or incomplete, you have the right to request correction.
  • Right to Erasure: You have the right to request the deletion of personal data in certain circumstances, such as if the data is no longer necessary for the purposes for which it was collected.
  • Right to Restrict Processing: You have the right to request the restriction of processing of your personal data in certain circumstances, such as during the verification of data accuracy.
  • Right to Data Portability: You have the right to request the transfer of your personal data to another data controller, where technically feasible.
  • Right to Object: You have the right to object to the processing of your personal data if it is based on legitimate interests, public task, or profiling.
  • Right to Withdraw Consent: You have the right to withdraw your consent for the processing of personal data at any time if the processing is based on consent.

If you wish to exercise any of these rights, you can contact us at [company contact details].

Your Rights | Legal Basis | Explanation
Access to your data | Article 15 GDPR | You have the right to request information on whether Taffy & Lilly processes personal data relating to you, and if so, you have the right to request a copy of the personal data we have processed.
Request for correction | Article 16 GDPR | You always have the right to request the correction of any incorrect or incomplete personal data we may process about you.
Request for deletion | Article 17 GDPR | Depending on the activity of personal data processing and in certain circumstances, you have the right to request the deletion of your data before our obligation to cease processing your data arises.
Request to restrict processing | Article 18 GDPR | You have the right to request the restriction of processing, which means you can request that Taffy & Lilly restricts the use of your personal data in certain circumstances.
Data portability | Article 20 GDPR | Under certain conditions, you have the right to receive the personal data you provided to us in a machine-readable format.
Right to object | Article 21 GDPR | If you are not satisfied with the way Taffy & Lilly processes your personal data, you can send your objections to the email address

If you have any questions regarding the specific personal data we process or store about you, or if you wish to exercise your rights, please send an email to

We will respond to your request to exercise any of your rights within one (1) month, but we have the right to extend this period by two (2) months. If we extend the response period, we will notify you within one month of your request.

If you believe that we have not satisfactorily resolved your complaint, you can lodge a complaint with your local data protection agency. You can find the contact details of the relevant data protection agency on the website of the European Data Protection Board:

Changes to Taffy & Lilly Privacy Notice

We may occasionally amend this Privacy Notice to adapt it to the latest technologies, industry practices, or regulatory requirements, or for other purposes. We will always post the latest version on our digital platforms. We advise you to regularly read the Privacy Notice.

This Privacy Notice was last updated on: 27-05-2024.