COOKIES POLICY – TRASIDO

This Cookies Policy governs the deployment, operation, management, and regulatory compliance of cookies and similar tracking technologies used in connection with the Trasido marketplace platform, including its website, applications, digital interfaces, APIs, and related electronic services (collectively, the "Platform"), operated by AC/DC d.o.o., Partizanska cesta 14, 2230 Lenart, Republic of Slovenia ("Trasido", "we", "us", or "our").

This Policy establishes the legal framework under which information is stored on, or accessed from, a user's terminal equipment, in accordance with Article 5(3) of Directive 2002/58/EC as amended (ePrivacy Directive), Regulation (EU) 2016/679 (General Data Protection Regulation – "GDPR"), Regulation (EU) 2022/2065 (Digital Services Act), and applicable Slovenian implementing legislation.

The Policy applies to all users who access, browse, register with, transact through, or otherwise interact with the Platform, irrespective of whether such users act as consumers, independent sellers, business users, or other categories of Platform participants. It applies to users located within the European Union and, where required under Article 3 GDPR, to users located outside the European Union whose personal data is processed in connection with the offering of services or monitoring of behaviour within the Union.

This Policy governs both first-party cookies deployed directly by Trasido and third-party cookies deployed through integrated service providers, including payment processors, hosting infrastructure providers, analytics services, fraud prevention tools, advertising networks, and other technological partners whose services are integrated into the Platform's infrastructure.

The use of cookies and similar technologies under this Policy serves purposes that may include, without limitation, the technical operation of the Platform, security and fraud prevention, authentication and session management, transaction processing, performance monitoring, analytics, functional customisation, marketing optimisation, and regulatory compliance monitoring.

This Cookies Policy does not replace the Privacy Notice but operates in conjunction with it. Where information collected through cookies constitutes personal data within the meaning of Article 4(1) GDPR, such processing shall additionally be governed by the Privacy Notice, including provisions relating to lawful basis, data subject rights, retention, security safeguards, and international data transfers.

Nothing in this Policy shall be interpreted as limiting mandatory rights granted to users under applicable data protection or electronic communications legislation. Where statutory provisions impose stricter requirements than those described herein, such statutory provisions shall prevail.

2.1 Governance Responsibility and Oversight

AC/DC d.o.o., as operator of the Platform, assumes full organisational and regulatory responsibility for the lawful implementation, management, supervision, and documentation of cookies and similar tracking technologies deployed within the Trasido ecosystem. Decisions relating to the introduction, modification, or removal of any tracking technology are undertaken within the internal compliance governance structure and are subject to oversight by the data protection and regulatory compliance function, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation) and Directive 2002/58/EC as amended (ePrivacy framework).

No tracking technology may be deployed without prior documented legal assessment and formal compliance clearance in accordance with internal governance procedures.

2.2 Pre-Deployment Compliance Assessment

Prior to the activation of any cookie, tracking script, embedded tag, software development kit (SDK), pixel, or similar mechanism enabling the storage of or access to information on a user's terminal equipment, a documented compliance assessment shall be conducted. Such assessment shall determine the nature, purpose, and operational functionality of the technology, evaluate whether personal data is processed, and identify the appropriate legal basis pursuant to Article 6 GDPR.

Where the technology involves behavioural monitoring, analytics profiling, or other forms of user tracking, an assessment of potential implications under Article 22 GDPR shall be performed.Where personal data may be transferred outside the European Economic Area, the lawfulness of such transfer shall be verified in accordance with Chapter V GDPR, including the implementation of appropriate safeguards where required.

Technologies requiring user consent under Article 5(3) of the ePrivacy framework shall not be activated prior to the collection of valid, demonstrable consent.

2.3 Consent Governance and Technical Enforcement

Trasido maintains technical and organisational mechanisms designed to ensure that non-essential cookies and tracking technologies are not activated in the absence of valid user consent. The consent management infrastructure ensures that consent is freely given, specific, informed, and unambiguous, and that users are provided with clear and granular choices regarding different categories of tracking technologies.

The system further ensures that consent may be withdrawn at any time without detriment, and that consent records are securely maintained in a manner sufficient to demonstrate compliance with regulatory requirements in the event of supervisory authority review. Technical controls prevent the execution of non-essential scripts until consent conditions are satisfied.

2.4 Cookie Registry and Documentation

AC/DC d.o.o. maintains an internal registry documenting all cookies and tracking technologies deployed on the Platform. This registry records the identity of each technology, its provider, its functional purpose, retention duration, classification category, data processing implications, and any associated international data transfers.

The registry is subject to periodic review and forms part of the accountability documentation required under Article 5(2) GDPR. It is maintained in a format capable of demonstrating compliance in the context of regulatory audits or supervisory authority inquiries.

2.5 Ongoing Monitoring and Compliance Review

The deployment and operation of cookies and tracking technologies are subject to periodic internal review to ensure continued legal compliance, technical accuracy, and alignment with disclosed information provided to users. Compliance monitoring may include technical scanning, verification of consent enforcement mechanisms, and validation of retention periods.

Where non-compliance or irregularities are identified, corrective measures shall be implemented without undue delay.Where such irregularities may constitute a personal data breach or regulatory violation, AC/DC d.o.o. shall assess notification obligations pursuant to Articles 33 and 34 GDPR.

2.6 Third-Party Risk Governance

Where cookies or tracking technologies are introduced through third-party service integrations, AC/DC d.o.o. ensures that such providers are contractually bound by appropriate data protection obligations in accordance with GDPR requirements. Where cross-border data transfers are involved, lawful transfer mechanisms under Chapter V GDPR shall be implemented.

The scope of third-party tracking technologies is limited to documented and legally assessed purposes. Deployment beyond approved scope is not permitted.

The Platform deploys cookies and similar tracking technologies that may be functionally categorised according to their operational purpose and legal qualification under applicable legislation.

Certain cookies are strictly necessary for the technical operation, security, and integrity of the Platform. Such cookies enable the transmission of communications over electronic networks, the secure authentication of users, the maintenance of session continuity, the protection of the Platform against fraudulent or malicious activity, the processing of transactions, the implementation of load balancing mechanisms, and the preservation of system stability. These cookies are considered essential within the meaning of Article 5(3) of the ePrivacy Directive and may be deployed without prior user consent where their use is strictly necessary to provide an information society service explicitly requested by the user.

The Platform may also deploy functional cookies that enhance user experience by remembering configuration settings, language preferences, display options, login persistence choices, or other user-specific adjustments. While not strictly required for basic operation, such cookies facilitate personalised and efficient interaction with the Platform and may require prior consent where mandated by applicable law.

Performance and analytics cookies may be used to measure, evaluate, and optimise the functionality, reliability, and performance of the Platform. These technologies enable the assessment of aggregated usage patterns, navigation flows, error diagnostics, service quality metrics, and system responsiveness. Where such cookies involve the processing of personal data or the access to user device information beyond what is strictly necessary, they shall be deployed only upon valid prior consent.

Security-related cookies may be used to detect and prevent fraudulent transactions, unauthorised access attempts, automated abuse, or other activities that may compromise the integrity of the Platform or the security of users. Where such cookies are strictly necessary for security and fraud prevention, they may be deployed without consent; however, where their function extends beyond strict necessity, lawful consent shall be obtained.

Marketing, advertising, and behavioural analytics cookies may be deployed to evaluate campaign performance, measure conversion effectiveness, optimise promotional communications, and, where applicable, personalise advertising content. These cookies shall not be activated unless and until the user has provided valid, freely given, specific, informed, and unambiguous consent in accordance with applicable data protection and electronic communications legislation.

The classification of cookies deployed on the Platform is subject to ongoing compliance review to ensure alignment with evolving regulatory guidance issued by supervisory authorities, including the European Data Protection Board.Any reclassification of cookies resulting from regulatory developments or technological changes shall be reflected in updated consent mechanisms and policy disclosures as required by applicable law.

The deployment and use of cookies and similar tracking technologies on the Platform are carried out strictly in accordance with Article 5(3) of Directive 2002/58/EC (ePrivacy Directive), Regulation (EU) 2016/679 (General Data Protection Regulation – "GDPR"), and applicable Slovenian legislation governing electronic communications and personal data protection.

Where cookies are strictly necessary for the transmission of communications over an electronic communications network or for the provision of an information society service explicitly requested by the user, such cookies may be deployed without the requirement to obtain prior consent. The necessity threshold shall be interpreted narrowly and in accordance with regulatory guidance issued by competent supervisory authorities. The burden of demonstrating necessity rests with the Platform operator.

All cookies and similar technologies that are not strictly necessary for the operation of the Platform shall be deployed only on the basis of prior, valid, and demonstrable user consent. Consent shall be obtained through a compliant consent management mechanism that ensures that consent is freely given, specific, informed, and unambiguous, as required under Article 4(11) and Article 7 GDPR.

Consent shall not be inferred from silence, inactivity, pre-ticked boxes, default settings, or continued browsing. Users shall be provided with clear and accessible information regarding the purpose, scope, duration, and third-party involvement associated with each category of non-essential cookies prior to the activation of such technologies. No non-essential cookies shall be placed on a user's device before consent has been affirmatively granted.

The consent mechanism implemented by the Platform shall enable users to granularly manage their preferences by category, withdraw consent at any time with effect for the future, and modify previously selected preferences through accessible and user-friendly controls. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to withdrawal.

Records of consent shall be securely maintained in accordance with the accountability principle under Article 5(2) GDPR and shall be capable of demonstrating compliance in the event of regulatory audit or supervisory authority inquiry. Consent logs shall document the time, scope, and configuration of consent provided.

Where cookies involve the processing of personal data, such processing shall also rely on an appropriate legal basis under Article 6 GDPR. In most cases, such legal basis shall be the user’s consent. Where strictly necessary cookies involve limited personal data processing, the legal basis may be the performance of a contract or the legitimate interests of the Platform operator, provided that such interests do not override the fundamental rights and freedoms of the data subject.

The Platform shall not condition access to core services upon acceptance of non-essential cookies, except where such cookies are objectively necessary for the requested service or where legally permissible under applicable guidance. The Platform shall avoid the use of coercive consent mechanisms, deceptive design patterns, or consent fatigue techniques that may compromise the validity of user consent.

The consent management framework shall be periodically reviewed to ensure continued compliance with evolving regulatory standards, including guidance issued by the European Data Protection Board, national supervisory authorities, and applicable court jurisprudence.

The Platform may permit the deployment of cookies and similar tracking technologies by carefully selected third-party service providers whose services are integrated into or support the functionality, analytics capabilities, security infrastructure, or marketing operations of the Platform. Such third-party technologies may include, where applicable, analytics tools, fraud prevention systems, payment processing services, content delivery networks, advertising services, or embedded external content.

Where third-party cookies are deployed, such cookies may collect information directly from the user's device in accordance with the technical configuration of the third-party service. In such cases, the third party may act either as an independent controller or as a processor on behalf of AC/DC d.o.o., depending on the nature of the processing activity and the contractual allocation of responsibilities. The qualification of roles shall be determined in accordance with Articles 4(7) and 4(8) GDPR and documented within the applicable contractual framework.

AC/DC d.o.o. undertakes reasonable due diligence measures prior to integrating third-party services that deploy cookies on the Platform. Such measures include the assessment of regulatory compliance, review of contractual safeguards, verification of security standards, and evaluation of data protection commitments. Where a third party acts as a processor, processing activities shall be governed by a data processing agreement compliant with Article 28 GDPR. Where a third party acts as an independent controller, users shall be informed accordingly, and reference shall be made to the relevant third-party privacy documentation.

Third-party cookies that are not strictly necessary for the technical operation of the Platform shall not be activated unless and until valid user consent has been obtained through the Platform's consent management mechanism. The Platform does not authorise the deployment of non-essential third-party cookies without prior consent.

Where personal data collected through third-party cookies is transferred outside the European Economic Area, such transfers shall occur only in accordance with Chapter V GDPR. Cross-border transfers shall be based on an adequacy decision adopted by the European Commission, the use of Standard Contractual Clauses, binding corporate rules, or other lawful transfer mechanisms recognised under applicable law. Where required, supplementary safeguards shall be implemented to ensure an equivalent level of protection consistent with the jurisprudence of the Court of Justice of the European Union.

Users are informed that certain third-party providers may operate infrastructure located in jurisdictions outside the European Union and may process data in accordance with local legal requirements. AC/DC d.o.o. shall implement reasonable measures to ensure that such processing remains subject to appropriate contractual and organisational safeguards and shall review third-party compliance on a periodic basis.

The use of third-party cookies does not transfer responsibility for regulatory compliance away from the Platform operator. AC/DC d.o.o. remains accountable for ensuring that the integration of third-party technologies complies with applicable data protection and electronic communications legislation to the extent required by law.

The list of active third-party services and associated cookie categories may be updated from time to time in response to operational, technical, or regulatory developments. Any material changes affecting user consent or cross-border data transfer practices shall be reflected in the consent management interface and this Policy, where required by applicable law.

Cookies and similar tracking technologies deployed on the Platform are stored for periods that are proportionate, limited, and strictly aligned with the purposes for which they are processed. The duration of storage depends on the functional classification of the cookie, the operational necessity of the underlying service, and the legal basis supporting the processing activity.

Session-based cookies are designed to operate temporarily and are automatically deleted once the user's browsing session ends or the browser is closed. These cookies are typically used to ensure technical continuity, session authentication, or transaction integrity during active interaction with the Platform.

Persistent cookies may remain stored on a user's device for a defined period determined by their functional purpose. Such cookies may support user preferences, consent records, security monitoring, analytics measurement, fraud detection, or marketing optimisation. The retention period for persistent cookies shall not exceed what is objectively necessary to fulfil the specified purpose and shall be subject to periodic review to ensure compliance with the principle of storage limitation under Article 5(1)(e) GDPR.

Where cookies involve the processing of personal data, the retention period shall be aligned with the broader data retention framework defined in the Privacy Notice.In determining appropriate retention periods, AC/DC d.o.o. takes into account the operational requirements of the Platform, regulatory obligations, statutory limitation periods, risk mitigation needs, contractual enforcement considerations, and the rights and expectations of data subjects.

Consent-related cookies used to record user preferences and consent configurations may be retained for the duration necessary to demonstrate compliance with accountability obligations under Article 5(2) and Article 7 GDPR. Such records shall be securely stored and may be retained for a period sufficient to defend against potential regulatory claims or legal disputes, subject to applicable statutory limitation periods.

Upon expiry of the applicable retention period, cookies shall either be automatically deleted, anonymised, or rendered technically inaccessible in accordance with internal governance standards. Users may also delete cookies at any time through browser settings or the Platform's consent management interface, subject to technical limitations inherent to browser environments.

AC/DC d.o.o. conducts periodic reviews of cookie retention practices to ensure ongoing compliance with evolving regulatory guidance, technological developments, and risk management standards.Where retention practices are modified, such modifications shall be reflected in updated policy disclosures and, where required, may trigger renewed consent mechanisms.

Nothing in this Section shall limit statutory retention obligations imposed under applicable financial, consumer protection, anti-fraud, or regulatory compliance legislation where extended retention is legally required.

Users retain full control over the use of non-essential cookies and similar tracking technologies deployed through the Platform. The exercise of such control is implemented through a structured consent management mechanism designed to ensure transparency, granularity, and regulatory compliance.

Prior to the activation of any non-essential cookies, users are presented with clear and comprehensible information regarding the nature, purpose, and functional classification of such technologies. Users are afforded the opportunity to provide or withhold consent on a category-specific basis. No non-essential cookies shall be deployed before valid consent has been obtained in accordance with applicable legal requirements.

Users may modify or withdraw previously granted consent at any time through the Platform's accessible consent management interface. Withdrawal of consent shall take effect for the future and shall not affect the lawfulness of processing carried out prior to such withdrawal. The mechanism for withdrawing consent shall be as easily accessible as the mechanism used to provide consent, and shall not impose unnecessary technical or procedural barriers.

In addition to the consent management interface provided by the Platform, users may manage cookie settings through their browser configuration. Most browsers permit users to block, restrict, or delete stored cookies and to configure alerts for cookie placement. Users are informed, however, that disabling strictly necessary cookies may affect the functionality, security, or availability of certain Platform features.

Where cookies involve the processing of personal data, users may exercise their rights under Regulation (EU) 2016/679 (GDPR), including the right of access, rectification, erasure, restriction of processing, objection to processing, and data portability, subject to the conditions and limitations provided by law. Requests relating to personal data processed by AC/DC d.o.o. in connection with cookie deployment may be submitted through the contact details provided in the Privacy Notice.

Where third-party cookies are deployed and the third party acts as an independent controller, users may also exercise their rights directly against the relevant third party in accordance with the applicable privacy documentation of such provider.

The Platform shall not condition access to core services on the acceptance of non-essential cookies, except where such cookies are objectively necessary for the requested service or where legally permissible.The consent framework shall avoid coercive design practices, deceptive interface configurations, or mechanisms that undermine the validity of user choice.

AC/DC d.o.o. maintains internal governance procedures to ensure that user preferences are respected, technically enforced, and periodically reviewed.Consent configurations are recorded and implemented in a manner consistent with the accountability and transparency principles established under applicable data protection legislation.

Nothing in this Section shall limit or restrict mandatory rights granted to data subjects under applicable European Union or Slovenian law.

AC/DC d.o.o. implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk associated with the deployment of cookies and similar tracking technologies, in accordance with Article 32 of Regulation (EU) 2016/679 (GDPR) and applicable Slovenian data protection legislation.

Security measures are designed to protect information collected through cookies against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, or other forms of unlawful processing. Such measures are proportionate to the nature of the data processed, the likelihood and severity of potential risks to data subjects, and the operational structure of the Platform.

Technical safeguards may include secure transmission protocols, encrypted communications, access control mechanisms, environment segregation, secure server configurations, logging systems, anomaly detection mechanisms, and system integrity monitoring. Organisational safeguards include internal governance policies, access authorisation frameworks, role-based access restrictions, incident response procedures, periodic compliance reviews, and staff training obligations relating to data protection and cybersecurity.

Where third-party service providers deploy cookies or process personal data through integrated technologies, AC/DC d.o.o. undertakes reasonable due diligence and contractual oversight to ensure that such providers implement appropriate security standards consistent with GDPR requirements. Data processing agreements, confidentiality obligations, and technical security commitments are incorporated where required under applicable law.

The Platform maintains internal procedures for the identification, assessment, and management of potential security incidents relating to cookie-related data processing. In the event of a personal data breach, AC/DC d.o.o. shall act in accordance with Articles 33 and 34 GDPR, including notification to the competent supervisory authority and affected data subjects where legally required.

Security measures are subject to ongoing review and may be updated in response to technological developments, evolving threat landscapes, regulatory guidance, or risk assessments. Such updates are implemented to ensure continued compliance with the principles of integrity, confidentiality, and accountability under applicable data protection legislation.

While AC/DC d.o.o. undertakes reasonable and proportionate measures to safeguard data processed through cookies, users are also responsible for maintaining the security of their own devices, browsers, and network environments. The effectiveness of security protections may be influenced by external factors beyond the reasonable control of the Platform operator.

Nothing in this Section shall be interpreted as providing an absolute guarantee against security incidents. The security framework is designed to mitigate risks to a level appropriate to the nature of processing and applicable regulatory standards.

Data subjects whose personal data is processed in connection with cookies and similar tracking technologies deployed through the Platform have the right to lodge a complaint with a competent supervisory authority in accordance with Article 77 of Regulation (EU) 2016/679 (GDPR), if they consider that the processing of their personal data infringes applicable data protection legislation.

Without prejudice to any other administrative or judicial remedy, data subjects may submit a complaint to the supervisory authority in the Member State of their habitual residence, place of work, or the place of the alleged infringement.

As the Platform operator is established in the Republic of Slovenia, the competent lead supervisory authority is:

Information Commissioner of the Republic of Slovenia
Zaloška cesta 59
1000 Ljubljana
Republic of Slovenia
Website: https://www.ip-rs.si

The right to lodge a complaint with a supervisory authority shall not affect the right of the data subject to seek judicial remedies under Articles 78 and 79 GDPR, including the right to an effective judicial remedy against a legally binding decision of a supervisory authority and the right to an effective judicial remedy against a controller or processor.

AC/DC d.o.o. encourages users to contact the Platform directly prior to lodging a formal complaint with a supervisory authority, in order to enable efficient internal review and resolution of the matter where possible. However, this encouragement shall not limit, delay, or condition the data subject's statutory right to lodge a complaint with a competent authority at any time.

The existence of supervisory authority oversight reinforces the Platform's commitment to accountability, transparency, and lawful data processing practices in accordance with European Union and Slovenian data protection legislation.