
Privacy Notice – TRASIDO
1. Introduction and Scope
This Privacy Notice establishes the principles and conditions governing the collection, processing, storage, disclosure, and protection of personal data processed in connection with access to and use of the Trasido marketplace platform, including its website, mobile applications, digital interfaces, and all related services (collectively referred to as the “Platform”).
Trasido operates as a digital marketplace facilitating commercial transactions between buyers and independent third-party sellers, as well as enabling the provision of products and services offered directly under the Trasido brand.
Personal data processing activities carried out in connection with the operation of the Platform are conducted in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”), applicable legislation of the Republic of Slovenia governing the protection of personal data, and other applicable European Union legal instruments regulating digital services, electronic commerce, and online marketplace operations.
This Privacy Notice applies to all individuals whose personal data is processed through the Platform, including registered users, buyers, sellers, visitors, business partners, and individuals communicating with Trasido through customer support channels or other communication interfaces made available via the Platform.
This Privacy Notice is intended to provide transparent, comprehensive, and legally compliant information regarding the manner in which personal data is processed, the legal bases for such processing, the rights of data subjects, and the safeguards implemented to ensure the lawful and secure handling of personal data in accordance with applicable data protection legislation.
Where personal data processing is subject to additional contractual, regulatory, or transactional conditions, such conditions shall be specified within applicable Platform agreements, including the Terms and Conditions, Seller Agreement, Cookies Policy, or other relevant Platform governance documentation.
Nothing in this Privacy Notice shall be interpreted as limiting or excluding mandatory rights granted to data subjects under applicable data protection legislation.
2. Identity of the Data Controller
The Platform is operated by:
AC/DC d.o.o.
Partizanska cesta 14
2230 Lenart
Republic of Slovenia
E-mail: info@ac-dc.org
AC/DC d.o.o. acts as the primary data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”) in relation to personal data processed in connection with the operation, administration, maintenance, and regulatory compliance of the Platform.
In particular, AC/DC d.o.o. determines the purposes and means of processing personal data relating to user account management, Platform functionality, transaction processing infrastructure, fraud prevention, security monitoring, customer support services, regulatory compliance, and internal Platform governance.
Where products or services are offered directly under the Trasido brand or supplied by AC/DC d.o.o., AC/DC d.o.o. also acts as the data controller in relation to personal data processed in connection with such transactions, including order processing, payment administration, delivery coordination, customer relationship management, statutory warranty handling, and post-sale consumer support.
Where products or services are offered by independent third-party sellers through the Platform, such sellers generally act as independent data controllers with respect to personal data processed for the purposes of order fulfilment, delivery execution, after-sales support, warranty handling, and other seller-specific commercial activities, unless otherwise specified under applicable contractual arrangements or data processing agreements.
In certain operational scenarios, AC/DC d.o.o. may act as a data processor within the meaning of Article 4(8) GDPR on behalf of independent sellers where personal data processing is carried out strictly in accordance with documented instructions and subject to applicable contractual safeguards required under Article 28 GDPR.
Users and data subjects may contact AC/DC d.o.o. regarding matters relating to personal data processing, data protection rights, or privacy-related inquiries using the contact details specified above or through designated data protection communication channels made available via the Platform.
3. Marketplace Data Processing Structure
The Platform operates under a multi-party data processing structure characteristic of digital marketplace environments in which multiple independent economic operators may process personal data in connection with transactions conducted through the Platform.
In accordance with Article 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”), independent third-party sellers offering products or services through the Platform generally act as separate and independent data controllers in relation to personal data processed for the purposes of order fulfilment, delivery coordination, customer communication, warranty administration, after-sales support, and other commercial activities performed in connection with their contractual relationship with buyers.
AC/DC d.o.o., operating the Trasido Platform, facilitates communication, transaction infrastructure, order routing, and payment integration between buyers and independent sellers. However, once personal data is transmitted to independent sellers for the purposes of contractual performance, AC/DC d.o.o. does not determine the purposes or means of subsequent data processing carried out by such sellers and therefore does not act as a joint controller in relation to seller-operated processing activities, unless explicitly required by applicable law or specific contractual arrangements.
Where products or services are supplied directly by Trasido or by AC/DC d.o.o., AC/DC d.o.o. acts as the sole data controller in respect of personal data processed in connection with such transactions, including payment administration, order fulfilment, delivery coordination, customer support, warranty handling, fraud prevention, and compliance with applicable regulatory obligations.
The Platform may engage third-party service providers supporting Platform operations, including but not limited to payment service providers, hosting and cloud infrastructure providers, customer communication service providers, logistics integration partners, analytics service providers, fraud prevention service providers, and technical support vendors. Where such third-party service providers process personal data on behalf of AC/DC d.o.o., they shall act as data processors within the meaning of Article 4(8) GDPR and shall be engaged only subject to appropriate contractual safeguards and data protection obligations in accordance with Article 28 GDPR.
Where independent sellers engage their own logistics providers, payment providers, customer support vendors, or other service partners, such third parties shall operate under the responsibility and legal authority of the respective seller acting as data controller for such processing activities. AC/DC d.o.o. shall not be responsible for data processing activities conducted by third parties engaged directly by independent sellers.
The allocation of data protection responsibilities described in this Section reflects the operational and contractual structure of the Platform and is intended to ensure transparency, regulatory clarity, and compliance with applicable European Union data protection legislation governing digital marketplace service providers.
Nothing in this Section shall be interpreted as extending the data protection liability of AC/DC d.o.o. beyond obligations imposed under applicable data protection legislation or as establishing joint controller status between AC/DC d.o.o. and independent sellers, except where such status arises under mandatory applicable law.
4. Categories of Personal Data Collected
AC/DC d.o.o., operating the Trasido Platform, may collect, generate, receive, and otherwise process various categories of personal data depending on the nature of the user’s interaction with the Platform, the services used, and the contractual or regulatory obligations applicable to the transaction.
Personal data processed through the Platform may include identification data, such as names, usernames, account identifiers, and verification credentials necessary to establish and maintain user accounts and contractual relationships.
Contact information may also be processed, including e-mail addresses, telephone numbers, billing addresses, delivery addresses, and other communication details required for order fulfilment, customer support, dispute handling, or regulatory compliance.
Transactional and commercial data may be processed in connection with purchases, returns, refunds, payment authorisation, payment verification, transaction history, order status, and contractual performance records necessary for the execution and administration of commercial transactions conducted through the Platform.
Technical and usage-related data may be collected automatically through the operation of the Platform. Such data may include IP addresses, device identifiers, browser type, operating system, session data, interaction logs, and usage behaviour necessary to ensure Platform functionality, security monitoring, fraud detection, service optimisation, and compliance with legal obligations relating to cybersecurity and digital service integrity.
Communication data may be processed where users communicate with Trasido, independent sellers, customer support services, or dispute resolution mechanisms through the Platform. Such communication records may include message content, support request documentation, complaint records, and transaction-related correspondence necessary to fulfil contractual obligations and resolve disputes.
Where users have provided valid consent, marketing and communication preference data may be processed, including subscription preferences, marketing engagement records, promotional interaction data, and opt-in or opt-out communication records.
AC/DC d.o.o. processes only personal data that is necessary, relevant, and proportionate to the purposes for which it is collected, in accordance with the principles of data minimisation and purpose limitation established under Article 5 GDPR.
The categories of personal data processed may vary depending on whether transactions are conducted with independent sellers or directly with Trasido. Independent sellers may collect and process additional personal data under their own responsibility as independent data controllers, and users are encouraged to review the privacy policies of individual sellers where applicable.
Nothing in this Section shall be interpreted as requiring AC/DC d.o.o. to monitor or control personal data processing activities conducted independently by third-party sellers beyond obligations imposed under applicable data protection legislation.
5. Sources of Personal Data
Personal data processed in connection with the operation of the Platform may be obtained from multiple sources, depending on the nature of the interaction between the user and the Platform.
Personal data may be provided directly by users when creating an account, placing orders, submitting inquiries, communicating with customer support, participating in dispute resolution processes, subscribing to communications, completing verification procedures, or otherwise interacting with the Platform.
Personal data may also be collected automatically through the use of the Platform and associated digital interfaces. Such data may be generated through system logs, cookies, tracking technologies, device interactions, session identifiers, security monitoring systems, fraud detection mechanisms, and analytics tools necessary to ensure Platform functionality, integrity, regulatory compliance, and cybersecurity protection.
In the context of marketplace transactions, personal data may be received from independent third-party sellers where necessary for the performance of contractual obligations, dispute resolution, customer service coordination, fraud prevention, or compliance with legal obligations. In such cases, independent sellers act as separate data controllers for the personal data they process independently.
Personal data may also be received from third-party service providers acting on behalf of AC/DC d.o.o., including payment service providers, logistics providers, hosting providers, fraud prevention services, identity verification services, analytics providers, and other infrastructure partners engaged to support Platform operations.
Where permitted under applicable law, personal data may be obtained from publicly available sources, regulatory databases, sanctions lists, or official registers where necessary to comply with legal obligations, conduct risk assessments, prevent fraud, or protect the security and lawful operation of the Platform.
Where personal data is not obtained directly from the data subject, such processing shall be conducted in accordance with Article 14 GDPR, including the provision of required transparency information unless an exemption under Article 14(5) GDPR applies.
AC/DC d.o.o. processes personal data only where a valid legal basis exists under Article 6 GDPR and limits data collection to what is necessary and proportionate for the specified purposes of processing.
Nothing in this Section shall be interpreted as imposing responsibility on AC/DC d.o.o. for the independent data collection practices of third-party sellers or external service providers acting as separate data controllers.
6. Legal Bases for Processing Personal Data
AC/DC d.o.o. processes personal data only where a valid legal basis exists in accordance with Article 6 of Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”). The applicable legal basis depends on the nature of the processing activity, the relationship between the user and the Platform, and the regulatory obligations applicable to the specific transaction or service.
6.1 Processing Necessary for the Performance of a Contract
Personal data may be processed where such processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
Such processing may include, inter alia, account creation and authentication, order processing, payment processing, delivery coordination, customer support, dispute resolution, communication relating to contractual performance, and administration of transactions conducted through the Platform.
Where transactions are conducted between buyers and independent sellers, personal data may be transmitted to the relevant seller where such transfer is necessary for contractual performance between the buyer and the seller.
6.2 Processing Necessary for Compliance with Legal Obligations
AC/DC d.o.o. may process personal data where such processing is required to comply with legal or regulatory obligations imposed under applicable European Union, Slovenian, or international legislation.
Such obligations may include compliance with tax and accounting requirements, consumer protection legislation, anti-fraud obligations, regulatory reporting requirements, court orders, requests from competent supervisory authorities, and obligations relating to cybersecurity and digital service regulation.
Where required by law, AC/DC d.o.o. may disclose personal data to public authorities, law enforcement bodies, regulatory agencies, or judicial institutions in accordance with applicable legal procedures.
6.3 Processing Based on Legitimate Interests
Personal data may be processed where such processing is necessary for the legitimate interests pursued by AC/DC d.o.o. or third parties, provided that such interests are not overridden by the fundamental rights and freedoms of data subjects.
Legitimate interests pursued by AC/DC d.o.o. may include ensuring the security, integrity, and functionality of the Platform; preventing fraud, abuse, and unlawful activities; protecting users, business partners, and third parties; enforcing contractual rights; conducting internal analytics, service optimisation, and risk management activities; maintaining Platform performance and reliability; and defending legal claims.
Where personal data is processed on the basis of legitimate interests, AC/DC d.o.o. performs balancing assessments to ensure that such processing remains proportionate and respects the rights of data subjects.
Data subjects have the right to object to processing carried out on the basis of legitimate interests in accordance with Article 21 GDPR.
6.4 Processing Based on Consent
Personal data may be processed on the basis of the data subject’s consent where such consent is required under applicable law.
Consent-based processing may include, for example, the sending of marketing communications, subscription to promotional materials, participation in surveys, use of certain cookies or tracking technologies, and other optional services offered through the Platform.
Where consent is relied upon as the legal basis for processing, data subjects may withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to withdrawal.
6.5 Processing of Special Categories of Personal Data
AC/DC d.o.o. does not intentionally process special categories of personal data within the meaning of Article 9 GDPR unless such processing is required by law, necessary for the establishment, exercise, or defence of legal claims, or otherwise permitted under applicable data protection legislation.
Where such data is processed, appropriate safeguards and security measures shall be implemented in accordance with applicable legal requirements.
6.6 Processing in Marketplace Context
The legal basis for processing personal data may differ depending on whether products or services are supplied directly by Trasido or by independent third-party sellers operating through the Platform.
Independent sellers act as separate data controllers for personal data processed in connection with their own commercial activities, including order fulfilment, delivery coordination, customer communication, warranty administration, and after-sales services. Users are encouraged to review the privacy policies of independent sellers where applicable.
AC/DC d.o.o. shall not be responsible for personal data processing activities carried out independently by third-party sellers beyond obligations imposed under applicable law.
6.7 Necessity and Proportionality
AC/DC d.o.o. processes personal data only where such processing is necessary, proportionate, and relevant to the purposes for which the data is collected, in accordance with the principles of data minimisation, purpose limitation, and transparency set out in Article 5 GDPR.
Where processing is no longer necessary, personal data shall be deleted or anonymised in accordance with applicable retention obligations and internal compliance policies.
7. Data Recipients and Data Sharing
Personal data processed in connection with the operation of the Platform may be shared with selected categories of recipients where such disclosure is necessary for the provision of Platform services, compliance with legal obligations, performance of contractual obligations, protection of legitimate interests, or where required by applicable law.
AC/DC d.o.o. ensures that personal data is disclosed only to recipients that provide adequate safeguards for data protection and confidentiality and only to the extent necessary for the specified processing purposes.
7.1 Independent Sellers
Where users purchase products or services offered by independent third-party sellers through the Platform, personal data necessary for order fulfilment, delivery coordination, customer communication, warranty administration, dispute resolution, and regulatory compliance may be shared with the relevant seller.
Independent sellers act as separate data controllers for personal data processed in connection with their commercial activities conducted through the Platform. Independent sellers are responsible for ensuring compliance with applicable data protection legislation and are required to process personal data in accordance with their own privacy policies and legal obligations.
AC/DC d.o.o. provides technical infrastructure enabling such data transmission but does not control or supervise personal data processing carried out independently by third-party sellers beyond obligations imposed under applicable law.
7.2 Payment Service Providers
Personal data relating to payment processing may be shared with authorised payment service providers engaged to process transactions conducted through the Platform.
Such providers may include payment processors, financial institutions, fraud detection services, and payment verification providers necessary to facilitate secure financial transactions, prevent payment fraud, and comply with financial regulatory requirements.
Payment service providers process personal data as independent data controllers or as data processors acting on behalf of AC/DC d.o.o., depending on the nature of the payment processing service and contractual arrangements in place.
AC/DC d.o.o. does not store or have access to full payment card information where such data is processed directly by certified payment service providers.
7.3 Logistics and Delivery Service Providers
Where physical goods are purchased through the Platform, personal data necessary for shipping and delivery services may be shared with logistics providers, courier services, freight carriers, customs clearance agents, and fulfilment partners.
Such disclosures may include delivery addresses, contact details, order information, and shipping documentation necessary to perform delivery services and comply with transport, customs, and import/export regulatory requirements.
Logistics providers may act as independent data controllers or as data processors depending on their role in the delivery chain.
7.4 Technical and Infrastructure Service Providers
AC/DC d.o.o. may engage third-party service providers to support the technical operation, hosting, maintenance, analytics, cybersecurity protection, and performance monitoring of the Platform.
Such service providers may include cloud hosting providers, data storage providers, system monitoring providers, identity verification services, analytics service providers, fraud prevention services, customer communication infrastructure providers, and other technical infrastructure partners.
Where such providers process personal data on behalf of AC/DC d.o.o., processing is governed by data processing agreements concluded in accordance with Article 28 GDPR.
7.5 Professional Advisors and Business Partners
Personal data may be disclosed to professional advisors, auditors, legal advisors, consultants, and compliance service providers where such disclosure is necessary for legal compliance, risk management, corporate governance, dispute resolution, or the protection of legal rights and business interests.
7.6 Public Authorities and Regulatory Bodies
AC/DC d.o.o. may disclose personal data to competent public authorities, regulatory agencies, supervisory authorities, law enforcement bodies, judicial authorities, or other governmental institutions where disclosure is required by applicable law, regulatory obligations, or lawful official requests.
Such disclosures may occur in connection with consumer protection investigations, financial compliance obligations, cybersecurity reporting obligations, fraud prevention measures, or enforcement of legal claims.
7.7 Corporate and Transactional Transfers
Personal data may be transferred to third parties in connection with corporate restructuring activities, mergers, acquisitions, asset transfers, investment transactions, or business reorganisations, provided that such transfers are conducted in accordance with applicable data protection legislation and subject to appropriate confidentiality safeguards.
7.8 Cross-Border Data Sharing
Where personal data is shared with recipients located outside the European Economic Area (EEA), such transfers shall be carried out in accordance with Chapter V GDPR and subject to appropriate legal safeguards, including adequacy decisions adopted by the European Commission, Standard Contractual Clauses, or other lawful transfer mechanisms.
Further information regarding international data transfers is provided in Section 8 of this Privacy Notice.
7.9 Data Minimisation and Disclosure Controls
AC/DC d.o.o. discloses personal data only to the extent necessary to achieve the specific processing purpose and implements contractual, organisational, and technical safeguards designed to ensure confidentiality, security, and lawful processing by data recipients.
Nothing in this Section shall be interpreted as extending the legal responsibility of AC/DC d.o.o. to data processing activities conducted independently by third-party sellers, payment service providers, or external service providers acting as separate data controllers.
8. International Data Transfers
8.1 General Rule and Legal Basis (Chapter V GDPR)
Personal data processed in connection with the Platform may, due to the global nature of digital infrastructure and cross-border commerce, be transferred to recipients located outside the European Economic Area (“EEA”), where such transfers are objectively necessary for the provision of Platform services, the performance of contractual obligations, the implementation of security and fraud prevention measures, or compliance with applicable legal requirements. AC/DC d.o.o. ensures that any transfer of personal data to a third country or international organisation is carried out strictly in accordance with Chapter V of Regulation (EU) 2016/679 (“GDPR”) and is limited to the minimum scope necessary to achieve the relevant lawful purpose.
8.2 Transfers Based on Adequacy Decisions (Article 45 GDPR)
Where personal data is transferred to a jurisdiction in respect of which the European Commission has adopted an adequacy decision pursuant to Article 45 GDPR, such transfer shall be conducted on the basis of that adequacy decision and on the understanding that the destination jurisdiction is deemed to provide an adequate level of protection within the meaning of EU data protection law. In such cases, no additional transfer authorisation is required beyond compliance with the general GDPR principles and the applicable legal basis for processing.
8.3 Transfers Subject to Appropriate Safeguards (Article 46 GDPR)
Where personal data is transferred to a jurisdiction that is not covered by an adequacy decision, AC/DC d.o.o. shall ensure that the transfer is subject to appropriate safeguards within the meaning of Article 46 GDPR and that enforceable data subject rights and effective legal remedies are available. In such cases, the transfer is typically implemented through contractual safeguards recognised under EU law, including Standard Contractual Clauses adopted by the European Commission, together with any supplementary measures that may be reasonably required to maintain an essentially equivalent level of protection in light of the circumstances of the transfer, the nature of the data, and the risk profile of the recipient environment.
8.4 Transfers to Service Providers and Platform Infrastructure Partners
International transfers may occur where Platform operations rely on service providers or infrastructure partners that store, access, or otherwise process personal data from locations outside the EEA, including in connection with hosting, content delivery, cybersecurity services, analytics, customer support tooling, payment processing infrastructure, and operational monitoring systems. Where such third parties process personal data on behalf of AC/DC d.o.o., AC/DC d.o.o. ensures that the relationship is governed by a legally compliant data processing arrangement under Article 28 GDPR and that cross-border transfers are implemented only once an appropriate transfer mechanism under Chapter V GDPR has been established and documented.
8.5 Transfers to Independent Sellers Established Outside the EEA – Allocation of Responsibility
Where a user enters into a transaction with an independent seller established outside the European Economic Area (“EEA”), personal data strictly necessary for the performance of the underlying purchase contract may be transmitted to such seller for the purposes of order fulfilment, delivery coordination, customer communication, warranty processing, regulatory compliance, and post-sale obligations.
In such circumstances, the independent seller acts as an autonomous and independent data controller within the meaning of Article 4(7) GDPR in respect of personal data processed for its own commercial purposes. The independent seller is solely responsible for ensuring that any cross-border processing, onward transfers, storage, or further disclosure of personal data under its control complies with applicable data protection legislation, including Chapter V GDPR where relevant.
AC/DC d.o.o. does not determine the purposes or means of processing carried out independently by such sellers and shall not be deemed a joint controller within the meaning of Article 26 GDPR in respect of such independent processing activities, unless expressly required under mandatory applicable law.
AC/DC d.o.o. shall not be liable for data protection infringements, unlawful international transfers, security breaches, or regulatory non-compliance committed by independent sellers in connection with personal data processed under their independent responsibility, except to the extent that liability arises from the direct actions or omissions of AC/DC d.o.o. under applicable law.
Where technically feasible and proportionate, AC/DC d.o.o. may implement contractual governance standards requiring independent sellers to comply with applicable data protection legislation as a condition of access to the Platform. However, such governance measures shall not be interpreted as creating supervisory responsibility, joint controllership, or assumption of liability for seller-controlled processing activities.
Users acknowledge that cross-border transactions may involve the transfer of personal data to jurisdictions that may not provide a level of data protection equivalent to that guaranteed within the EEA. Where such transfers are necessary for the performance of a contract between the user and an independent seller, such transfer may rely, where applicable, on Article 49(1)(b) GDPR, without prejudice to the independent seller’s obligation to ensure compliance with all applicable legal safeguards.
Nothing in this Section shall be interpreted as limiting the rights of data subjects under applicable data protection legislation.
8.6 Transfer Risk Management and Security Controls (Article 32 GDPR)
AC/DC d.o.o. implements appropriate technical and organisational measures designed to ensure that international transfers do not result in a reduction of the protection afforded to personal data under EU law. Such measures are implemented proportionately, taking into account the nature, scope, context, and purposes of the processing and the risks to the rights and freedoms of natural persons, and may include confidentiality controls, access restrictions, security monitoring, and other safeguards necessary to protect personal data against unauthorised access, unlawful disclosure, alteration, loss, or destruction during transfer and subsequent processing.
8.7 Transparency and Access to Information on Transfer Safeguards
Data subjects may request further information regarding the transfer mechanisms and safeguards applied to international transfers by contacting AC/DC d.o.o. using the contact details provided in this Privacy Notice. Where Standard Contractual Clauses or comparable safeguards are relied upon, AC/DC d.o.o. may provide relevant information regarding such safeguards, subject to the protection of confidential information, security considerations, and legitimate commercial interests.
8.8 No Data Localisation Commitment
Unless expressly stated otherwise for a specific service, AC/DC d.o.o. does not provide a guarantee that personal data will be processed exclusively within the EEA, as certain Platform functionalities may rely on globally distributed technical infrastructure or cross-border operational support. Any such processing shall remain subject to the safeguards and legal requirements set out in this Section and shall not be interpreted as limiting or restricting mandatory rights of data subjects under GDPR.
9. Data Retention
9.1 General Retention Principle
Personal data processed in connection with the Platform shall be retained only for as long as necessary to fulfil the purposes for which it was collected and processed, including the performance of contractual obligations, compliance with legal and regulatory requirements, protection of legitimate business interests, enforcement of contractual rights, dispute resolution, fraud prevention, and security monitoring.
AC/DC d.o.o. applies the principle of storage limitation in accordance with Article 5(1)(e) GDPR and ensures that personal data is not retained for longer than is objectively necessary in light of the purposes of processing and applicable statutory retention requirements.
9.2 Contractual and Transactional Retention
Personal data relating to user accounts, transactions, orders, payments, communications, and contractual performance may be retained for the duration of the contractual relationship and for a reasonable period thereafter where retention is necessary for accounting, taxation, regulatory compliance, audit requirements, legal defence, or enforcement of rights.
Where users maintain an active account, personal data associated with such account may be retained for as long as the account remains active and for a reasonable period following account closure in order to comply with statutory record-keeping obligations and to mitigate fraud or abuse risks.
Where retention is required under applicable financial, accounting, tax, or consumer protection legislation, personal data shall be retained for the minimum statutory retention period prescribed under such laws.
9.3 Legal and Regulatory Retention Obligations
Personal data may be retained beyond the duration of the contractual relationship where necessary to comply with legal obligations imposed on AC/DC d.o.o., including obligations arising under tax legislation, accounting rules, anti-fraud requirements, anti-money laundering obligations, regulatory compliance duties, dispute resolution procedures, or lawful requests from competent authorities.
Retention in such cases shall be limited to what is required by the applicable legal framework and shall not exceed statutory retention periods unless further retention is justified by ongoing legal proceedings, regulatory investigations, or enforcement requirements.
9.4 Dispute Resolution and Legal Claims
Where personal data is necessary for the establishment, exercise, or defence of legal claims, such data may be retained for the duration of the relevant statutory limitation period and, where applicable, until the final resolution of the dispute.
Retention for legal defence purposes shall be proportionate and limited to data necessary to safeguard the legitimate interests of AC/DC d.o.o., in accordance with Article 6(1)(f) GDPR.
9.5 Security, Fraud Prevention, and Risk Monitoring
Certain categories of personal data, including technical logs, authentication records, device identifiers, and transaction monitoring information, may be retained for a limited period where necessary to maintain Platform security, detect and prevent fraud, investigate suspicious activity, or ensure compliance with internal risk management procedures.
Such retention shall be proportionate to the identified risk and shall not exceed what is necessary to ensure the security, integrity, and lawful operation of the Platform.
9.6 Anonymisation and Aggregation
Where personal data is no longer required for the purposes described above, it may be irreversibly anonymised in accordance with recognised technical standards. Once anonymised, such data shall no longer be considered personal data within the meaning of GDPR and may be retained for statistical analysis, service optimisation, business intelligence, and operational improvement purposes.
9.7 Data Deletion and Erasure Procedures
AC/DC d.o.o. implements internal procedures designed to ensure timely deletion, anonymisation, or restriction of personal data once retention is no longer justified under applicable legal bases.
Where a data subject exercises the right to erasure under Article 17 GDPR, AC/DC d.o.o. shall assess the request in accordance with applicable legal requirements, taking into account overriding legal retention obligations, contractual necessity, fraud prevention requirements, and the need to establish, exercise, or defend legal claims.
9.8 Independent Sellers’ Retention Responsibilities
Where independent sellers process personal data as separate data controllers in connection with transactions conducted through the Platform, such sellers are solely responsible for determining and implementing lawful retention periods in compliance with applicable data protection legislation.
AC/DC d.o.o. does not assume responsibility for retention practices independently determined by third-party sellers, except where liability arises under mandatory applicable law.
10. Security of Processing
10.1 General Security Commitment
AC/DC d.o.o. implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk associated with the processing of personal data, in accordance with Article 32 of Regulation (EU) 2016/679 (GDPR).
Such measures are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed in connection with the operation of the Platform.
Security measures are implemented taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the varying likelihood and severity of risks to the rights and freedoms of natural persons.
10.2 Technical Safeguards
AC/DC d.o.o. maintains technical security mechanisms designed to ensure confidentiality, integrity, availability, and resilience of processing systems and services.
Such mechanisms may include data encryption during transmission and storage, pseudonymisation techniques, secure authentication controls, access restriction mechanisms based on role-based authorisation principles, network protection systems, intrusion detection technologies, and system monitoring solutions.
Platform systems are designed to ensure that access to personal data is limited strictly to authorised personnel and service providers who require such access for legitimate operational, legal, or security purposes.
10.3 Organisational Measures
In addition to technical safeguards, AC/DC d.o.o. maintains internal organisational measures designed to ensure ongoing data protection compliance.
Such measures include internal access control policies, confidentiality obligations imposed upon employees and contractors, documented data protection procedures, internal incident response protocols, risk assessment procedures, and regular review of data processing practices to ensure alignment with applicable legal requirements.
Personnel with access to personal data are subject to confidentiality obligations and are required to process personal data only in accordance with documented instructions and established compliance procedures.
10.4 Security Testing and Risk Assessment
AC/DC d.o.o. conducts periodic assessments of its security measures in order to evaluate effectiveness, identify potential vulnerabilities, and implement corrective improvements where necessary.
Security reviews may include internal audits, vulnerability assessments, system monitoring, and other reasonable technical or organisational evaluations consistent with industry standards and regulatory expectations.
Where processing activities are likely to result in high risk to the rights and freedoms of individuals, AC/DC d.o.o. may conduct data protection impact assessments in accordance with Article 35 GDPR.
10.5 Incident Management and Personal Data Breaches
AC/DC d.o.o. maintains internal procedures designed to detect, assess, and respond to personal data breaches in a timely and proportionate manner.
Where a personal data breach occurs that is likely to result in a risk to the rights and freedoms of natural persons, AC/DC d.o.o. shall notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of the breach, in accordance with Article 33 GDPR.
Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, AC/DC d.o.o. shall communicate the breach to affected data subjects without undue delay in accordance with Article 34 GDPR, unless an exemption under applicable law applies.
10.6 Third-Party Security and Service Providers
Where AC/DC d.o.o. engages third-party service providers that process personal data on its behalf, such processing shall be governed by written data processing agreements in accordance with Article 28 GDPR.
AC/DC d.o.o. undertakes reasonable due diligence when selecting service providers and requires such providers to implement appropriate technical and organisational measures designed to ensure data security consistent with applicable legal standards.
However, AC/DC d.o.o. shall not be liable for security failures attributable exclusively to independent third-party data controllers or service providers acting outside the scope of documented processing instructions, except where liability arises under mandatory applicable law.
10.7 Limitations of Security Guarantees
While AC/DC d.o.o. implements appropriate and proportionate security measures consistent with industry standards and regulatory expectations, no method of electronic transmission or storage is entirely secure.
Accordingly, AC/DC d.o.o. cannot guarantee absolute security of personal data and shall not be liable for unauthorised access, interception, alteration, or destruction of personal data where such incidents occur despite the implementation of reasonable and lawful security safeguards, except where liability arises from intentional misconduct or gross negligence under applicable law.
11. Data Subject Rights
11.1 General Principle
Data subjects whose personal data are processed by AC/DC d.o.o. in connection with the operation of the Trasido Platform are entitled to exercise the rights granted under Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and applicable Slovenian data protection legislation.
AC/DC d.o.o. ensures that data subjects are able to exercise their rights in a transparent, accessible, and legally compliant manner, without undue delay and subject only to the limitations permitted under applicable law.
11.2 Right of Access
Pursuant to Article 15 GDPR, data subjects have the right to obtain confirmation as to whether personal data concerning them are being processed and, where that is the case, access to such personal data and related information.
Such information includes, inter alia, the purposes of processing, categories of personal data concerned, recipients or categories of recipients to whom the data have been disclosed, envisaged retention periods, the existence of data subject rights, the right to lodge a complaint with a supervisory authority, and the source of the data where not collected directly from the data subject.
AC/DC d.o.o. shall provide a copy of personal data undergoing processing, subject to limitations permitted under applicable law.
11.3 Right to Rectification
In accordance with Article 16 GDPR, data subjects have the right to obtain without undue delay the rectification of inaccurate personal data concerning them.
Taking into account the purposes of processing, data subjects may also request the completion of incomplete personal data, including by means of providing a supplementary statement.
11.4 Right to Erasure
Under Article 17 GDPR, data subjects have the right to request the erasure of personal data without undue delay where one of the statutory grounds applies.
Such grounds may include situations where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, where consent has been withdrawn and no other legal basis exists, where the data subject objects to processing and no overriding legitimate grounds exist, or where processing is unlawful.
The right to erasure shall not apply where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for other grounds recognised under Article 17(3) GDPR.
11.5 Right to Restriction of Processing
Pursuant to Article 18 GDPR, data subjects may request restriction of processing where the accuracy of personal data is contested, where processing is unlawful and erasure is opposed, where AC/DC d.o.o. no longer requires the personal data but the data subject requires them for legal claims, or where the data subject has objected to processing pending verification of overriding legitimate grounds.
Where processing is restricted, personal data shall be stored but not otherwise processed except as permitted under applicable law.
11.6 Right to Data Portability
In accordance with Article 20 GDPR, where processing is based on consent or on a contract and is carried out by automated means, data subjects have the right to receive the personal data concerning them in a structured, commonly used, and machine-readable format and to transmit such data to another controller without hindrance.
Where technically feasible, data subjects may request direct transmission of personal data from AC/DC d.o.o. to another controller.
11.7 Right to Object
Under Article 21 GDPR, data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data based on Article 6(1)(e) or Article 6(1)(f) GDPR.
Where personal data are processed for direct marketing purposes, data subjects have the right to object at any time to such processing, including profiling related to direct marketing.
Where a valid objection is submitted, AC/DC d.o.o. shall cease processing the personal data unless compelling legitimate grounds for processing are demonstrated which override the interests, rights, and freedoms of the data subject, or unless processing is necessary for the establishment, exercise, or defence of legal claims.
11.8 Right to Withdraw Consent
Where processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, data subjects have the right to withdraw their consent at any time.
Withdrawal of consent shall not affect the lawfulness of processing carried out prior to the withdrawal.
11.9 Automated Decision-Making and Profiling
Where personal data are subject to automated decision-making, including profiling, within the meaning of Article 22 GDPR, data subjects have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them, except where such processing is permitted under applicable law.
Where automated decision-making is used, AC/DC d.o.o. shall implement appropriate safeguards, including the right of data subjects to obtain human intervention, to express their point of view, and to contest the decision.
11.10 Exercise of Rights
Requests for the exercise of data subject rights may be submitted to AC/DC d.o.o. using the contact details provided in this Privacy Notice.
AC/DC d.o.o. shall respond to such requests without undue delay and in any event within one (1) month of receipt, subject to extension as permitted under Article 12(3) GDPR where requests are complex or numerous.
Where AC/DC d.o.o. has reasonable doubts concerning the identity of the individual making the request, it may request additional information necessary to confirm the identity of the data subject.
11.11 Supervisory Authority and Right to Lodge a Complaint
Data subjects have the right to lodge a complaint with a competent supervisory authority in accordance with Article 77 GDPR if they consider that the processing of personal data relating to them infringes applicable data protection legislation.
Where AC/DC d.o.o. is established in the Republic of Slovenia, the competent supervisory authority is the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec), without prejudice to the right of data subjects to lodge complaints with supervisory authorities in their Member State of habitual residence, place of work, or place of alleged infringement.
12. International Data Transfers
12.1 General Principle of Cross-Border Transfers
Personal data processed in connection with the operation of the Trasido Platform may, in certain circumstances, be transferred to recipients located outside the European Economic Area (EEA).
Any such transfer shall be carried out strictly in accordance with Chapter V of Regulation (EU) 2016/679 (GDPR) and applicable Slovenian data protection legislation, and only where appropriate safeguards ensuring an adequate level of protection are implemented.
AC/DC d.o.o. does not transfer personal data to third countries or international organisations unless a lawful transfer mechanism exists and appropriate protective measures are in place.
12.2 Transfers Based on Adequacy Decisions
Where personal data are transferred to a third country in respect of which the European Commission has adopted an adequacy decision pursuant to Article 45 GDPR, such transfer shall be deemed to provide an adequate level of data protection.
In such cases, transfers may occur without the need for additional authorisation, subject to compliance with the conditions set out in the applicable adequacy decision.
12.3 Transfers Subject to Appropriate Safeguards
Where personal data are transferred to a third country that is not subject to an adequacy decision, AC/DC d.o.o. shall ensure that appropriate safeguards are implemented in accordance with Article 46 GDPR.
Such safeguards may include the use of Standard Contractual Clauses adopted by the European Commission, binding corporate rules where applicable, or other lawful transfer mechanisms recognised under GDPR.
Where Standard Contractual Clauses are used, AC/DC d.o.o. shall assess, prior to transfer, whether the legal framework of the recipient country ensures an essentially equivalent level of protection to that guaranteed within the European Union and shall implement supplementary technical or organisational measures where necessary.
12.4 Transfers Based on Derogations
In limited circumstances, transfers may be based on one of the derogations set out in Article 49 GDPR, including where the data subject has explicitly consented to the proposed transfer after being informed of potential risks, or where the transfer is necessary for the performance of a contract between the data subject and AC/DC d.o.o., or for the implementation of pre-contractual measures taken at the data subject's request.
Such derogations shall be applied restrictively and only where no other lawful transfer mechanism is available.
12.5 International Transfers Involving Service Providers
Where AC/DC d.o.o. engages third-party service providers located outside the EEA, including hosting providers, cloud service providers, payment processors, analytics providers, or technical infrastructure providers, personal data may be processed in jurisdictions outside the EEA.
In such cases, AC/DC d.o.o. shall ensure that contractual, technical, and organisational safeguards consistent with Articles 28 and 46 GDPR are implemented to protect personal data against unauthorised access, disclosure, alteration, or misuse.
Service providers are contractually bound to process personal data solely in accordance with documented instructions and applicable data protection obligations.
12.6 Transfers Involving Independent Sellers
Where independent sellers located outside the EEA process personal data of buyers obtained through the Platform, such sellers act as independent data controllers and are solely responsible for ensuring compliance with applicable cross-border transfer requirements under GDPR and relevant national legislation.
AC/DC d.o.o. does not assume responsibility for international data transfers carried out independently by third-party sellers outside the scope of its own processing activities, except where liability arises under mandatory applicable law.
12.7 Transparency and Information Rights
Data subjects may request information regarding applicable safeguards used in connection with cross-border transfers of their personal data.
Where appropriate safeguards are implemented under Article 46 GDPR, copies of relevant transfer mechanisms may be provided upon request, subject to redaction of confidential commercial information where legally justified.
12.8 No Unlawful Export of Personal Data
AC/DC d.o.o. shall not knowingly transfer personal data to jurisdictions subject to international sanctions, regulatory restrictions, or legal regimes incompatible with EU data protection standards, unless legally authorised and subject to appropriate risk assessment and compliance measures.
13. Data Retention and Storage Governance
13.1 Principle of Storage Limitation
Personal data processed in connection with the operation of the Trasido Platform shall be retained only for as long as necessary to fulfil the purposes for which the data were collected and processed, in accordance with Article 5(1)(e) of Regulation (EU) 2016/679 (GDPR).
AC/DC d.o.o. shall ensure that retention periods are determined based on the nature of the data, the purposes of processing, applicable legal obligations, contractual requirements, regulatory standards, and legitimate business needs, while respecting the rights and freedoms of data subjects.
13.2 Retention Criteria
The duration of personal data retention shall be assessed in light of the following criteria: the duration of the contractual relationship between the user and AC/DC d.o.o.; the necessity of retaining data for the performance of contractual obligations or post-contractual claims; applicable statutory limitation periods for legal claims; mandatory retention obligations under tax, accounting, anti-money laundering, consumer protection, or commercial legislation; regulatory audit requirements and risk management obligations; and the necessity of retaining data for fraud prevention, dispute resolution, or enforcement of contractual rights.
Retention shall not exceed what is necessary in light of these criteria.
13.3 Contractual and Transactional Data
Personal data relating to user accounts, transactions, payments, and commercial interactions may be retained for the duration of the contractual relationship and thereafter for a period necessary to comply with statutory accounting and tax obligations, which under Slovenian law may extend up to ten (10) years, or longer where required by applicable legislation.
Where data are required for the establishment, exercise, or defence of legal claims, such data may be retained for the duration of applicable statutory limitation periods.
13.4 Marketing Data
Where personal data are processed for marketing purposes on the basis of consent, such data shall be retained until consent is withdrawn.
Where processing is based on legitimate interest, retention shall be limited to a reasonable period reflecting the user's interaction with the Platform, and shall be subject to periodic review.
Upon objection to marketing communications, personal data may be retained in a suppression list to ensure that the data subject does not receive further marketing communications.
13.5 Security and Log Data
Technical logs, security monitoring data, and system access records may be retained for a limited period necessary to ensure Platform integrity, detect fraud, investigate security incidents, and comply with regulatory or cybersecurity obligations.
Retention of such data shall be proportionate to the identified risk and subject to internal review procedures.
13.6 Data Deletion and Anonymisation
Upon expiry of applicable retention periods, personal data shall be securely deleted or irreversibly anonymised in accordance with established internal procedures.
Deletion processes shall be designed to prevent unauthorised recovery, reconstruction, or access to deleted data.
Where complete deletion is not immediately feasible due to technical system constraints, personal data shall be isolated and protected until secure deletion can be executed.
13.7 Archiving and Restricted Storage
In certain circumstances, personal data may be retained in restricted archival storage for compliance, audit, or legal defence purposes.
Archived data shall be subject to access restrictions and shall not be actively processed for new commercial purposes.
13.8 Seller Data Retention Responsibilities
Where independent sellers act as separate data controllers in respect of personal data obtained through the Platform, such sellers are solely responsible for determining and applying legally compliant retention periods for data processed in connection with their commercial activities.
AC/DC d.o.o. does not assume responsibility for retention practices implemented independently by third-party sellers outside the scope of its own processing activities.
13.9 Ongoing Review and Governance
AC/DC d.o.o. shall periodically review retention policies to ensure continued compliance with applicable legislation, regulatory guidance, and evolving risk assessments.
Retention governance forms part of the Platform's broader data protection compliance framework and internal risk management procedures.
14. Complaints and Supervisory Authority
14.1 Right to Lodge a Complaint
Data subjects have the right, pursuant to Article 77 of Regulation (EU) 2016/679 (GDPR), to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes applicable data protection legislation.
The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy available under applicable law.
14.2 Competent Supervisory Authority
As AC/DC d.o.o. is established in the Republic of Slovenia, the competent supervisory authority for data protection matters is the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec).
Data subjects may also lodge a complaint with the supervisory authority in the Member State of their habitual residence, place of work, or place of the alleged infringement, in accordance with Articles 55 and 56 GDPR.
14.3 Internal Resolution Procedure
Prior to lodging a complaint with a supervisory authority, data subjects are encouraged, though not required, to contact AC/DC d.o.o. directly in order to seek clarification or resolution of any concerns relating to the processing of personal data.
AC/DC d.o.o. is committed to addressing complaints in a transparent, timely, and good-faith manner and shall undertake reasonable efforts to resolve data protection concerns without undue delay.
14.4 Judicial Remedies
In accordance with Articles 78 and 79 GDPR, data subjects have the right to an effective judicial remedy against a legally binding decision of a supervisory authority or where they consider that their rights under GDPR have been infringed as a result of unlawful processing of personal data.
Judicial proceedings may be initiated before the courts of the Member State where AC/DC d.o.o. is established or where the data subject has their habitual residence, subject to applicable jurisdictional rules.
14.5 Cooperation with Supervisory Authorities
AC/DC d.o.o. shall cooperate with competent supervisory authorities in the performance of their investigative and corrective powers, including responding to lawful requests for information, participating in compliance reviews, and implementing corrective measures where legally required.
Nothing in this Privacy Notice shall be interpreted as limiting the statutory powers of supervisory authorities or restricting the legal rights of data subjects under applicable data protection legislation.
15. Amendments to this Privacy Notice
15.1 Right to Amend
AC/DC d.o.o. reserves the right to amend, update, or modify this Privacy Notice at any time where such modification is necessary to reflect changes in applicable legislation, regulatory guidance, supervisory authority interpretation, technological developments, business practices, processing activities, or risk management requirements.
Amendments may also be implemented to improve transparency, clarify existing provisions, or ensure continued compliance with evolving legal and operational standards.
15.2 Notification of Changes
Where material changes to this Privacy Notice are introduced, AC/DC d.o.o. shall take appropriate steps to inform users in a clear and proportionate manner. Such notification may be provided through publication on the Platform, direct electronic communication, account notification mechanisms, or other reasonable means of communication consistent with the nature of the change.
Where required by applicable law, users may be requested to acknowledge updated provisions.
15.3 Effective Date
The date of the most recent update shall be indicated at the beginning of this Privacy Notice. Amendments shall take effect upon publication unless a later effective date is expressly specified.
Continued use of the Platform following the effective date of any amendment shall constitute acknowledgment of the updated Privacy Notice, without prejudice to data subject rights under applicable law.
15.4 No Reduction of Mandatory Rights
No amendment to this Privacy Notice shall operate to reduce, restrict, or waive any rights granted to data subjects under applicable European Union or Slovenian data protection legislation.
Where mandatory legal provisions grant data subjects greater protection than this Privacy Notice, such legal provisions shall prevail.
15.5 Version Control and Archiving
AC/DC d.o.o. may maintain archived versions of previous Privacy Notices for regulatory, audit, and compliance purposes. Historical versions may be made available upon reasonable request where required by law or regulatory guidance.