Privacy policy

Last updated: November 6, 2025

1) Who we are (Controller)

Ekovela DOO Beograd (“Ekovela”, “we”, “us”, “our”) operates this website as the official distributor of Yves Rocher products in Serbia under exclusive distribution rights for the Serbian market. For data-protection purposes, Ekovela DOO Beograd is the data controller of your personal information processed in connection with the website and related online services.

Contact (controller):
Ekovela DOO Beograd, Jurija Gagarina 231/329, 11070 Beograd (New Belgrade), Serbia
Email: info@ekovela.rs
PIB (tax ID): 114747114 • Registration No.: 22064541

2) Scope

This Privacy Policy explains how we collect, use, disclose and otherwise process personal information when you visit or interact with our website, create an account, make a purchase, contact customer service, or otherwise use our online services (collectively, the “Services”). “You” means any user of the Services (customer, site visitor or other individual).

By accessing or using the Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

We may update this Privacy Policy from time to time for operational, legal or regulatory reasons. When we do, we will post the revised Policy on the Site and update the “Last updated” date, and take any other steps required by applicable law.

3) What information we collect

3.1 Information you provide directly

  • Contact details: name, postal address, phone number, email.

  • Order & payment details: billing/shipping addresses, purchased items, payment confirmation (note: card data are processed by our payment providers; we do not store full card numbers).

  • Account details: username, password and security settings.

  • Customer support data: content of your communications with us (emails, forms, messages).

You may choose not to provide certain data, but this may limit functionality (e.g., ordering, deliveries, returns).

3.2 Information collected automatically (Usage Data)

We use cookies, pixels and similar technologies (“Cookies”) to collect device and usage data such as IP address, browser type, device identifiers, pages viewed, time stamps, referring/exit pages and interactions with the Services.

3.3 Information from third parties

We may receive information from third-party service providers (e.g., e-commerce platform, payment processors, analytics, logistics partners) and advertising/marketing partners. Any such data will be handled in accordance with this Policy (see Section 6 – Disclosures and Cookies).

4) How and why we use personal information (Legal bases)

We process personal information only where a legal basis applies, including:

  • Contract necessity (Art. 6(1)(b) GDPR): to provide the Services and fulfil our agreement with you, e.g., processing orders and payments, creating/managing accounts, shipping, handling returns/exchanges, sending transactional notices.

  • Legitimate interests (Art. 6(1)(f) GDPR): to secure and improve the Services (fraud prevention, troubleshooting, analytics), to communicate non-marketing service messages, and to operate our business (balanced against your rights).

  • Consent (Art. 6(1)(a) GDPR): for certain marketing communications, certain cookies/analytics, and where required by law. You may withdraw consent at any time (see Your Rights).

  • Legal obligations (Art. 6(1)(c) GDPR): to comply with tax, accounting, consumer-protection and other legal requirements.

Main purposes

  • Providing products and Services: order processing, payment, delivery, returns, account administration, customer care.

  • Security & fraud prevention: detect, investigate and prevent fraudulent or illegal activity; protect our users and our rights.

  • Service improvement & analytics: operate, maintain and enhance the Site and user experience.

  • Marketing & advertising: with your consent where required, we may send marketing by email/SMS/post and tailor ads on our Site and third-party sites. You can opt out of direct marketing at any time, including via the unsubscribe link in emails.

5) Cookies

We use Cookies to operate and improve the Site (e.g., remember preferences, run analytics). Details for Shopify-related cookies are available here: https://www.shopify.com/legal/cookies.
You can manage cookies through your browser settings. Blocking cookies may impact functionality. Blocking does not necessarily prevent all data sharing (e.g., with advertising partners) unless further controls are used.

6) How we disclose personal information

We may disclose personal information in the following circumstances:

  • Vendors/Processors: to trusted service providers acting on our instructions, e.g., Shopify (store platform/hosting), HolestPay (payment gateway), Banca Intesa AD Beograd (acquirer), IT and cloud hosts, analytics providers, customer-support tools, and D-Express (courier/fulfilment).

  • Business & marketing partners: to show relevant offers and measure campaigns, in accordance with their privacy notices and applicable law (consent where required).

  • Affiliates / corporate group: for internal administration and service provision.

  • Legal & compliance: where required by law, to enforce terms, or to protect rights, security and property (including in connection with mergers, acquisitions or insolvency events).

  • With your direction or consent: e.g., social logins, public reviews, or when you request a specific transfer/disclosure.

We do not use or disclose “sensitive” personal information for the purpose of inferring characteristics about you.

Categories disclosed and typical recipients

  • Identifiers & contact, order and account data → vendors/processors (e.g., Shopify, payment and logistics providers), affiliates, marketing partners (where lawful).

  • Commercial data (orders, returns, support) → vendors/processors, affiliates.

  • Internet/usage data & geolocation (IP-based) → IT/analytics vendors, security/fraud providers, marketing partners (where lawful).

7) International transfers

Your data may be transferred to and processed in countries outside your own. Where we transfer personal data from Europe/UK to a third country without an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) (and UK equivalents where relevant).

8) Security

We employ technical and organizational measures appropriate to risk; however, no system is perfectly secure and we cannot guarantee “perfect security”. Avoid sending sensitive data via insecure channels.

Payments: card data are entered in secure, PCI DSS-compliant environments provided by our payment partners (e.g., HolestPay, Banca Intesa). We do not store full card numbers on our systems.

9) Data retention

We keep personal data only as long as necessary for the purposes described or as required by law. Typical periods include:

  • Accounts & orders: for the life of the account plus limitation periods;

  • Tax/accounting records: generally 7 years (or longer if required by applicable law);

  • Marketing data: until you opt out or withdraw consent;

  • Support correspondence: for a period needed to manage your request and for audit/compliance.

10) Children’s data

The Services are not intended for children. We do not knowingly collect personal information from children below the age applicable in their country. For Serbia, the age of digital consent is 15; for EEA/UK, it is typically 16 unless a Member State sets a lower age within 13–16. If you are a parent/guardian and believe a child has provided us data, contact us to request deletion.

11) Your rights

Depending on where you live, you may have the following rights (subject to legal limits and verification):

  • Access (Know): request access to the personal data we hold about you;

  • Rectification: request correction of inaccurate data;

  • Erasure: request deletion of your data;

  • Restriction: request restriction of processing;

  • Portability: receive a copy of your data in a portable format or request transfer to a third party;

  • Object: object to processing based on legitimate interests, including the right to object to direct marketing at any time;

  • Withdraw consent: where processing is based on consent;

  • Appeal: appeal our decision if we decline your request, by replying to our response.

To exercise rights, use the contact details below. We may need information to verify your identity (e.g., email/account data). You may authorize an agent where permitted by law (proof of authorization required). We will respond within timeframes required by applicable law. We will not discriminate against you for exercising your rights.

12) Complaints and supervisory authority

If you have concerns about our data-handling, please contact us first (see Contact). You may also lodge a complaint with your local data-protection authority. In Serbia, the competent authority is the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik).

13) Third-party websites and links

Our Site may link to third-party sites or platforms. We are not responsible for their privacy/security practices or content. Review their policies before providing personal information. Content you share in public or semi-public areas (including social platforms) may be visible to others.

14) Contact

If you have questions about this Policy or our privacy practices, or wish to exercise your rights, contact:

Ekovela DOO Beograd
Jurija Gagarina 231/329, 11070 Beograd (New Belgrade), Serbia
Email: info@ekovela.rs
PIB: 114747114 • Registration number: 22064541