Privacy Policy

This privacy policy describes how JacaFineArt, operated by the OBRT identified below, collects, uses and protects personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Croatian Act implementing the GDPR (NN 42/2018).

1. Data controller

The data controller is the OBRT identified in the imprint at the bottom of this page. For any privacy-related question, write to gbbanusic@gmail.com.

2. What we collect

We collect only what we need to deliver your painting and communicate with you:

• Checkout data — full name, shipping address, phone, email, and (for COD orders) confirmation of cash-on-delivery.
• Account data — email address used for the one-time sign-in code, and an order history bound to it.
• Newsletter — email address and language preference. Consent given by an active opt-in tick.
• Cart — stored locally in your browser. It only reaches us when you confirm the order.
• Technical data — IP address, browser type, access time (web-server logs, used only for security).

3. Legal basis

We process your data on one of the following bases (Art. 6 GDPR):

• Performance of a contract (Art. 6(1)(b)) — when you order a painting, we must deliver it and issue an invoice.
• Legal obligation (Art. 6(1)(c)) — the Croatian Accounting Act and tax law require us to keep invoices for 11 years.
• Legitimate interest (Art. 6(1)(f)) — fraud prevention and operational correspondence.
• Consent (Art. 6(1)(a)) — newsletter. Withdrawable at any time.

4. Recipients

We share your data only with carefully selected processors that we technically need:

• Stripe Payments Europe Ltd. (Ireland, EU) — card processing. PCI-DSS certified.
• Resend Inc. (USA) — transactional and newsletter email. Transfer to the USA is governed by the EU Standard Contractual Clauses.
• Supabase Inc. (Netherlands / EU region) — database, authentication, file storage.
• Hrvatska pošta and GLS Croatia — parcel delivery (shipping address + recipient name + phone).
• Croatian Tax Administration — fiscalisation of every B2C invoice via the FINA certificate, mandatory from 1 January 2026.

We have data-processing agreements (Art. 28 GDPR) with all processors. We never sell your data and never share it for third-party marketing.

5. Retention

• Order data and invoices — 11 years (Croatian Accounting Act and General Tax Act).
• Newsletter subscription — until you unsubscribe (one click in any mail).
• Browser cart — 30 days, stored locally on your device.
• Server logs — 30 days, then anonymised or deleted.
• Complaints and disputes — 5 years from closure.

6. Your rights

As a data subject, you have the following GDPR rights:

• Right of access (Art. 15) — request a copy of all data we hold about you.
• Right to rectification (Art. 16) — have inaccurate data corrected.
• Right to erasure (Art. 17) — except for data we must keep by law (e.g. invoices).
• Right to restriction of processing (Art. 18).
• Right to data portability (Art. 20) — receive a machine-readable export.
• Right to object (Art. 21) — especially against marketing.
• Right to withdraw consent — at any time, without giving a reason.
• Right to lodge a complaint with the supervisory authority (AZOP).

To exercise any of these rights, write to gbbanusic@gmail.com. We respond within 30 days.

7. Cookies

For details on cookies and other browser storage, see our Cookie Policy →

8. Supervisory authority (AZOP)

If you believe your data-protection rights have been violated, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency:

9. Changes

We may update this policy from time to time. Each version is dated. Material changes will be announced via the newsletter (if subscribed).