Privacy Policy

The responsible party for data processing is:

MTL Crafts d.o.o.
Pilanska bb
78000 Banja Luka

Phone: +387 66 993 614

We appreciate your interest in our online shop. Protecting your privacy is very important to us. Below, we provide detailed information about how we handle your data.

1. Access Data and Hosting

You can visit our website without providing any personal information. Each time a webpage is accessed, the web server automatically stores a so-called server log file. This file contains information such as the name of the requested file, your IP address, the date and time of access, the amount of data transferred, and the requesting provider (access data) and documents the retrieval. These access data are evaluated exclusively for the purpose of ensuring the smooth operation of the site and improving our offerings. This serves to protect our legitimate interests in the correct presentation of our offer, which outweigh other interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. All access data are processed only as long as necessary to achieve the purposes mentioned above.

The services for hosting and displaying the website are partially provided by our service providers as part of processing on our behalf. Unless otherwise explained in this privacy policy, all access data and all data collected via forms on this website are processed on their servers. If you have questions about our service providers and the basis of our cooperation with them, please contact us using the contact details provided in this privacy policy.

Our service providers are based in and/or use servers in the following countries for which the European Commission has determined an adequate level of data protection through a decision: Israel, United Kingdom, USA.

The adequacy decision for the USA serves as the basis for third-country data transfers, provided the respective service provider is certified. Certification is in place.

Our service providers are based in and/or use servers in the following countries: Brazil, Mexico, India, Ukraine.
For these countries, no adequacy decision by the European Commission exists. Our collaboration with them is based on the following safeguards: Standard Data Protection Clauses of the European Union.

2. Data Processing for Contract Fulfillment and Contact

2.1 Data Processing for Contract Fulfillment

We collect personal data when you voluntarily provide it to us as part of your order or when contacting us (e.g., via a contact form or email). Required fields are marked as such, as we need these data to process your order or handle your inquiry. Without this information, you cannot complete the order or send the inquiry. The specific data collected can be seen in the respective input forms.
We use the data you provide for contract fulfillment and to process your inquiries (including inquiries about and handling of any warranty and performance claims as well as statutory update obligations) in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR. Further details on the processing of your data, especially regarding its transfer to our service providers for order, payment, and shipping processing, can be found in the subsequent sections of this Privacy Policy. Once the contract has been fully processed, your data will be restricted for further use and deleted after the expiration of any applicable tax and commercial law retention periods in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR, unless you have expressly consented to the further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, or we reserve the right to use your data for purposes permitted by law, which we will inform you about in this statement.

Inventory Management System

To process orders and fulfill contracts, we use inventory management systems provided by external service providers. These service providers act on our behalf within the framework of order processing. If you have any questions about our service providers or the basis of our cooperation with them, please use the contact details provided in this Privacy Policy.

Our service providers are based in and/or use servers in the following countries: Bosnia.
For these countries, no adequacy decision by the European Commission exists. Our cooperation with them is based on the following safeguards: Standard Data Protection Clauses of the European Commission.

Data Sharing for Age Verification

If your order includes goods that are subject to age restrictions, we ensure that the buyer has reached the required minimum age by using a reliable procedure that includes personal identity and age verification. For this purpose, the SCHUFA IdentityCheck service is used on our website. This service is operated by SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany (hereinafter referred to as SCHUFA).
To verify the required minimum age, certain personal data (e.g., name, address, and date of birth) are transmitted to SCHUFA Holding AG. An identity check with Q-Bit, positively evaluated by the Commission for the Protection of Minors in the Media (KJM) for age verification, is then conducted. The data transfer to SCHUFA is carried out in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR to protect our overriding legitimate interests in offering a youth protection-compliant service and complying with statutory youth protection regulations. No credit check is conducted as part of this process.

2.2 Contacting Us

As part of customer communication, we collect personal data to process your inquiries in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR when you voluntarily provide this information while contacting us (e.g., via contact form, live chat tool, or email). Required fields are marked as such because this information is necessary for processing your inquiry. The specific data collected can be seen in the respective input forms. Once your inquiry has been fully processed, your data will be deleted unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, or we reserve the right to use your data for other purposes permitted by law, which we inform you about in this policy.

3. Data Processing for Shipping Purposes

To fulfill the contract in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR, we pass your data on to the shipping service provider responsible for the delivery, insofar as this is necessary for the delivery of ordered goods. If you have questions about our service providers and the basis of our cooperation with them, please use the contact information provided in this privacy policy.

Data Sharing with Shipping Providers for Delivery Notification

If you have expressly consented during or after your order, we will share your email address and phone number with the selected shipping provider in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. This allows the provider to contact you prior to delivery for the purpose of delivery notification or coordination.
You can revoke your consent at any time by sending a message to the contact information provided in this privacy policy or directly to the shipping provider at the contact address listed below. Upon revocation, we will delete the data you provided for this purpose unless you have expressly consented to further use of your data or we reserve the right to use your data for other purposes permitted by law, which we inform you about in this policy. If you have questions about our service providers and the basis of our cooperation with them, please use the contact details provided in this privacy policy.

General Logistics Systems Germany GmbH & Co. OHG
GLS Germany-Straße 1 - 7
DE-36286 Neuenstein
Germany

United Parcel Service Deutschland S.à r.l. & Co. OHG
Görlitzer Straße 1
41460 Neuss
Germany

Hermes Germany GmbH
Essener Straße 89
D-22419 Hamburg
Germany

DHL Paket GmbH
Sträßchensweg 10
53113 Bonn
Germany

DPD Deutschland GmbH
Wailandtstraße 1
63741 Aschaffenburg
Germany

4. Data Processing for Payment Transactions

For payment processing in our online shop, we work with the following partners: technical service providers, financial institutions, and payment service providers.

4.1 Data Processing for Transaction Handling

Depending on the chosen payment method, we share the necessary data for processing the payment transaction with our technical service providers, who act on our behalf as part of a data processing agreement, or with the authorized financial institutions or the selected payment service provider, insofar as this is required for payment processing. This is done to fulfill the contract in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR. In some cases, the payment service providers themselves collect the data required for processing the payment, for example, on their own website or through a technical integration in the order process. In such cases, the privacy policy of the respective payment service provider applies.
If you have any questions about our payment processing partners and the basis of our cooperation with them, please contact us using the contact information provided in this privacy policy.

4.2 Data Processing for Fraud Prevention and Optimization of Payment Processes

In some cases, we may share additional data with our service providers, which they, as our data processors, use along with the data necessary for payment processing to prevent fraud and optimize our payment processes (e.g., invoicing, handling disputed payments, supporting accounting). This is carried out in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR to protect our overriding legitimate interests as part of a balancing of interests in safeguarding against fraud and ensuring efficient payment management.

5. Advertising via Email and Post

5.1 Email Newsletter with Registration

If you subscribe to our newsletter, we will use the data required for this purpose or the data you have separately provided to regularly send you our email newsletter based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can unsubscribe from the newsletter at any time, either by sending a message to the contact details described below or via a designated link in the newsletter. After unsubscribing, we will delete your email address from the recipient list unless you have expressly consented to the further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, or we reserve the right to use your data for purposes permitted by law, which we will inform you about in this statement.

Our service providers are based in and/or use servers in the following countries, for which the European Commission has determined an adequate level of data protection: Israel, United Kingdom, USA.

The adequacy decision for the USA serves as the basis for data transfers to third countries, provided the respective service provider is certified. Certification is in place.

Our service providers are based in and/or use servers in the following countries: Brazil, Mexico, India, Ukraine.
For these countries, no adequacy decision by the European Commission exists. Our cooperation with them is based on the following safeguards: Standard Data Protection Clauses of the European Union.

5.2 Advertising by Post and Your Right to Object

In addition, we reserve the right to use your first and last name as well as your postal address for our own advertising purposes, such as sending you interesting offers and information about our products by postal mail. This serves to protect our overriding legitimate interests in direct advertising to our customers, in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. You can object to the storage and use of your data for these purposes at any time by sending a message to the contact details provided in this privacy policy.
After you have withdrawn your consent, we will delete your address from the recipient list, unless you have expressly consented to the further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, or we reserve the right to use your data for other legally permitted purposes, which we will inform you about in this statement.

6. Cookies and Other Technologies

6.1 General Information

To make your visit to our website more appealing and to enable the use of certain features, we use technologies, including so-called cookies, on various pages. Cookies are small text files that are automatically stored on your device. Some of the cookies we use are deleted at the end of the browser session, meaning after you close your browser (so-called session cookies). Other cookies remain on your device, allowing us to recognize your browser during your next visit (persistent cookies).

Protection of Privacy on Devices

When using our online services, we employ strictly necessary technologies to provide the explicitly requested telemedia service. The storage of information on your device or access to information already stored on your device does not require your consent in these cases.

For non-essential features, the storage of information on your device or access to information already stored on your device requires your consent. Please note that if consent is not given, certain parts of the website may not be fully functional. Any consent you have provided will remain in effect until you adjust or reset the respective settings on your device.

Subsequent Data Processing Through Cookies and Other Technologies

We use technologies that are strictly necessary for the utilization of certain features on our website (e.g., shopping cart functionality). These technologies collect and process information such as your IP address, the time of your visit, device and browser information, and details about your use of our website (e.g., shopping cart contents). This processing is based on our overriding legitimate interests in providing an optimized presentation of our offerings, as part of a balancing of interests, in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.

Additionally, we use technologies to fulfill our legal obligations (e.g., to document consent for the processing of your personal data) as well as for web analytics and online marketing. Further information on these technologies, including the respective legal basis for data processing, can be found in the following sections of this Privacy Policy.

Cookie Settings

You can find the cookie settings for your browser at the following links: Microsoft Edge™ / Safari™ / Chrome™ / Firefox™ / Opera™

If you have consented to the use of technologies in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, you can withdraw your consent at any time by sending a message to the contact information provided in the Privacy Policy. Alternatively, you can use the button for cookie settings.

6.2 Use of the Wix Consent Manager Tool for Managing Consents

We use the Wix Consent Manager Tool on our website to inform you about the cookies and other technologies we use and to obtain, manage, and document your consent, where necessary, for the processing of your personal data through these technologies. This is required under Art. 6 para. 1 sentence 1 lit. c GDPR to fulfill our legal obligation under Art. 7 para. 1 GDPR to demonstrate your consent to the processing of your personal data. The Wix Consent Manager Tool is provided by Wix.com Ltd., 40 Nemal St., Tel Aviv 6350671, Israel ("Wix"). After submitting your cookie declaration on our website, Wix's web server stores your IP address, the date and time of your declaration, browser information, language, the URL from which the declaration was submitted, and information about your consent behavior. A cookie is also set, containing information about your consent behavior. Your data will be deleted after 365 days unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, or we reserve the right to use your data for other purposes permitted by law, which we will inform you about in this policy.

Our service providers are based in and/or use servers in the following countries for which the European Commission has determined an adequate level of data protection: Israel, United Kingdom, USA.

The adequacy decision for the USA serves as the basis for data transfers to third countries, provided the respective service provider is certified. Certification is in place.

Our service providers are based in and/or use servers in the following countries: Brazil, Mexico, India, Ukraine.
For these countries, no adequacy decision by the European Commission exists. Our cooperation with them is based on the following safeguards: Standard Data Protection Clauses of the European Union.

6.3 Information on Third-Country Transfers (Data Transfers to Non-EU Countries)

We use technologies from service providers on our website whose headquarters and/or server locations may be in third countries outside the EU or EEA. If there is no adequacy decision by the European Commission for such a country, an adequate level of data protection must be ensured through other suitable safeguards.

Suitable safeguards, such as the EU Commission's standard contractual clauses or binding corporate rules (BCR), are generally possible but require prior verification by the contracting parties to ensure that an adequate level of protection can be guaranteed. According to the case law of the European Court of Justice (ECJ), it may be necessary to implement additional protective measures.

We have generally agreed upon the EU Commission’s standard data protection clauses with the technology providers we use that process personal data in a third country. Whenever possible, we also agree to additional safeguards to ensure sufficient data protection in third countries without an adequacy decision.

Despite all contractual and technical measures, the level of data protection in a third country may not meet EU standards. In such cases, we may request your consent under Art. 49 para. 1 lit. a GDPR, as part of the cookie consent process, for the transfer of your personal data to a third country.
This involves specific risks, particularly that local authorities in the third country might have access rights to your personal data that are not sufficiently limited from a European data protection perspective. As the data exporter, we or you as the data subject may not be aware of such access, and you may not have adequate legal remedies to prevent or contest these accesses.

The following countries are currently considered third countries without an adequacy decision by the EU Commission (example list):

China 
Russia
Taiwan

Details on which third countries your data may be transferred to can be found in the data protection information for the respective tool used and/or the consent management platform (CMP) employed by us.

7. Social Media

7.1 Social Buttons for Facebook (by Meta), Instagram (by Meta), WhatsApp

Our website uses social buttons from social networks. These are embedded into the page as simple HTML links, meaning no connection to the servers of the respective provider is established when you visit our website. If you click on one of the buttons, the webpage of the respective social network will open in a new browser window. There, you can, for example, use the Like or Share button.

7.2 Our Online Presence on Facebook (by Meta), Instagram (by Meta), YouTube, LinkedIn

If you have given your consent to the respective social media operator in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, your data will be automatically collected and stored for market research and advertising purposes when you visit our online presence on the social media platforms mentioned above. Using pseudonyms, usage profiles are created from this data. These profiles can be used, for example, to display advertisements inside and outside the platforms that presumably match your interests. Cookies are typically used for this purpose. Detailed information about the processing and use of data by the respective social media operator, as well as contact details and information about your rights and privacy settings, can be found in the privacy notices of the respective providers linked below. If you need further assistance regarding this, you can also contact us.

Facebook (by Meta) is a service provided by Meta Platforms Ireland Ltd., Block J, Serpentine Avenue, Dublin 4, Ireland ("Meta Platforms Ireland"). Information about your use of our online presence on Facebook (by Meta), which is automatically collected by Meta Platforms Ireland, is generally transferred to a server of Meta Platforms, Inc., 1601 Willow Road, Menlo Park, California 94025, USA, and stored there. Data processing during visits to a Facebook (by Meta) fan page is based on a joint controller agreement under Art. 26 GDPR. Further information (including details about Insights data) can be found here.

Our service providers are based in and/or use servers in the following countries, for which the European Commission has determined an adequate level of data protection: USA, Canada, Japan, South Korea, New Zealand, United Kingdom, Argentina.

The adequacy decision for the USA serves as the basis for data transfers to third countries, provided the respective service provider is certified. Certification is in place.

Our service providers are based in and/or use servers in these countries: Australia, Hong Kong, India, Indonesia, Malaysia, Singapore, Thailand, Taiwan, Brazil, Mexico.
For these countries, no adequacy decision by the European Commission exists. Our cooperation with them is based on the following safeguards: the European Commission's standard contractual clauses.

Instagram (by Meta) is a service offered by Meta Platforms Ireland Ltd., Block J, Serpentine Avenue, Dublin 4, Ireland (“Meta Platforms Ireland”). The information automatically collected by Meta Platforms Ireland about your use of our online presence on Instagram is typically transferred to and stored on a server of Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. Data processing related to visiting an Instagram (by Meta) fan page is based on a joint responsibility agreement pursuant to Art. 26 GDPR. Further details (including information on Insights data) can be found here.

Our service providers are located in and/or use servers in the following countries for which the European Commission has determined an adequate level of data protection: the USA, Canada, Japan, South Korea, New Zealand, the United Kingdom, and Argentina.

The adequacy decision for the USA serves as the basis for third-country transfers where the respective service provider is certified. Certification is in place.

Our service providers are also located in and/or use servers in the following countries: Australia, Hong Kong, India, Indonesia, Malaysia, Singapore, Thailand, Taiwan, Brazil, and Mexico.
These countries do not have an adequacy decision from the European Commission. Our collaboration with these providers is based on the following safeguards: the European Commission's Standard Contractual Clauses (SCCs).

YouTube is a service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The information automatically collected by Google about your use of our online presence on YouTube is typically transferred to and stored on a server of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Our service providers are located in and/or use servers in countries outside the EU and the EEA for which the European Commission has determined an adequate level of data protection.

Our service providers are also located in and/or use servers in countries outside the EU and the EEA for which no adequacy decision from the European Commission exists. Our collaboration with these providers is based on the European Commission’s Standard Contractual Clauses (SCCs).

LinkedIn is a service provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”). The information automatically collected by LinkedIn about your use of our online presence on LinkedIn is typically transferred to and stored on a server of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA.

Our service providers are located in and/or use servers in the following country, for which the European Commission has determined an adequate level of data protection: the USA.

The adequacy decision for the USA serves as the basis for third-country transfers, provided the respective service provider is certified. Certification is in place.

8. Contact Options and Your Rights

8.1 Your Rights

As a data subject, you have the following rights:

Right of access (Art. 15 GDPR): You have the right to request information about the personal data we process about you to the extent specified in Art. 15 GDPR.
Right to rectification (Art. 16 GDPR): You have the right to request the immediate correction of incorrect or the completion of incomplete personal data stored by us.
Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data stored by us, provided that further processing is not required:
- for exercising the right to freedom of expression and information;
- for compliance with a legal obligation;
- for reasons of public interest; or
- for the establishment, exercise, or defense of legal claims.
Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data where:
- the accuracy of the data is contested by you;
- the processing is unlawful, but you oppose the erasure of the data;
- we no longer need the data, but you require it for the establishment, exercise, or defense of legal claims; or
- you have objected to the processing pursuant to Art. 21 GDPR.
Right to data portability (Art. 20 GDPR): You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller.
Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. You can typically contact the supervisory authority at your usual place of residence or work, or at the location of our company’s headquarters.

Right to Object

If we process personal data as explained above to safeguard our overriding legitimate interests as part of a balancing of interests, you have the right to object to this processing with effect for the future. If the processing is for direct marketing purposes, you can exercise this right at any time as described above. If the processing is for other purposes, you may only object based on reasons arising from your particular situation.

After you exercise your right to object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.

This does not apply if the processing is for direct marketing purposes. In that case, we will no longer process your personal data for this purpose.

8.2 Contact Options

If you have any questions regarding the collection, processing, or use of your personal data, or if you wish to request information, correction, restriction, or deletion of data, as well as to revoke any consent given or object to specific data uses, please contact us directly using the contact details provided in our imprint.