This Privacy Policy explains how Initra Energija d.o.o. ("we", "us", "the Controller") collects, uses, stores, and protects your personal data when you visit our websites (tigoenergy.shop and all regional tigoenergy.* domains), create an account, place an order, or otherwise interact with our services. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Slovenian Personal Data Protection Act (ZVOP-2).

1. Data Controller

The data controller responsible for processing your personal data is: Initra Energija d.o.o., Podsmreka 59A, 1356 Dobrova, Slovenia. VAT ID: SI62518313. Registration No: 9624007000. Email: support@tigoenergy.shop. You may contact us at any time regarding your personal data using the details above.

2. Personal Data We Collect

We collect the following categories of personal data: (a) Identity data: first name, last name, company name (for B2B customers). (b) Contact data: email address, phone number, billing address, shipping address. (c) Financial data: bank account details (for refunds), VAT number (for B2B customers). We do not store credit card numbers — all card payments are processed by third-party payment providers. (d) Transaction data: order history, order amounts, payment records, invoices, return requests. (e) Account data: email address, hashed password, account preferences, communication preferences. (f) Technical data: IP address, browser type and version, operating system, device type, time zone setting, pages visited, time spent on pages, referral source. (g) Communication data: records of correspondence with our support team, including support tickets, emails, and any attachments. (h) Marketing data: your preferences for receiving marketing communications and your interaction with them.

3. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 GDPR: (a) Performance of a contract (Art. 6(1)(b)): processing necessary to fulfil your order, process payments, arrange delivery, handle returns, and provide customer support. (b) Legal obligation (Art. 6(1)(c)): processing necessary to comply with tax, accounting, and regulatory requirements (e.g., invoice retention, VAT reporting under the OSS scheme, anti-fraud obligations). (c) Legitimate interests (Art. 6(1)(f)): processing necessary for our legitimate business interests, including improving our services, website analytics, fraud prevention, debt recovery, and protecting our legal rights, provided these interests do not override your fundamental rights and freedoms. (d) Consent (Art. 6(1)(a)): where you have given explicit consent, such as for marketing emails or non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. How We Use Your Data

We use your personal data for the following purposes: processing and fulfilling orders; managing your customer account; processing payments and issuing invoices; arranging shipping and delivery (sharing necessary data with carriers such as DPD); handling returns, refunds, and warranty claims; providing customer support and responding to inquiries; sending transactional emails (order confirmations, shipping updates, invoice delivery); sending marketing communications where you have opted in; conducting website analytics to improve user experience and site performance; preventing fraud and unauthorized access; complying with legal and regulatory obligations (tax reporting, accounting, consumer protection); exercising or defending legal claims.

5. Data Sharing and Third Parties

We share your personal data only where necessary and with appropriate safeguards: (a) Shipping carriers (e.g., DPD, GLS): your name, address, phone number, and email for delivery and tracking purposes. (b) Payment processors: payment data necessary to process your transaction. We do not have access to your full card details. (c) Hosting and infrastructure providers (e.g., Vercel, Supabase): your data is stored on servers operated by these providers, who act as data processors under written data processing agreements. (d) Email service providers: for transactional and marketing emails. (e) Tax and accounting authorities: where required by law (e.g., invoice data for VAT reporting). (f) Professional advisors: lawyers, accountants, and auditors where necessary to protect our legal interests. (g) Law enforcement or regulatory authorities: where required by law or in response to a valid legal request. We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

6. International Data Transfers

Your personal data is primarily processed within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to cloud service providers with servers in the United States), we ensure appropriate safeguards are in place, including: EU Standard Contractual Clauses (SCCs) approved by the European Commission; adequacy decisions by the European Commission (e.g., the EU-US Data Privacy Framework); or your explicit consent where required. You may request information about the specific safeguards applied to transfers of your data by contacting us.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected: (a) Account data: for as long as your account is active, and for 3 years after account closure. (b) Order and transaction data: for 10 years from the date of the transaction, as required by Slovenian tax and accounting legislation (ZDavP-2). (c) Invoice data: for 10 years as required by law. (d) Communication records (support tickets): for 5 years from the date of the last communication. (e) Marketing consent records: for as long as the consent is active, plus 3 years after withdrawal for compliance documentation. (f) Technical/analytics data: for up to 26 months. (g) Cookie data: see our Cookie Policy for specific retention periods. After the applicable retention period, data is securely deleted or anonymized.

8. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data: (a) Right of access (Art. 15): you may request a copy of the personal data we hold about you. (b) Right to rectification (Art. 16): you may request correction of inaccurate or incomplete data. (c) Right to erasure (Art. 17): you may request deletion of your personal data where there is no compelling reason for continued processing ('right to be forgotten'). This right is subject to legal retention obligations. (d) Right to restriction (Art. 18): you may request that we limit the processing of your data in certain circumstances. (e) Right to data portability (Art. 20): you may request to receive your personal data in a structured, commonly used, machine-readable format (JSON). You can exercise this right through the GDPR data export feature available in your account settings. (f) Right to object (Art. 21): you may object to processing based on legitimate interests or for direct marketing purposes. (g) Right to withdraw consent: where processing is based on consent, you may withdraw it at any time. To exercise any of these rights, contact us at support@tigoenergy.shop. We will respond within 30 days. We may request identity verification before processing your request.

9. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you, as defined under Article 22 GDPR.

10. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18 without parental consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at support@tigoenergy.shop.

11. Cookies

We use cookies and similar tracking technologies on our website. For detailed information about the types of cookies we use, their purposes, and how to manage your cookie preferences, please refer to our separate Cookie Policy available at the "Cookie Policy" link in the footer of our website.

12. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include: encryption of data in transit (TLS/SSL); secure hosting infrastructure with access controls; regular security assessments; access limited to authorized personnel on a need-to-know basis; secure password hashing. While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. The updated policy will be published on our website with a revised "last updated" date. We encourage you to review this policy periodically. Material changes will be communicated through a prominent notice on our website or by email where appropriate.

14. Contact for Privacy Matters

For any questions, requests, or complaints regarding this Privacy Policy or the processing of your personal data, please contact: Initra Energija d.o.o., Podsmreka 59A, 1356 Dobrova, Slovenia. Email: support@tigoenergy.shop. We will make every effort to address your concerns promptly.

15. Right to Lodge a Complaint

If you believe that the processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. The supervisory authority for Slovenia is: Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec), Dunajska cesta 22, 1000 Ljubljana, Slovenia, email: gp.ip@ip-rs.si, website: www.ip-rs.si. You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.