Madras-Line · Ljubljana
Privacy Policy
Last updated: 2026-04-29
This page explains what personal data we collect when you visit pima-tees.com or buy from our shop, why we collect it, and what your rights are. It complies with the EU General Data Protection Regulation (GDPR) and Slovenia's Personal Data Protection Act (ZVOP-2).
1. Who we are (data controller)
The data controller is MADRAS - LINE d.o.o., Levičnikova ulica 4A, 1000 Ljubljana, Slovenia. Registration number: 5620198000. Tax number: 59594519.
For privacy questions, write to info@pima-tees.com.
2. What data we collect, why, and the legal basis
We collect only what we need to operate the shop. The categories are:
- Account data — when you sign in with Google: email address, display name, profile photo URL, and the unique Firebase user ID. Legal basis: performance of contract (GDPR Art. 6(1)(b)) and our legitimate interest in providing an account-based shopping experience.
- Order data — items purchased, quantities, prices, order date and status. Legal basis: performance of contract.
- Shipping address — name, street, postal code, city, country, phone number. Legal basis: performance of contract.
- Payment data — handled entirely by Stripe; we receive a payment-confirmation token but never see your card number. Legal basis: performance of contract.
- Invoice data — your name, address, items and amount on every invoice we issue and fiscally verify. Legal basis: a legal obligation to keep accounting records (Slovenian tax and accounting law, GDPR Art. 6(1)(c)).
- Technical data — your IP address, browser, and (if you consent to analytics) anonymous usage events. Legal basis: legitimate interest in operating and securing the site, and consent for analytics (Art. 6(1)(a)).
3. Cookies and similar technologies
We use a small number of first-party cookies and one optional third-party tag:
- Strictly necessary: a cart cookie that holds your selected items, your sign-in session (managed by Firebase Authentication), and a cookie that remembers your cookie-banner choice. These never require consent.
- Analytics (optional): if you accept analytics, we load Google Analytics 4 (GA4) and it sets cookies (typically _ga and _ga_*) to measure aggregate traffic. We use Google Consent Mode v2 with the default "denied" — GA writes nothing until you accept.
You can change your choice at any time using the "Cookie preferences" link in the footer.
4. Who we share data with (recipients and sub-processors)
We do not sell your data. We share specific data with the following processors, each strictly to perform their part of running the shop:
- Google LLC / Google Ireland Ltd. — Firebase Authentication (sign-in), Cloud SQL (database), Cloud Storage (images), Cloud Run (hosting), Firebase Hosting (static assets) and, with your consent, Google Analytics 4. EU data centres are used where available; some processing may occur in the United States under the EU-U.S. Data Privacy Framework or the EU's 2021 Standard Contractual Clauses.
- Stripe Payments Europe, Ltd. (Ireland) — payment processing. Stripe is the controller for the payment data it collects directly from you.
- Financial Administration of the Republic of Slovenia (FURS) — fiscal verification of invoices where legally required.
5. International transfers
Where a sub-processor (notably Google) processes data outside the European Economic Area, we rely on adequacy decisions or the European Commission's 2021 Standard Contractual Clauses to provide the equivalent level of protection required by the GDPR.
6. How long we keep your data
- Account data: until you delete your account or ask us to delete it, then within 30 days from the request.
- Orders & invoices: at least 10 years, as required by Slovenian tax and accounting law (Zakon o davčnem postopku, Zakon o računovodstvu).
- Shipping addresses: kept on your account until you remove them; address copies snapshotted into past orders are kept with the order for the same 10-year period.
- Analytics events: GA4 default of 14 months.
- Server logs: 30 days, then deleted.
7. Your rights
Under the GDPR you can, at any time:
- request a copy of the data we hold about you (Art. 15);
- have inaccurate data corrected (Art. 16);
- have your data erased, where the law allows (Art. 17);
- restrict or object to processing (Art. 18 and 21);
- receive your data in a portable format (Art. 20);
- withdraw consent at any time, without affecting the lawfulness of past processing (Art. 7(3)).
To exercise any of these, write to info@pima-tees.com. You also have the right to lodge a complaint with the Slovenian Data Protection Authority — Informacijski pooblaščenec, ip-rs.si.
8. Security
We rely on Google Cloud's infrastructure controls (encryption in transit and at rest, identity-based access). Card data never reaches our servers — it is handled directly by Stripe, a PCI-DSS Level 1 certified processor.
9. Automated decision-making
We do not make automated decisions that produce legal or similarly significant effects on you (no automated profiling, no automated credit scoring, no automated account closure).
10. Changes to this policy
We update this policy when our practices or sub-processors change. Material changes are signposted on this page and dated above; small edits (typos, clarifications) are made silently. Always check the "Last updated" date.