Privacy Policy

Last updated: 2026-04-20

This Privacy Policy explains how Bel Canto d.o.o. (trading as Arlene's Online MeetUp, arlenemart.eu) collects, uses, and protects your personal data when you visit our site or place an order. It is written in plain English so you can read it in a few minutes. If you have any questions, email us at orders@arlenemart.eu.

Contents

Data Controller

The data controller responsible for your personal data is:

  • Bel Canto d.o.o.
  • Ivšićev prilaz 9, 10000 Zagreb, Croatia
  • VAT: HR68964256322
  • OIB: 68964256322
  • Email: orders@arlenemart.eu

We have not appointed a Data Protection Officer because our business is below the mandatory-appointment threshold in GDPR Article 37. All data-protection questions should be sent to the contact email above.

Data We Collect

We collect only the data we need to run the store and fulfil your orders. The categories are:

  • Account data — your name, email address, and (if you register an account) a hashed password. We never see or store your password in plain text.
  • Order data — billing address, shipping address, the products you ordered, the total price, and your order history.
  • Payment data — handled by Stripe. We never see or store your full card number. We may retain the last four digits and card brand for receipt and fraud-investigation purposes.
  • Communication data — any email you send us and any reply we send you.
  • Technical data — your IP address, browser user-agent, and cookies. See our upcoming Cookie Policy for full details (deferred to the cookie-consent banner rollout).

We process each category of data under a specific lawful basis in GDPR Article 6:

  • Account and Order data — contract (Art. 6(1)(b)): we need this data to fulfil your order.
  • Payment data — contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for invoicing.
  • Communication data — legitimate interest (Art. 6(1)(f)) in answering your questions; consent where you opt in to marketing.
  • Technical data — legitimate interest for strictly-necessary cookies; consent for analytics and marketing cookies.

Recipients and Processors

We share your data only with the processors we need to run the store. We do not sell personal data to anyone.

  • Stripe — payment processing. EU cardholders are handled by Stripe Payments Europe Ltd. (Ireland). Onward transfer to Stripe Inc. in the United States is governed by Standard Contractual Clauses (SCCs).
  • Resend — transactional email delivery (order confirmations, password resets, shipping notifications). Resend is based in the United States; transfers are covered by SCCs.
  • Cloudflare — content delivery and basic bot protection. Cloudflare is based in the United States; transfers are covered by SCCs.
  • Meilisearch — product search. We self-host Meilisearch on our own server; no data leaves our infrastructure.
  • Hetzner Online GmbH — hosting and server infrastructure. Located in Germany (EU).

International Transfers

Some of the processors listed above (Stripe, Resend, Cloudflare) are based in the United States. Any transfer of your personal data to these processors is governed by the European Commission's Standard Contractual Clauses (SCCs) as adopted under GDPR Article 46(2)(c). We do not transfer your data to any country or organisation that lacks an adequate level of protection as determined by the European Commission or safeguarded by SCCs.

Retention

  • Account data — kept while your account is active plus 3 years after your last activity, for customer-service purposes.
  • Order and invoicing data — 11 years, as required by Croatian tax and accounting law.
  • Communication data — 2 years after the last message exchanged.
  • Cookies — per the lifetimes disclosed in our Cookie Policy (coming soon with the cookie-consent banner).

Your Rights

Under the General Data Protection Regulation (GDPR) you have the following rights:

  • Access (Art. 15) — a copy of the personal data we hold about you.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure (Art. 17) — delete your data, subject to legal retention requirements.
  • Restriction (Art. 18) — limit our processing in specific situations.
  • Portability (Art. 20) — receive your data in a machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interest or direct marketing.
  • Withdraw consent (Art. 7(3)) — for any processing based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email orders@arlenemart.eu. We will respond within one month.

You also have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP — Agencija za zaštitu osobnih podataka) at azop.hr.

Cookies

We use essential cookies to run the store (for example, to keep your cart state between pages). With your consent, we also use analytics cookies to understand how customers navigate the site, so we can improve it. You can change your preferences anytime via the Cookie Settings link in the footer.

Changes to This Policy

We may update this Privacy Policy from time to time as our business or the law changes. The Last Updated date at the top of this page reflects the most recent change. Material changes will also be announced by email to registered customers.

Contact

For any question about this Privacy Policy or to exercise your rights, contact us: