Privacy policy

Privacy policy

Privacy Notice pursuant to Article 13 of the General Data Protection Regulation (GDPR) – Version 2.0

Data Controller

The controller of personal data in relation to the website https://valens-health.com and your other interactions with VALENS INT. Proizvodnja in trženje d.o.o. is:

VALENS INT. Proizvodnja in trženje d.o.o.
Poslovna cona Žeje pri Komendi, Pod jelšami 18
1218 Komenda, Slovenia

Company registration number: 2148781000
VAT number: SI 83564926
Email: [email protected]

(hereinafter: the “Organisation” or the “Company”)

The Organisation has appointed a Data Protection Officer (DPO): Gregor Božič.
All questions, requests, inquiries, and other communications related to personal data protection may be addressed to: [email protected].

 

Introduction

Basic information about the Organisation and its mission

The Organisation collects, stores, and otherwise processes certain information and data, including personal data, in accordance with the Personal Data Protection Act (ZVOP-2) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter: the “GDPR”).

Purpose and use of this notice

This Privacy Notice describes how the Organisation processes personal data of individuals who have provided their personal data directly to the Organisation as the data controller, in connection with the website https://valens-health.com (e.g. through the use of cookies when visiting the website, submission of contact forms, etc.).

Terminology and amendments to this notice

Unless otherwise stated, the terms used in this notice (e.g. personal data, processing, controller, processor) have the same meaning as defined in the GDPR.

The term website refers to https://valens-health.com, including all related subpages, servers, and systems.

Defined terms used in the singular shall include the plural and vice versa, and terms expressed in one grammatical gender shall include all genders.

 

Personal Data Retention Period

The retention period of personal data depends on the purpose for which the data were collected. Personal data are retained only for as long as necessary to fulfil the purpose for which they were collected or further processed, or until the expiry of statutory limitation periods, legally prescribed retention periods, or until withdrawal of consent, where processing is based on consent.

Taking into account the nature of the processed data and associated risks, the Organisation periodically and in a documented manner verifies compliance with data retention limitation principles.

Unless otherwise required by law, personal data are deleted, destroyed, anonymised, or otherwise rendered non-identifiable after the purpose of processing has been fulfilled (e.g. by restricting access, blocking, or archiving).

An individual may request the deletion of personal data at any time by submitting a request to the official email address stated at the beginning of this document.

 

  1. Legal Bases for the Processing of Personal Data

1.1 Performance of a contract or pre-contractual measures

The Organisation may process personal data based on the performance of a contract (e.g. provision of services) or steps taken prior to entering into a contract (e.g. responding to inquiries via official communication channels).

In such cases, personal data are provided as part of contractual obligations or negotiations, and explicit consent is not required.

Failure to provide such data may hinder or prevent the provision of services or cooperation, of which the individual will be informed accordingly.

1.2 Compliance with legal obligations

The Organisation processes personal data to comply with legal obligations, particularly those related to taxation and accounting (e.g. issued and received invoices), including:

  • when required to disclose personal data to inspectors or other authorities in accordance with applicable law,
  • when processing invoice-related data pursuant to the Value Added Tax Act (ZDDV-1).

1.3 Legitimate interests of the Organisation

Personal data may also be processed where necessary to protect the legitimate interests of the Organisation, such as for administrative, civil, or criminal proceedings, provided that only data strictly necessary for such purposes are processed.

Personal data may also be processed where necessary to protect the vital interests of an individual.

1.4 Consent

Use of the Organisation’s services is generally not conditional upon consent to personal data processing.

However, personal data may be processed based on explicit consent, defined as a freely given, specific, informed, and unambiguous indication of the individual’s wishes (e.g. consent to receive newsletters).

Consent may be withdrawn at any time via the unsubscribe link in communications or by contacting the Organisation.

Consent may also apply to online advertising, including the use of optional (marketing) cookies and tracking technologies. Detailed information is available in the “Cookies” section.

Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

 

  1. Recipients of Personal Data

2.1 Employees of the Organisation

Personal data are processed by authorised employees who require such data to perform their duties. All employees are bound by confidentiality obligations.

2.2 Public authorities

Where required by law, personal data may be disclosed to competent public authorities and supervisory bodies.

2.3 Contractual processors

Personal data may be processed by contractual processors acting solely on behalf of the Organisation under data processing agreements, including:

  • IT service providers and developers,
  • email distribution services (The Rocket Science Group LLC – Mailchimp),
  • payment service providers (Stripe Payments Company),
  • accounting service providers,
  • website hosting providers.

The Organisation does not disclose personal data to unauthorised third parties.

2.4 Website hosting provider

The website is hosted on servers located in Germany.

2.5 Transfers to third countries

As a rule, personal data are not transferred outside the European Economic Area (EEA).
Exceptions may include limited transfers to service providers located in the United States, subject to appropriate safeguards, including standard contractual clauses or adequacy decisions under EU-US data transfer frameworks.

 

Special Categories of Personal Data

The Organisation does not encourage the provision of special categories of personal data. If such data are inadvertently disclosed, appropriate safeguards will be applied.

 

Your Rights under the GDPR

You may contact the Organisation at any time using the email address stated above to exercise your rights, including:

  • right to information,
  • right of access,
  • right to erasure (“right to be forgotten”),
  • right to withdraw consent,
  • right to rectification,
  • right to restriction of processing,
  • right to data portability,
  • right to object,
  • rights related to automated decision-making and profiling,
  • right to lodge a complaint with a supervisory authority.

In Slovenia, the competent authority is:

Information Commissioner of the Republic of Slovenia
Dunajska 22, 1000 Ljubljana
Email: [email protected]
Phone: +386 1 230 97 30
Website: www.ip-rs.com

 

Automated Decision-Making and Profiling

The Organisation does not carry out automated decision-making or profiling.

Processing of Personal Data of Children

The Organisation’s services are intended for individuals aged 15 years or older.
If personal data of individuals under 15 are processed without parental consent, such data will be deleted without delay.

 

Data Security

The Organisation protects personal data using appropriate technical, organisational, and security measures to prevent unauthorised access, alteration, loss, or disclosure. Equivalent safeguards are required from contractual processors.

Version and Effective Date

This Privacy Policy constitutes version 2.0 and is applicable as of 22 January 2026.

VALENS INT. Proizvodnja in trženje d.o.o.