Data processing agreement (DPA)

This Data Processing Agreement (“DPA”) is entered into as of the Effective Date of the Agreement (the “DPA Effective Date“). In the event of conflict or inconsistency between the Agreement and this DPA, the DPA shall take precedence.

BETWEEN:

Centrum Cognito d.o.o., incorporated and registered in Slovenia with company number 8827567000 whose registered office address is at this date at Šarahova ulica 34, 2000 Maribor (“Centrum”, “we”, “us”, “our”) and the entity agreeing to this DPA (“Customer”, “you”, “your”), hereinafter collectively referred to as the “Parties” and individually as a “Party”.

 BACKGROUND

(A)  The Customer and Centrum entered into TINA ASSITANT PLATFORM TERMS OF SERVICE (“Agreement”) that requires Centrum to process Personal Data on behalf of the Customer.

(B)   This DPA sets out the additional terms, requirements and conditions on which the Parties will process Personal Data relating to the services provided under the Agreement.

AGREED TERMS

  1. DEFINITIONS AND INTERPRETATIONS

 The following definitions and rules of interpretation apply in this DPA.

1.1 Definitions:

Business Purposes: the processing services to be provided by Centrum to the Customer as described in the Agreement and any other purpose specifically identified in ANNEX A.     

Controller: has the meaning given to it in GDPR.

Data Protection Laws:

(a)     To the extent the ZVOP-2 applies, the law of Slovenia to which the Parties are subject, which relates to the protection of Personal Data.

(b)    To the extent the GDPR applies, the law of the European Union or any member state of the European Union to which the Parties are subject, which relates to the protection of Personal Data.

(d)    Any other Laws and regulatory requirements in force from time to time which apply to a Party relating to the use of Personal Data (including without limitation, the privacy of electronic communications; and the guidance and codes of practice issued by the relevant authority and which apply to a Party.

Data Subject: the identified or identifiable living individual to whom the Personal Data relates.

Centrum Data: any Personal Data that Centrum processes in connection with this DPA in the capacity of a controller.     

Professional Service: shall have the same meaning as defined under the Agreement.

Customer Data: means Personal Data provided by or on behalf of the Customer to Centrum, or that Centrum otherwise processes on behalf of the Customer in connection with the Agreement.

GDPR: the General Data Protection Regulation ((EU) 2016/679).

EEA: the European Economic Area.

Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Parties as a result of, or in connection with, the provision of the services under the Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual, including health data as defined under the GDPR and ZVOP-2 and includes any equivalent definition in the Data Protection Laws.                   

Processing, processes, processed, process: (whether or not capitalised) means any activity that involves the use of Personal Data. It includes but is not limited to, any operation or set of operations that are performed on the Personal Data or sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as defined under the GDPR and ZVOP-2 and includes any equivalent definition in the Data Protection Laws. Processing also includes transferring Personal Data to third parties.

Personal Data Breach: means a breach of security leading to the accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data and includes any equivalent definition in the Data Protection Laws.

Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller and includes any equivalent definition in the Data Protection Laws.

Purposes: the purpose for which the Customer Data is processed, as set out in Clause 

Records: has the meaning given to it in Clause 12.             

Term: This DPA’s term as defined in Clause 10.           

1.2     This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.

1.3     The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

1.4     A reference to writing or written includes email.

1.5     In the case of conflict or ambiguity between:

(a)    any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;

(b)    the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and

(c)    any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail.

  1. PERSONAL DATA TYPES AND PROCESSING PURPOSES

2.1     Both parties will comply with all applicable requirements of applicable Data Protection Laws. This clause is in addition to and does not relieve, remove or replace, a Party’s obligations or rights under applicable Data Protection Laws.

2.2     The Customer and Centrum agree and acknowledge that for the purpose of the Data Protection Laws:

(a)     Centrum shall act as Controller in respect of the Personal Data and processing activities set out in Part 1 Annex A

(b)     Centrum shall process the Personal Data set out in Part 2 of Annex A, as a Processor on behalf of the Customer in respect to the processing activities set out in Part 2 of Annex A.

2.3     Should the determination in Clause 2.2 change, then each Party shall work together in good faith to make any changes which are necessary to Clause 2.2 or the related schedules.

2.4    Without prejudice to the generality of Clause 2.1, the Customer will ensure that it has all necessary appropriate consents and notices in place or other legal basis to enable lawful transfer of the Customer Personal Data to Centrum for the duration and purposes of the Agreement and this DPA.

2.5     In relation to the Customer Data, Part 2 (Annex A) sets out the scope, nature, and purpose of processing by Centrum, the duration of the processing, and the types of Personal Data and categories of Data Subjects.

  1. CENTRUM ACTING AS PROCESSOR AND CUSTOMER AS CONTROLLER

Centrum’s obligations

Without prejudice to the generality of Clause 2.1, Centrum shall, in relation to Customer Data:

3.1     Centrum will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the provisions of DPA (Part 2, Annex A). The Centrum will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Laws.

3.2     Centrum must comply promptly with any Customer written instructions requiring Centrum to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing. Centrum shall inform Customer immediately if it considers in its opinion that any of Customer’s instructions infringe applicable Data Protection Laws.

3.3     Centrum will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Customer or this DPA specifically authorises the disclosure, or as required by the laws of Slovenia, EU laws or court or regulator. If the laws of the Slovenia, EU laws or court or regulator require Centrum to process or disclose the Personal Data to a third-party, Centrum must first inform the Customer of such legal or regulatory requirement and allow the Customer to object or challenge the requirement, unless the laws of Slovenia or EU law prohibit the giving of such notice.

3.4     Centrum will reasonably assist the Customer, (taking into account the nature of the processing and the information available to the Centrum), and at the Customer’s cost and written request, in responding to any request from a Data Subject and in ensuring the Customer’s compliance with its obligations under applicable Data Protection Laws with respect to security, breach notification, impact assessments and consultations with supervisory authorities or regulators. 

3.5     Centrum must notify the Customer promptly of any changes to the Data Protection Laws that may reasonably be interpreted as adversely affecting Centrum’s performance of the Agreement or this DPA.

  1. Centrum’s Personnel

4.1     Centrum will ensure that all personnel with access to Customer Data:

(a)    are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;

(b)    have undertaken training on the Data Protection Laws and how it relates to their handling of Personal Data and how it applies to their particular duties; and

(c)    are aware of both Centrum’s duties and their personal duties and obligations under the Data Protection Laws and this DPA.

4.2     Centrum will take reasonable steps to ensure the reliability, integrity and trustworthiness of all of Centrum’s Personnel with access to the Personal Data.

  1. Security

5.1     Centrum must implement appropriate technical and organisational measures, including (without limitation) those set out in Annex B, to protect against unauthorised or unlawful processing of Customer Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data having regard to the state of technological development and the cost implementing any measures.

5.2    Centrum must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

(a)    the pseudonymisation and encryption of Personal Data;

(b)    the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c)    the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

(d)    a process for regularly testing, assessing and evaluating the effectiveness of security measures.

  1. Personal data breach

6.1     Centrum will without undue delay notify the Customer in writing on becoming aware of a Personal Data Breach involving the Customer’s Data, including (without limitation):

(a)    the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. Centrum will restore such Personal Data as soon as possible.

(b)    any accidental, unauthorised or unlawful processing of the Personal Data; or

(c)    any other Personal Data Breach.

6.2     Where Centrum becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:

(a)    description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and the approximate number of both Data Subjects and the Personal Data records concerned;

(b)    the likely consequences; and

(c)    a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

6.3     Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the Parties will coordinate with each other to investigate the matter. Further, the Centrum will reasonably co-operate with the Customer in the Customer’s handling of the matter, including but not limited to:

(a)    assisting with any investigation;

(b)    providing the Customer with physical access to any facilities and operations affected;

(c)     facilitating interviews with Centrum’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors;

(d)    making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by the Customer; and

(e)    taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.

6.4     The Centrum will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer’s written consent, except when required to do so by Data Protection Laws.

6.5    The Parties shall assess and determine:

(a)    whether to provide notice of the accidental, unauthorised or unlawful processing and/or the  Personal Data Breach to any Data Subjects, in-scope regulators, law enforcement agencies or others, as required by law or regulation, including the contents and delivery method of the notice; and

(b)    whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.6     Centrum will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 except to the extent the matter arose from the Customer’s specific written instructions, negligence, wilful default, or breach of this DPA, in which case the Customer will cover reasonable expenses.

6.7     Centrum will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Centrum caused such incident, including all costs of notice and any remedy as set out in Clause 6.5.

  1. Cross-border transfers of personal data

7.1.   Any transfer of personal data to a third country (i.e. a country outside the European Economic Area) or an international organization by the processor will take place based on the documented instructions of the controller and will comply with the provisions of Chapter V of the GDPR.

7.2.    In the event of the transfer of personal data to a third country or international organization, where the processor has not received the controller’s instructions for this, but they are required by the law of the Union or the member states that apply to the processor, the processor will inform the controller of the relevant legal requirement before starting the processing of personal data unless that legislation prohibits such notification on important grounds in the public interest.

To the extent the Parties transfer personal data outside of the EEA or the UK any Personal Data subject to the EU GDPR and UK GDPR, they do so only in accordance with this DPA and execution of SCCs if required.

7.3     Processor without documented instructions from the operator, e.g. approval by the controller or specific requirements under Union or Member State law applicable to the processor, within the scope of the OP may not:

(a) transfer personal data to a controller or processor in a third country or international organization;

(b) transfer personal data to a sub-processor in a third country or international organization;

(c) enable the processing of personal data by a processor in a third country or an international organization.

7.4.    The processor may only process, or permit the processing, of the Personal Data outside the EEA and UK under the following conditions:

(a)     the processor is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals. The Processor must identify in Annex A the territory that is subject to such adequacy regulations; or

(b)     the processor participates in a valid cross-border transfer mechanism under the Data Protection Laws so that the processor (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR. The Processor must identify in Annex A the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Processor must immediately inform the Customer of any change to that status; or

(c)     the transfer otherwise complies with the Data Protection Laws for the reasons set out in Annex A.

7.5.    If any Personal Data transfer between the Customer and the Processor requires the execution of SCCs to comply with the Data Protection Laws, the parties hereby enter the SCCs (which are incorporated by reference and form an integral part of this DPA) as amended by Annex C, and take all other actions required to legitimise the transfer.

7.6.    The Customer consents to the appointment by the Processor of a subcontractor located outside the EEA in compliance with the provisions of Clause 8 and authorises the Processor to enter into SCCs with the subcontractor. The Processor will make the executed SCCs available to the Customer on request.

7.7.    For the purposes of SSCs the Parties agree:

(a)    to observe the terms of the SSC without modifications (subject to Annex C);

(b)    that the names and addresses of each Party shall be considered to be incorporated into the SSC;

(c)    that their signatures to the DPA shall be considered signatures to the SSCs.

7.8.    In the event the SSCs are amended, replaced, or repealed by a supervisory authority under Data Protection Laws, the Parties shall work together in good faith to enter into any updated version of the SSCs (to the extent required) or negotiate in good faith a solution to enable the transfer of personal data to be conducted in compliance with EU GDPR and UK GDPR. If at any time either Party becomes aware that the transfer of personal data may result in an increase in the risk of any public, private or governmental body in any country mandating or obtaining access to the personal data, the parties shall work together to ensure the execution of an addendum to the SSCs which will enhance the protection afforded o the personal data.

  1. Subcontractors

8.1     The Customer hereby provides its prior, general authorisation for Centrum to:

8.1.1       appoint those processors (“Sub-Processors”) listed in Annex A to process the Customer’s Personal Data, provided that Centrum:

(i)           shall ensure that the terms on which it appoints such Sub-Processors comply with applicable Data Protection Laws, and are consistent with the obligations imposed on Centrum in Clause 2;

(ii)          shall remain responsible for the acts and omission of any such Sub-Processors as if they were the acts and omissions of Centrum; and

(iii)         shall inform the Customer of any intended changes concerning the addition or replacement of the Sub-Processors, thereby giving the Customer the opportunity to reasonably object to such changes provided that if the Customer reasonably objects to the changes Centrum will not share Customer Data with the objected to Sub-Processor for a period of one (1) month after adding or replacing the Sub-Processor. The Customer has the option to terminate the Agreement with the Centrum within such timeframe. After the (1) one month period, Centrum will assume the Customer agrees with the newly added Sub-Processor.

  1. Complaints, data subject requests, and third-party rights

9.1.   Centrum must take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

9.1.1. the rights of Data Subjects under the Data Protection Laws, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

9.1.2. information or assessment notices served on the Customer by the Commissioner or other relevant regulator under the Data Protection Laws.

9.2.    Centrum must notify the Customer immediately in writing if it receives any complaint, notice, or communication that relates directly or indirectly to the processing of the Personal Data or either party’s compliance with the Data Protection Laws.

9.3.   Centrum must notify the Customer promptly if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Laws.

9.4.   Centrum will give the Customer, its full cooperation and assistance in responding to any complaint, notice, communication, or Data Subject request.

9.5.   Centrum must not disclose the Personal Data to any Data Subject or a third party other than in accordance with the Customer’s written instructions, or as required by domestic or applicable Data Protection Laws.

  1. Term and termination

10.1.  This DPA will remain in full force and effect so long as:

10.1.1. the Agreement remains in effect; or

10.1.2. Centrum retains any of the Personal Data related to the Agreement in its possession or control (“DPA Term”).

10.2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after the DPA Term in order to protect the Personal Data will remain in full force and effect.

10.3.  Centrum’s failure to comply with the terms of this DPA is a material breach for the purposes of Clause 10.3 of the Agreement.

10.4.  If a change in any Data Protection Laws prevents either party from fulfilling all or part of its DPA obligations, the Parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the Parties are unable to bring the Personal Data processing into compliance with the Data Protection Laws, either Party may terminate the Agreement on not less than 30 working days on written notice to the other Party.

  1. Deletion or return, and destruction of the data

11.1.   At the Customer’s request, Centrum will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

11.2.  On termination of the Agreement for any reason or expiry of its term, Centrum will securely delete or destroy all or any of the Customer Data related to this DPA in its possession or control unless Centrum is required by the applicable law to continue to process the Customer Data, namely to comply with medical devices and retention obligations.

11.3.   Centrum will give the Customer 30 days to export and delete Customer Data after the termination date (“Exporting Period”). After the Exporting Period ends Centrum will delete or destroy Customer Data as per Clause 11.2.

11.4. The Customer is solely responsible for storing any data, including, Customer Data received through the Platform and to comply with the rights of Data Subjects under the Data Protection Laws, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, or any other legal requirements related to the processing when providing the Professional Services.

11.5. If any law, regulation, or government or regulatory body requires Centrum to retain any documents, materials, or Personal Data that Centrum would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

  1. Records

12.1. Centrum will keep detailed, accurate, and up-to-date written records regarding any processing of the Customer Data, including but not limited to, the access, control, and security of the Customer Data, approved Sub-Processors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 5.1 (“Records”) until the deletion as per Clause 11.2 occurs after which point the data will become unretrievable.

12.2.  Centrum will ensure that the Records are sufficient to enable the Customer to verify Centrum’s compliance with its obligations under this DPA and the Data Protection Laws and Centrum will provide the Customer with copies and/or access to the Records upon request.

12.3. The Customer and Centrum must review the information listed in the Annexes to this DPA to confirm its current accuracy and update it when required to reflect current practices.

  1. Audit

 13.1. Centrum will permit the Customer and its third-party representatives to audit Centrum’s compliance with its Agreement obligations, on at least thirty (30) days’ notice, during the DPA Term. Centrum will give the Customer and its third-party representatives all necessary assistance to conduct such audits at no additional cost to the Customer. The assistance may include but is not limited to:

13.1.1.    remote electronic access to, and copies of the Records and any other information held at Centrum’s premises or on systems storing the Personal Data;

13.1.2.    access to and meetings with any of Centrum’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and

13.1.3.    inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment, or application software used to process the Personal Data.

13.2. The notice requirements in Clause 13.1 will not apply if the Customer reasonably believes that a Personal Data Breach has occurred or is occurring, or Centrum is in material breach of any of its obligations under this DPA or any of the Data Protection Laws.

13.3.  If a Personal Data Breach occurs or is occurring, or Centrum becomes aware of a breach of any of its obligations under this DPA or any of the Data Protection Laws, Centrum will:

13.3.1.    promptly conduct its own audit to determine the cause;

13.3.2.    produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;

13.3.3.    provide the Customer with a copy of the written audit report; and

13.3.4.    remedy any deficiencies identified by the audit.

 13.4.  At least once a year, Centrum will conduct audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.

13.5. On the Customer’s written request, Centrum will make all of the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as Centrum’s confidential information under the Agreement.

13.6. Centrum will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by Centrum’s management.

  1. Warranties

 14.1.   The Parties warrant and represent that:

14.1.1.    its employees, subcontractors, agents, and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Laws;

14.1.2.    it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Laws and other laws, enactments, regulations, orders, standards, and other similar instruments;

14.1.3.    it has no reason to believe that the Data Protection Laws prevent it from providing any of the Agreement’s contracted services; and

14.1.4.  considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful processing of Personal Data and the loss or damage to, the Personal Data, and ensure a level of security appropriate to:

14.1.4.1.      the harm that might result from such accidental, unauthorised or unlawful processing and loss or damage;

14.1.4.2.      the nature of the Personal Data protected; and

14.1.4.3.      comply with all applicable Data Protection Laws and its information and security policies, including the security measures required in Clause 5.1.

14.2.            The Customer warrants and represents that Centrum’s expected use of the Personal Data for the Business Purposes complies with the Agreement and this DPA will comply with the Data Protection Laws.

14.3   The Customer is responsible for ensuring that each Data Subject actively consents to the data processing as per this DPA, or that an alternative legal basis can be relied upon before any data is shared with the Platform. This includes obtaining any end user consent the Customer is legally or contractually required to obtain from its end users also including Centrum data processing as well as ensuring the exercise of any other legislative rights (for example data retention, GDPR requests, or any similar legislation on the applicable territory etc.).

  1. Indemnification

 15.1.  Each of the Parties agrees to indemnify, keep indemnified and defend at its own expense the non-breaching Party against all costs, claims, damages or expenses incurred by such Party or for which such Party may become liable due to any failure of the breaching Party or its employees, subcontractors or agents to comply with any of its obligations under this DPA and/or the Data Protection Laws.

15.2.  Any limitation of liability set forth in the Agreement will not apply to this DPA’s indemnity or reimbursement obligations.

15.3.  Each Party’s total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of its obligations set out in this DPA, or applicable Data Protection Laws shall be limited to five (5) x the total amount paid by the Customer to Centrum as per the Agreement in one (1) year prior to the breach taking place.

  1. Notice

 16.1.  Any notice or other communication given to a party under or in connection with DPA must be in writing and delivered to the address for notice as defined within the Agreement.

16.2.  Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

 

 

ANNEX APERSONAL DATA PROCESSING PURPOSES AND DETAILS

Part 1WHERE CENTRUM ACTS AS A CONTROLLER 

  • Purpose and nature of processing:
  • for administration and billing purposes

–        for security purposes (so that we can intervene in case of security breaches, check bugs and crashes, etc.)

–        for analytics purposes on the Site

–        for marketing purposes

1.2. Duration of Processing: as long as necessary to carry out Business Purposes and legal requirements. For the avoidance of doubt, Centrum shall only process personal data for internal analytics used to improve the Site.

 1.3. Personal Data Categories:

 Customer Data

  • Professionals and Personnel’s Personal Data:

DIRECTLY IDENTIFIABLE INFORMATION: full name, telephone number, email address, and bank account information.

INDIRECTLY IDENTIFIABLE PERSONAL DATA:  postal address, identifiers: Customer ID, Client ID, IP address, location (country, region – not specific enough to identify the street), time zone, analytics ID.

OTHER CATEGORIES:

Technical information: User-agent (client information about type and version), Centrum unique identifiers (Customer ID, Client ID), records of events with technical Information.

Analytical information: ​​user agent (client information about type and version), analytic (client) ID timestamp, country code, country name.

  • Client’s Personal Data

 DIRECTLY IDENTIFIABLE INFORMATION: full name, telephone number, email address.

INDIRECTLY IDENTIFIABLE PERSONAL DATA: identifiers: Centrum identifiers (Customer ID, Client ID), date of birth, sex, gender, curatorship relationship, nationality, language, marital status, employment status, postal address.

HEALTH DATA. Any type of health data Costumer collects from the Client and inserts into the Platform, such as anamnesis, current health condition, diagnosis, medications, health data collected through audio recordings (transcriptions) and any other health data collected when performing therapy with the Client.

1.4. Data Subject Types: Customer, Client, Visitor of the Site

 1.5.  Legal basis: contract performance (administration and billing purposes), legitimate interests (security purposes), consent (marketing, analytics)

1.6. Centrum’s processors

 Google Analytics

Name: Google LLC

Registered address: 600 Amphitheatre Parkway, Mountain View, California, 94043

Data processing purpose: website analytics

Data processing territory: EU

 Mailchimp

Name: The Rocket Science Group LLC

Registered address: 675 Ponce De Leon Ave NE Suite 5000, Atlanta, GA 30308, United States

Data processing purpose: sending out newsletters

Data processing territory: ZDA

Part 2WHERE CENTRUM ACTS AS A PROCESSOR

2.1. Subject matter of processing: to carry out Parties’ rights and obligations under the Agreement (“Permitted Purpose”).

2.2. Duration of Processing: the DPA Term (or longer to comply with a requirement of applicable law to which the Parties are subject).

2.3. Nature of Processing:

2.3.1. The Parties acknowledge and agree that in respect of any Personal Data which are to be processed in respect of the matters relating to the Agreement, the Customer shall act as a Controller and Centrum as a Processor.

The Controller shall:

–        only share Personal Data for the purpose which is consistent with the Permitted Purpose;

–        ensure that it has:

(i)     complied with the transparency requirements of applicable Data Protection Laws by providing the required information to Data Subjects where applicable (including its transfer to the other Party under this DPA or to a third party contracting with Centrum); and

(ii)    a valid legal basis for Processing any Personal Data, including its transfer to the Centrum;

–        only share any Special Categories of Personal Data to Centrum where necessary for the Permitted Purpose and then only have obtained the explicit prior consent of the relevant Data Subjects, or established (to the satisfaction of Centrum) an alternative lawful basis for the disclosure.

The Processor shall:

–        not Process Personal Data in a way that is incompatible with the Permitted Purposes (other than to comply with a requirement of applicable law to which Processor is subject);

–        not Process Personal Data for longer than is necessary to carry out the Permitted Purposes (other than to comply with a requirement of applicable law to which Processor is subject); and

–        taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, have in place appropriate technical and organisational security measures to protect the Personal Data against unauthorised or unlawful Processing, or accidental loss or destruction or damage.

2.4. Personal Data Categories:

 Categories of Personal Data that Centrum processes on behalf of the Customer when providing its Platform to the Customer.

 Customer Data

  • Professionals and Personnel’s Personal Data:

DIRECTLY IDENTIFIABLE INFORMATION: full name, telephone number, email address, and bank account information.

INDIRECTLY IDENTIFIABLE PERSONAL DATA:  postal address, identifiers: Customer ID, Client ID.

OTHER CATEGORIES:

Technical information: User-agent (client information about type and version), Centrum unique identifiers (Customer ID, Client ID), records of events with technical Information.

  • Client’s Personal Data

 DIRECTLY IDENTIFIABLE INFORMATION: full name, telephone number, email address.

INDIRECTLY IDENTIFIABLE PERSONAL DATA: identifiers: Centrum identifiers (Customer ID, Client ID), date of birth, sex, gender, curatorship relationship, nationality, language, marital status, employment status, postal address.

HEALTH DATA. Any type of health data Costumer collects from the Client and inserts into the Platform, such as anamnesis, current health condition, diagnosis, medications, health data collected through audio recordings (transcriptions) and any other health data collected when performing therapy with the Client.

Data Subject Types: Customer, Client

 Legal basis: Contract performance.

 Business Purposes: as per the Agreement.

 

  1. Approved Subcontractors used by the Centrum:

With the Effective Date of the DPA, the controller approves the use of the services of the following sub-processors:

Amazon Web Services

Name: Amazon Web Services Inc.

Registered address: 410 Terry Avenue North, Seattle, WA 98109-5210, ZDA

Data processing purpose: hosting services

The territory of data processing: EU

 Google Speech-to-Text

Name: Google Cloud EMEA Limited

Registered address: 70 Sir John Rogerson’s Quay, Dublin 2, Ireland

Data processing purpose: transcription services

 The territory of data processing: EU

The controller authorizes the use of the services of the above-mentioned sub-processors for the processing of personal data for the processing described for Centrum.

ANNEX B – SAFETY MEASURES

 Taking into account that the processing of personal data includes personal data, the processing of which must take place in accordance with the provisions of Article 9 of the General Data Protection Regulation on “special types of personal data”, a high level of security must be ensured.

The processor is entitled and obliged to make decisions about the technical and organizational data security measures implemented to ensure the necessary (and agreed) level of data security.

Regardless of the above, the processor will in any case ensure at least the following measures, which are agreed upon with the controller:

  1. MEASURES OF PSEUDONYMIZATION AND ENCRYPTION OF PERSONAL DATA

The processing of personal data must – to the greatest extent possible – take place in such a way that the data can no longer be attributed to a specific person without reference to additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures.

Pseudonymization. Centrum enables the provision of Platform Services with the help of identifiers to avoid personal identification Each Customer receives its ID (User ID) upon registration of the Account. Each Customer’s Client also receives its ID (Client ID). Centrum has implemented and tested the access control list (ACL) at the application level, which allows access to Accounts and information about the Clients only to those Customers who authenticate themselves correctly. This means that the Customer can only access the data related to its Customer ID and in no event can access other Customer Accounts and/or information about other Customer’s Clients. In limited cases, when it is necessary for the safety of Customers or critical system problems, Centrum’s authorised personnel can access personal data together with health data.

Encryption at rest. To ensure privacy, we securely encrypt, limit and restrict access to personal information. We encrypt all data at rest and all personally identifiable information is double-encrypted with two keys at the infrastructure and application levels. We have restricted access to production environments and monitoring of the Customer’s activities. Data is encrypted and protected by keys, and we have included commercially reasonable efforts to ensure that Customer data remains secure while we process it. The customer is aware that no security measure is 100% secure.

Transfer encryption. When transferring sensitive personal data, it is considered that the data is adequately secured if it is transmitted using cryptographic methods in such a way that its illegibility or un recognizability during transmission is ensured. Audio recordings for the transcription service are sent via the gRPC protocol.

Transfer control. Several measures have been designed and implemented to ensure that personal data cannot be read, copied or modified during electronic transmission or transport or storage on disk. These include the following:

– TLS encryption of all communications (web client, APIs) – Encryption of storage of the rest of the database and content of the shared file storage                                         

– Double encryption of personally identifiable data that requires platform- and application-level credentials to decrypt                                          

– Creation of VPN tunnels and secure proxies for remote access to administrative internal systems                               

– Separation of development, test and production network                                          – Documentation of data recipients and periods for data provision, including deletion times where applicable.

Input control. The purpose of input control is to ensure that appropriate measures are taken that enable subsequent verification and identification of the specific circumstances in which the data was entered.

– Data access is protected by role-based access control using centralized authorization against the appropriate identification provider. Access is controlled and allocated separately between development, test and production environments.                            

– Access to data in production environments is limited to essential personnel.                                    

– All data entered is transmitted over the network using encryption protocols such as HTTP/TLS.                                  

– The use of systems to access or edit data in all environments is recorded in technical logs, including the user identifier.                                       – Where applicable, the version history of data updates is kept in the systems so that it is possible to view the history of all updates and undo any change.

 

  1. MEASURES FOR ENSURING ONGOING CONFIDENTIALITY, INTEGRITY AND AVAILABILITY AND RESILIENCE OF PROCESSING SYSTEMS AND SERVICES.

Data Storage Infrastructure. Centrum processes data with the help of identifiers, namely User ID and Client ID, to avoid personal identification, which means that Centrum never directly identifies the User or its Clients during the provision of Platform Services. In limited cases, when it is necessary for the safety of Users or critical system problems, authorized personnel of the Center can access personal data together with health data.

We keep the data for as long as it is necessary to provide the Platform Services to the User.

Confidentiality. The processor only grants access to personal data that it processes on behalf of and on behalf of the controller to those persons under the control of the processor who has committed to confidentiality or is legally bound by confidentiality and only based on the demonstrated need for access to the data. The list of persons who are granted access to personal data will be regularly reviewed. Based on regular checks, access to personal data will be terminated if it is no longer necessary, whereby personal data will no longer be accessible to the persons concerned.

At the controller’s request, the processor will demonstrate that the relevant persons under the control of the processor are bound by the above confidentiality requirements and have access to the data only when there is a need to access personal data.

Sub-processors are bound to data confidentiality by contracts that include confidentiality obligations.

 

  1. MEASURES FOR ENSURING THE ABILITY TO RESTORE AVAILABILITY AND ACCESS TO PERSONAL DATA IN A TIMELY MANNER IN THE EVENT OF A PHYSICAL OR TECHNICAL INCIDENT.

Incident Management. In the event of an incident, Centrum will notify the Customer in a timely manner about the event and Centrum’s technical team will strive to solve the incident as soon as possible. After a successfully resolved incident, Centrum prepares an independent report and analyses the incident’s causes to prevent a possible recurrence.

Recovery and Response. To prevent data loss in the event of an incident, Centrum performs regular database backups in production environments. This way, Centrum can restore all data that would otherwise mean data loss in the event of an incident.

 

  1. PROCESSES FOR REGULAR TESTING, ASSESSING, AND EVALUATING THE EFFECTIVENESS OF TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF PROCESSING.

Security monitoring and testing. To ensure the security of processing, we engage third-party providers for penetration testing (security testing) – a controlled form of hacking in which a professional tester working on behalf of an organization uses the same techniques as a criminal hacker to find vulnerabilities. in company networks or applications. During security testing, the third-party provider may have access to personally identifiable information. Security testing providers are contractually obligated to implement all necessary technical and organizational measures to protect data and may not pass it on to third parties or use it for purposes other than security testing for us.

 

  1. MEASURES TO PREVENT UNAUTHORISED ACCESS TO PERSONAL DATA

 Access control. System access control aims to prevent the accidental or intentional destruction of data, its alteration or loss, and unauthorized processing of personal data.

Access to the infrastructure is via AWS. All access activities are recorded and monitored, and logins to the User Account are performed only via HTTP.

All Accounts are password protected and have two-factor authentication.

Only production has “live” data.

Networking and access control related to development, test, and production environments are separate. Customers and testers are granted access to the development environment as needed for testing, but not access to the production environment or environments that have data similar to production.

 

  1. MEASURES FOR THE PROTECTION DURING TRANSMISSION

Transfer encryption. When transferring sensitive personal data, it is considered that the data is adequately secured if it is transmitted using cryptographic methods in such a way that its illegibility or un recognizability during transmission is ensured. Audio recordings for the transcription service are sent via the gRPC protocol.

Encryption at rest. To ensure privacy, we securely encrypt, limit and restrict access to personal information. We encrypt all data at rest and all personally identifiable information is double-encrypted with two keys at the infrastructure and application levels. We have restricted access to production environments and monitoring of the Customer’s activities. Data is encrypted and protected by keys, and we have included commercially reasonable efforts to ensure that Customer data remains secure while we process it. The customer is aware that no security measure is 100% secure.

 

  1. MEASURES FOR DATA PROTECTION DURING STORAGE

 AWS. Centrum uses the AWS service for storage. AWS undertakes a) to use the data only to provide its storage services; b) that the data will not be disclosed to any third party; c) that it restricts its staff from processing data without their permission; d) to maintain control over the correction, blocking, deletion and retrieval of data; e) that he is responsible for the implementation and maintenance of technical and organizational measures; f) that it is certified in accordance with ISO 27001 and agrees to maintain an information security program for services that comply with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001, for the establishment, implementation, monitor and improve AWS security standards; and g) may use sub-processors, but will limit their access to only the purposes of offering the AWS Services. AWS continuously maintains a high level of security and compliance across all of our global operations.

 

  1. MEASURES FOR ENSURING EVENTS LOGGING.

 To provide a complete audit trail, we log every access to data. Logging of accesses must be such that it enables subsequent verification of who accessed, when and to which personal data; the identification of the person who came into contact with the data must be unique, i.e. it must refer to an individual concrete person.

Shopping Cart
Scroll to Top
1Create an account
2Create your Organization
3Set up your Profile
4Tell us about yourself
5Bank account details

Get Started for Free

Terms & Conditions

General conditions of online purchases by Centrum cognitio d.o.o. are compiled in accordance with the Personal Data Protection Act (ZVOP-1-UPB1), in accordance with the European Regulation on the Protection of Personal Data (GDPR) and based on the recommendations of the Chamber of Commerce and Industry and international e-business codes.

The online store www.shop.tina-assistant.com (hereinafter the “store”) is managed by the company Centrum cognitio d.o.o., a provider of e-business services (hereinafter the “provider”). When registering in the system, the visitor obtains a username, which is the same as his e-mail address, and a password. The user name and password unambiguously determine and associate the user with the entered data. By registering, the visitor becomes a user and acquires the right to purchase.

The general terms and conditions deal with the operation of the online store, the user’s rights and the business relationship between the provider and the customer.

INFORMATION ABOUT THE COMPANY

Centrum cognitio d.o.o.

Šarhova ulica 34

2000 Maribor

Slovenia

Tax number: 22203290

Identification number: 8827567000

Access to information (legislation summary)

The provider undertakes to always provide the customer with the following information:

  • company identity (company name and registered office, register number),
  • contact information that enables the user to communicate quickly and efficiently (e-mail, telephone),
  • essential characteristics of goods or services (including after-sales services and guarantees),
  • product availability (every product or service offered on the website should be available within a reasonable time),
  • conditions of product delivery or service performance (method, place and deadline of delivery),
  • all prices must be clearly and unequivocally determined and it must be clearly shown whether they already include taxes and transport costs, the method of payment and delivery, the time validity of the offer,
  • the period during which it is still possible to withdraw from the contract and the conditions for withdrawal; in addition, also about if and how much it costs the customer to return the product,
  • explanation of the complaint procedure, including all information about the contact person or customer service department.

Offer of articles

Prices are presented as Regular prices and Online prices.

Regular prices are usually the manufacturer’s or importer’s recommended selling prices or prices that the provider himself creates.

The online price is the price that applies to online purchases, for contractual partners (contractual discount and payment term), for new or non-contractual customers in case of immediate 100% cash payment.

Payment methods

The provider allows the following payment methods:

  • with a Mastercard/Visa credit card via PayPal and Stripe (online price applies),
  • by bank transfer to the store manager’s account – Centrum cognitio d.o.o. (according to the offer / preliminary invoice) (the online price applies), the provider issues an invoice to the customer on a permanent medium, with itemized costs,

The sales contract (order) is stored in electronic form on the provider’s server and is accessible to the customer at any time in his user profile.

Prices

All prices are clearly stated in all forms – including VAT, regular price, online price, unless explicitly stated otherwise.

Prices are valid at the time of placing the order, if the item is in stock and have no future validity.

The prices are valid in the case of payment with the above-mentioned payment methods, under the above-mentioned conditions.

Despite our best efforts to provide the most up-to-date and accurate information, it may happen that the price information is incorrect. In this case, or in the event that the price of the item changes during the processing of the order, the provider will allow the buyer to withdraw from the purchase, and at the same time, the provider will offer the buyer a solution that will be mutually satisfactory.

The purchase contract between the provider and the buyer is concluded the moment the provider confirms the order (the buyer receives an email about the status of the order confirmed). From this moment on, all prices and other conditions are fixed and apply to both the provider and the buyer.

Purchase process

ACCEPTED; After submitting the order, the buyer receives a notification by e-mail that the order has been accepted into the queue. At this step, the buyer has the opportunity to cancel the order within one hour. The customer can always access comprehensive information on the status and content of the order on the provider’s website.

Warranty

Items have a warranty if it is stated so on the warranty card or invoice. The guarantee is valid if the instructions on the guarantee sheet are followed and upon presentation of the invoice. The warranty periods are indicated on the warranty sheets or on the invoice.

Warranty information is also provided on the article presentation page. If there is no warranty information, the item does not have a warranty or the information is currently unknown. In the latter case, the buyer can contact the provider, who will provide up-to-date information.

Safety

The provider uses appropriate technological and organizational means to protect the transfer and storage of personal data and payments.

Protection of personal data

We pay special care and attention to your personal data. All data that you enter when ordering is carefully protected and we will not pass it on to third parties under any circumstances. We strive to ensure that our online stores comply with regulations and are aware of the sensitive nature of this area.

The manager of the online store www.shop.tina-assistant.com, Centrum cognitio d.o.o., is in accordance with the Personal Data Protection Act (ZVOP-1-UPB1) ) and in accordance with the European Regulation on the Protection of Personal Data (GDPR) committed to protecting personal data of its users.

For the purposes of operating online stores, www.shop.tina-assistant.com collects the following user data:

  • name and surname,
  • address and place of residence,
  • email address (your username),
  • contact phone number,
  • password in encrypted form,
  • and other data that users enter in the forms on the shop.tina-assistant.com online store

We are not responsible for the accuracy of data entered by users.

For the purposes of ensuring security, the IP addresses from which users access online stores are also collected. At the start of the visit, each user is assigned a session cookie for identification and monitoring of the shopping basket. Online stores can store other cookies on your computer, among others, such as cookies from the Google Analytics system (analysis of website visits).

All the mentioned data, except for cookies, are stored on the server of Centrum cognitio d.o.o. are stored permanently. Session cookies are stored in the server memory only for the duration of the visit and are deleted after one hour of inactivity, while permanent cookies are stored on the visitor’s computer and are valid for a maximum of 2 years.

The administrator of the online stores www.shop.tina-assistant.com can use the data in an anonymized summary form for statistical analysis purposes. Centrum cognitio d.o.o. under no circumstances will it hand over user data to unauthorized persons. The delivery service (e.g. Pošta Slovenije, GLS) will only be trusted with the user’s delivery address. We will contact the user via remote communication means only if the user does not expressly object to this.

Exceptional disclosure of personal information

Data provided by Centrum cognitio d.o.o. collects and processes, will only be disclosed if such an obligation is stipulated by law, or in good faith that such action is necessary for proceedings before courts or other state authorities and for the protection and realization of the legal interests of the company Centrum cognitio d.o.o.

About cookies

What are cookies and why are they needed?

A cookie is a short text that the online store sends to the browser (Firefox, IE Explorer, Edge, Opera, etc.) when you visit. In this way, the online store recognizes you and thus remembers the information about your visit and provides you with a friendly and simpler online service. With the help of cookies, we adjust the content on our website, remember your preferences and record your visit to our online store. Browsing our online store is more pleasant, faster and above all more efficient with cookies.

List of cookies we use

Google Analytics sets the following cookies:

_ga 2 years This randomly generated number is used to determine unique visitors to our website.

_gid 24 hours This randomly generated number is used to determine unique visitors to our website.

_gat 1 minute Limiting the frequency of requests.

Termination of user account

If you want to terminate your user account on shop.tina-assistant.com online stores, you can do so by logging into your user account and selecting the option “Permanently delete my data” or by sending us a request by e-mail to [email protected]

The following information must be provided in the message:

In the subject of the message: Termination of user account

In the content of the order: a) name and surname of the user, b) address of the user, c) e-mail, with the help of which the user account was opened

The request to cancel the user account must be sent from the email address with which the user account was opened. We will notify you of the cancellation via email.

Communication

The provider will contact the user via means of remote communication only if the user does not expressly object to this.

Advertising emails will contain the following components:

  • will be clearly and unequivocally marked as advertising messages,
  • the sender will be clearly visible,
  • various campaigns, promotions and other marketing techniques will be marked as such. Also, the conditions of participation in them will be clearly defined,
  • the way to unsubscribe from receiving advertising messages will be clearly presented,
  • the provider will expressly respect the user’s wish not to receive advertising messages.

Disclaimer

The provider makes every effort to ensure that the information published on its pages is up-to-date and correct. Nevertheless, the characteristics of the items, the delivery time or the price can change so quickly that the provider fails to correct the information on the web pages. In such a case, the provider will inform the customer about the changes and allow him to withdraw from the order or exchange the ordered item.

Although the provider tries to provide accurate photos of the items for sale, all photos should be taken as symbolic. Photos do not guarantee product features.

Complaints and disputes

The provider complies with applicable consumer protection legislation and the Code of Obligations. The provider makes every effort to fulfill its duty to establish an efficient system for dealing with complaints and to designate a person with whom, in case of problems, the buyer can contact by phone or e-mail. All complaints are submitted in writing to the company’s address.

The provider will consider the complaint within the legal deadline and notify the buyer of the decision.

Delivery

The provider will deliver the goods or services within the agreed time.

The contractual partner for the delivery of shipments is Pošta Slovenije d.o.o. or GLS d.o.o., but the provider reserves the right to choose another delivery service if this will allow him to fulfill the order more efficiently. The goods can also be picked up in person at our company headquarters. The order must be received within 3 working days

The accompanying documentation contains all the necessary information regarding the address where the buyer can contact in the event of a complaint and information regarding guarantees and service or other services after the conclusion of the contract.

Delivery cost

Delivery is free for shipments whose total value exceeds €50.00 including VAT. For more information call our support team on 0038670 449 913 or email us at [email protected]

The consumer’s right to withdraw from the contract

The consumer (the above applies exclusively to natural persons who acquire the article for purposes outside of their commercial activity) has the right to notify the seller within 14 days of taking over the articles that he withdraws from the contract without having to give a reason for his decision. The deadline starts counting one day after the date of collection of the items.

Withdrawal from the contract is sent by the consumer to the seller’s e-mail address: [email protected]

The seller sends him the Form for withdrawing from the contract to his e-mail address.

In case of withdrawal from the contract, the consumer returns the received item by post to the address of the company’s warehouse: Centrum cognitio d.o.o., Šarhova ulica 34, 2000 Maribor, Slovenia or brings it to the address in person.

The return of the received items to the company within the withdrawal period is considered a notice of withdrawal from the contract.

The consumer must return the item to the seller undamaged and in the same quantity, unless the item is destroyed, damaged, lost or its quantity has decreased through no fault of the consumer. The consumer may not use the articles unhindered until the withdrawal from the contract. The consumer may inspect and test the items to the extent necessary to determine the actual condition. The consumer is responsible for a decrease in the value of the goods if the decrease is the result of conduct that is not absolutely necessary to determine the nature, properties and functioning of the goods.

The only cost charged to the consumer in connection with withdrawal from the contract is the cost of returning the items (which, in the case of shipping, is calculated according to the price list of the delivery service and depends on whether it is a shipment/package/cargo). The item must be returned to the seller no later than 30 days after the notification of withdrawal from the contract (purchase) was sent.

The consumer does not have the right to withdraw from the contract for contracts, the subject of which is an article that was manufactured according to the consumer’s precise instructions, that was adapted to his personal needs, that due to its nature is not suitable for return, that is perishable or that has already expired best before. There is no possibility of withdrawing from the contract if the consumer has in any way reduced the value of the device by using or damaging it or by an action that affects the integrity of the product.

Withdrawal from the contract is not possible for goods:

  • for goods or services, the price of which depends on fluctuations in the markets, over which the company has no influence and which may occur during the withdrawal period from the contract;
  • for goods that are manufactured according to the exact instructions of the consumer and adapted to his personal needs;
  • sealed goods that are not suitable for return due to health protection or hygiene reasons, if the consumer has opened the seal after delivery; (e.g. serums, creams and cleansing mousse)
  • goods which, due to their nature, are inseparably mixed with other objects;

The refund of payments made, including delivery costs (except for additional costs due to the choice of a type of delivery that is not the most affordable standard form of delivery offered by the company) will be made as soon as possible, but no later than within 14 days of receiving the notice of withdrawal from the contract . The company returns the received payments to the consumer using the same means of payment that the consumer used (which is most commonly by payment to a transaction account), unless the consumer has explicitly requested the use of a different means of payment and the consumer does not bear any costs as a result.

In case of withdrawal from the contract where a bonus, discount code or promotional code was used, these funds are considered as a discount and are not returned to the user. Only the paid amount is returned to the user. When withdrawing from the contract, the gift voucher is considered as a means of payment and is returned to the user as a gift voucher, and the amount paid is returned to the user.

In exceptional cases, when the items are not returned in accordance with the ZVPot, we can offer the consumer the purchase of the item with appropriate compensation, which is determined in the minutes upon return. The purchase with a reduced value is taken into account upon confirmation of the consumer by e-mail. The consumer benefits from the aforementioned redemption fee only when ordering another item of the same or higher value.

The right to a refund in the case of warranty claims and material defects is more precisely regulated by the provisions of the Consumer Protection Act (unofficial consolidated text).

Withdrawal by the consumer from the contract for items in the set

If the consumer decides to withdraw from the contract for the items that make up the set, he can request an exchange for the same set or a refund for the entire set. The consumer can exchange the item from the set in the event of a material defect or damage to the item, but cannot request a refund for it. In case of claiming the warranty of the item from the set, the manufacturer’s warranty period applies.

Returning items

More important instructions for returning items:

  • When you return the items to the seller (Centrum cognitio d.o.o.), you must attach a contract withdrawal form. Also attach a copy of the invoice.
  • You can return the items in person at the pick-up points or send them to the seller’s address, Centrum cognitio d.o.o., Šarhova ulica 34, 2000 Maribor, Slovenia.
  • We recommend that you use a delivery service that allows you to track the shipment and that you properly prepare the items for transport (you can use the original packaging or other suitable safe packaging).
  • Shipping costs are always covered by the sender, unless otherwise agreed in advance. We do not accept ransom payments.
  • In the case of returning the item, the buyer must properly protect the item before handing it over to the carrier. The item must be protected by the original packaging or packaging that can protect the item in the same way as the original packaging.

The funds you have in your Tina assistant account can only be used in full in one lump sum.

In case of withdrawal from the contract where a bonus, discount code or promotional code was used, these funds are considered as a discount and are not returned to the user. Only the paid amount will be returned to the user’s TRR or other means of payment, insofar as the user expressly requests this. When withdrawing from the contract, the gift voucher is considered as a means of payment and the amount is also returned to the user.

The obtained prize cannot be paid out or returned to the Tina assistant account under any circumstances.

Treatment of damaged shipments (compensation)

If, upon receiving the shipment, you noticed that the item or shipment is physically damaged, its contents are missing, or it shows signs of being opened, you can file a compensation procedure with the Post Office of Slovenia. You do this by bringing the shipment (packaging + contents) to the post office as soon as you notice the damage or looted shipment, no later than within 30 days of receiving the shipment. Please note at the post office that it is necessary to fill out the Record of Damaged Shipment, which you must also sign. After receiving all the necessary documentation, a claim for compensation is submitted to Pošta Slovenije. The request at Pošta Slovenije is processed by a commission and based on the answer or approval, the purchase price is refunded or a new item is ordered. Together with Pošta Slovenije, we will ensure that the compensation is resolved in the shortest possible time.

If the package was delivered to you by GLS and you find that the item or physical shipment is damaged, missing contents, or shows signs of being opened, you can file a claim for compensation. Damage must be reported within 7 calendar days from the date of receipt of the package to the e-mail address [email protected]. When reporting damage, we will also need photos of the package, (inner) packaging, damaged item, DHL label and a description of the damage.

Stock

You do not pay the delivery cost if you pick up the goods in person at our company headquarters.

If we do not have the item in stock in our warehouse, it will take longer for delivery. In this case, observe the following rules:

the expected delivery date is an informative data based on our experience with suppliers.

if the item is not in stock, please call 0038670 449 913 for availability information

if you order several items and the waiting time for some will be longer than for others, we will try to send the items that are in stock immediately, and the others after they are in stock.

If the waiting time is very long, you can withdraw from the purchase with a written notice. The price may change due to exchange rate movements or supplier price changes, in which case we will notify you in advance.

Reclamation

The buyer can complain about the goods if the goods do not have the prescribed characteristics, if the seller sent the wrong products, in the wrong quantity or if they deviate from the buyer’s order in any other way.

The buyer can complain about the goods within 15 days of the purchase and request an immediate replacement for the same, flawless item or within the statutory period and under the conditions for claiming a complaint due to a material defect.

In the event of a complaint, the buyer may, in accordance with legal restrictions, request a replacement of the item, its repair or a refund of the purchase price. In the latter case, the seller reserves the right to charge rent or depreciation according to the current price list for the time the buyer used the goods, but no more than the amount by which the market value of the item decreased during and as a result of use.

A condition for the initiation of the complaint procedure, due to a material defect, is a fully completed complaint record, with an attached copy of the invoice. You can request a complaint record by calling 0038670 449 913, we will send it immediately.

The buyer can return the goods for reclamation by bringing them in person or returning them by post at the seller’s expense and after prior agreement with the seller. If you want to return the goods at our expense, you must agree on this with the merchant, who will send a courier to your address to pick up the goods. A different method of refund at our expense is not possible. We do not accept ransom payments!

Out-of-court settlement of consumer disputes

The company Centrum cognitio d.o.o. in accordance with legal norms, it does not recognize any provider of out-of-court resolution of consumer disputes as competent for the resolution of a consumer dispute that the consumer could initiate in accordance with the Act on Out-of-Court Resolution of Consumer Disputes.

The company Centrum cognitio d.o.o. as a provider of goods and services engaged in online trade in the EU, publishes on its website an electronic link to the platform for the online resolution of consumer disputes (SRPS). The platform is available to consumers at the electronic link http://ec.europa.eu/odr. The aforementioned regulation comes from the Act on the Out-of-Court Settlement of Consumer Disputes, Regulation (EU) No. 524/2013 of the European Parliament and of the Council on the online resolution of consumer disputes and the amendment of Regulation (EC) no. 2016/2004 and Directive 2009/22/EC.

The aforementioned regulation is derived from the Act on out-of-court settlement of consumer disputes, REGULATION (EU) no. 542/2013 OF THE EUROPEAN PARLIAMENT AND COUNCIL of 21 May 2013 on online resolution of consumer disputes and amendment of Regulation (EU) no. 2006/2004 and Directive 2009/22/EC (Regulation on online resolution of consumer disputes).

Cookie policy

Cookie policy

The Electronic Communications Act (Official Gazette No. 109/2012), ZEKom-1, has incorporated rules on the use of cookies and similar technologies to shop or access information stored on users’ computers, tablets or mobile devices into the legal system.

Our website may place a so-called “cookie” on your computer’s browser.

What are cookies?

Cookies are small text files that give us information about how often a person visits our website and what content the user views. Cookies are not harmful and are always temporary. The cookies themselves do not contain any data that would allow a person to be identified. You always have the option to accept or reject cookies. Most web browsers accept cookies automatically, which you can change in the settings so that your computer rejects cookies or you receive a warning before a cookie is stored.

Strictly necessary cookies

These are cookies that are necessary for the proper functioning of the website and without which the transmission of the message on the communication network would not be possible. These cookies enable user-friendly online services, a better user experience and do not require consent.

 Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google. Google Analytics uses cookies to analyse how users use the website. The information obtained by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google [on servers in the United States]. Google will use this data for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this data to third parties where required to do so by law, or where such third parties process the data on Google’s behalf. Google will not associate your IP address with any other data held by Google.

Google Analytics sets the following cookies:

  • _ga 2 years This randomly generated number is used to determine unique visitors to our website.
  • _gid 24 hours This randomly generated number is used to determine unique visitors to our website.
  • _gat 1 minute Limiting the frequency of requests.

You can find detailed information about Google Analytics and your privacy (including how you can control the data sent to Google) at https://policies.google.com/privacy/partners.

Service cookies

We cannot manage the use of third-party cookies; for more information about these cookies, visit the websites of these persons, e.g. Facebook, Twitter, Instagram, YouTube.

If you do not want to use online cookies, you can refuse or disable the storage of cookies in your browser settings. If you agree to the use of our cookies, but not to the use of third-party cookies, you can select the “block third-party cookies” option (reject third-party cookies) – the option may vary slightly between different browsers.

How to manage cookies?

You can also control and change cookie settings in your web browser. For information about cookie settings, select the web browser you are using.

If you have previously given your consent for cookies and later changed your mind and excluded the receipt of cookies in your browser, your visit to the website will be understood as a first visit. In this case, you will receive a cookie notification again.

Additional questions

All further questions about cookies can be sent to us at the email address [email protected]