Privacy Policy for the processing of personal data

Information on the collection and processing of personal data

VAPOUR INTERNATIONAL d.o.o., HR – 52 460 Buje - Buie (City of Buje - Buie), Digitronska ulica - Via Digitron 2, Croatia, OIB/PIN: 12135052940 (hereinafter: the “Company”) pays particular attention to the protection and processing of personal data. In the course of carrying out its registered business activities, the Company processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR) and applicable national legislation.

 

  1. Controllers of personal data:

 

  • Joint controllers

In connection with the use of the website kiwivapor.com/it/it/, registration of a user account and the purchase of products via the online store, the personal data of data subjects are processed by joint controllers within the meaning of Article 26 GDPR, namely:

 

  1. VAPOUR INTERNATIONAL d.o.o., HR – 52 460 Buje - Buie (City of Buje - Buie), Digitronska ulica - Via digitron 2, Croatia, OIB/PIN: 12135052940
  2. +385 (0) 52 220 04105

e-mail: [email protected]

  1. MOTUS S.r.l., Palestrina (RM), Via Eliano 12, CAP 00036 (hereinafter: the “Seller”)
  2. +39 351 771 84 56

e-mail: [email protected]

The joint controllers jointly participate in determining the purposes and means of the processing of personal data in the part relating to user account registration and the functioning of the online store via a shared web interface, including the collection, display and availability of data required to create and technically transmit the order to the Seller via the web interface.

MOTUS S.r.l., as the Seller, is an independent controller for the processing of personal data necessary for the conclusion and performance of the sales contract with the end customer, including payment collection, issuance of invoices, compliance with fiscal obligations, and the organisation and performance of delivery, in accordance with its obligations.

The joint controllers have arranged their respective roles and responsibilities in accordance with Article 26 GDPR. The essence of that arrangement is made available to data subjects through this Information notice, and additional clarification regarding the allocation of responsibilities may be provided upon request. For operational matters relating to the online store, data subjects may primarily contact VAPOUR using the contact details set out under section 1(1), without prejudice to the data subject’s right to exercise their rights in relation to and against each joint controller.

For user accounts created prior to 28 May 2026, the sole and exclusive controller of personal data is VAPOUR INTERNATIONAL d.o.o.

 

  • Allocation of responsibilities between the joint controllers

 

  1. VAPOUR is responsible for:
  • management and security of the website and user accounts,
  • technical maintenance and security of the web interface through which the Seller receives orders, and ensuring correct transmission and availability of data within the system,
  • processing of personal data related to warranties, service, complaints/claims and technical support,
  • marketing communications (where consent has been given),
  • processing for system security and website analytics purposes.

 

  1. MOTUS S.r.l. is responsible for:
  • concluding and performing the sales contract with the end customer,
  • collecting payment, issuing invoices and fulfilling fiscal obligations,
  • logistics, warehousing and delivery of products,
  • processing personal data for compliance with legal obligations applicable to the Seller in relation to distance selling, tax obligations and consumer protection.

Exercise of data subject rights: Data subjects may exercise their GDPR rights in relation to either joint controller using the contact details provided under section 1(1) of this Information notice. If a request relates exclusively to processing carried out by MOTUS S.r.l. as the Seller (e.g. payment, invoice, fiscal obligations, delivery), VAPOUR will, where applicable and without undue delay, forward the request to MOTUS for handling and coordination, or will direct the data subject to submit the request directly to MOTUS, depending on the nature of the request; this does not affect the data subject’s right to submit a request to either joint controller. The joint controllers agree that VAPOUR acts as the primary contact point for queries related to the functioning of the web interface and the user account, while the Seller acts as the primary contact point for queries related to the sales transaction (payment, invoice, delivery).

 

  1. Data Protection Officer (DPO) for VAPOUR:

The Company’s Data Protection Officer is Attorney Marko Anić and can be contacted at:

  1. +385 (0)1 8891 027,

e-mail: [email protected] .

 

  1. If we use external service providers to process your personal data (the “processors”), the processing is carried out on our instructions. In such cases, we remain responsible for the protection of your personal data. As a rule, we use service providers established and/or with infrastructure in the European Economic Area (EEA). If, in individual cases, personal data is transferred outside the EEA or access from outside the EEA is enabled, such transfer will be carried out only on an appropriate legal basis and with suitable safeguards in accordance with Chapter V GDPR (e.g. an adequacy decision or standard contractual clauses, with additional measures where required).

 

This Information on the collection and processing of personal data (hereinafter: the “Information Notice”) describes which data we collect, how we process it, for which purposes we use it, and your rights in relation to your data. The purpose of this Information Notice is to inform you of all relevant features of the collection, processing and storage of your personal data. This applies to all personal data you have provided to us via electronic, written or verbal communication, or that has been provided to us via our business partners (for example, authorised sellers and points of sale with whom you have a contractual or similar relationship), as well as data collected from other sources.

 

 

Personal data we collect

 

The Company processes only those personal data that are necessary for the use of the website and the online store, opening and using a user account, the functioning and security of the web interface through which the Seller receives orders, communication with data subjects, and the handling of warranties, service, complaints/claims and technical support:

 

  1. Data for opening and using a user account – name and surname, email address, password hash, country and language (if selected), activity history within the user profile

 

  1. Data within the online store available on kiwivapor.com that are entered when registering a user account and placing an order and are simultaneously available to VAPOUR and the Seller via the web interface, whereby MOTUS S.r.l., as the Seller, processes such data for the conclusion and performance of the sales transaction and delivery. VAPOUR processes the same data for the purposes of the functioning and security of the web interface, user account management and, where necessary, for warranties, service and technical support

 

  1. Data for complaints/claims, warranties, service and technical support name and surname, contact details, device serial number, description of the defect, technical data and photographs (if provided), proof of purchase (if communicated), statuses and service history, correspondence content

 

  1. Website usage data – IP address, website visits and similar browser-related usage data (a separate Cookie Policy is available; please refer to it for more detailed information)

 

  1. Data from communications with the Company – name and surname, email address and/or telephone number, communication content, data and documents provided in order to respond to the enquiry

 

  1. Data of business partners and vendors/service providers – name and surname of contact persons, business email address and telephone number, data on the legal entity from public registers

 

 

 

 

Personal data the Company does not process

 

As a rule, the Company does not process, and it is not necessary to provide, the following data: payment data (card number, expiry date, CVV, card tokens), bank transaction data, payment processing data, fiscalisation data, invoicing data, delivery logistics data and delivery status, parcel collection data, complaints and returns data that relate exclusively to the sales transaction between the user and the Seller, the Seller’s commercial decisions, commercial discounts and sales terms, payment data via third-party payment service providers, payment method data, payment instrument identifiers, and any other data for which the Seller is exclusively responsible as controller in the context of performing the sales transaction and delivery of products. If any of the above data are exceptionally provided to the Company (e.g. in connection with handling an objection/complaint/claim or proving a purchase), the Company will process such data only to the extent necessary to resolve the request and protect its legal interests. This does not exclude the processing of address and/or delivery data where necessary to organise service, replacement or return within the Company’s manufacturer-related obligations.

 

 

Purposes of collection and legal bases for processing

 

The Company collects personal data directly from data subjects and, in specific cases, indirectly from other sources, and processes it pursuant to the GDPR and the Act on the Implementation of the GDPR (hereinafter: the “Act”) for the following purposes:

 

1) Use of the online store for user account registration and purchase of products via the Seller

 

To enable a simpler and more efficient purchase of products displayed in the online store available on VAPOUR’s official website, the data subject may use a shared web interface through which they can open a user account, select products and enter the data necessary to purchase products from the Seller. Within this online store, VAPOUR does not conclude a sales contract with the end customer, does not issue invoices and does not carry out delivery. The sales contract is concluded directly between the data subject and the Seller, who is the actual seller of the products and who independently receives and processes orders, collects payment, issues invoices and delivers the products to the end customer.

 

The personal data entered by the data subject when registering a user account and purchasing products are available to VAPOUR and the Seller via the web interface, and each joint controller processes the personal data independently and in accordance with its role and processing purpose, as described in this Information Notice.

 

VAPOUR processes the data subject’s personal data for the purposes of: (i) enabling registration and use of the user account, (ii) ensuring the functioning, stability and security of the web interface through which the purchase of products from the Seller is carried out, (iii) handling warranties, service, complaints/claims and technical support, and (iv) maintaining the functionality and security of the online store.

 

The lawfulness of processing is based on Article 6(1)(b) GDPR – taking steps at the request of the data subject prior to entering into a contract of sale with the Seller (user account registration and use of the web interface), and on Article 6(1)(f) GDPR – VAPOUR’s legitimate interest in ensuring the correct, secure and uninterrupted functioning of the online store and the related information system.

 

If the data subject does not provide the personal data necessary for registration of the user account and/or purchase of products, use of the online store and purchase of products via the Seller will not be possible.

 

VAPOUR does not process payment data, does not collect payments and has no access to transaction data; all payment processes are carried out exclusively within the Seller’s systems or those of its contracted payment service providers.

 

For the conclusion and performance of the sales contract, including the processing of personal data related to payment, invoicing and delivery, the Seller’s sales terms and privacy rules apply. They are available within the online store prior to confirming the purchase, and the data subject is invited to review them before completing the purchase.

 

 

2) Handling complaints/claims, returns, warranties, service and technical support

 

Requests relating to a refund of the purchase price, replacement or other consumer requests arising from the sales contract with the Seller are, as a rule, handled by MOTUS S.r.l. as the Seller. The Company handles requests related to the manufacturer’s warranty, service, technical diagnostics and technical support, in accordance with the nature of the products and the obligations assumed.

 

The Company processes the data subject’s personal data for the purpose of receiving and handling requests relating to warranties, service, product complaints/claims and technical support, including diagnostics, communication with the user and performing repairs where applicable.

 

The lawfulness of processing is based on Article 6(1)(c) GDPR – compliance with the Company’s legal obligations as a manufacturer in accordance with the Consumer Protection Act and applicable regulations, and Article 6(1)(f) GDPR – the Company’s legitimate interest in ensuring product correctness, customer support and protection of its legal interests.

 

To the extent that the processing relates to the performance of obligations arising from the manufacturer’s warranty or other assumed after-sales obligations of the Company, the processing may also be based on Article 6(1)(b) GDPR.

 

If the data subject does not provide the necessary data (e.g. proof of purchase, contact details or device data), the Company will not be able to process the request or provide appropriate technical support.

 

Personal data is collected when the request is submitted or during communication with the Company’s customer support.

 

 

3) Use of the website, security measures, technical logs and system administration

 

The Company processes technical data automatically generated when visiting the website, including the IP address, access logs, technical identifiers, cookies and other similar data, for the purposes of ensuring stable and secure operation of the website, preventing abuse, detecting technical errors and improving system security.

 

The lawfulness of processing is based on Article 6(1)(f) GDPR – the controller’s legitimate interest in ensuring the functionality, integrity and security of the information system, with safeguards ensuring that the data subject’s interests, rights and freedoms do not override that interest.

 

Strictly necessary cookies are placed because they are required for the technical operation of the website and to enable functionality explicitly requested by the data subject (e.g. user account login, shopping cart). Where necessary to provide the requested service, the processing is based on Article 6(1)(b) GDPR. In addition, certain technical cookies and logs may be processed on the basis of the legitimate interest in ensuring system security and stability (Article 6(1)(f) GDPR).

 

Non-essential cookies (e.g. analytics or marketing cookies) are placed solely on the basis of the data subject’s consent via the cookie management interface (cookie banner), which the data subject may withdraw or adjust at any time in cookie settings.

 

More information on this category of processing is available in the Website Cookie Policy.

 

 

4 Communications with users – enquiries, requests, complaints/objections, general correspondence

 

The Company processes the personal data of data subjects who contact the Company in order to provide information, respond to enquiries, handle objections/complaints, provide assistance, or communicate regarding the use of the website, the Company’s products, warranties, service and technical support.

 

The lawfulness of processing is based on Article 6(1)(f) GDPR – the controller’s legitimate interest in responding to enquiries and ensuring proper communication with the data subject, since the data subject reasonably expects such communication.

 

Where an objection/complaint is submitted within the meaning of the Consumer Protection Act, the lawfulness of processing is based on Article 6(1)(c) GDPR – compliance with a legal obligation.

 

 

5) Marketing and notifications (e.g. newsletter, special offers and promotional activities)

 

The Company processes the data subject’s personal data for the purpose of sending information about new products, benefits, promotional offers and content relating to the Company’s business only where the data subject has given explicit and freely given consent.

 

The lawfulness of processing is based on Article 6(1)(a) GDPR – the data subject’s consent. Consent may be withdrawn at any time; withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

 

Consent is given by ticking a specific unticked checkbox when subscribing to the newsletter and/or in user profile settings. Consent may be withdrawn at any time via the unsubscribe link in each marketing message and/or by contacting the email address indicated in this Information Notice.

 

The Company does not obtain marketing contact details from other sources and does not use contact details collected for contract performance purposes for marketing without the data subject’s consent.

 

6) Statistical analysis, service improvement and development of functionalities

 

The Company processes aggregated data and/or data anonymised so that it can no longer be linked to an individual, for the purposes of business analysis, trend monitoring and optimisation of the website, services and user experience.

 

 

Special categories of personal data

 

In relation to data subjects, the Company does not process the following types of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health, sex life or sexual orientation.

 

The above categories may nevertheless be processed in the following situations: (1) the data subject has given explicit consent for one or more specified purposes, unless applicable law provides that such consent has no effect; (2) processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent; (3) processing relates to personal data which are manifestly made public by the data subject; (4) processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity; (5) processing is necessary for reasons of substantial public interest on the basis of applicable law, is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard fundamental rights and interests; (6) processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of applicable law.

 

All personal data that you or a third party have provided to us will be processed in accordance with the purpose for which it is processed.

 

The Company may use an internal CCTV system and other security measures at its premises, whereby images of visitors may be captured/recorded and location-related information processed, for the legitimate interests of ensuring security. This processing does not relate to the use of the website or the online store; it is carried out exclusively in the Company’s physical premises, with a visible CCTV notice.

 

 

Links to third-party websites and services

 

Our website may contain links to third-party websites. Please note that we are not responsible for the collection, use, maintenance, sharing or disclosure of data and information by such third parties. If you provide data on third-party websites or use them, the privacy policies and terms of use of those websites apply. We recommend that you read the privacy policies of the websites you visit before providing personal data.

 

The Company will take all reasonable measures to protect your personal data against unauthorised access, disclosure, alteration or destruction, and to keep personal data accurate and up to date as far as possible. However, no security system or internet data transmission system can guarantee complete security.

 

We also refer you to our Cookie Policy.

Legitimate interests of the Company as a purpose of processing

 

We will process your personal data for the purposes of our legitimate interests unless your interests or fundamental rights and freedoms requiring the protection of personal data override those interests. The Company’s legitimate interest in this context is processing personal data in order to tailor our services to your needs and preferences. We may also use such data for internal statistical and analytical purposes.

 

You may object to processing based on the Company’s legitimate interests at any time; in such case, we will no longer process your data for that purpose. This does not affect the lawfulness of processing prior to the objection. In any event, we require your explicit consent for direct marketing.

 

 

Consent

 

On the basis of your consent, we may also process other personal data beyond those listed in this Information Notice. Consent may be withdrawn at any time; in such case, the data for which consent has been withdrawn will be erased (where the data is processed solely on the basis of that consent).

 

In accordance with applicable law, the Company will not erase data despite a data subject request to the extent that processing is necessary: (a) for compliance with a legal obligation requiring processing to which the Company is subject, or for the performance of a task carried out in the public interest; (b) for exercising the right of freedom of expression and information; (c) for reasons of public interest in the area of public health; (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or for the establishment, exercise or defence of legal claims.

 

Where marketing consent is given, the Company processes your personal data solely for the purpose of delivering marketing content relating to the products and services of VAPOUR INTERNATIONAL d.o.o. The processing may include basic technical segmentation (for example, by communication language, delivery country, category of previously purchased products or type of support provided), solely for sending content that is organisationally relevant and appropriately adapted to the communication channel you use.

 

Such processing does not constitute profiling within the meaning of Article 4(4) GDPR, since we do not analyse your personal behaviour, habits, purchasing patterns or preferences, nor do we create individual user profiles producing legal effects or similarly significantly affecting you. The Company does not carry out automated decision-making under Article 22 GDPR, nor decisions based solely on automated processing without human intervention.

 

The processing is carried out exclusively on the basis of your explicit consent in accordance with Article 6(1)(a) GDPR. You may withdraw consent at any time by contacting the details set out at the beginning of this document, without any negative consequences and without affecting the lawfulness of processing carried out prior to withdrawal.

 

Where consent is given, the Company will occasionally inform you about benefits, promotions, new products, service information and other notices that may reasonably be expected to be of interest to you. The Company does not use algorithmic models or automated analytics systems that could affect your rights and freedoms; any segmentation is carried out strictly within the limits necessary for the accuracy, security and relevance of communications.

 

To whom your personal data may be disclosed

 

In the context of using the online store, the data subject’s personal data is also available to the other joint controller – the Seller – in accordance with the allocation of responsibilities described in this Information Notice.

 

The Company ensures that your personal data is processed only for the purposes set out in this document. Depending on the processing purpose, your data may, in addition to the Company, be processed by other entities and persons acting as processors (e.g. IT service providers, public authorities, service centres (in case of repairs), legal representatives where necessary, etc.).

 

Processors, except public authorities, process data only on the Company’s instructions, applying technical and organisational measures to ensure the protection of your rights.

 

Each controller may engage processors within its own processing purposes; this section describes the engagement of processors by VAPOUR, unless expressly stated otherwise.

 

 

Where your personal data will be processed

 

Your personal data will be processed within the EEA (exceptionally, processing may also take place outside the EEA). In any event, such processing will be carried out by processors whose responsibilities, personal data protection obligations and applicable technical and organisational measures are set out contractually in accordance with all applicable personal data protection laws.

 

 

Retention period

 

  • User account data: for as long as the account is active; after deletion/deactivation of the account, no longer than 12 months, unless longer retention is necessary to resolve open requests or comply with legal obligations.

 

  • Warranty/service/complaints and customer support data: for the duration of the procedure and thereafter up to 5 years for record-keeping and protection of legal interests (limitation periods).

 

  • Correspondence and general enquiries: up to 24 months from closure of the enquiry, unless the content indicates a need for longer retention (e.g. dispute).

 

  • Technical logs and security records: up to 6 months, except in the event of an incident where they are retained until completion of the relevant procedure.

 

  • Marketing consents and consent records: for as long as the consent remains valid; consent records for an additional 5 years for compliance evidence purposes.

 

  • Cookies: in accordance with the retention periods set out in the Cookie Policy.

 

 

 

 

Your rights in relation to the collected personal data

 

In relation to the data you have disclosed to us, you have: (i) the right of access to personal data being processed, (ii) the right to rectification or erasure, (iii) the right to restriction of processing, (iv) the right to object to processing, (v) the right to data portability, (vi) the right to withdraw consent, and (vii) the right to lodge a complaint with a supervisory authority. To exercise any of these rights, please contact us using the contact details set out in section 1(1) of this Information Notice.

 

Requests may be submitted by email or post using the contact details in section 1(1).

 

 

Right to lodge a complaint with a supervisory authority

 

You may lodge a complaint regarding the processing of your personal data at any time with the competent supervisory authority in accordance with the Act on the Implementation of the GDPR or other applicable laws governing personal data protection and supervisory powers.

 

In the Republic of Croatia, the competent authority is:

 

Croatian Personal Data Protection Agency (AZOP)

Ulica Metela Ožegovića 16, HR – 10 000 Zagreb

e-mail: [email protected]

Web: www.azop.hr

Tel. +385 (0)1 4609-000, Fax: +385 (0)1 4609-099

 

Data subjects in Italy may also lodge a complaint with the competent Italian supervisory authority (Garante per la protezione dei dati personali) in accordance with its procedural rules.

 

 

Other information

 

We may amend this Information Notice from time to time. Where we make material changes to this Information Notice, we will publish a link to the amended Information Notice on the homepage of our website. Any changes become effective once the amended Information Notice is published on the website.

 

This Information Notice on the collection and processing of personal data is applied in accordance with Regulation (EU) 2016/679 (GDPR) and the Act on the Implementation of the GDPR (Official Gazette No. 42/2018) and enters into force on 28 May 2026.[1]

 

[1] Note: All terms used in this text which have a gendered meaning, regardless of whether they are used in the masculine or feminine form, shall be construed as gender-neutral