Privacy and cookie policy

The purpose of this Privacy and Cookies Policy is to inform the users (hereinafter also referred to as: the individual or you) of the website (the “Website”) of the purposes and basis for the processing of personal data by Fistula Protect Medical d.o.o., e-mail address: (hereinafter referred to as: Fistula Protect Medical, the company, we or the controller).

We process, store, and protect all personal data in accordance with the applicable legislation governing the protection of personal data, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in the processing of personal data and on free flow of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR) and the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07 – official consolidated text and 177/20, hereinafter: ZVOP-1). Please read our Privacy and Cookie Policy in detail to understand how we protect your privacy.

By providing us with your personal data, you declare that you have read our Privacy and Cookie Policy and that you are aware of the processing methods and the legal basis for the processing of your personal data. If you do not agree to the processing methods, please do not provide us with your personal data.


The following describes the basic terminology you encounter when reading our Privacy and Cookies Policy:

Personal data: personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject: is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

Processing: is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing: is the marking of stored personal data with the aim of limiting their processing in the future.

Profiling: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior location or movements.

Automated decision making: is when a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects individuals.

Pseudonymization: is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Controller or controller responsible for the processing: is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor: is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient: is a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third-party: is a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Consent of the data subject: is any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to himself or herself.


The data controller is Fistula Protect Medical d.o.o., Slivnica pri Celju 33 A, 3263 Gorica pri Slivnici, identification number: 9162135000, e-mail:

We do not have Data Protection Officer as we do not process personal data to such an extent that this obligation should be fulfilled.


  • Processing based on consent

We process personal data on the basis of the clear and unambiguous consent of the individuals concerned for the following purposes:

  • to complete the contact form,
  • participation in promotional campaigns published on the Website,
  • consent to the use of their telephone number and email address for the purpose of sending information and offers about products and services,
  • online consultation,
  • diagnostic form,
  • sending newsletters.
  • Processing based on contract


Processing based on the contract includes the following processing:

  • placing an order for goods and/or services,
  • conclusion and implementation of the contract,
  • informing customers about a successful order,
  • performance of services,
  • resolving complaints.
  • Processing based on legitimate interests:

Where the circumstances so require, we process personal data on the basis of legitimate interest for the purposes of:

  • responding to your inquiry about products and/or services,
  • measuring your satisfaction with your purchase, via e-mail or telephone communication,
  • e-mail communication based on your initiation of the online purchase process,
  • if you have added selected products to your shopping basket but have not completed your purchase, we may occasionally send you e-mail messages relating to your pending purchase, with the aim of attempting to complete your purchase or providing you with assistance and information in this regard,
  • informing you about new products and services (direct marketing), on the basis of point (f) of the first paragraph of Article 6 of the GDPR or Article 158 of the Electronic Communications Act (ZEKom-1),
  • optimization of pages,
  • ensuring the security of IT systems,
  • preventing abuse and/or fraud.
  • Processing based on a legal obligation

We process personal data on the basis of legal obligation and in accordance with the relevant legislation:

  • retention of personal data regarding the purchase in accordance with applicable law (e.g. fulfillment of tax obligation).


We collect the following types of data:

Voluntarily provided data

For the purposes of our business, responding to inquiries, participating in promotional offers, and processing your order for products/services, we collect the following personal data, which we obtain if you explicitly provide it to us:

  • name and surname,
  • delivery address,
  • e-mail address,
  • phone number
  • other data you provide.

Providing personal data is a condition for using our services or ordering products, as without the necessary personal data we cannot send out your order.

Data generated automatically

We automatically collect device data or other log data when you use our Website.

We collect anonymous data from each visitor to monitor traffic and troubleshoot errors. This information helps us to understand who is using our Website, which in turn helps us to improve and market our Website and, in particular, our online products and services. We collect information such as IP address, web requests, data sent in response to such requests, browser type, browser language, timestamp for the request, and other anonymous statistics involving the use of our Website. This information cannot be used by itself to identify or contact you. We may automatically combine the personal information we collect with other, non-personal information. In this case, we will treat the combined information as personal information under this Privacy and Cookie Policy, and will use it for marketing purposes.

We are not responsible for the accuracy of the information you enter.


We are not in the business of selling your personal data. We may share your personal information with third parties only as set out in this Privacy and Cookie Policy.

We share personal data with third parties:

  • Based on your consent, we may share your personal data with those third parties for whom you have given your consent.
  • With our service providers, business partners, and contractors who provide services on our behalf or who we use to support our business, such as:
  • Stripe, an online payment platform whose Privacy Policy can be found here,
  • with our accounting service
  • a provider for managing and generating invoices or offers.
  • We may report to law enforcement agencies any activities that we reasonably believe to be unlawful, or that we reasonably believe may aid a law enforcement investigation into unlawful activity. In addition, we reserve the right to disclose your personal information to law enforcement authorities if, in our sole discretion, we determine that you are either in breach of our Privacy and Cookie Policy or that the release of your personal information may protect the rights, property, or safety of us or another person. We will only disclose personal information that is lawfully requested or lawfully obtained by law enforcement authorities on a case-by-case, specific basis.
  • We may disclose your personal data to comply with a law, regulation or compulsory legal request, to protect the safety of any person from death or serious bodily injury, to prevent fraud or misuse of products or services or their users, or to protect our property rights. We will disclose personal data to government entities or third parties based on judgments of courts or tribunals or decisions of administrative authorities or another binding act. We will disclose personal data that previously mentioned entities require in a particular cases to be disclosed.

We will disclose your personal data as necessary to comply with our obligations to you and to the minimum extent necessary.

We do not transfer the personal data we collect to third countries. Your data is only processed within the European Union. In the event that your data is transferred to third countries, we will inform you.


We are committed to protecting children’s online privacy and internet safety. We do not offer products and services to children or knowingly collect or solicit personal information from children under the age of 15.

We will not retain any communication that we reasonably believe is coming from a child under the age of 15. Parents or guardians of children under the age of 15 are encouraged to regularly check and monitor their children’s use of e-mail and other online activities.

We use all available technology and endeavor to verify whether the holder of parental responsibility for the child has given or approved consent.


We do not process personal data for automated decision-making and profiling.


We appreciate you trusting us and sharing your personal data with us.  We are committed to protecting it and we take appropriate technical and organizational measures to ensure a high level of data protection (some of the measures we take include: the use of firewalls and data encryption, physical access control – securing IT premises and equipment, and control of information access authorizations through a system of passwords to authorize and identify users).

We restrict access to personal data to our employees, service providers, and agents who need to know it in order to develop or improve our services.

You understand that our Website provides links to other Websites which are not owned and/or operated by us. Your use of these third-party services is completely optional. We are not responsible for the content and/or practices of third parties.


You can update or remove your personal data or opt-out at any time.

  • Updates: If you still wish to use our products and services and change your relevant personal information (name, email, postal address, telephone number, etc.), please let us know at
  • Deletion of personal data: If you wish to remove your data from our collections completely, please send us a deletion request to
  • Opt-out: If you do not like receiving emails or other marketing materials, you can unsubscribe at any time by following the “unsubscribe” link in any marketing email you receive from us. We will be sorry if you unsubscribe, but we respect your privacy.

It can take up to 10 days to process a request sent to After this time, the request will be processed and, if it meets the conditions, will be valid.

Once we have received your withdrawal of consent, we will stop processing your personal data and will delete it. We will notify you that your withdrawal has been taken into account.


Under the GDPR, the individual has the right to access personal data, the right to rectification, the right to erasure (“the right to be forgotten”), the right to data portability, the right to request the restriction of processing of personal data, the right to object and the right to lodge a complaint with a supervisory authority.

To exercise your rights or to obtain further information, please contact: Your application will be responded to within 10 days and in accordance with the GDPR.

Where there is reasonable doubt as to the identity of the data subject making a request in relation to any of his or her rights, we may require the provision of additional information necessary to confirm the identity of the data subject.

If the data subject’s requests are manifestly unfounded or excessive, in particular, because they are repetitive, we may charge a reasonable fee, taking into account the administrative costs of providing the information or communication or of carrying out the requested action or refuse to act on the request.


The data subject has the right to obtain our confirmation as to whether personal data concerning himself or herself are being processed and, where this is the case, to have access to the personal data and to additional information relating to the processing of personal data, including:

  • the purposes of the processing;
  • the types of personal data;
  • the users or categories of users to whom the personal data have been or will be disclosed, in particular users in third countries or international organizations;
  • where possible, the envisaged period of retention of the personal data or, if this is not possible, the criteria to be used to determine that period;
  • the existence of a right to obtain from the controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning the data subject, or the existence of a right to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information concerning their source;
  • the existence of automated decision-making, including profiling, and meaningful information on the grounds for it, as well as the meaning and foreseeable consequences of such processing for himself or herself.

Upon request, we will provide a copy of the personal data we process to the data subject. We may charge a reasonable fee, taking into account administrative costs, for additional copies of the data requested by the data subject.


The data subject shall have the right to have inaccurate personal data concerning himself or herself rectified without undue delay. The data subject shall have the right, having regard to the purposes of the processing, to have incomplete personal data completed, including by submitting a supplementary declaration.


The data subject has the right to obtain the erasure of personal data concerning himself or herself without undue delay:

  • where the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • where the data subject withdraws the consent on which the processing is based and no other legal basis exists for the processing;
  • where the data subject objects to processing on the basis of a legitimate interest of the controller and there are no overriding legitimate grounds for the processing;
  • where the data subject objects to processing for direct marketing purposes;
  • where the personal data must be erased in order to comply with a legal obligation under EU or Slovenian law; where the data is incorrectly collected from a child who, in accordance with applicable law, is not able to provide such data in connection with the provision of information society services.

Where directory or other published data are involved, we shall take reasonable steps, including technical measures, to inform other controllers processing personal data that the data subject has requested them to erase any links to, or copies of, that personal data.


The data subject has the right to restrict processing where:

  • the data subject contests the accuracy of the data for a period for which we can verify the accuracy of the personal data;
  • the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead that its use be restricted;
  • we no longer need the personal data for the purposes of processing, but the data subject needs them for the establishment, exercise, or defense of legal claims;
  • the data subject has objected to the processing, pending verification of whether our legitimate grounds override those of the data subject.


The data subject has the right to receive personal data concerning himself or herself that we hold in a structured, commonly used, and machine-readable format, and the right to have that data communicated to another controller without hindrance, where:

  • the processing is based on the individual’s consent or on a contract or where the processing is carried out by automated means.


The data subject has the right to object to the processing of personal data at any time, based on reasons related to his particular situation, if this is based on legitimate interests pursued by us or a third party. We stop processing personal data, unless we demonstrate imperative reasons for processing that override the interests, rights, and freedoms of the individual to whom the personal data relates, or for the assertion, exercise, or defense of legal claims. Where personal data is processed for the purposes of direct marketing, the individual has the right to object at any time to the processing of personal data relating to himself for the purposes of such marketing, including profiling in so far as it is related to such direct marketing. Insofar as direct marketing is based on consent, the right to object can be exercised by withdrawing the personal consent given.

Automated individual decision-making, including profiling

You have the right not to be subject to decisions based solely on automated processing, including profiling, which may result in legal or similarly significant effects on you, if such a decision is not necessary for the conclusion or performance of an agreement between you and us, or is not permitted by the legislation of the European Union to which we are subject and which establishes appropriate mechanisms to protect your rights and freedoms and legal interests or is not based on your express consent.


An individual can submit a possible complaint regarding the processing of personal data to the email address: or by post to Fistula Protect Medical d.o.o., Slivnica pri Celju 33 A, 3263 Gorica pri Slivnica.

In the event of a personal data breach, we will notify the competent supervisory authority, except where the breach is unlikely to have compromised the rights and freedoms of individuals. Where we suspect that a criminal offense has been committed at the time of the breach, we will notify the police and/or the competent prosecutor’s office.

In the event of a breach that may result in a high risk to the rights and freedoms of natural persons, we will immediately or, where this is not possible, without undue delay, inform the data subject of the breach.

If the data subject has exercised the right of access to data with the controller and, following a decision, considers that the personal data received is not the personal data he or she requested or that he or she has not received all the personal data requested, he or she may, before lodging a complaint with the Information Commissioner, lodge a reasoned complaint with the controller (FISTULA PROTECT MEDICAL) within a period of 15 days. We will decide on the complaint as a new request within five working days.

If the data subject considers that his/her rights or the regulations on the protection of personal data have been violated, he/she may lodge a complaint with the competent state authority: the Information Commissioner of the Republic of Slovenia (Zaloška 59, 1000 Ljubljana, telephone: 01 230 97 30, fax: 01 230 97 78, e-mail:


We will keep the personal data of the data subject for as long as necessary to fulfill the purpose for which the personal data were collected and further processed.

We obtain some information through the use of cookies and other similar technologies by analyzing your behavior on our website and your response to emails, and from third parties whose cookies are placed on your device with your consent (social media providers, etc.).

We will retain the data processed on the basis of legitimate interest or for the purpose of carrying out pre-contractual measures at your request for a maximum period of ten years from the time when the purpose of our communication with each other has been fulfilled or until the expiry of the limitation periods for any claims.

Where the applicable sectoral legislation (e.g. tax legislation) provides for mandatory retention periods for personal data, we delete personal data after the expiry of the period prescribed by law.


The Website may contain links to third-party websites that are not owned and/or operated by us. These websites have their own Privacy and Cookie Policies, which you should familiarise yourself with as the operator accepts no responsibility for them.


Cookies are small text files that a website stores on the devices of individuals accessing the internet. Their storage is under the individual’s full control, as he or she can restrict or disable the storage of cookies in the browser he or she uses. Cookies perform a number of functions – they track visits to a website, they enable various campaigns and discounts, and they also store information about whether an individual is eligible for certain discounts or benefits, for example.

Cookies provide a convenient way to keep content fresh and relevant, in line with the interests and preferences of website visitors. We can use website traffic statistics, which are also made possible by cookies, to assess the effectiveness of our website design, as well as the relevance of the type and number of advertisements we serve on the website.

However, consent to the use of cookies is not required for necessary cookies. They allow the normal functioning of the website. These cookies enable the basic use of the website. Without these cookies, the website does not function normally or at all, so they are also placed when the individual refuses the placing of cookies.

How do I change my cookie settings?

You can change your cookie settings at any time by clicking on the “________” icon. You can then set the available sliders to “On” or “Off”, and then click “Save and Close”.


Cookie name

Retention period

Purpose of use











If you wish to change the way cookies are used in your browser, including blocking or deleting them, you can do so by changing your browser settings accordingly. To manage cookies, most browsers allow you to accept or reject all cookies, accept only a certain type of cookie, or warn you that a website wants to store a cookie. You can easily delete cookies that have been stored by your browser. If you modify or delete your browser’s cookie file, or modify or reward your browser or device, you may need to disable cookies again. The process for managing and deleting cookies varies from browser to browser.


We reserve the right, at our sole discretion, to update, modify or replace any part of the Privacy and Cookie Policy by posting the update or modification on the Website without prior notice. Any change shall be effective from the date of public posting of the amended Privacy and Cookie Policy on our website.

Last update on: 1.1.2023