POLICY

PRIVACY POLICY

Last updated: 5 May 2026

1. Introduction

This Privacy Policy explains how Eco Comfort d.o.o. ("we", "us", "our", or "the Company") collects, uses, stores, and protects personal data when you visit our website [ecocomfortgroup.com] or interact with us through any of our digital channels.

We are committed to protecting your personal data and respecting your privacy in accordance with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the Slovenian Personal Data Protection Act (ZVOP-2).

2. Data Controller

The data controller responsible for the processing of your personal data is:

Eco Comfort d.o.o. Address: Ulica Vita Kraigherja 3, 2000 Maribor
Registration number (matična številka): SI 9034307000
VAT number (davčna številka): SI 37091280
Email: info@ecocomfortgroup.com
Phone: +386 64 222 030

For all matters relating to your personal data, including questions, complaints, or requests to exercise your rights, please contact us at: info@ecocomfortgroup.com

3. What Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Information you provide directly to us:

  • Full name

  • Email address

  • Phone number

  • Country of residence

  • Company name and position (where relevant)

  • Subject of inquiry and any information you include in your message

  • Investment-related information (where you submit an inquiry through the /invest page): capital range, investment preferences, and any disclosures you choose to make

3.2 Information collected automatically when you visit our website:

  • IP address (anonymized where possible)

  • Browser type and version

  • Device type and operating system

  • Pages visited, time spent on pages, navigation paths

  • Referring website

  • Date and time of access

  • Cookies and similar tracking technologies (see Section 9)

3.3 Information from third parties:

  • We do not purchase personal data from third parties or data brokers.

  • If you contact us through a third-party platform (LinkedIn, WhatsApp, etc.), we may receive limited profile information that you have made available on that platform.

4. Why We Collect Your Personal Data and Legal Basis

We process your personal data only for specified, legitimate purposes and on the basis of one or more of the legal grounds set out in Article 6 GDPR:

  1. Responding to your inquiries (contact forms, email, phone) Article 6(1)(b) — performance of a contract or pre-contractual steps

  2. Sending information about our projects upon request Article 6(1)(a) — consent

  3. Managing investor inquiries and onboardingArticle 6(1)(b) — performance of a contract / pre-contractual stepsMaintaining business records and legal compliance Article 6(1)(c) — legal obligation

  4. Website analytics (with consent) Article 6(1)(a) — consent

  5. Operational website functionality Article 6(1)(f) — legitimate interests

  6. Direct marketing to existing clientsArticle 6(1)(f) — legitimate interests, with opt-out at any timeAnti-fraud, anti-money-laundering, and security Article 6(1)(c) and (f) — legal obligation and legitimate interests

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.

5. How Long We Keep Your Personal Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law:

  • Contact form submissions and general inquiries: retained for up to 24 months from the date of last contact, unless an active business relationship is established.

  • Investor inquiries and related correspondence: retained for the duration of the relationship and for 10 years thereafter, in accordance with Slovenian commercial and anti-money-laundering law.

  • Contractual and accounting records: retained for 10 years, in accordance with the Slovenian Companies Act and tax legislation.

  • Website analytics data: retained for up to 14 months in anonymized or aggregated form.

  • Cookie data: retention periods vary by cookie type (see Section 9 and the Cookie Policy).

After the relevant retention period expires, your personal data is securely deleted or anonymized.

6. Who We Share Your Data With

We do not sell your personal data. We may share your personal data with the following categories of recipients, only to the extent necessary and under appropriate contractual safeguards:

6.1 Service providers (data processors):

  • Hosting and infrastructure: Vercel Inc. and Framer B.V. (website infrastructure)

  • Email and communication: Google Workspace (Google Ireland Limited)

  • Analytics: Google Analytics (Google Ireland Limited) — only with your consent

All processors are bound by Data Processing Agreements (DPAs) in accordance with Article 28 GDPR.

6.2 Professional advisors:

  • Lawyers, accountants, auditors, and tax advisors, where required for legitimate business purposes.

6.3 Authorities and regulators:

  • Where required by law, court order, or regulatory request (tax authorities, securities regulator, anti-money-laundering authorities).

6.4 Business partners (only with explicit consent):

  • Co-investment partners, financial intermediaries, or notaries — only where you have specifically engaged with our investment services and consented to the disclosure.

7. International Transfers of Personal Data

Some of our service providers (for example, hosting and analytics) are located outside the European Economic Area (EEA). When personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place:

  • Adequacy decisions of the European Commission, where available

  • Standard Contractual Clauses (SCCs) approved by the European Commission

  • Binding Corporate Rules, where applicable

You may request a copy of the safeguards in place for any specific transfer by contacting us at the address provided in Section 2.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Article 15): to obtain confirmation whether we process your data and to receive a copy of it.

  • Right to rectification (Article 16): to have inaccurate or incomplete data corrected.

  • Right to erasure (Article 17, "right to be forgotten"): to request deletion of your data in certain circumstances.

  • Right to restriction of processing (Article 18): to limit how we process your data in certain circumstances.

  • Right to data portability (Article 20): to receive your data in a structured, commonly used format and to transfer it to another controller.

  • Right to object (Article 21): to object to processing based on legitimate interests, including direct marketing.

  • Right to withdraw consent: at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.

  • Right not to be subject to automated decision-making (Article 22): including profiling that produces legal or similarly significant effects.

  • Right to lodge a complaint: with the Slovenian supervisory authority — Informacijski pooblaščenec (IP-RS), Dunajska cesta 22, 1000 Ljubljana, Slovenia. Website: ip-rs.si

To exercise any of these rights, please contact us at [privacy@ecocomfortgroup.com]. We will respond within one month of receipt of your request, in accordance with Article 12 GDPR.

9. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to ensure proper functioning, analyze traffic, and improve user experience.

Categories of cookies we use:

  • Strictly necessary cookies: required for basic website functionality. No consent required.

  • Performance and analytics cookies: help us understand how visitors interact with the website. Used only with your consent.

  • Functionality cookies: remember your preferences. Used only with your consent.

You can manage your cookie preferences through the cookie banner displayed on your first visit, or at any time through the "Cookie Settings" link in our website footer.

10. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encrypted data transmission (TLS/HTTPS)

  • Access controls and authentication for internal systems

  • Regular security reviews of third-party processors

  • Confidentiality obligations for all personnel with data access

  • Incident response procedures in line with Article 33 GDPR (breach notification)

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and, where required, inform affected individuals without undue delay.

11. Children's Privacy

Our website and services are not directed at children under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us so we can delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated version will be posted on this page with a revised "Last updated" date. For material changes, we will provide reasonable advance notice through prominent display on the website or by email where appropriate.

13. Contact

If you have any questions about this Privacy Policy or about how we handle your personal data, please contact us:

Eco Comfort d.o.o. Email: info@ecocomfortgroup.com
Postal address: Ulica Vita Kraigherja 3, 2000 Maribor