Privacy policy
Privacy Policy
Last updated: April 7, 2026
This Privacy Policy explains how AcriCase ("AcriCase", "we", "us", or "our") collects, uses, stores, and discloses your personal information when you visit our website at acricase.com (the "Site"), place an order, subscribe to our communications, or otherwise interact with us (collectively, the "Services").
Konvikt d.o.o. is the data controller responsible for your personal information.
Registered address: Novi trg 10, 8000 Novo mesto, Slovenia VAT number: SI29471311 Contact email: info@acricase.com
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Slovenian Personal Data Protection Act (ZVOP-2), and the ePrivacy Directive 2002/58/EC as amended.
Please read this Privacy Policy carefully. By using our Services, you acknowledge that you have read and understood this policy.
1. What Personal Information We Collect
We collect different types of personal information depending on how you interact with us.
1.1 Information you provide directly
When you place an order, create an account, subscribe to our newsletter, contact customer support, or otherwise interact with us, you may provide:
- Contact information: your name, email address, phone number, and postal address.
- Order information: billing address, shipping address, the products you ordered, order value, and order history.
- Payment information: credit/debit card details, Apple Pay, Google Pay, Klarna, or Cash on Delivery selection. Payment card details are processed directly by our payment processor (Shopify Payments / Stripe) and are never stored on our servers.
- Account information: if you create an account, your email address and password.
- Communication content: any information you include when you email us, use our contact form, submit a product review, or otherwise communicate with us.
- Newsletter subscription: your email address when you subscribe to our marketing communications.
1.2 Information collected automatically
When you visit our Site, we automatically collect certain technical and usage data through cookies and similar technologies:
- Device information: device type, operating system, browser type and version, screen resolution.
- Network information: your IP address, internet service provider, approximate geographic location derived from your IP address.
- Usage data: pages viewed, time spent on pages, links clicked, products browsed, referring website or source, date and time of visit, search queries used on our Site.
- Cookie and tracking data: information collected through cookies, pixels, and similar tracking technologies (see Section 5 for details).
1.3 Information from third parties
We may receive information about you from third-party services we use:
- Shopify: our e-commerce platform, which processes orders, payments, and customer data on our behalf.
- Shopify Payments (powered by Stripe): our payment processor, which collects and processes your payment information.
- GLS (MyGLS Professional): our shipping carrier, which processes your shipping address and provides delivery tracking information.
- Google Analytics 4: which collects anonymised and pseudonymised usage data about how visitors interact with our Site.
- Meta (Facebook/Instagram): through the Meta Pixel, which collects data about your interactions with our Site for advertising and analytics purposes.
- Judge.me: our product review platform, which collects your name, email, and review content when you submit a product review.
2. How We Use Your Personal Information
We only process your personal information when we have a valid legal basis to do so. Below is a detailed overview of our processing purposes and the corresponding legal bases under Article 6(1) GDPR.
2.1 To fulfil your orders and provide our Services
We use your contact, order, payment, and shipping information to process and fulfil your orders, arrange shipping via GLS, send order confirmations and shipping notifications, handle returns and refunds, and provide customer support.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) — processing is necessary to fulfil the purchase agreement between you and us.
2.2 To manage your account
If you create an account on our Site, we use your information to create, maintain, and secure your account and provide account-related features.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
2.3 To send transactional communications
We send you emails related to your orders, including order confirmations, shipping notifications, delivery updates, review requests, and responses to your customer support enquiries.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
2.4 To send marketing communications
With your consent, we may send you marketing emails about new products, promotions, discounts, and content we think you may be interested in. We use Shopify Email for our email marketing.
You can withdraw your consent and unsubscribe at any time by clicking the "unsubscribe" link at the bottom of any marketing email, or by contacting us at info@acricase.com. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Legal basis: Consent (Art. 6(1)(a) GDPR).
2.5 To improve our Site and Services
We use analytics data (including from Google Analytics 4) to understand how visitors use our Site, identify trends, measure the effectiveness of our content and products, and improve the overall user experience.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — we have a legitimate interest in understanding how our Site is used in order to improve our Services. We have assessed that this processing does not override your rights and freedoms, as the data is pseudonymised and used solely for analytical purposes.
2.6 To show you relevant advertisements
We use the Meta Pixel to measure the effectiveness of our advertising campaigns on Facebook and Instagram, to create custom and lookalike audiences, and to show you relevant advertisements based on your interaction with our Site.
Legal basis: Consent (Art. 6(1)(a) GDPR) — the Meta Pixel is only activated after you provide consent through our cookie consent banner.
2.7 To detect and prevent fraud
We use your information to detect, investigate, and prevent fraudulent transactions and other illegal activities, and to protect the security of our Site and Services.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — we have a legitimate interest in preventing fraud and protecting our business and customers.
2.8 To comply with legal obligations
We process your personal information as necessary to comply with applicable tax, accounting, and legal obligations, including maintaining records of transactions as required by Slovenian and EU law.
Legal basis: Legal obligation (Art. 6(1)(c) GDPR).
3. How Long We Keep Your Personal Information
We retain your personal information only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data type | Retention period | Reason |
|---|---|---|
| Order and transaction records | 10 years from the date of the transaction | Required by Slovenian tax and accounting law (ZDavP-2) |
| Customer account data | Until you request account deletion, or 3 years after your last activity | Necessary for account management |
| Email marketing subscriber data | Until you unsubscribe or request deletion | Based on your ongoing consent |
| Customer support correspondence | 3 years from the last communication | To resolve potential disputes and improve service |
| Product reviews (Judge.me) | Indefinitely, unless you request deletion | Legitimate interest in displaying social proof |
| Analytics data (Google Analytics 4) | 14 months (default GA4 retention) | Analytics and Site improvement |
| Meta Pixel data | Managed by Meta per their Data Policy | Advertising measurement |
| Server logs and technical data | 90 days | Security and troubleshooting |
After the applicable retention period expires, we securely delete or anonymise your personal information.
4. How We Share Your Personal Information
We do not sell your personal information. We share your personal information only with the following categories of third parties, and only to the extent necessary for the purposes described in this policy:
4.1 Service providers (data processors)
These companies process your personal information on our behalf, under our instructions and in accordance with data processing agreements:
| Service provider | Purpose | Data shared | Location |
|---|---|---|---|
| Shopify Inc. | E-commerce platform, order processing, hosting | All order and customer data | Canada / EU (data processing agreement in place, Standard Contractual Clauses) |
| Shopify Payments (Stripe) | Payment processing | Payment card details, billing address | EU / US (Standard Contractual Clauses) |
| GLS General Logistics Systems | Shipping and delivery | Name, shipping address, phone number, email | EU (Slovenia / recipient country) |
| Google LLC (Google Analytics 4) | Website analytics | Pseudonymised usage data, IP address (anonymised) | EU / US (EU-US Data Privacy Framework) |
| Meta Platforms Ireland Ltd | Advertising and analytics (Meta Pixel) | Pseudonymised browsing data, conversion events | EU / US (EU-US Data Privacy Framework) |
| Judge.me | Product reviews | Name, email, review content | US (Data processing agreement in place) |
| Shopify Email | Email marketing | Email address, name, purchase history | Canada / EU (via Shopify DPA) |
4.2 Other disclosures
We may also disclose your personal information:
- To comply with applicable laws, regulations, legal processes, or governmental requests.
- To enforce our Terms of Service, Shipping & Delivery policy, or other agreements.
- To protect the rights, property, or safety of AcriCase, our customers, or others.
- In connection with a merger, acquisition, or sale of all or a portion of our assets (you will be notified via email or a prominent notice on our Site before your information is transferred to a new entity).
5. Cookies and Tracking Technologies
5.1 What are cookies?
Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work efficiently and to provide information to website owners.
5.2 Cookies we use
We use the following categories of cookies on our Site:
Strictly necessary cookies These cookies are essential for the Site to function. They enable core functionality such as shopping cart operations, checkout, account login, and security. These cookies do not require your consent.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _shopify_s, _shopify_y | Shopify | Session management and analytics | Session / 1 year |
| cart, cart_sig, cart_ts | Shopify | Shopping cart functionality | 14 days |
| secure_customer_sig | Shopify | Customer authentication | 20 years |
| storefront_digest | Shopify | Storefront access | Indefinite |
| _shopify_sa_t, _shopify_sa_p | Shopify | Shopify analytics (first-party) | 30 minutes |
Analytics cookies These cookies help us understand how visitors interact with our Site by collecting and reporting information. They are activated only after you provide consent.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics 4 | Distinguishes unique users | 2 years |
| ga[ID] | Google Analytics 4 | Maintains session state | 2 years |
| _gid | Google Analytics 4 | Distinguishes unique users | 24 hours |
| _gat | Google Analytics 4 | Throttles request rate | 1 minute |
Marketing cookies These cookies are used to track visitors across websites to display relevant advertisements. They are activated only after you provide consent.
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| _fbp | Meta (Facebook) | Identifies browsers for Facebook advertising | 3 months |
| _fbc | Meta (Facebook) | Stores click identifier from Facebook ads | 3 months |
| fr | Meta (Facebook) | Delivers and measures Facebook advertising | 3 months |
5.3 Managing your cookie preferences
When you first visit our Site, a cookie consent banner will appear allowing you to accept or decline non-essential cookies. You can change your cookie preferences at any time by:
- Clicking the cookie settings link in the footer of our Site.
- Adjusting your browser settings to block or delete cookies (note: blocking essential cookies may impair Site functionality).
- Using browser privacy tools such as the Global Privacy Control (GPC) signal, which we honour as an opt-out request.
Important: Analytics and marketing cookies are only activated after you provide explicit consent. If you decline non-essential cookies, Google Analytics 4 and the Meta Pixel will not be loaded.
5.4 Do Not Track
Some browsers offer a "Do Not Track" (DNT) feature. There is currently no universal standard for how websites should respond to DNT signals. We honour the Global Privacy Control (GPC) signal as a valid opt-out request.
6. International Data Transfers
AcriCase is based in Slovenia (EU). Some of our service providers process personal information outside the European Economic Area (EEA), particularly in Canada and the United States.
When personal information is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- EU-US Data Privacy Framework: Google LLC and Meta Platforms, Inc. are certified under the EU-US Data Privacy Framework, providing an adequate level of data protection as determined by the European Commission.
- Standard Contractual Clauses (SCCs): For transfers to service providers not covered by an adequacy decision, we rely on the European Commission's Standard Contractual Clauses to ensure an adequate level of protection.
- Adequacy decisions: For transfers to Canada, the European Commission has recognised Canada as providing an adequate level of data protection for commercial organisations subject to PIPEDA.
7. Your Rights Under GDPR
As a resident of the European Economic Area, you have the following rights regarding your personal information under the GDPR:
Right of access (Art. 15 GDPR): You have the right to request a copy of the personal information we hold about you, along with information about how we process it.
Right to rectification (Art. 16 GDPR): You have the right to request that we correct any inaccurate or incomplete personal information we hold about you.
Right to erasure (Art. 17 GDPR): You have the right to request that we delete your personal information, subject to certain legal exceptions (e.g., we must retain transaction records for tax purposes).
Right to restriction of processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of your data.
Right to data portability (Art. 20 GDPR): You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to object (Art. 21 GDPR): You have the right to object to the processing of your personal information where we rely on legitimate interests as our legal basis. You also have the right to object to processing for direct marketing purposes at any time.
Right to withdraw consent (Art. 7(3) GDPR): Where we process your personal information based on your consent (e.g., marketing emails, analytics cookies, marketing cookies), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
Right to lodge a complaint: If you believe that we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for AcriCase is:
Informacijski pooblaščenec Republike Slovenije (Information Commissioner of the Republic of Slovenia) Dunajska cesta 22, 1000 Ljubljana, Slovenia Website: https://www.ip-rs.si Email: gp.ip@ip-rs.si Phone: +386 1 230 97 30
You may also lodge a complaint with the supervisory authority in your country of residence.
How to exercise your rights
To exercise any of your rights, please contact us at:
Email: info@acricase.com Postal address: AcriCase d.o.o., Novi trg 10, 8000 Novo mesto, Slovenia
We will respond to your request within one month of receiving it. If your request is complex or we receive a large number of requests, we may extend this period by a further two months, in which case we will inform you of the extension and the reasons for the delay.
To verify your identity, we may ask you to provide additional information, such as confirming the email address associated with your order.
We will never charge a fee for exercising your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
8. Email Marketing
We send marketing emails to subscribers who have given their explicit consent (opt-in) through our newsletter signup form or during checkout.
Our marketing emails are sent via Shopify Email and may include:
- New product announcements
- Promotions, sales, and discount offers
- Blog content and LEGO® display guides
- Seasonal offers and event-related communications
You can unsubscribe at any time by clicking the "unsubscribe" link at the bottom of any marketing email or by emailing us at info@acricase.com. We will process your unsubscribe request promptly.
We do not share your email address with third parties for their own marketing purposes.
9. Product Reviews
We use Judge.me to collect and display product reviews on our Site. When you submit a review, Judge.me collects your name, email address, and review content. This information is processed on the basis of your consent.
Your review (including your name) may be publicly displayed on our product pages. Your email address is never displayed publicly.
You may request the removal of your review at any time by contacting us at info@acricase.com.
10. Children's Privacy
Our Services are not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at info@acricase.com and we will promptly delete that information.
11. Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encrypted data transmission (SSL/TLS) across our entire Site.
- Secure payment processing through Shopify Payments (PCI DSS Level 1 compliant).
- Access controls limiting employee access to personal information on a need-to-know basis.
- Regular security monitoring of our platform.
Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information.
12. Third-Party Links
Our Site may contain links to third-party websites, including social media platforms (Facebook, Instagram, TikTok), our shipping carrier's tracking page (GLS), and other external resources.
We are not responsible for the privacy practices or content of these third-party websites. We encourage you to read the privacy policies of any third-party websites you visit.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable laws. When we make material changes, we will:
- Update the "Last updated" date at the top of this policy.
- Notify you by email or by posting a prominent notice on our Site if the changes are significant.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
AcriCase, Konvikt d.o.o., Novi trg 10, 8000 Novo mesto, Slovenia
Email: info@acricase.com VAT number: SI29471311
For data protection enquiries or to exercise your rights under GDPR, please email info@acricase.com with the subject line "Data Protection Request."
This Privacy Policy was last reviewed and updated on April 7, 2026.