PRIVACY POLICY

I. ABOUT THE PRIVACY POLICY

At Vidvana d.o.o., we are aware of the responsibility involved in handling personal data and we respect your privacy. The purpose of this Privacy Policy is to inform visitors to the websites www.maha.si, https://maha.clinic/ and other websites managed by Vidvana d.o.o. (hereinafter: “Websites”) as well as customers of goods and potential users, and users of the services provided by Vidvana d.o.o. about the processing of your personal data.

Vidvana operates in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the “GDPR”, the Personal Data Protection Act (ZVOP-2, Official Gazette of the Republic of Slovenia, No. 163/2022), the Electronic Communications Act (ZEKom-1, Official Gazette of the Republic of Slovenia, No. 109/2012, as amended), and other regulations governing the protection of personal data.

A visitor to the websites, by using the websites and their subdomains (hereinafter referred to as the “Websites”), and the functionalities they provide (such as subscribing to newsletters, booking an initial appointment at the Maha clinic, purchasing from the Maha-shop online store), acknowledges and accepts this Privacy Policy and confirms that they have read and agree to its terms.

This Privacy Policy may be amended or supplemented at any time without prior notice. By continuing to use the Websites after such changes or additions, the visitor confirms their acceptance of the updated Privacy Policy.

Users of integrative medicine and therapeutic services provided by Vidvana d.o.o. within the so-called “Maha Clinic” will, in connection with this Privacy Policy, receive an additional consent and information form — either electronically or in physical form — which constitutes an integral part of this Privacy Policy.

II. DATA CONTROLLER

The Data Controller is Vidvana d.o.o., Slovenska cesta 54, 1000 Ljubljana (hereinafter referred to as: “Controller”, “Provider”, or “Vidvana”). If you have any questions, please contact us by sending an email to: info@maha.si.

III. HOW WE COLLECT YOUR DATA

Your personal data is collected in the following ways:

  • When you visit or use the Websites or provide your personal data through the functionalities offered by the Websites, such as:
  • When you provide it directly to us by phone, email, regular mail, or in person to our staff at the Maha Clinic,
  • When you provide it for the purpose of delivering our integrative medicine and therapeutic services (hereinafter referred to as: “therapies” or “therapeutic services”) in accordance with our mutual agreement,
  • When we collect it ourselves through observation or measurement while you use our services and related equipment.

IV. LEGAL BASIS FOR PROCESSING YOUR DATA

Processing Based on Your Voluntary Consent. Certain personal data is collected and processed by the Provider when you give your consent. Consent is provided electronically by clicking the appropriate link on the Websites or by using its functionalities, thereby confirming that you have read this Privacy Policy and agree to the collection and processing of the submitted data. Consent for processing your personal data that is not solely related to the use of the Websites is given by completing the information and consent form, either electronically or in physical form, or in another clear and demonstrable manner (e.g., via an email message).

Processing Based on Legitimate Interest. The Provider may process personal data on the basis of legitimate interest pursued by the Provider, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual to whom the personal data relates, and which require the protection of personal data. In cases where legitimate interest is applied, the Provider conducts an assessment in accordance with the GDPR.

Processing Based on Legal and Contractual Obligations. Where the provision of personal data is a contractual requirement or a requirement necessary for the conclusion and performance of a contract with the Provider, or a legal obligation, you must provide your personal data. If you do not provide the required personal data, you will not be able to enter into a contract with the Provider, and the Provider will not be able to perform the services or deliver the goods.

V. TYPES OF PERSONAL DATA WE PROCESS

Service Provision

Types of Personal Data Processed

Contact Information: Name, Surname, Email address, Physical address, Telephone Number.

Other Personal Information: Date of Birth, Gender, Tax Number, Language.

Data on the entire course of your therapeutic treatment: Date, time, and location of your initial appointment and all subsequent treatment appointments where the Provider performs therapeutic services; treatment plan and content of therapies; substances used, active ingredients, nutritional and other supplements; information about the person performing the service; details of the service; and other data related to the course of your therapeutic treatment.

Data about your Health/Physical Condition:

(i) Data you provide to us (by completing a questionnaire or otherwise) or that we obtain during the provision of services, through observation or measurement while you use our services and equipment,

(ii) Data on the identified physical condition and the planned course of therapeutic treatment,

(iii) Blood test results and findings obtained through laboratory blood analysis, if performed for the purpose of therapeutic treatment,

(iv) Data and findings obtained through other laboratory tests or diagnostic procedures and measurements,

(vi) Other data obtained within and for the purpose of providing dental services.

Financial Information Related to Billing of Services: Amount charged for services, status of paid and unpaid obligations, and other data related to the billing of services.

Purpose

These data are required by the Provider in order to perform therapeutic services for you based on mutual agreement, to notify or remind you of scheduled appointments, and to ensure the fulfillment of mutual rights and obligations arising from the contractual relationship, the provision of services and their invoicing.

The Provider will inform you about appointments or changes to scheduled therapeutic treatments via email, SMS messages, or regular mail.

Legal Basis

The processing is necessary for the performance of a contract for the provision of therapeutic services to which you are a party – Article 6(1)(b) of the GDPR.

The processing is also necessary for compliance with legal obligations applicable to the Controller – Article 6(1)(c) of the GDPR.

Type of Processing

Collection, Storage, Organization, Transmission, Access, Combination, Use, Deletion.

Users of Personal Data

The Controller, the Controller’s legal representative, employees of the Controller, or contractual partners of the Controller who participate in the organization and provision of dental services, their recording and billing, as well as companies with which the Controller has concluded a data processing agreement.

Purchase of goods through the Maha Shop online store or directly at the Maha Clinic

Types of Personal Data Processed

Contact Information: Name, Surname, Email address, Physical address, Telephone Number.

Information about your order/purchase, which primarily includes details about the ordered items, purchase date, and payment method.

Financial data regarding completed purchases: The amount of individual purchases, the status of settled and outstanding obligations, and other information related to purchases made during the relevant period.

Purpose

The provider needs this data in order to fulfill the delivery of the purchased goods based on the sales contract, to enable the completion of your online order, to maintain communication with you (such as sending order confirmations or notifications about item dispatch), to process payment for the goods, and to arrange delivery. For this purpose, we may also share your data with our transport partners to facilitate delivery of the goods, as well as in connection with any claims regarding the ordered goods.

Legal Basis

Processing is necessary for the performance of the sales contract to which you are a party – Article 6(1)(b) of the GDPR.

Processing is necessary for compliance with legal obligations applicable to the controller – Article 6(1)(c) of the GDPR.

Type of Processing

Collection, Storage, Organization, Transmission, Access, Combination, Use, Deletion.

Users of Personal Data

The Controller, the Controller’s legal representative, employees of the Controller, or the Controller’s contractual partners involved in the sale of goods, their recording and accounting, as well as companies with which the Controller has concluded a personal data processing agreement.

Website visit

Types of Personal Data Processed

Data about the user’s interaction with the Controller’s website: IP address, dates and times of visits, pages or URLs visited, time spent on each page, number of pages visited, total time spent on the website, etc.

Purpose

To ensure the proper functioning of the website, maintain network and information security (i.e., enable detection and prevention of unauthorized access that could compromise the availability, integrity, and confidentiality of stored or transmitted personal data), maintain and improve the website, its content, and usability, and perform analytics and website functionalities.

Legal Basis

Legitimate Interests – Article 6(1)(f) of the GDPR.

Type of Processing

Collection, Storage, Structuring, Analysis, Transmission, Access, Deletion.

Users of Personal Data

The Controller, the Controller’s legal representative, employees of the Controller, or contractual partners who manage and ensure the operation of the website, as well as companies with which the Controller has concluded a data processing agreement.

Booking an Initial Appointment at Maha Clinic

Types of Personal Data Processed

Contact Information: Name, Surname, Email address, Physical address, Telephone Number.

Other Personal Data: Language.

Data about your communication with the Controller: Date, time, and content of postal or email correspondence, appointment booking details, date and location of the reserved appointment, etc.

Other information provided by the individual or obtained by the Provider in connection with the initial appointment.

Purpose

Booking an initial appointment at Maha Clinic and exchanging information related to the initial appointment.

Legal Basis

The processing is necessary for the performance of a contract or for taking steps prior to entering into a contract – Article 6(1)(b) of the GDPR.

The processing is necessary for compliance with a legal obligation applicable to the Controller – Article 6(1)(c) of the GDPR.

Type of Processing

Collection, Storage, Organization, Transmission, Access, Use, Deletion.

Users of Personal Data

The Controller, the Controller’s legal representative, employees of the Controller, or contractual partners of the Controller who participate in the booking and execution of the initial appointment, as well as companies with which the Controller has concluded a data processing agreement.

Receiving news and general communication

Types of Personal Data Processed

Contact Information: Name, Surname, Email address, Physical address, Telephone Number.

Other Personal Data: Language.

Purpose

Sending e-newsletters, information about promotional activities, event details, educational content, updates, notifications, general offers, or other publications and printed or electronic materials of the Controller and Ustna medicina d.o.o., as well as their affiliated companies and business partners, in the fields of integrative medicine, dental services, and topics related to improving physical balance and vitality.

Participation in any potential prize draws.

Legal Basis

Consent – Article 6(1)(a) of the GDPR.

Type of Processing

Collection, Storage, Organization, Transmission, Access, Use, Deletion.

Users of Personal Data

The Controller and Ustna medicina d.o.o., Slovenska cesta 54, 1000 Ljubljana, as well as companies associated with them, the Controller’s legal representative, employees of the Controller, or contractual partners involved in the distribution of newsletters, etc., and companies with which the Controller has concluded a personal data processing agreement. Companies considered associated with the Controller and/or Ustna medicina d.o.o. include those deemed affiliated in accordance with the provisions of the Companies Act (ZGD-1), as well as companies in which the same person holds the position of shareholder and/or legal representative as in the Controller or in Ustna medicina d.o.o.

Targeted Marketing

Types of Personal Data Processed

Contact Information: Name, Surname, Email address, Physical address, Telephone Number.

Other Personal Data: Year of Birth, Language.

Data on the timeline of your therapeutic treatment: The date of the first therapy and all subsequent appointment dates where the Provider performs therapeutic services, including the frequency of visits and the duration of the period during which you are a client of the Provider.

Data on health/physical condition related to the therapeutic services provided by the Provider.

Data on the type and content of the therapeutic treatments performed.

Data on the type, quantity, and value of purchased goods.

Financial data and purchasing habits: Information on the amounts charged for therapeutic services and delivered goods during the relevant period.

Purpose

Based on your explicit consent, we will process personal data for the following purposes:

  • Targeted communication about news, promotions, and preparation of offers by the Controller and Ustna medicina d.o.o., as well as their affiliated companies and business partners, tailored to your interests and needs as assessed by the Provider based on the above-mentioned personal data,
  • Categorizing clients/members into specific groups used for designing and implementing the Provider’s loyalty programs, under which the Provider may grant certain benefits and other advantages to specific member categories, with the aim of creating a more personalized and rewarding relationship with regular service users and product buyers,
  • Your participation in the loyalty program mentioned in the previous point.

For better targeting and customization of communication regarding relevant news, promotions, and offers to your interests and needs, as well as for implementing loyalty programs, the Provider performs segmentation of personal data and profiling and may assign you to different categories (e.g., gold, silver, bronze). Profiling does not include automated decision-making that would have legal or similarly significant effects on you.

Legal Basis

Consent – Article 6(1)(a) of the GDPR.

Type of Processing

Collection, Storage, Organization, Structuring, Aggregation, Analysis, Profiling, Segmentation, Transmission, Access, Use, Deletion.

Users of Personal Data

The Controller and Ustna medicina d.o.o., as well as companies associated with them, the Controller’s legal representative, employees of the Controller, or contractual partners involved in the preparation and/or distribution of newsletters, promotions, and offers, as well as in the implementation of the loyalty program, and companies with which the Controller has concluded a personal data processing agreement. Companies considered associated with the Controller and/or Ustna medicina d.o.o. include those deemed affiliated in accordance with the provisions of the Companies Act (ZGD-1), as well as companies in which the same person holds the position of shareholder and/or legal representative as in the Controller or in Ustna medicina d.o.o.

Other

Types of Personal Data Processed

Other personal data as specified in the Information and Consent form regarding the processing of personal data, which you confirmed to the Provider, or in another form of consent provided electronically via email, web form, etc. (hereinafter collectively referred to as: “Consent Form”).

Purpose

As specified in the Consent Form.

Legal Basis

As specified in the Consent Form.

Type of Processing

Collection, Storage, Organization, Transmission, Access, Use, Deletion, and other actions as specified in the Consent Form.

Users of Personal Data

The Controller, the Controller’s legal representative, employees of the Controller, contractual partners of the Controller, and others as specified in the Consent Form.

VI. PERIOD OF DATA PROCESSING

The Provider will process your personal data only for as long as necessary to achieve the purpose for which the personal data was collected and further processed (e.g., to ensure that you access and use the Provider’s website, to ensure that you can access specific information available to you, for the Provider’s newsletter distribution, to fulfill the Provider’s contractual obligations and/or your contractual obligations, i.e., for the provision of therapeutic treatment, etc.).

Personal data processed by the Provider on the basis of law will be retained for the period prescribed by law.

Personal data processed by the Provider for the purpose of performing a contractual relationship with an individual will be retained for the period necessary to fulfill the contract and for an additional 5 years after its termination, except in cases where a dispute arises between you and the Provider in connection with the contract; in such cases, the Provider will retain the data for 5 years after the finality of a court or arbitration decision or settlement, or, if no legal dispute occurred, 5 years from the date of amicable resolution of the dispute.

Your personal data collected and processed on the basis of your consent will be retained until you withdraw your consent or until the purpose for which they were collected has been fulfilled. Where processing is based on your consent, you may withdraw it at any time.

After the retention period has expired, the Controller will effectively and permanently delete or anonymize personal data so that it can no longer be linked to a specific individual.

VII. PRIVACY AND PERSONAL DATA PROTECTION

To prevent unauthorized access to or disclosure of the collected data, maintain the accuracy of personal information, and ensure its proper use, we implement appropriate technical and organizational measures to safeguard the data we collect.

We ensure protection through appropriate technical and organizational measures, which include in particular:

  • Adequate security of premises, hardware, system software, and application software;
  • Ensuring the security of transmission and transfer of personal data;
  • Preventing unauthorized persons from accessing computer systems where personal data is processed and from accessing personal data repositories;
  • Pseudonymization and encryption of personal data;
  • Measures to ensure continuous confidentiality, integrity, availability, and resilience of processing systems and services;
  • Measures to enable timely restoration of the availability of personal data in the event of a security incident;
  • Procedures for regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures;
  • Measures that allow determining when specific types of personal data were entered, used, or otherwise processed and by whom;
  • Regular education and training of all employees who process personal data in their work;
  • Careful and deliberate selection of all our contractual processors;
  • Appropriate limitation and monitoring of the collection, access, and processing of personal data;
  • Regular updating and proper upgrading of all computer equipment used to process your personal data;
  • Prompt and effective action in the event of potential security incidents to prevent or limit damage to personal data.

VIII. CONTRACTUAL PROCESSORS OF PERSONAL DATA

As an individual, you acknowledge and agree that the provider may entrust certain tasks related to your data to other parties (contractual processors). Contractual processors may process the entrusted data exclusively on behalf of the provider, within the limits of the provider’s authorization (as defined in a written contract or other legal act) and in accordance with the purposes specified in this Privacy Policy.

The contractual processors with whom the provider cooperates are:

  • The contractual processor responsible for maintaining and hosting the website for the Controller;
  • Providers of data processing and analytics;
  • IT system maintenance providers;
  • Providers of email and SMS messaging services (e.g., InfusionSoft and others);
  • Providers of online advertising solutions (e.g., Google, Facebook).

Contractual processors may process personal data only in accordance with the controller’s instructions and may not use the personal data to pursue any of their own interests.

The provider will not disclose your personal data to any unauthorized third parties.

IX. COOKIES

The website uses cookies. This policy complies with Regulation (EU) 2016/679 (GDPR), Directive 2002/58/EC (ePrivacy), and the Slovenian Electronic Communications Act (ZEKom-2). Cookies are small text files that we and third parties associated with us place on your device (e.g., computer or smartphone) when you visit our website and online interface. These files typically contain a string of alphanumeric characters that allow our servers to recognize your session, properly load the website, and provide you with the requested service (e.g., login).

You can change your cookie settings through the consent tool on the website or through your browser settings (Chrome, Firefox, Safari, Edge). With your consent/permission, which you provide by selecting the options shown to you when you visit the website, we will set additional optional cookies that are not strictly necessary for the functioning of the website, although they may enable additional functionalities. We will not set optional cookies unless you enable them. Optional cookies include: (i) functional cookies, (ii) analytical cookies, (iii) advertising cookies, and (iv) third‑party cookies. We will store optional cookies only with your consent.

For the operation of our website and online interface, we use:

• Strictly necessary cookies – these are essential for the basic functioning of the website and do not require your consent. They are stored in your browser. Without them, the website will not function as intended. Disabling strictly necessary cookies affects the operation of the website. These cookies are exempt from the consent requirement under Article 5(3) of Directive 2002/58/EC (ePrivacy) and do not store personally identifiable information. This category includes, among others, technical cookies of the WordPress CMS and the website theme (session, login, cart, security tokens), as well as the cookie used to store your consent decision.

List of strictly necessary cookies:

Cookie | Retention | Controller | Purpose
wordpress_* | Session | MAHA - Integrative Medicine and Dentistry | WordPress session cookies — required for login and security.
wp_woocommerce_session_* | 2 days | MAHA - Integrative Medicine and Dentistry | WooCommerce — stores cart contents and session data.
woocommerce_cart_hash | Session | MAHA - Integrative Medicine and Dentistry | WooCommerce — marker for the cart contents.
woocommerce_items_in_cart | Session | MAHA - Integrative Medicine and Dentistry | WooCommerce — number of items in the cart.
vbg_consent | 1 year | MAHA - Integrative Medicine and Dentistry | Stores your cookie consent decision.
PHPSESSID | Session | MAHA - Integrative Medicine and Dentistry | PHP session cookie — maintains the session while browsing.
uncode_privacy[consent_types] | 1 year | MAHA - Integrative Medicine and Dentistry | Uncode theme — stores cookie consent settings.
woocommerce_recently_viewed | Session | MAHA - Integrative Medicine and Dentistry | WooCommerce — list of recently viewed products.
tk_ai | Session | MAHA - Integrative Medicine and Dentistry | WooCommerce / WordPress — internal session identifier.
partnero_session_uuid | 1 year | Partnero | Partnero — session identifier for the partner program.

• Functional cookies – these enable enhanced functionalities such as live chat and language settings. The legal basis for using these cookies is your consent (Article 6(1)(a) GDPR), which you provide by making the appropriate selection or clicking when the cookie banner appears on the website.

List of functional cookies:

Cookie | Retention | Controller | Purpose
_GRECAPTCHA | 6 months | Google Ireland Ltd. | Google reCAPTCHA — distinguishes between humans and bots on forms.
__stripe_mid | 1 year | Stripe, Inc. | Stripe — device identifier for fraud prevention.
intercom-device-id-* | 9 months | Intercom, Inc. | Intercom — device identifier for support chat.
ml-traffic-source-* | Session | MailerLite | MailerLite — traffic source for the sign-up form.
lp_custom | 1 year | MailerLite | MailerLite — visitor data for personalisation.

• Analytical cookies – these are used to understand how visitors interact with the website (e.g., Google Analytics). The data is anonymised. The legal basis for using these cookies is your consent (Article 6(1)(a) GDPR), which you provide by making the appropriate selection or clicking when the cookie banner appears on the website.

List of analytical cookies:

Cookie | Retention | Controller | Purpose
_ga | 2 years | Google Ireland Ltd. | Google Analytics — distinguishes unique users of the website.
_ga_* | 2 years | Google Ireland Ltd. | Google Analytics GA4 — stores session state and measures visits.
_hjSessionUser_* | 1 year | Hotjar Ltd. | Hotjar — user identifier for behaviour analytics.
FPAU | 3 months | Google Ireland Ltd. | Google — measures conversions of advertising campaigns.
sbjs_current | Session | MAHA - Integrative Medicine and Dentistry | SourceBuster — records the current visit source.
sbjs_first | Session | MAHA - Integrative Medicine and Dentistry | SourceBuster — records the first visit source.
sbjs_* | Session | MAHA - Integrative Medicine and Dentistry | SourceBuster — traffic source analytics (multiple cookies).

• Advertising cookies – these are used to deliver personalised advertisements based on previously visited pages (e.g., Facebook Pixel, Google Ads). They are set by our advertising partners. The legal basis for using these cookies is your consent (Article 6(1)(a) GDPR), which you provide by making the appropriate selection or clicking when the cookie banner appears on the website.

List of advertising cookies:

Cookie | Retention | Controller | Purpose
_gcl_au | 3 months | Google Ireland Ltd. | Google Ads — measures the effectiveness of advertising campaigns.
_fbp | 3 months | Meta Platforms Ireland Ltd. | Facebook Pixel — browser identifier for advertising and remarketing.
_rdt_uuid | 3 months | Reddit, Inc. | Reddit Pixel — identifier for measuring advertising conversions.
_rdt_em | 1 year | Reddit, Inc. | Reddit Pixel — encrypted email address for audience matching.
_rdt_pn | 1 year | Reddit, Inc. | Reddit Pixel — encrypted phone number for audience matching.
_uetvid | 13 months | Microsoft Ireland Operations Ltd. | Microsoft UET (Bing Ads) — identifier for measuring conversions.
_adroll_fpc | 1 year | AdRoll, Inc. | AdRoll — identifier for retargeting ads.

• Third‑party cookies. With your consent, we will store third‑party cookies. On this website, they are set by the following data controllers:
    • Google Ireland Ltd. — https://policies.google.com/privacy
    • Trustindex Zrt. — https://trustindex.io/privacy-policy/

X. CHANGE OF PERSONAL DATA AND INDIVIDUAL RIGHTS REGARDING THEIR PERSONAL DATA

If your personal data changes (postal code, email address, physical address, telephone number), please notify us of the changes at info@maha.si. Individuals who wish to unsubscribe from newsletters should also inform us at info@maha.si.

You are hereby informed that you have the following rights regarding your personal data: The right of access to personal data, rectification, deletion, or restriction of processing. You also have the right to object to processing and the right to data portability. You may submit a request to exercise these rights electronically, by mail, or in person. Each request will be handled in accordance with the provisions of the GDPR.

We specifically inform you that you may withdraw your consent for the processing of any personal data that Vidvana processes based on your consent at any time.

To exercise the above-mentioned rights or to submit any complaints, please contact the Controller, Vidvana d.o.o. at Slovenska cesta 54, 1000 Ljubljana, or via email at: info@maha.si. We also inform you that if you believe that regulations governing personal data protection have been violated, you have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec Republike Slovenije), Dunajska cesta 22, 1000 Ljubljana. On the Information Commissioner’s website, you can submit a report regarding violations of personal data protection legislation using the provided form.