This Privacy Policy outlines how QLEOS Biotech d.o.o., Bilje 112a, 5292 Renče, Slovenia (hereinafter referred to as “we”, “us”, or “QLEOS”), processes and protects the personal data of users, customers, and visitors in accordance with Regulation (EU) 2016/679 – the General Data Protection Regulation (GDPR), as well as all applicable data protection legislation in the European Union.
This policy applies to all processing of personal data carried out through our website www.qleos.com and any associated services offered directly by QLEOS Biotech.
By accessing our website, placing an order, submitting a form, communicating with us, subscribing to our newsletter, or otherwise engaging with our services, you acknowledge and agree to the terms of this Privacy Policy.
Data Controller
QLEOS Biotech d.o.o., with registered business address at Bilje 112a, 5292 Renče, Slovenia, acts as the data controller for all personal data collected and processed via our website. You can contact us with any questions or requests concerning your personal data at info@qleos.com.
Categories of Data Collected
We collect personal data that you provide to us voluntarily during the use of our website and services. This includes:
– Identification and contact details such as full name, email address, telephone number, and shipping/billing address when placing an order;
– Email address and name when subscribing to our newsletter or communicating via chatbot or contact forms;
– Information related to website interactions, including IP address, device type, browser, time zone, and referring pages, collected through cookies and third-party analytics tools;
– Any additional information you may voluntarily share with us during your communication with our support team.
We do not collect or process any special categories of personal data (sensitive data). We do not knowingly collect personal data from children under the age of 16. If we become aware that such data has been inadvertently collected, we will immediately take appropriate steps to delete it.
Purpose and Legal Basis for Processing
All personal data is processed lawfully, fairly, and transparently in accordance with Article 6 of the GDPR. The legal bases we rely on include:
– The necessity of processing for the performance of a contract to which the data subject is party (e.g., for fulfilling your product order);
– Compliance with legal obligations (e.g., for accounting, invoicing, or tax reporting requirements);
– Your explicit consent, where applicable (e.g., subscription to newsletters, use of marketing cookies);
– Our legitimate interests in maintaining, optimizing, and securing our website and customer relationships, provided such interests are not overridden by your fundamental rights and freedoms.
Use of Personal Data
We use the personal data collected for the following purposes:
– To process and fulfill your orders, including payment handling, order confirmation, shipping, and customer support;
– To communicate with you regarding inquiries, returns, or product information;
– To send newsletters and promotional content to users who have given explicit consent;
– To ensure the technical functionality, performance, and security of our website;
– To analyze visitor behavior, optimize user experience, and run remarketing campaigns through platforms like Meta and Google.
Data Retention
We retain your personal data only for as long as necessary to achieve the stated purposes and to comply with statutory retention obligations.
– Personal data related to transactions is typically retained for 5 years to comply with tax and accounting regulations in Slovenia;
– Personal data obtained through marketing consent is retained until you unsubscribe or request erasure;
– Technical logs and analytics data are retained for the minimal duration necessary to fulfill their analytical purpose.
Data Sharing and Disclosure
We do not sell, rent, or otherwise distribute your personal data to third parties for commercial purposes. We may share personal data strictly when necessary to:
– Fulfill contractual obligations (e.g., sharing name and address with logistics providers);
– Comply with legal obligations (e.g., judicial requests, tax authority audits);
– Work with trusted service providers (e.g., email platforms, payment processors), all of whom are bound by contractual obligations of confidentiality and data protection.
We do not transfer your personal data outside the European Economic Area unless appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission in accordance with Article 46 GDPR.
Categories of Data We Process for the Program
- Program status data: your active discount % and rank, XP total, streak count, badges unlocked, personal coupon/voucher codes issued to you, tier-protection window start and expiry timestamps, cumulative eligible spend within the current window, last activity timestamp, and whether Program notices were shown.
- Order-linked metrics: product line-item subtotals that qualify for the Program (excluding taxes, shipping and excluded categories), product IDs used to trigger badges, and order status needed to confirm/rollback rewards.
- Identifiers & contact: your account/user ID and email address (used to restrict personal coupons/vouchers to your account).
- Email operations metadata: Program email type (e.g., “rank unlocked”, “expiry warning”), send timestamps, and basic deliverability logs created by WooCommerce (no message body analytics).
We do not store payment card details in the Program. Payments are handled by your selected payment provider.
Purposes and Legal Bases (GDPR Art. 6)
- Operate the Program (calculate tiers/discounts, issue/validate personal coupons, award/reverse XP, badges and vouchers, apply soft-decay after inactivity): Art. 6(1)(b) – contract (Program Terms).
- Program communications by email (rank change, expiry warning, badge/voucher issued, inactivity nudge, monthly digest): Art. 6(1)(f) – legitimate interests (service updates for a program you joined). You can opt out at any time (see “Your Choices” below).
- Security and abuse prevention (anti-fraud checks, blocking coupon sharing/misuse): Art. 6(1)(f).
- Analytics and improvement of the Program (aggregate, product/category exclusions): Art. 6(1)(f). Where analytics relies on non-essential cookies, we request consent via our cookie banner.
Profiling and Automated Decisions
The Program uses automated rules to:
- award 1 XP per € of eligible product spend,
- set your active discount % to the highest tier reached,
- soft-decay the discount by steps after 70 days without an eligible purchase,
- unlock badges and issue vouchers when criteria are met,
- reverse XP/badges/vouchers/streaks/tiers if an order is Cancelled/Refunded/Failed.
These decisions only affect Program perks (discounts/rewards) and do not produce legal or similarly significant effects.
You may object to profiling or request human review (GDPR Art. 21/22) at info@qleos.com. Note that doing so may require us to disable your Program access.
Sources
Data comes from your account and orders on our store and is computed by our WooCommerce system.
Store Credits & Referral Program
We operate an optional Store Credits & Referral Program (“Program”). When you participate, we process the following data to run the Program, prevent abuse, fulfil rewards, and keep audit records:
- Program identifiers & status: your account/user ID, referral code, credit balance, ledger entries (type, amount, timestamp, order ID), configuration in effect at the time of a transaction (percentages, caps), and whether Program notices/emails were shown.
- Order-linked metrics: product subtotals that qualify for credits (excluding shipping/fees/taxes and any excluded SKUs/categories), coupon impact, “eligible base” per order, planned/redeemed credits, and proportional reversals on refunds.
- Attribution & anti-abuse: referral owner ID and code stored with the order; a hashed IP/UA fingerprint for soft fraud checks (no raw IP/UA is stored in the Program record).
- Program emails: type (e.g., “reward earned”, “credit used”), timestamps, and basic deliverability logs. No message-body analytics.
Legal bases (GDPR Art. 6): performance of a contract (when you join and use the Program), our legitimate interests in operating and safeguarding the Program, and consent for any non-essential cookies used for referral tracking or analytics.
Referral Cookies (Marketing)
When you visit a short referral link (e.g., /r/JOHNFIT) after consenting to marketing cookies, we set first-
Referral cookies (strictly necessary / functional – no consent required)
When a user intentionally uses a referral link (e.g., /r/CODE) or enters a referral code at checkout, we set first-party cookies solely to perform the requested service: auto-applying the friend discount and attributing referral credits within the QLEOS Credits program.
- Names: QX_REF_COOKIE (referral owner user ID) and QX_REF_CODE_COOKIE (alphanumeric code).
- Lifetime: up to 365 days, renewed on return visits.
- Purpose: strictly to execute the referral functionality requested by the user and to prevent abuse of the rewards system.
- Scope: no cross-site tracking, no sharing with third parties; used only on qleos.com (and subdomains).
- Legal basis: performance of a contract (GDPR Art. 6(1)(b)) for users invoking the referral, and/or legitimate interests (GDPR Art. 6(1)(f)) in ensuring correct discounting and credit attribution.
- Users may disable this functionality by removing the code at checkout or via their browser (clearing cookies). Disabling may prevent the discount and credits from being applied.
Note: These cookies are not marketing cookies and do not require consent, as they are necessary to provide a service explicitly requested by the user (referral discount/code).
Automated Decisions & Profiling
The Program uses automated rules to calculate friend discounts, award credits on “Completed” orders, apply redemption caps, and proportionally reverse credits on refunds. These decisions affect only loyalty/credits and do not produce legal or similarly significant effects. You may object or request human review at info@qleos.com.
Disclosures, Processors & Third-Country Transfers
We use standard ecommerce and email infrastructure (WordPress/WooCommerce, hosting and email delivery providers, and payment processors for order status).
Program emails import the “Outfit” webfont (Google Fonts). When your email client loads this font, Google may receive your IP address and user-agent. You can block remote images in your email client to prevent this. Any international transfers use appropriate safeguards (e.g., Standard Contractual Clauses), where applicable.
Retention (Program)
Program ledger and balances are kept while your account is active; if you become inactive, we delete or anonymize Program data within 24 months of the last Program activity, unless a longer period is required for accounting or legal claims. Referral cookies expire per the TTL above.
Your Choices (Program Emails & Unsubscribe)
Program emails include List-Unsubscribe headers (including one-click where supported) and a link to My Account → Rewards to manage preferences. You can also email info@qleos.com. Opting out of Program emails does not delete your account but may limit email-based benefits (e.g., receiving a voucher code by email).
Cookies
The Program uses the store’s essential cookies/sessions to keep you signed in and auto-apply your personal coupon. See Cookies and Tracking Technologies for full cookie details and consent options.
Retention for Program Data
- Program status and reward data are retained while your account is active.
- If you become inactive, we delete or anonymize Program data within 24 months of the last Program activity, unless required longer for legal claims/accounting.
- Email operations logs (type/timestamp) are retained for up to 24 months for deliverability diagnostics.
All other data retention periods in this Privacy Policy (e.g., five-year accounting records) remain unchanged.
Cookies and Tracking Technologies
We use cookies and similar tracking technologies on our website to ensure proper functionality, enhance the user experience, and support marketing and analytics.
Our use of cookies includes tools from Meta (Facebook/Instagram Pixel) and Google (Analytics, Ads, Tag Manager), which may collect information about your device, IP address, browser type, user behavior, and navigation patterns. This data is used to measure the effectiveness of advertising campaigns, personalize content, and support remarketing activities.
Non-essential cookies are only activated upon your explicit consent via the cookie banner displayed upon visiting our website, in accordance with Article 6(1)(a) GDPR. You can change or withdraw your consent at any time via your browser settings or the cookie management panel provided.
Your Rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights regarding your personal data:
– Right of access – you may request information about the personal data we hold about you and receive a copy of that data;
– Right to rectification – you have the right to request corrections to inaccurate or incomplete data;
– Right to erasure – also known as the “right to be forgotten”, you may request deletion of your data under specific conditions;
– Right to restriction of processing – you may request that we limit the processing of your data under certain circumstances;
– Right to data portability – you may request a machine-readable copy of your data or have it transferred to another controller;
– Right to object – you may object to the processing of your personal data where we rely on legitimate interest, or for direct marketing purposes;
– Right to withdraw consent – you may revoke your consent at any time when data processing is based on your prior consent.
To exercise any of your rights, please contact us at info@qleos.com. We will respond to your request within one calendar month as stipulated by the GDPR. If you believe your rights under data protection law have been infringed, you have the right to lodge a complaint with your national data protection authority.
Donations to the Youth Sports Development Fund
When you add a donation to the Youth Sports Development Fund, we process the same personal data as for a standard purchase (e.g., name, email, billing details, payment information) to record the transaction, ensure transparency, and comply with legal and accounting obligations. If you are enrolled in QLEOS Loyalty & Rewards, a qualifying donation may unlock a related badge and voucher according to the Program rules visible in your Rewards Center. Donation-related personal data will not be used for marketing unless you have explicitly consented.
International Transfers
Some of our service providers (e.g., Google, Meta, email delivery, anti-fraud) may process data outside the EEA. In such cases we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and implement supplementary measures where necessary. Copies of relevant safeguards are available on request via info@qleos.com.
Data Security
We implement strict technical and organizational security measures to ensure a high level of protection for your personal data. These include but are not limited to encryption, secure server hosting, access control protocols, internal data protection policies, and staff training. All data processing is performed in accordance with the principles of privacy by design and by default.
Google reCAPTCHA (Abuse Prevention)
We use Google reCAPTCHA to protect forms from spam and abuse. When you interact with protected forms, Google may collect device and usage data (e.g., IP address, user-agent, interactions) to determine whether an action is performed by a human. This processing is carried out on the basis of our legitimate interests in securing our services and preventing fraud (GDPR Art. 6(1)(f)).
reCAPTCHA may involve international data transfers, including to the United States. Where such transfers occur, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses. For more details, please see Google’s Privacy Policy and Terms.
Changes to this Privacy Policy
QLEOS reserves the right to modify this Privacy Policy at any time to reflect changes in applicable laws, technological developments, or our internal practices. The most current version of the Privacy Policy will always be published on our website. We encourage you to review this page periodically. Continued use of our website after changes to this policy implies acceptance of those changes.
Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, you can contact us at:
QLEOS Biotech d.o.o.
Bilje 112a
5292 Renče
Slovenia
info@qleos.com