Privacy Policy – 100% Smart Food B2B

This statement provides information on how BOLERO ADRIA d.o.o. processes your personal data in connection with the registration and use of the B2B platform b2b.100smartfood.hr, the conclusion and execution of sales contracts, order processing, product delivery, payment collection, and other services we provide to business customers.

1. Data Controller

The controller of personal data is:

BOLERO ADRIA d.o.o.
Avenija Dubrovnik 15
Zagrebački velesajam, Paviljon 12
10000 Zagreb, Hrvatska
OIB: 02255011450

For any questions regarding data processing and exercising your rights, you can contact us via our contact page.

2. For which purposes and on what legal basis do we process data?

We process personal data exclusively for providing B2B services:

2.1. 2.1. Conclusion and execution of contracts (B2B purchases)

We process customer data (legal entities and sole proprietors) who register or order goods via the B2B platform for the purposes of:

opening and managing a B2B user account
processing orders and delivering goods
issuing offers, delivery notes, and e-invoices
communication regarding the order
payment collection and managing the business relationship

Legal basis: performance of a contract and pre-contractual measures (Art. 6(1)(b) GDPR).

2.2. 2.2. Legal obligations

Data is processed to fulfill obligations under accounting, tax, and other regulations.

Legal basis: legal obligation (Art. 6(1)(c) GDPR).

2.3. 2.3. Legitimate interest

We process certain data for purposes such as:

system security and abuse prevention
optimization of business processes
monitoring orders and interactions in the B2B system
statistical analysis and internal reporting

This does not include automated decision-making or profiling that could have legal effects on the customer.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

3.1. 3.1. Data in online payments (CorvusPay)

When paying by card through the CorvusPay system, the following data is processed:

Card type
Transaction data (authorization, amount, transaction result)

We do not process or store card number, CVC/CVV code, or expiry date. The customer enters card data directly into CorvusPay, which is certified according to PCI DSS Level 1 and acts as an independent data controller for payment card data.

4. Who may the data be disclosed to?

Data may be shared with:

IT and hosting service providers
Logistics and delivery service providers
Accounting and external services to fulfill legal obligations
Banks and payment service providers (including CorvusPay)
State authorities where required by law

All partners process data exclusively according to our instructions and with appropriate security measures.

5. Data transfer outside the EU

If data is transferred to service providers located outside the EU/EEA, transfers are carried out with appropriate safeguards (e.g., EU Standard Contractual Clauses).

6. How long do we retain data?

Order and invoice data: at least 10 years (legal obligation)
User accounts: for the duration of the business relationship + statute of limitations period
Technical and security logs: up to 12 months
Data processed based on consent: until withdrawal of consent

After these periods, data is deleted or anonymized.

7. Your rights

You have the right to request:

access to your data
correction of inaccurate or incomplete data
deletion of data (“right to be forgotten”) in cases prescribed by GDPR
restriction of processing
data portability
objection to processing based on legitimate interest

To exercise your rights, contact us via our contact page.
You also have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP).

8. Cookie Policy

Our website uses cookies for functionality, analytics, and system security.