introduction


The processing of personal data is carried out in accordance with the Personal Data Protection Act of the Republic of Serbia and the General Data Protection Regulation (GDPR). This policy informs you about the purpose, scope and conditions of processing.

controller of personal data

DTM Duck Retail d.o.o. Beograd
Company registration number: 22069969 | Tax ID: 114785241 | Palmotićeva 5, 11000 Belgrade, Serbia

contact for data protection questions

E-mail: info@duck.rs (with the note “Data Protection”)
Phone: +381606000856

When sending an e-mail, please include in the subject line: «DATA PROTECTION» for faster processing.
For all questions regarding the protection of your personal data, you can contact us using the above contact details.

Given the scope of our activities, we are not legally obliged to appoint a special Data Protection Officer (DPO, Art. 60 of the Personal Data Protection Act), but all questions regarding privacy, exercising rights or complaints can be addressed to the above contact. We will respond within 30 days, and for more complex requests no later than within 3 months with prior notice.

purpose and legal basis for data processing

  1. online purchase and services
    We process your personal data to the extent necessary for concluding and performing the sales contract, including:
    • management of the user account on the online store
    • payment processing and delivery of goods via authorised partners
    • handling complaints and returns in accordance with the Consumer Protection Act
    • sending notifications about order status and product availability
    • ensuring security, functionality and stability of our services
      Legal basis: Art. 12(1.2) and 12(1.6) of the Personal Data Protection Act of the Republic of Serbia and Art. 6(1)(b) and 6(1)(f) GDPR – performance of a contract, prevention of abuse and protection of legal claims.

  2. display of products and services
    Your data are used for:
    • analysing displayed products on the website based on your purchase history and interests
    • personalising offers based on data obtained through cookies (Google Analytics, Yandex Metrika)
    • adapting recommendations according to your preferences
      Legal basis: consent (Art. 12(1.1) of the PDPA and Art. 6(1)(a) GDPR) which you give via the cookie banner; technically necessary cookies operate on the basis of legitimate interest (Art. 12(1.6))..
  3. advertising and market research
    We use data for:
    • creating targeted user groups on social networks (Facebook, Instagram, TikTok, Viber)
    • collecting data on demographics, fashion interests and purchasing habits
    • predicting fashion trends and planning promotional campaigns
    • evaluating the success of marketing campaigns
      Legal basis: exclusively your consent (Art. 12(1.1) PDPA and Art. 6(1)(a) GDPR) – given via the cookie banner or when subscribing to the newsletter.
  4. product and technology development
    Data are used for:
    • development of website and mobile application functionalities
    • optimisation of personalised services and analytics (Google Analytics, Yandex Metrika)
    • fraud prevention and securing IT systems
    • accelerating order processing and delivery
      Legal basis: legitimate interest (Art. 12(1.6) PDPA and Art. 6(1)(f) GDPR) with the performance of DPIA where necessary (Art. 57 PDPA).
  5. service optimisation
    Data you'd processed for:
    • improving communication with customers via Customer Service
    • respecting consumer rights (e.g. return of goods within 14 days)
    • fulfilling legal obligations (e.g. tax documentation)
    • proving compliance with the Personal Data Protection Act and the Consumer Protection Act
      Legal basis: legitimate interest (Art. 12(1.6)) and legal obligations (Art. 12(1.3) PDPA and Art. 6(1)(c) GDPR).

what data do we process?

  • For user account: First name, last name, e-mail address
  • For purchase: First name, last name, e-mail, phone number, address (street, number, postal code, city, country), tax number (if an invoice is required)
  • For newsletter and promotional messages (e-mail and/or phone): e-mail address and/or phone number (depending on what you provide during subscription or purchase)
  • For returns: Bank account number
  • For contact: First name, last name, transaction details, contact details. Calls are recorded only with your explicit consent at the beginning of the conversation (“Do you agree that the conversation is recorded for quality control purposes?”). Recordings are kept for a maximum of 90 days.
  • Automatic data: IP address, device data, behaviour on the website via cookies – details in the Cookie Policy

rights of data subjects

You have the right to:

  • access your data and information about their processing
  • rectification of inaccurate or completion of incomplete data
  • erasure (“right to be forgotten”)
  • restriction of processing
  • data portability – you will receive them in a structured, commonly used and machine-readable format (e.g. CSV)
  • object to processing (especially for direct marketing – in that case we stop immediately; objection to legitimate interest is considered within 30 days and we will inform you of the outcome)
  • withdraw consent at any time without any consequences (where consent was the basis of processing)
  • delete your user account and all related data via “My Account” or by sending a request to info@duck.rs
  • be informed about the processing of your data

Requests are processed free of charge and no later than within 30 days (in exceptional cases up to 3 months with prior notice).
If you believe that your rights have been violated, you have the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection (Bulevar kralja Aleksandra 15, Belgrade, www.poverenik.rs).

methods of communication

For data questions:  

  • e-mail: info@duck.rs  
  • phone: +381606000856
  • contact form on the website  
  • address: DTM Duck Retail DOO Beograd, Palmotićeva 5, 11000 Belgrade

data retention periods

  • as long as the user account exists
  • 10 years for tax and accounting documentation (statutory period, deletion not possible)
  • 2 years after the last contact with customer service
  • until withdrawal of consent for newsletter and advertising
  • 6 months for product availability inquiries

Transfer of data outside Serbia/EEA is carried out only with appropriate safeguards: adequacy decision, Standard Contractual Clauses + TIA or Data Privacy Framework (for the USA). The list of processors is available upon written request to info@duck.rs.

transfer of data to third parties

We share data with:

  • Delivery partners (e.g. courier services) – only name, address and phone number for delivery and transactional notifications (including Viber/WhatsApp/SMS messages about shipment status)
  • Payment institutions for payment processing
  • Analytical and marketing services (e.g. Google Analytics, Yandex Metrika, Facebook Pixel, TikTok Pixel, Viber)  

Transfer of data outside the EEA is carried out with standard contractual clauses or other appropriate measures under GDPR. The list of processors and recipients is available upon written request by e-mail to info@duck.rs.

сommercial information – newsletter and messengers

By subscribing to the newsletter or leaving your phone number during purchase, you give explicit consent (Art. 12(1.1) PDPA) for us to send you promotional messages, offers, discounts, new collections, abandoned cart reminders, etc. via e-mail and/or phone (Viber, WhatsApp, Telegram, SMS – on the channel where you are available). You can withdraw consent at any time without any consequences:

  • by clicking the link in the message
  • by sending the word STOP or ODJAVA in reply to our message (in most cases the service stops automatically)
  • or by sending a request to info@duck.rs

product availability notifications

By entering your e-mail address and confirming, you give consent to receive availability notifications and possible related promotional messages. Unsubscription is possible at any time via the link in the message or by e-mail to info@duck.rs.

data processed by the websites

We automatically collect technical data (IPAddress, device type, behaviour on the site) via cookies.
Technically necessary cookies operate on the basis of legitimate interest (Art. 12(1.6) PDPA). Analytical and marketing cookies operate only with your explicit consent (Art. 12(1.1) PDPA) – details in the Cookie Policy.

login via social networks

If enabled, you can log in or register using existing accounts on social networks or other platforms (e.g. Facebook, Instagram, Google, Apple ID, etc.). In that case, we receive only basic publicly available data (first name, last name, e-mail address) exclusively with your explicit consent during login. We never have access to your password or private content on those accounts.

Facebook Custom Audience and Pixel

We use Facebook Pixel and Custom Audience for personalised ads on Facebook and Instagram. Data (e-mail, phone) are transferred securely and are not used for direct messaging. You can disable this feature in your Facebook settings: here here.

TikTok Pixel

We use TikTok Pixel to display personalised ads on TikTok. The data are anonymised and do not directly identify you. For more information: TikTok privacy policy.

Yandex Metrika and Yandex.Direct

We use Yandex Metrika for user behaviour analysis and Yandex.Direct for advertising. Data are processed with your consent via cookies. For more information: Yandex privacy policy.

Google Analytics and Google Ads

We use Google Analytics for website visit analysis and Google Ads for advertising. IP addresses are anonymised, and data are transferred to Google servers with standard contractual clauses. You can disable tracking at: Google opt-out.

Viber and other messengers (WhatsApp, Telegram, etc.)

We use Viber, WhatsApp, Telegram and other messengers for:

  • transactional notifications about delivery and order status (without consent – necessary for the performance of the contract, Art. 12(1.2) PDPA)
  • promotional messages, cart reminders, promotions and news (only with your explicit consent given when subscribing to the newsletter or during purchase, Art. 12(1.1) PDPA)

You can withdraw consent for promotional messages at any time without any consequences:

  • by sending the word STOP or ODJAVA in reply to the message
  • by clicking the unsubscribe link (if available)
  • by e-mail to info@duck.rs

changes to the Privacy Policy

The Policy may be updated. The new version will be published on the website. Last updated: 20.03.2025.