1. Who we are
This website (23points.com, the “Service”) is operated by Filip Rogelj s.p., trading as Admentor, registered at Srednja vas pri Šenčurju 51A, 4208 Šenčur, Slovenia (registration number 9525815000, VAT ID SI77096592). Contact: support@23points.com. We are the data controller of your personal data under the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Slovenian Personal Data Protection Act (ZVOP-2).
2. What we collect
a. Data you give us directly. When you request a referral link or buy Point-1 we collect your email address and (through our payment processor) your billing country and card brand.
b. Data collected automatically. On every visit we collect anonymised traffic statistics via Vercel Analytics, Vercel Speed Insights, and (if you consent) PostHog product analytics plus Meta and TikTok advertising pixels. This includes page views, device type, approximate city, referring URL, and how long you stay.
c. Cookies. One first-party cookie named ref stores the referral code of the person who invited you, for up to 90 days, so the right person can be credited if you buy. Analytics cookies are disabled until you accept them.
3. Why we process your data
- Delivering the product you bought (Art. 6(1)(b) GDPR — contract performance).
- Issuing tax-compliant invoices and keeping accounting records (Art. 6(1)(c) — legal obligation, SI Tax Act).
- Preventing fraud and abuse of the referral system (Art. 6(1)(f) — legitimate interest).
- Sending product emails (Point 1 delivery, drip reminders about your referral link). We do not sell, rent, or share your email with any third party for marketing.
- Advertising measurement, only if you consented to advertising cookies (Art. 6(1)(a) — consent).
4. Who we share data with
We share data only with the processors required to run the service:
- Stripe Payments Europe, Ltd.(Dublin, Ireland) — payment processing.
- Supabase, Inc.(USA, EU-hosted instance in Frankfurt) — database and authentication.
- Vercel Inc.(USA) — hosting and CDN. Data in transit only; runtime processing in the EU region.
- Resend, Inc.(USA) — transactional email.
- PostHog, Meta, TikTok— only if you opted in to analytics or advertising cookies.
Transfers to the USA rely on Standard Contractual Clauses and the EU–US Data Privacy Framework where available.
5. How long we keep it
- Account email + referral code: while your account exists, and for 10 years after purchase to meet Slovenian invoice-retention law.
- Referral click / signup events: 24 months.
- Analytics data: aggregated after 14 months and anonymised after 24 months.
6. Your rights
You may request access, correction, deletion, restriction, portability, or object to processing. Email support@23points.com. You may also lodge a complaint with the Information Commissioner of the Republic of Slovenia, www.ip-rs.si.
7. Security
All traffic is encrypted with TLS 1.3. Payment details never touch our servers — Stripe handles them under PCI-DSS Level 1. Database access requires per-request service tokens and is logged.
8. Changes
We may update this policy. The “Last updated” date at the top reflects the current version; we keep older versions in our Git repository on request.