Privacy Policy
Last updated: February 2026.
1Introduction
AlmaDerm Natural Cosmetic (hereinafter: "we", "our", "AlmaDerm"), based in Bosnia and Herzegovina, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store and protect your personal data when you use our websites (almaderm.ba) and related services.
This policy applies to all users of our website, regardless of their location — including Bosnia and Herzegovina, the European Union, the United Arab Emirates and all other countries to which we deliver our products.
2Data We Collect
We collect the following types of data:
- Personal data: name, surname, email address, phone number, shipping and billing address.
- Transaction data: order details, payments, purchase history and applied coupons.
- Technical data: IP address, browser type, operating system, device information, geolocation (for determining currency and shipping zone).
- Cookies: website usage data through cookies and similar technologies (see Cookies section).
- Communication data: messages via contact form, live chat, email correspondence regarding orders.
- Skin data (optional): if you use our skin analysis (selfie or quiz), we process data about the appearance and condition of your skin — exclusively with your explicit consent.
Skin analysis is voluntary and cosmetic (not medical) in nature. Data about the condition of your skin may be considered a special category of data, so we process it only on the basis of your EXPLICIT consent (Article 11 of the BiH Law on Personal Data Protection).
Your photo is analyzed in real time and is NEVER stored (neither on disk nor in a database) — we keep only the textual cosmetic result (e.g. skin type) to track progress and recommend products. For the analysis, the photo is temporarily sent to an AI partner (OpenAI/Anthropic, USA). You can withdraw consent and delete the data at any time via info@almaderm.ba or by deleting your account.
3Legal Basis for Data Processing
We process your data based on the following legal grounds:
- Contract performance: order processing, delivery, account management.
- Consent: marketing communications, newsletter, cookies (except essential ones).
- Legitimate interest: fraud prevention, service improvement, analytics.
- Legal obligation: retention of invoices and receipts in accordance with tax regulations.
- Explicit consent for special categories: to process skin data (skin analysis) we ask for your separate, explicit consent (Article 11).
4How We Use Your Data
We use your data for:
- Processing, delivering and tracking your orders.
- Communication regarding orders (email, SMS, WhatsApp status notifications).
- Personalizing user experience (product recommendations, currency rates).
- Marketing (with your explicit consent) — newsletters, special offers, new product announcements.
- Analytics and improvement of our website and services.
- Fraud prevention, abuse protection and ensuring the security of our website.
- Fulfilling legal obligations (tax records, accounting).
5Data Sharing with Third Parties
We do not sell or rent your data to third parties. We share data exclusively with verified partners who are necessary for providing our services:
- Courier and postal services (e.g. BH Pošta, regional couriers, Aramex and Express One for international delivery): for delivering your orders (name, address, phone).
- Payment processors (Stripe): for secure card payment processing. We do not store card details on our servers.
- Buy-now-pay-later payment processors (Tabby): when you choose "buy now, pay later", we forward the data needed to process it (name, email, phone, order history).
- Analytics and advertising tools (Google Analytics/GTM, Meta Pixel and Conversions API, TikTok Pixel): to analyze website usage and measure ad performance — only with your consent. Identifiers sent to Meta (e.g. email, phone) are cryptographically hashed beforehand. For approximate geolocation by IP address we use the ip-api.com service.
- AI assistant (OpenAI, Anthropic): when you use the chat or skin analysis, the text of your messages (and, for skin analysis, a photo that is NOT stored) is processed to provide recommendations. These partners process data on servers in the USA with appropriate safeguards.
- Email delivery platform (Mailgun): for sending newsletters and transactional messages — newsletters only with your consent.
- Hosting provider (Hetzner, Germany): for data storage and processing on secure servers within the EU.
All our partners are obligated to protect your data in accordance with applicable data protection laws.
6International Data Transfers
Our servers are located in Germany (Hetzner, Nuremberg), within the European Union. Some of our partners process data outside the EU/EEA — in the USA (Google, Meta, TikTok, OpenAI, Anthropic, ip-api.com) or the UAE (Tabby, Aramex) — on the basis of Standard Contractual Clauses (SCCs), your explicit consent and other approved transfer mechanisms, in accordance with the BiH Law on Personal Data Protection.
For customers from the UAE and other countries outside BiH: your data is processed on EU servers according to EU data protection standards, which are among the strictest in the world.
7Data Security
We use SSL/TLS encryption to protect all data transmitted between your browser and our website. Passwords are cryptographically protected (hashed) and we never store credit card information on our servers.
Additional security measures include: regular software updates, protection against unauthorized access, restricted access to personal data limited to authorized personnel only, and data backups.
8Your Rights
Regardless of your location, you have the following rights regarding your personal data:
- Right of access: You can request a copy of all personal data we hold about you.
- Right to rectification: You can request correction of inaccurate or incomplete data.
- Right to erasure: You can request deletion of your data ("right to be forgotten"), except where retention is legally required.
- Right to restriction: You can request restriction of processing of your data in certain situations.
- Right to withdraw consent: You can withdraw marketing consent at any time.
- Right to portability: You can request transfer of your data in a structured, readable format.
- Right to object: You can object to processing of your data based on legitimate interest.
- Right to lodge a complaint with the supervisory authority: If you believe we are processing your data unlawfully, you can lodge a complaint with the Personal Data Protection Agency of BiH (AZLP, www.azlp.ba).
To exercise any of these rights, contact us at info@almaderm.ba. We will respond to your request within 30 days.
9Cookies
We use cookies to enable our website to function and to improve your experience.
Essential cookies (cart, session, currency, login) do not require consent as they are necessary for the website to function. Analytics cookies (Google Analytics) and marketing cookies (Meta Pixel) are used only with your consent via the cookie banner.
You can manage cookie preferences through the banner on our website or in your browser settings. Disabling certain cookies may affect website functionality.
By voluntarily providing your data (e.g. your email via the newsletter, chat or checkout) you consent to being tracked via cookies and to us using that data to improve our service and send you personalized offers.
Choosing 'Accept All' on the cookie bar also enables marketing cookies, which includes tracking on other websites (e.g. Facebook, Instagram, Google) to show you relevant ads (remarketing).
We keep a record of each consent you give (what you accepted, when, and from which IP address) as proof of consent. You can withdraw consent at any time via the cookie settings or by contacting info@almaderm.ba.
10Data Retention
We retain your personal data for as long as necessary to fulfill the purpose for which it was collected, or as required by law.
Order data is retained for a minimum of 6 years (legal requirement for tax documentation). User accounts remain active until you deactivate them. Marketing preferences are retained until you withdraw consent. Technical logs are automatically deleted after 90 days.
11Protection of Minors
Our services are not intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from a minor, we will promptly delete it.
12Policy Changes
We reserve the right to update this Privacy Policy. You will be notified of significant changes via email or a notice on our website. The date of the last update is indicated at the top of the page.
13Privacy Contact
For all questions regarding the protection of your data, contact us:
AlmaDerm Natural Cosmetic
Email: info@almaderm.ba
Web: almaderm.ba